Authorization Concepts
While some still doubt the necessity of SAP authorizations - and the associated authorization concepts - others shy away from their implementation due to the high complexity. The fact is: SAP authorization concepts are indispensable for company-wide compliance and IT security. But how do companies get a reliable SAP authorization concept without despairing of it? Is there one silver bullet or are there several ways to reach the goal?
An SAP authorization concept maps relevant legal standards and internal company regulations that need to be harmonized with the IT security requirements within an SAP system. With a well thought-out authorization concept, the administrative effort can be significantly reduced while simultaneously fulfilling the legal requirements. It not only creates the desired compliance, i.e., traceable structures including complete documentation and versioning, but also provides each user with the authorizations in the SAP system that are necessary for his or her tasks in accordance with the rules.
No sign of mistrust
Anyone who thinks clear authorizations are a sign of mistrust is wrong. They serve to protect the company and employees alike. In this way, massive damage can be prevented that could result from accidental actions by employees. Typical examples are the lifting of a delivery block or the incorrect use of a mass change function. At the same time, an authorization concept protects against fraud attempts, such as employees falsifying financial statements and harming stakeholders in this way. Although SAP authorization concepts can save companies from significant financial and reputational damage, the majority only deal with them when external and internal events force them to do so. External events classically include audits and financial reviews. Internally, historically grown authorizations usually lead to conflicts and then require a reduction up to a fundamental clean-up. But an inevitable migration to S/4 Hana in the near future also causes companies to have to deal with the topic of authorizations.
Possible courses of action
When companies are confronted with these events, they have three main options for action:
1. just before: Of course, companies are free to take a wait-and-see approach and only tackle their SAP authorization concept when there is no way around it. However, this is not recommended. Especially not when the next audit is just around the corner. Companies would be well advised not to use such a time-critical trigger as an opportunity to address their SAP authorization concept.
2. selective adjustments: Another rather forced option for companies is to reactively make selective adjustments with regard to their SAP authorization concept and thus alleviate the current "pain". In specialist circles, such an approach is also often referred to as the fig leaf method. This is often less process-driven and makes a new start inevitable after a certain period of time, for example, due to too many interfaces, workarounds or lack of transparency. This is because real quick wins are only created when selective adjustments are implemented with foresight and a future, holistic solution is already taken into account during planning.
3. holistic approach: The optimum for companies is to embed their SAP authorization concept in a holistic strategy. This means introducing it in a modular fashion using an integrated system. At first glance, this may seem more complex than selective adjustments, but it has several advantages. For one thing, companies do not have to develop interfaces. Second, thanks to its modular structure, the solution can be perfectly tailored to individual company and employee needs. If you like, this method not only alleviates the pain, but also gets to the root of the problem.
SAP authorization concepts and their implementation and optimization are just as individual as each individual company. The one silver bullet is therefore a myth. The following three scenarios are examples of the many different ways in which SAP authorization concepts can be implemented.
Scenario one
Setting up for the future with S/4. A well-known industrial company wants to migrate to S/4 Hana as soon as possible in order to set itself up for the future on the one hand, and on the other hand to take advantage of the opportunity to optimize authorizations and licenses. In the run-up to this, they discussed in detail which migration approach would be best suited - Greenfield, Brownfield or Bluefield. Based on their specific requirements and after thorough consideration, the company finally opted for the Greenfield approach, i.e. the new implementation of an S/4 system. The industrial company knows that it makes sense to set up a new authorization concept even before the go-live in order to avoid the classic proliferation and to ensure compliance immediately. This is the only way to avoid various security problems during the go-live, for example due to predefined roles and role assignments that are too far-reaching. The industrial company therefore decides in advance to use SAP's system trace as a basis for continuously recording user behavior. Based on this, the company derives appropriate adjustments and transfers these to the new authorization concept. After an optimization phase, any security problems are eliminated and the migration with the new authorizations is successfully completed.
Scenario two
Check-up for upcoming audit. In the course of an internal audit, which was actually only intended for testing purposes or to prepare for the annual audit, an automotive group discovered that it had various challenges with regard to its SAP authorizations - including the separation of functions for users in business-critical areas. For example, various employees can currently create suppliers, post a goods receipt and, to top it all off, start the payment run without any real need to do so. This problem arose as a result of insufficiently controlled role assignments in the past. In order to quickly - and most importantly, in a timely manner - remedy its selective pain, the company is looking for an intelligent solution that automates compliance processes and in which the review, approval and mitigation of conflicts can be presented in a user-friendly and secure manner.
The automotive group opts for a solution that can perform an automatic audit before and after changes to authorizations and roles. The major advantage: Before the upcoming audit, the company can ensure that the relevant audit conflicts have been identified, documented in an audit-proof manner and versioned. This also guarantees that in the event of future changes, relevant violations are already displayed before the application workflow and can thus be avoided. This saves process costs and ensures an efficient audit with less preparatory work.
Scenario three
Historically grown role concept shrink. A restructuring combined with new compliance requirements confronts a large energy company with the challenge of reviewing all authorizations and roles. This project turns out to be a Herculean task, because the systems have grown considerably over the past ten to fifteen years. Although new roles and authorizations have been added regularly, they have rarely, if ever, been checked to ensure that they make sense. The energy company would like to shrink the old "monster roles" and remove superfluous authorizations from the users. However, it quickly became clear that this could not be done with a reasonable amount of effort, either manually or using SAP's on-boarding tools.
The energy company needs a simple solution that can automatically identify and clean up unused authorizations and overloaded roles. This will enable the company to rid itself of its historically grown legacy after only a short period of time. In addition to streamlined administrative work, the energy company now benefits from significantly lower audit costs. The reduced licensing costs are an additional positive aspect of the new clarity.
Don't shy away from SAP authorization concepts
Introducing SAP authorization concepts or bringing them up to date does not necessarily have to involve a great deal of effort. Quick wins can already be achieved with selective optimization. In addition, in the future, complex algorithms combined with artificial intelligence will automate the analysis, creation and revision of SAP authorization concepts, making them much more efficient. Nevertheless, there is no such thing as the much-vaunted silver bullet.
The paths to a modern SAP authorization concept are just as individual as the companies that follow them. They should see this as an opportunity to explore an approach that is tailored to their needs - and will be AI-supported in the future. Numerous successful examples from practice show how this can be done. In this way, companies not only shed their awe of SAP authorization concepts, but are well on their way to raising compliance and IT security to a resilient level.
