Quickly and securely to S/4HANA Role Conversion
PUMA SE is an international company with approximately 14,000 employees in 50 countries, many country-specific in-house developments and interfaces, and high compliance requirements. The project involved the start of the migration with 4 countries and different SAP ERP systems to S/4HANA.
Due to the large number of organizational units, distributed processes, critical country specifics, and other factors, the challenge arose to create a global authorization concept that could then be rolled out "in depth" at the country level.
It was particularly important for PUMA to choose a partner who could keep up with the company's dynamism and determination: "PUMA stands for forever faster. We also live this in our processes and projects. As the fastest sports brand, we also need the right partner in the area of IT security who can act flexibly. We have found one in the SAST SOLUTIONS team," says Karsten Krebs, Business Solution Manager.
In addition to the introduction of a new, uniform concept across all countries and companies, the objective was to implement new processes under the motto "Fiori first!"
Approach, procedure and choice of authorization concept
First, fundamental decisions had to be made: Green-, Brown- or Bluefield, classical or agile project management? Based on the objectives, a greenfield approach and agile project management were chosen.
Alina Demuth, SAP S/4HANA Consultant SAST SOLUTIONS, emphasizes: "Often, the choice of authorization concept is based on the suggestion of a single consultant or a best-practice approach without reference to the company and project-specific needs. It is essential to be aware of the advantages and disadvantages of the various authorization concepts, which all have their raison d'être depending on the situation.
If the wrong choice is made here, this is often only recognized after several days have been spent during implementation, or even worse, when the negative effects become apparent later in everyday life. A subsequent correction can then be associated with high effort and costs."
Variety of authorization concepts
For this decision, numerous aspects must therefore be taken into account right from the start: What are the actual business needs, what are the project goals, and how high is the security requirement? What are the budget and the time and personnel resources?
Limiting factors such as the existing organizational structures and processes, the number of SAP users, and basically the type and architecture of the system provide a fixed framework. The prioritization of the goals is determined by the respective IT strategy.
The choice of the "right" authorization concept is ultimately a balancing act between the need for high security with precisely tailored authorizations and the desire for minimal administrative effort. The conflict of goals is therefore minimal assignment of authorizations vs. standardization of processes.
Roozbeh Noori-Amoli, Deputy Head SAP Consulting at SAST SOLUTIONS, cites some scenarios where a particular concept makes sense: "In the case of an international organization with many identical parts of the company and recurring processes, the template role approach with derivations according to organizational units or the menu/value role concept work. On the other hand, if there is a very high need for security and a desire for precise assignment of authorizations, a low number of transactions used per user, and a system with few but different processes, the 1 transaction - 1 role concept is recommended."
PUMA project scenario: challenges and learnings
"We finally decided with PUMA for procedural single roles with functional workstation collection roles," Demuth said, "because there are many units that are similar, centrally managed, with central auditing and a uniform concept with special roles as well as derivations across organizational levels."
However, Noori-Amoli emphasizes that this concept is by no means the right choice for everyone: "In another project, for example, exactly this concept was also chosen at the urgent request of the customer. However, it quickly became clear in the workshops with the departments that it was only possible to a limited extent to separate users into homogeneous groups and implement a clear separation of the individual processes. Here, a hybrid authorization concept was preferable in order to better address the circumstances of the country and department specifics."
The lessons learned from the PUMA project: It is important to identify and adopt the best of both worlds. The process should be the focus, not the user experience strategy. Early involvement of all project participants, open project communication, and training to actively promote the benefits and raise awareness of innovations are important.
Agile management and new S/4HANA transactions
The migration is accompanied by the relocation of in-house developments and the implementation of a new authorization concept. Integration, regression and authorization tests are not considered separately, but are carried out in parallel. This is because the motivation of the end users decreases if there are many changes and they run into missing authorizations during the functional tests.
Noori-Amoli summarizes the learnings: "Above all, sufficient time must be planned for testing. In addition, detailed coordination must be ensured between the test team, the training management team and the authorization team. Tool support, such as SAST SUITE, is helpful in ensuring process tests.
It is important to update the SU24 values of the S/4HANA standard transactions and to make developers aware that these must also be maintained in in-house developments. And the complex business partner issue must be addressed together with the specialist departments at an early stage. Finally, cross-functional decisions must be made regarding the content of authorization roles."
Authorization Management and "Fiori first!"
Analogous to the transformation, a change should also take place in the minds of the employees: "Think global!" requires that processes be harmonized so that there can be identical authorizations across the entire company.
The learnings, according to Alina Demuth: "Away from the authorization team, towards one responsible person in each department. Tool support, such as SAST SUITE, is also useful here. Standard templates are required for default roles for testing as well as clean and SoD-free roles. Authorizations should not only be tested for functionality, but negative tests should also be completed. An uninterrupted day-to-day business is then ensured by a safe-go-live approach."
Many companies focus on a Fiori strategy when introducing S/4HANA. However, many factors have an influence on how this is then put into practice and how the new interface is integrated into existing processes as a "foreign body": for example, the creation of a new mindset, the configuration of the architecture, the conception of authorizations and the rolling out of the new business processes to the individual units.
Moreover, SAP has not yet implemented Fiori across the board, and not all processes are covered. This results in unattractive media discontinuities, as operations have to be carried out partly with Fiori and partly with the backend.
Noori-Amoli summarizes the learnings as follows: "Fiori should only be used where it offers real added value and simplifies things. It is important to plan for more time and resources, because the business departments often lack process know-how and the knowledge of how they want to work in S/4HANA. The topic cannot simply be implemented alongside day-to-day business. It's a matter of creating customer-specific catalogs and groups so as not to have to resort to the overloaded SAP standard."
Dynamic, agile and a perfect fit: the authorization project at PUMA
A successful, highly dynamic and agile S/4HANA authorization project is possible with the appropriate expertise of a partner, custom-fit tools and careful planning; the choice of authorization concept depends fundamentally on the factors of cost, time and scope.
It is essential to determine stakeholder needs and project goals in advance. Experience has shown that S/4HANA authorization projects are subject to strong dynamics due to their initially often unclear overall strategy and the frequently changing requirements.
The SAST SOLUTIONS SAP experts therefore pursued an agile project management approach at PUMA SE that was precisely tailored to the complexity of the challenges and the customer's expectations, according to Karsten Krebs, PUMA SE: "With SAST SOLUTIONS, we have put together the right team with the right software tool to be able to react agilely to our dynamics. Together, we successfully implemented a global security and authorization concept for our S/4HANA system landscape."