Ten Commandments for SAP License and Authorization Management
With the auditor breathing down their necks and the next SAP audit always in sight, companies invest considerable time and money in their authorization management.
The effort is enormous and usually a reliable source of unwanted gray hair for the compliance manager.
- How can business roles be mapped on a technical level?
- According to which criteria should authorizations be assigned?
- Of course, you look at what the user should and should not be able to do, but also at what he or she is already working on in SAP. What effort does that involve?
Here's an example: Michael, our model employee from the authorization team, first takes a look at ST03N.
There he finds out which transactions SAP user X has used in SAP system Y. He does this in just under two minutes - after all, he's a fast worker.
And intelligent, too. That's why he immediately recognizes, based on the transactions used, which license needs to be assigned to this user.
This takes a little longer, though: he needs four minutes for it. Then he quickly switches to SU01 and enters the license he has determined (or rather estimated?) there.
That is so quick that we can ignore the time it takes.
But you guessed it: User X also works in SAP systems A, B, C, etc. The game starts all over again.
And because Michael also wants to know what the LAW (License Administration Workbench) will later determine, he forms the final resulting and billable license from all the licenses defined in the different systems.
Did I mention that Michael is particularly fast? He can do that in two minutes. The bottom line is that he needs eight minutes per user and SAP system. But the company has 4,500 SAP users on five different systems, so: eight minutes x 4,500 users x five systems.
In that case, Michael would be busy for 375 eight-hour working days.
As you can see, that's not possible: there are only 365 days in a year. So you need a team of three to five people, and after all, nobody has even looked at the authorizations yet.
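The manual steps above (derive a license per system from the transactions used, then consolidate across systems the way LAW does) as a small added Python example that is not from the original article: the license types, the transaction-to-license mapping and the usage data are constructed, and it assumes that the highest license class a user reaches in any system is the one that counts.

```python
from collections import defaultdict

# Constructed ranking of SAP named-user license types, cheapest first
# (assumption; the real SAP price and condition list is not reproduced here).
LICENSE_RANK = ["Employee", "Limited Professional", "Professional"]

# Constructed mapping: which license type a transaction code implies.
TCODE_LICENSE = {
    "SU01": "Professional", "PFCG": "Professional", "ME21N": "Professional",
    "ME23N": "Limited Professional", "VA03": "Limited Professional",
    "PA30": "Limited Professional", "SBWP": "Employee", "SU3": "Employee",
}

# Constructed usage data per system, the kind of list ST03N shows per user.
USAGE = {
    "A": {"X": ["SBWP", "VA03"], "Z": ["SU01", "PFCG"]},
    "B": {"X": ["ME21N"], "W": ["SU3"]},
    "C": {"X": ["SBWP"], "Z": ["ME23N"]},
}

def highest(a, b):
    """Return the more expensive of two license types."""
    return a if LICENSE_RANK.index(a) >= LICENSE_RANK.index(b) else b

def system_license(tcodes, fallback="Employee"):
    """License a single system would assign, from the transactions used.
    Unknown transaction codes fall back to the cheapest type."""
    lic = fallback
    for t in tcodes:
        lic = highest(lic, TCODE_LICENSE.get(t, fallback))
    return lic

def consolidate(usage):
    """Per-system license (what Michael enters in SU01), the consolidated
    per-user license (what LAW would report) and billable totals per type."""
    per_system = {}
    per_user = {}
    for system, users in usage.items():
        for user, tcodes in users.items():
            lic = system_license(tcodes)
            per_system[(system, user)] = lic
            per_user[user] = highest(per_user.get(user, LICENSE_RANK[0]), lic)
    totals = defaultdict(int)
    for lic in per_user.values():
        totals[lic] += 1
    return per_system, per_user, dict(totals)
```

Comparing `per_system` against `per_user` shows which systems carry a lower license than the one that will actually be billed after consolidation.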
The defined roles must be designed to be compliant and assigned correctly. Critical combinations must be identified and prevented from the outset.
You need an all-round view. And then the team also has to stay one step ahead and constantly recognize where authorizations are expiring or where they have been assigned too generously.
In the end, the departments should be able to assign the correct authorizations independently. All these processes are extremely knowledge-intensive. If an employee leaves the team, things quickly become tight in terms of manpower and know-how.
So it's no surprise that companies are considering a software solution for their license and authorization management. If they also take the following ten requirements into account, the idea becomes a well-rounded one:
- Licensing must be transparent and traceable, withstand SAP audits and be auditor-friendly.
- Named-user licenses are automatically adjusted when the scope of tasks changes.
- The conditions from the SAP price and condition list are always stored up-to-date.
- Additional costs due to engines and packages are determined and visualized transparently.
- SAP authorizations are assigned automatically and in a compliant manner.
- The four-eyes principle between the business department and IT is implemented in a way that is traceable and accountable for everyone involved.
- SAP users can manage themselves according to the company's specifications.
- Critical combinations are automatically prevented.
- Authorizations are permanently checked for up-to-dateness and automatically adjusted.
- Authorization concepts are automatically adapted according to the authorizations actually used.