The virtual SAP role consultant

Relief through authorization concepts 2.0

The authorization concept is too lengthy, too complex, too expensive, many companies find. At the same time, however, no company can afford to sit out outdated authorization concepts or to plan the go-live generously with "SAP_ALL". The economic and security risks of errors, data misuse and oversized license packages are too great if everyone is allowed to do everything.

But the shortage of specialists is increasingly becoming the limiting factor for good, audit-proof authorization concepts. SAP specialists - both internal IT staff and external SAP consultants - are among the most sought-after experts in the IT labor market. "Worth their weight in gold" was the headline of an article in the Handelsblatt newspaper, putting the tight situation in a nutshell. Modern technologies can help cushion this gap. 

There are now numerous tools on the market that reduce the administrative effort for authorization management and thus accelerate subtasks. But the primary bottleneck remains: Role building is still a "human task" that ties up hundreds of man-hours and requires a lot of know-how. The big hit can therefore only come from intelligent automation - with solutions that not only relieve the time burden, but also enable interaction between people and machines. This is where the world's first virtual role consultant comes in: Automated Role Mining is used to automatically create or optimize complex concept proposals for individual and collective roles.

Modeling and handling

Since modeling SAP authorization concepts requires handling very large amounts of data, the software solution is based on a metaheuristic approach with evolutionary algorithms. Or to put it less scientifically: With the help of enormously high computing power, the system approaches the best solution through an interplay of variation and selection. Comparable to Robotic Process Automation (RPA), repetitive activities are automated at high speed and the behavior of human users is simulated. The result is the Authorization Robot. The tool offers enormous efficiency potential throughout the entire lifecycle of SAP authorization concepts, from initial development to ongoing maintenance.

Conventional versus automated: How does the virtual role consultant change authorization projects in practice? Step 1, the company analysis: Every authorization project starts with an analysis of the company structure and business processes. In conventional projects, this inventory is conducted in many meetings and workshops by interdisciplinary teams: SAP consultants work with internal SAP managers and the business departments to clarify the project scope and gather all relevant information and data. Among other things, existing authorizations are assessed, employee lists, job profiles, project lists and organizational charts are evaluated, relevant security and quality guidelines are identified and the actual use of SAP transactions is recorded.

Instead, up to four months of trace data from SAP transactions is collected as a database for automated authorization concepts - naturally in compliance with the German Data Protection Act (DSGVO) and in consultation with the works council. The number of meetings is reduced, the project ties up less internal capacity and requires fewer external consultant hours. Another advantage is that the database is significantly larger, which increases the quality of the authorization concept.

Step 2, role construction: Now it's time for the conceptual design: Based on the collected data and information, authorizations are bundled into roles. In conventional projects, role engineering is painstaking detail work that fills many tables: Which business or workstation roles need which rights to perform tasks smoothly? Which roles are allowed to view, enter, edit, delete data? Where are there separation-of-function conflicts or security-critical processes? Which naming conventions make sense? And which roles will be assigned to individual users in the end? 600 working hours for the role construction of an authorization concept with 1000 users is quite realistic. It is true that there are prefabricated standard templates. But authorization concepts are always very company-specific, so that individual adaptations and additions are usually always necessary.

Authorization Robot

The Authorization Robot shows its advantage in automated projects: It analyzes millions of tracing data with efficient matrix clustering methods that identify related departments, processes and patterns in the usage data and calculates complex concept proposals - faster and more accurately than any SAP consultant: Beta tests show a savings potential of over 90 percent of consultant hours and 30 percent of license costs, as well as an 80 percent reduction in project duration.

Individual goals or priorities can also be specified and flow into the calculations, aligned with parameters such as "License cost optimization" or "Maximum security level". The user interface of the virtual role advisor already visualizes the development of the various key figures in real time on the dashboard during the calculation process. The web technologies used enable a wide variety of intuitive visualization forms such as graph views, sunburst graphics or tree maps. Complex correlations and patterns are conveyed in a structured manner, from a compact overall view to granular details.

In conjunction with AI-supported modules, the virtual role advisor also acts intelligently, for example to generate comprehensible naming conventions for the roles: Which semantically meaningful name would a human assign to the respective role? This question is answered using machine learning methods. Among other things, neural networks draw on past projects to incorporate the experience of consultants and experts in the development of suitable naming conventions.

Step 3, validation: Regardless of whether it was developed conventionally or created automatically: The concept proposal is now validated by an SAP consultant, coordinated with the business units, and refined if necessary. After testing, the new authorization concept is ready for use. 

After the authorization concept is before the authorization concept, because no matter how good the initial concept was, uncontrolled growth quickly results if the rights of individual users, historically grown roles and the process landscape are not regularly checked and adjusted. The conventional, manual maintenance of authorization concepts no longer does justice to the speed and complexity of the real corporate world. The result is security gaps, compliance violations and expensive overlicensing. 

Although automation shows its full potential in initial role concepts, migrations and large redesign projects, the virtual role consultant also provides valuable support for regular maintenance or for selective tasks. Quick checks provide recommendations for targeted optimization - for example, unnecessary authorizations or security conflicts (SoD) - and preparation for audits or certifications such as PCI DSS is also more efficient and stress-free.

People and machine

SAP authorization concepts need SAP experts - also in the future. But the limited human resource must be used more efficiently so that the shortage of specialists does not lead to procrastination or half-hearted implementation of this highly sensitive security topic. Automation solutions such as the Authorization Robot are therefore no competition for IT departments or SAP consultants, but a useful relief. The virtual role consultant becomes a highly efficient colleague in the human-machine team and creates important freedom: for strategic consulting, for project management, for training and change support.