The global and independent platform for the SAP community.

The virtual SAP role consultant

SAP implementations, migrations to S/4, or preparation for audits and compliance certifications: SAP experts are well utilized, often overworked. The topic of authorization concepts is also on many to-do lists - unloved, but indispensable.
Philipp Latini, Sivis
20 July 2023
avatar
This text has been automatically translated from German to English.

Relief through authorization concepts 2.0

The authorization concept is too lengthy, too complex, too expensive, many companies find. At the same time, however, no company can afford to sit out outdated authorization concepts or to plan the go-live generously with "SAP_ALL". The economic and security risks of errors, data misuse and oversized license packages are too great if everyone is allowed to do everything.

But the shortage of specialists is increasingly becoming the limiting factor for good, audit-proof authorization concepts. SAP specialists - both internal IT staff and external SAP consultants - are among the most sought-after experts in the IT labor market. "Worth their weight in gold" was the headline of an article in the Handelsblatt newspaper, putting the tight situation in a nutshell. Modern technologies can help cushion this gap. 

Run Analysis Dashboard: The Run Analysis Dashboard displays and compares the various calculated concepts with their KPIs (e.g., number of roles, compliance score, number of deviations). Based on these different KPIs, the user can select the appropriate concept for his company. In addition, the KPIs of different concepts can be compared with each other in a radar chart. Image source: Sivis GmbH.

There are now numerous tools on the market that reduce the administrative effort for authorization management and thus accelerate subtasks. But the primary bottleneck remains: Role building is still a "human task" that ties up hundreds of man-hours and requires a lot of know-how. The big hit can therefore only come from intelligent automation - with solutions that not only relieve the time burden, but also enable interaction between people and machines. This is where the world's first virtual role consultant comes in: Automated Role Mining is used to automatically create or optimize complex concept proposals for individual and collective roles.

Modeling and handling

Since modeling SAP authorization concepts requires handling very large amounts of data, the software solution is based on a metaheuristic approach with evolutionary algorithms. Or to put it less scientifically: With the help of enormously high computing power, the system approaches the best solution through an interplay of variation and selection. Comparable to Robotic Process Automation (RPA), repetitive activities are automated at high speed and the behavior of human users is simulated. The result is the Authorization Robot. The tool offers enormous efficiency potential throughout the entire lifecycle of SAP authorization concepts, from initial development to ongoing maintenance.

Conventional versus automated: How does the virtual role consultant change authorization projects in practice? Step 1, the company analysis: Every authorization project starts with an analysis of the company structure and business processes. In conventional projects, this inventory is conducted in many meetings and workshops by interdisciplinary teams: SAP consultants work with internal SAP managers and the business departments to clarify the project scope and gather all relevant information and data. Among other things, existing authorizations are assessed, employee lists, job profiles, project lists and organizational charts are evaluated, relevant security and quality guidelines are identified and the actual use of SAP transactions is recorded.

Potential benefits and gains of an automated approach.

Instead, up to four months of trace data from SAP transactions is collected as a database for automated authorization concepts - naturally in compliance with the German Data Protection Act (DSGVO) and in consultation with the works council. The number of meetings is reduced, the project ties up less internal capacity and requires fewer external consultant hours. Another advantage is that the database is significantly larger, which increases the quality of the authorization concept.

Step 2, role construction: Now it's time for the conceptual design: Based on the collected data and information, authorizations are bundled into roles. In conventional projects, role engineering is painstaking detail work that fills many tables: Which business or workstation roles need which rights to perform tasks smoothly? Which roles are allowed to view, enter, edit, delete data? Where are there separation-of-function conflicts or security-critical processes? Which naming conventions make sense? And which roles will be assigned to individual users in the end? 600 working hours for the role construction of an authorization concept with 1000 users is quite realistic. It is true that there are prefabricated standard templates. But authorization concepts are always very company-specific, so that individual adaptations and additions are usually always necessary.

Authorization Robot

The Authorization Robot shows its advantage in automated projects: It analyzes millions of tracing data with efficient matrix clustering methods that identify related departments, processes and patterns in the usage data and calculates complex concept proposals - faster and more accurately than any SAP consultant: Beta tests show a savings potential of over 90 percent of consultant hours and 30 percent of license costs, as well as an 80 percent reduction in project duration.

Individual goals or priorities can also be specified and flow into the calculations, aligned with parameters such as "License cost optimization" or "Maximum security level". The user interface of the virtual role advisor already visualizes the development of the various key figures in real time on the dashboard during the calculation process. The web technologies used enable a wide variety of intuitive visualization forms such as graph views, sunburst graphics or tree maps. Complex correlations and patterns are conveyed in a structured manner, from a compact overall view to granular details.

In conjunction with AI-supported modules, the virtual role advisor also acts intelligently, for example to generate comprehensible naming conventions for the roles: Which semantically meaningful name would a human assign to the respective role? This question is answered using machine learning methods. Among other things, neural networks draw on past projects to incorporate the experience of consultants and experts in the development of suitable naming conventions.

Step 3, validation: Regardless of whether it was developed conventionally or created automatically: The concept proposal is now validated by an SAP consultant, coordinated with the business units, and refined if necessary. After testing, the new authorization concept is ready for use. 

After the authorization concept is before the authorization concept, because no matter how good the initial concept was, uncontrolled growth quickly results if the rights of individual users, historically grown roles and the process landscape are not regularly checked and adjusted. The conventional, manual maintenance of authorization concepts no longer does justice to the speed and complexity of the real corporate world. The result is security gaps, compliance violations and expensive overlicensing. 

The detailed views of the calculated roles provide a compact and detailed overview of their contents. This includes the role name, the KPIs of the role, transactions and services contained in the role, from which module they originate and a short description of the applications. Image source: Sivis GmbH.

Although automation shows its full potential in initial role concepts, migrations and large redesign projects, the virtual role consultant also provides valuable support for regular maintenance or for selective tasks. Quick checks provide recommendations for targeted optimization - for example, unnecessary authorizations or security conflicts (SoD) - and preparation for audits or certifications such as PCI DSS is also more efficient and stress-free.

People and machine

SAP authorization concepts need SAP experts - also in the future. But the limited human resource must be used more efficiently so that the shortage of specialists does not lead to procrastination or half-hearted implementation of this highly sensitive security topic. Automation solutions such as the Authorization Robot are therefore no competition for IT departments or SAP consultants, but a useful relief. The virtual role consultant becomes a highly efficient colleague in the human-machine team and creates important freedom: for strategic consulting, for project management, for training and change support.

https://e3mag.com/partners/sivis-gmbh/
avatar
Philipp Latini, Sivis

Philipp Latini is Managing Director at Sivis. The company specializes in software for authorization management, user administration and compliance. Before Philipp Latini took over the position as CEO in 2020, the IT systems businessman initially worked as Sales Manager and Head of Consulting at Sivis.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024

Venue

Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT

Venue

Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024

Tickets

Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.