There are cases in which 10,000 SAP users are managed by two or three people (perhaps not even full-time).
In other, similar or smaller cases, a team of 15 full-time people fails to keep up with the demand.
How is this possible? Let's try to analyze the likely causes and some possible solutions.
1. User management
It is statistically known (Gartner) that more than 40% of the requests reaching user administrators (Help Desk) concern password resets and user unlocks. Some examples:
- Return from vacation
- Return after a long period of absence
- Too many passwords to remember, too many systems
- Other cases
Not everything can always be automated, for a variety of reasons. Unless there are contraindications, adopting a self-service password reset or Single Sign-On system can substantially reduce the number of calls of this type.
2. Management of de facto user roles
Although SAP provides a way to manage authorizations through roles, how much you benefit from the system's native functionality depends on how those roles are organized. An RBAC (Role Based Access Control) model can be defined in many ways, some correct and others less so.
If I have 1,000 users and more than 40% as many professional figures (job profiles), I probably have the problem of too many roles.
Another, more technical reason is the failure to use the features SAP already offers, as mentioned above. For example, assigning single (simple) roles directly to users instead of through composite (collective) roles.
3. Non-use of SAP standard tools
Which SAP tools save time and improve governance? Let's look at some of them:
- A good naming convention for roles
  - This accounts for 80% of the success of an authorization concept.
- The use of composite (collective) roles
  - These are used to model corporate jobs, job roles or professional figures.
- The use of derived roles
  - These manage the segregation of organizational data (company, division, sales organization, etc.).
  - Example: one role works only for company 1, while another (also derived from the same parent role) works for company 2.
- Do you use transaction SU24? It links authorization objects to transactions and is essential for definitively resolving recurring authorization errors.
- Avoid custom authorization checks (via supporting tables or otherwise).
- Do you have a language that both ICT and business staff understand? A good role naming convention and an appropriate authorization model can solve this problem.
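The checks from sections 2 and 3 (roles versus job profiles, direct single-role assignments, derived roles under one parent, naming convention) can be automated over exports of the SAP role tables. The following is an added example, not code from the original post or from Aglea: it runs over constructed sample rows shaped like SE16 exports of AGR_DEFINE (role and parent), AGR_AGRS (composite to single role) and AGR_USERS (role to user), and the naming convention `<SYS>_<TYPE>_<AREA>...` with TYPE S/C/D is a hypothetical one chosen for the example.

```python
"""Role-governance checks over (constructed) exports of SAP role tables.

Added example; table shapes are simplified dict views of AGR_DEFINE,
AGR_AGRS and AGR_USERS, and the naming convention is hypothetical.
"""
import re
from collections import defaultdict

# Hypothetical naming convention: <SYS>_<TYPE>_<AREA>[_<ORG>...]
# TYPE: S = single role, C = composite role, D = derived role
ROLE_NAME_RE = re.compile(r"^[A-Z0-9]{2,4}_[SCD](_[A-Z0-9]+)+$")

# Constructed sample data (not a real system export).
# AGR_DEFINE: role name -> parent role ("" when the role is not derived)
AGR_DEFINE = {
    "ERP_S_FI_AP_MASTER": "",                    # master single role
    "ERP_D_FI_AP_1000": "ERP_S_FI_AP_MASTER",    # derived for company code 1000
    "ERP_D_FI_AP_2000": "ERP_S_FI_AP_MASTER",    # derived for company code 2000
    "ERP_S_FI_GL_DISPLAY": "",
    "ERP_C_FI_ACCOUNTANT_1000": "",              # composite job role
    "Z_OLD_ACCOUNTING": "",                      # legacy name, breaks the convention
}
# AGR_AGRS: composite role -> single roles it contains
AGR_AGRS = {
    "ERP_C_FI_ACCOUNTANT_1000": ["ERP_D_FI_AP_1000", "ERP_S_FI_GL_DISPLAY"],
}
# AGR_USERS: role -> users holding it directly
AGR_USERS = {
    "ERP_C_FI_ACCOUNTANT_1000": ["ALICE", "BOB"],
    "ERP_S_FI_GL_DISPLAY": ["CAROL"],            # single role assigned directly
    "Z_OLD_ACCOUNTING": ["DAVE"],
}

JOB_PROFILE_THRESHOLD = 0.40  # the post's "more than 40% professional figures" warning


def naming_violations(agr_define):
    """Roles whose name does not follow the convention."""
    return sorted(r for r in agr_define if not ROLE_NAME_RE.match(r))


def type_mismatches(agr_define, agr_agrs):
    """Roles whose TYPE letter disagrees with what the tables say they are."""
    out = []
    for role, parent in agr_define.items():
        parts = role.split("_")
        declared = parts[1] if len(parts) > 1 else "?"
        expected = "C" if role in agr_agrs else ("D" if parent else "S")
        if declared != expected:
            out.append((role, declared, expected))
    return sorted(out)


def direct_single_assignments(agr_agrs, agr_users):
    """(user, role) pairs where a non-composite role is assigned directly."""
    out = []
    for role, users in agr_users.items():
        if role not in agr_agrs:
            out.extend((u, role) for u in users)
    return sorted(out)


def derived_roles_by_master(agr_define):
    """Map each parent (master) role to the derived roles built from it."""
    tree = defaultdict(list)
    for role, parent in agr_define.items():
        if parent:
            tree[parent].append(role)
    return {k: sorted(v) for k, v in tree.items()}


def job_profile_ratio(agr_agrs, agr_users):
    """Composite (job) roles per user; above the threshold suggests role sprawl."""
    users = {u for us in agr_users.values() for u in us}
    return len(agr_agrs) / len(users) if users else 0.0


def governance_report(agr_define, agr_agrs, agr_users):
    ratio = job_profile_ratio(agr_agrs, agr_users)
    return {
        "naming_violations": naming_violations(agr_define),
        "type_mismatches": type_mismatches(agr_define, agr_agrs),
        "direct_single_assignments": direct_single_assignments(agr_agrs, agr_users),
        "derived_by_master": derived_roles_by_master(agr_define),
        "job_profile_ratio": ratio,
        "too_many_job_roles": ratio > JOB_PROFILE_THRESHOLD,
    }


if __name__ == "__main__":
    for key, value in governance_report(AGR_DEFINE, AGR_AGRS, AGR_USERS).items():
        print(f"{key}: {value}")
```

On a real system the three dicts would be built from SE16 exports of the same tables; the checks themselves are the ones the post recommends as governance hygiene, and the findings (a directly assigned single role, a legacy name) are exactly what makes a role landscape expensive to administer.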
Blog post translated from the original: https://www.aglea.com/blog/3-consigli-pronti-alluso.-riduci-i-costi-di-gestione-sap-security