SAP Security roles cleanup

mansipujari

Hi,

I am filling in for someone from SAP security in my team, and my first assignment is to do a security role cleanup. We have thousands of single roles (no composites in our system), and some of them are obsolete and can be removed without too much thinking involved. But how do we go about achieving a 'lean methodology' in security role management? Our intention is to have fewer roles than today and get ready for the S4 HANA transition. We also want to take a fresh look at SoDs.

I would appreciate access to any SAP documentation. Any pointers are also welcome: with the S4 HANA transition planned, should we consider some perspectives along those lines?


former_member612251

My advice would be to meet and sit down with the project managers who will be implementing S4. The best way of achieving a lean security build methodology would be to get the project teams to map their business processes with the relevant Fiori apps and Tcodes. Only then can you design some nice, clean and compliant Comp roles or, even better, specifically designed derived roles for the processes that are mapped. Trying to shoehorn already existing ECC processes/roles into new roles for S4 can work, but it would usually mean more SoDs and cleanup whilst you start running the GRC analysis. The key is to get the business to agree to map their processes and to map those processes to the relevant Access Apps/Tcodes.
Good Luck.

marco_hammel2

Hi Mansi,

With the number of single roles you describe, I propose to conduct a role consolidation project. The results can be beneficial for the S/4HANA transformation. The aim is to identify roles with significant overlap. For example, by:

- evaluating usage logs in production or of role test users in the test system

- comparison of AGR1251 to identify similar roles by the authorizations data

Also, you can find 3rd party add-on solutions to support simulation features and similar.

It's important to improve the role documentation during consolidation. In my experience, with a role consolidation, many customers can reduce the number of roles by 20%+ without creating additional SoD or critical authorization threats.

BR

Marco
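The authorization-data comparison suggested above can be sketched offline as follows. This is an added example, not part of the original posts and not an SAP tool. It assumes the role authorization table (AGR_1251) has been exported to CSV with its AGR_NAME, OBJECT, FIELD, LOW, HIGH and DELETED columns; the role names, sample rows and the 0.5 threshold are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from itertools import combinations

# Constructed sample rows, not real data. Column names follow table AGR_1251;
# the CSV layout is an assumption about how the table was downloaded.
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_AP_CLERK_1000,S_TCODE,TCD,FB60,,
Z_AP_CLERK_1000,S_TCODE,TCD,FB03,,
Z_AP_CLERK_1000,S_TCODE,TCD,F110,,X
Z_AP_CLERK_1000,F_BKPF_BUK,ACTVT,01,,
Z_AP_CLERK_1000,F_BKPF_BUK,ACTVT,03,,
Z_AP_CLERK_1000,F_BKPF_BUK,BUKRS,1000,,
Z_AP_CLERK_2000,S_TCODE,TCD,FB60,,
Z_AP_CLERK_2000,S_TCODE,TCD,FB03,,
Z_AP_CLERK_2000,F_BKPF_BUK,ACTVT,01,,
Z_AP_CLERK_2000,F_BKPF_BUK,ACTVT,03,,
Z_AP_CLERK_2000,F_BKPF_BUK,BUKRS,2000,,
Z_AP_DISPLAY,S_TCODE,TCD,FB03,,
Z_AP_DISPLAY,F_BKPF_BUK,ACTVT,03,,
Z_AP_DISPLAY,F_BKPF_BUK,BUKRS,1000,,
"""

def load_roles(export_text):
    """Map each role to its set of active (OBJECT, FIELD, LOW, HIGH) rows."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["DELETED"].strip():  # skip authorizations flagged as deleted
            continue
        roles[row["AGR_NAME"]].add(
            (row["OBJECT"], row["FIELD"], row["LOW"].strip(), row["HIGH"].strip()))
    return dict(roles)

def similar_roles(roles, threshold=0.5):
    """Return (jaccard, role_a, role_b, only_in_a, only_in_b), best match first."""
    results = []
    for a, b in combinations(sorted(roles), 2):
        union = roles[a] | roles[b]
        score = len(roles[a] & roles[b]) / len(union) if union else 0.0
        if score >= threshold:
            results.append((round(score, 2), a, b,
                            sorted(roles[a] - roles[b]), sorted(roles[b] - roles[a])))
    return sorted(results, key=lambda r: -r[0])

if __name__ == "__main__":
    for score, a, b, only_a, only_b in similar_roles(load_roles(SAMPLE_EXPORT)):
        print(f"{score:.2f}  {a} vs {b}  only_a={only_a}  only_b={only_b}")
```

A pair that differs only in an organizational value such as BUKRS is a candidate for one master role with derived roles. Matching rows alone do not prove equal access, because the script pools field values per object across authorizations, so review the listed differences and rerun the SoD analysis before merging.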
