2023 Feb 28 6:04 AM
Hi,
I am filling in for someone from SAP security in my team and my first assignment is to do security role cleanup. We have thousands of single roles (no composites in our system) and some of them are obsolete and can be removed without too much thinking involved. But how to go about achieving a 'lean methodology' in security role management? Our intention is to have fewer roles than today and get ready for the S4 HANA transition. We also want to take a fresh look at SoDs.
I'd appreciate it if I can get access to any SAP documentation. Also, any pointers are welcome: with the S4 HANA transition planned, should we consider some perspectives along those lines?
2023 Mar 11 8:08 PM
My advice would be to meet and sit down with the project managers who will be implementing S4. The best way of achieving a lean security build methodology would be to get the project teams to map their business processes with the relevant Fiori apps and Tcodes. Only then can you design some nice, clean and compliant Comp roles or, even better again, specifically designed derived roles for the processes that are mapped. Trying to shoehorn already existing ECC processes/roles into new roles for S4 can work, but it would usually mean more SoDs and clean-up whilst you start running the GRC analysis. The key is to get the business to agree to map their processes and to map those processes to the relevant Access Apps/Tcodes.
Good Luck.
2023 Mar 12 3:05 PM
Hi Mansi,
With the number of single roles you describe, I propose to conduct a role consolidation project. The results can be beneficial for the S/4HANA transformation. The aim is to identify roles with significant overlap. For example, by:
- evaluating usage logs in production or of role test users in the test system
- comparing AGR1251 to identify similar roles by their authorization data
Also, you can find 3rd party add-on solutions to support simulation features and similar.
It's important to improve the role documentation during consolidation. In my experience with role consolidation, many customers can reduce the number of roles by 20%+ without creating additional SoD or critical authorization threats.
BR
Marco
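Marco's second bullet, comparing AGR1251 to find roles with overlapping authorization data, as an added example that is not part of the post and not an SAP tool: it reads a constructed, semicolon-separated AGR1251 export (SE16 to spreadsheet; the column subset, role names and values are all constructed), skips rows flagged DELETED, and scores each pair of roles by Jaccard overlap of their (object, field, low, high) values, flagging roles whose values are fully contained in another role.

```python
import csv
import io
from itertools import combinations

# Constructed sample of an AGR1251 export (SE16 -> spreadsheet, ';' separated), kept
# to the columns this analysis needs; a real export has more (MANDT, COUNTER, ...).
SAMPLE_AGR1251 = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH;DELETED
Z_FI_AP_CLERK;S_TCODE;T-0001;TCD;FB60;;
Z_FI_AP_CLERK;S_TCODE;T-0001;TCD;FB65;;
Z_FI_AP_CLERK;F_BKPF_BUK;T-0002;ACTVT;01;;
Z_FI_AP_CLERK;F_BKPF_BUK;T-0002;BUKRS;1000;;
Z_FI_AP_CLERK_OLD;S_TCODE;T-0001;TCD;FB60;;
Z_FI_AP_CLERK_OLD;F_BKPF_BUK;T-0002;ACTVT;01;;
Z_FI_AP_CLERK_OLD;F_BKPF_BUK;T-0002;BUKRS;1000;;
Z_FI_AP_CLERK_OLD;F_BKPF_BUK;T-0002;BUKRS;2000;;X
Z_MM_PO_DISPLAY;S_TCODE;T-0001;TCD;ME23N;;
Z_MM_PO_DISPLAY;M_BEST_BSA;T-0002;ACTVT;03;;
"""

def load_auth_values(export_text):
    """Map each role to the set of (object, field, low, high) values it grants.
    Rows flagged DELETED = 'X' are no longer active in the role and are skipped.
    Values are flattened across authorization instances (AUTH): an approximation,
    since two roles with equal flat sets may still group the values differently."""
    roles = {}
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        if row["DELETED"].strip() == "X":
            continue
        key = (row["OBJECT"], row["FIELD"], row["LOW"], row["HIGH"])
        roles.setdefault(row["AGR_NAME"], set()).add(key)
    return roles

def jaccard(a, b):
    """Overlap of two value sets: 1.0 = identical, 0.0 = nothing in common."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def compare_roles(roles, threshold=0.7):
    """(role_a, role_b, similarity, relation) for pairs at or above the threshold,
    most similar first; 'subset' means role_a grants nothing beyond role_b."""
    results = []
    for a, b in combinations(sorted(roles), 2):
        sim = jaccard(roles[a], roles[b])
        if sim < threshold:
            continue
        if roles[b] < roles[a]:  # list the contained role first
            a, b = b, a
        relation = ("identical" if roles[a] == roles[b]
                    else "subset" if roles[a] < roles[b] else "overlap")
        results.append((a, b, round(sim, 3), relation))
    return sorted(results, key=lambda r: r[2], reverse=True)
```

A 'subset' hit is only a candidate: before retiring the contained role, check the user assignments and run the SoD analysis on the surviving role, since the merged role still has to stay clean.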