Role ownership survey

OttoGold
Active Contributor
0 Kudos

Hello ladies and gentlemen,

I would like to know if you (customer) or your customers use a role ownership (PFCG ABAP roles).

There is a field in AGR_DATEU for that, which was created before everybody went for GRC, so I don't think that one is used anywhere in ECC for example. But I still know many companies have established this "role ownership" and I would like to know how people do it out there in the wild.

Do you use Excel sheets for that? Do you have a custom table to store that information? Do you do role reviews, or role assignment reviews performed by the role owners? It is all connected and I have no idea if there is a mainstream solution widely spread, or if there are special tricks people use, so I thought I could ask you what you do.

Thanks,

cheers Otto

1 ACCEPTED SOLUTION

Former Member
0 Kudos

I have one customer who maintains a list of "requestable roles" in a custom table and there an owner is included. From their portal the users can see this catalogue of roles and request them (the request mails go to the owner).

I am sure there are a few similar solutions out there as it is quite simple and GRC CUP is basically the same principle.

So... is anyone doing it differently?

Cheers,

Julius

24 REPLIES


0 Kudos

In my organisation business people own the roles, and some owners are very knowledgeable, but sadly a few are not.

We have a role database that gives the owner for access and changes, and then specific authorisers for access and changes in case of staff being out of the office.

We use these in various workflow applications (all outside of SAP) to ensure role requests can be approved. Once a request is approved by a role owner, CUP-style checks are done - mainly via Virsa Compliance Calibrator (remember that!) - and risk-free requests are then provisioned.

The downside is having to maintain the database of information when people move on (upwards or out of the organisation) and ensuring everyone who has a role owner / approval responsibility actually takes the task seriously.

Would be better to try to have this in SAP, but with our external database, you can query this from the intranet, when requesting access.

martin_voros
Active Contributor
0 Kudos

Hi Otto,

every company has this role ownership established but some of them don't know about it. The worst case scenario (a common one) is that all roles are owned by IT. In this case you don't have to maintain ownership of the role. The best scenario is that almost all roles are owned by the business. As usual, there are many solutions but IMO the best suitable solution for this is IdM (I don't have too much experience with CUP but IdM seems to be more flexible). You even have the attribute MX_OWNER on the role entry to capture who owns this role. It's also pretty flexible. It can be a user, group or so on. You get out of the box provisioning audit. Hence you can easily perform an audit of role assignments.

BTW "everybody went for GRC" is a really strong claim. From my experience not everyone went to GRC.

Cheers

0 Kudos

> BTW "everybody went for GRC" is a really strong claim. From my experience not everyone went to GRC.

We do a lot of GRC work so our client base is well represented in that area, however I would be very surprised if there were >50% of UK companies using SAP that use a GRC tool.

Otto - a few clients have solutions similar to that Julius mentioned, although sometimes it's web-based. Others use spreadsheets or custom databases.

0 Kudos

> As usual, there are many solutions but IMO the best suitable solution for this is IdM (don't have too much experience with CUP but IdM seems to be more flexible).

Hi Martin, thanks for the suggestion. This would be cool for sure, but so many companies don't have IdM (and some of them won't have one for a long time). So I cannot accept it :)) If you say I exaggerate with GRC, I think your IdM is a similar kind of approach. Do you have a "solution" or experience from a company which uses ERP (or + portal)... something like PFCG only, but the company still employs a skilled security admin, so he knows what must be done...

By the way, my remark about GRC was caused by the fact that GRC offers a "solution" for my question. So if everybody really goes for GRC, there would be no need to ask this question, right? So I wonder how SME companies approach the situation, having no GRC, IdM etc.

> Otto - a few clients have solutions similar to that Julius mentioned, although sometimes it's web-based. Others use spreadsheets or custom databases.

Hi Alex, thanks for the confirmation. But could you add some more details? Without GRC or IdM, please.

Another way of asking my question is: why do companies establish role ownership? Why do they need it?

You mentioned that the role owner is involved in an "approval workflow" when somebody requests a role, right? Do companies really involve business users (the role owner) when a need to change the role arises, for example? Do the owners do the testing of roles? Do companies ask the role owners to review the assignment to users?

I know, I know, too much philosophy, but I think I know how this is supposed to work, but I don't have enough numbers or evidence to learn how other companies do that. And there is a difference between "best practice" (ideas above) and "real life" (which is often different).

Cheers Otto

0 Kudos

> Do companies really involve business users (the role owner) when a need to change the role arises for example? Do the owners do the testing of roles? Do companies ask the role owners to review the assignment to users?

Some business users may find that is too much to ask for....

I have seen two scenarios where the IT department owns all the technical roles and business users own all the end user roles. For technical roles it was very easy and we sorted all the things inside 4 walls. But for the business roles the owner only approves the functional spec, and after conversion to a technical spec it used to get another round of approval from the IT department. Testing goes to end users in the QA system and after things are OK, production migration must get another round of approval from the business role owner. Edited - here the owner relies on the end users.

One of them has their owners maintained in an Excel file. These people are in most cases from internal control. This process seems logical when audit comes around and they test a sample ticket and its flow until the production system.

Regards,

Arpan Paik

Edited by: P Arpan on Nov 14, 2011 3:45 PM

0 Kudos

> One of them has their owner maintained in excel file. These people are most of the cases from internal control. These process seems logical when audit comes around and they test sample ticket and their flow until production system.

Interesting point, Arpan. Auditors. Are auditors happy with Excel "owners"? I cannot imagine that.

All people here are experienced professionals, so I thought we can find an intersection between too much process overhead, too much custom development, too many licensing/ support/ consulting costs... How would you folks do the "lean" role ownage? Having ERP, SolMan, CRM, Portal... I don't know... but not IdM or GRC?

Thanks for the fruitful discussion, cheers Otto

0 Kudos

> Interesting point, Arpan. Auditors. Are auditors happy with Excel "owners"? I cannot imagine that.

Frequently yes. They will perform sample testing to ensure that the listed owners have approved any changes.

0 Kudos

> Another way of asking my question is: why do companies establish role ownership? Why do they need it?

They need to ensure that those with responsibility for processes and data certify the users who are able to perform (parts of) those processes and access that data. Generally role owners or approvers with delegated authority approve one or both of the user and the roles which they use to access that functionality and data.

> You mentioned that the role owner is involved in an "approval workflow" when somebody requests a role, right? Do companies really involve business users (the role owner) when a need to change the role arises, for example? Do the owners do the testing of roles? Do companies ask the role owners to review the assignment to users?

Very briefly, mostly, sometimes, yes

Most companies involve the business or their nominated representatives when a change to a role occurs. The roles are the method by which users interact with their processes and data, so it makes sense that they approve changes to how the interaction occurs, any controls in place etc. Of course, the real trick here is to ensure that the business understands what they are approving and the context in which they are approving this. Being able to communicate this is one of the hardest yet most important parts of the job!

Owners will sometimes test the roles but usually it will be someone nominated on their behalf.

Where joiner, mover, leaver processes are not good then access creep will happen. Over time users move jobs and their access isn't revoked. Temporary accesses are left permanently etc. User access review / recertification is an important control to monitor this. In the worst case users' access isn't removed, but if the owner of the process and / or data accepts the risk then that's fine. A good JML process will reduce the likelihood of this happening.

> I know, I know, too much philosophy, but I think I know how this is supposed to work, but I don't have enough numbers or evidence to learn how other companies do that. And there is a difference between "best practice" (ideas above) and "real life" (which is often different).

> Cheers Otto

Questions are always good, we should always ask why we are doing these things and challenge the "status quo".

0 Kudos

"Another way of asking my question is: why do companies establish role ownership? Why do they need it?

You mentioned that the role owner is involved in an "approval workflow" when somebody requests a role, right? Do companies really involve business users (the role owner) when a need to change the role arises, for example? Do the owners do the testing of roles? Do companies ask the role owners to review the assignment to users?

I know, I know, too much philosophy, but I think I know how this is supposed to work, but I don't have enough numbers or evidence to learn how other companies do that. And there is a difference between "best practice" (ideas above) and "real life" (which is often different).

Cheers Otto"

-(a) Why do they need it: In plain terms - you do not have Compliance Calibrator or RAR or the GRC compliance suite; still every company would like to ensure that SAP end users get the access which they need to have. So who determines who should get access to what and up to what level? As Martin said, the ideal scenario is that this responsibility should be with business process owners; those who are in charge of a certain department/process/plant/location etc. Only the technical roles, roles meant for administration, should be controlled through IT, and maybe techno-functional roles (access to both sides of t-codes and applications). This setup ensures that there are checks in place even when there are no SoDs or rule matrices in place.

-(b) Do companies really involve business users (the role owner) when a need to change the role arises for example? Do the owners do the testing of roles? Do companies ask the role owners to review the assignment to users? - In my opinion and as per my experience, in fact it's the business owners who drive forth the security setup of the organization in their respective areas. The business process owner, along with other owners as per the org chart/process setup across geographies, takes care of how to build security into the applications the customer is going to use. So the answer is that ideally all changes/initiation should and do come out from business process owners. And it's not a question of the company asking the role owner to review assignment of roles to end users, but rather, in live cases where GRC/IdM workflows are not there, before assignment of any access you need to check the role owner sheet, find the suitable role owner and then mail them, seek their approval, and only then can you assign the role to the user. So it's a bit more detailed than a review. Though I hope the chain of mails seeking approval becomes a thing of the past soon. Finally it's a question of the investment the client is willing to pay and how mature they are internally in terms of security processes. I hope you found something useful in this long message of mine.

Best Regards

Prashant

0 Kudos

Hi,

I agree that it's really hard to sell IdM. Other questions have been answered by other guys. Just always think about incentives. Who has the better incentive to maintain proper role assignment to users? Admin or business guy? I would say it should be the business guys because they are usually liable for what happens in the system.

Cheers

0 Kudos

Additionally it is very unfair on the poor basis guy to have to make business access decisions.

9 times out of 10 they get the better of you and you assign / build roles according to the principle of least resistance...

Role ownership is IMO the first key step in the right direction.

Cheers,

Julius

0 Kudos

Gold,

First of all, I'm glad for the feedback.

I've given an example with a critical transaction. I mean, the role owner could define critical actions that they would like to be informed about when some user performs such an action. The SPM module of GRC covers some of these ideas. I didn't mean to control every user movement; it's impossible to work without a sort of "trust" relationship.

Thank you very much indeed for your responses

Diego.

Former Member
0 Kudos

this is a great thread.

here at this weird company where I am at, they have a big Excel listing most roles, with a role owner. It gets reviewed and updated yearly. It is a terrible process. The role owners usually don't know what they "own" and rubberstamp every change requested, or they don't know the full effect on a business process of proposed changes. Some role owners are smart, but it's very rare. Especially in global regions where they have 1 or 2 role owners for everything, it's so stupid.

The best I've seen is my previous company where Functional Analyst teams (OTC, ATR, MTS, etc.) each had a security lead, who owns all roles for the area. The role naming convention embedded these area names in the role name. This person gathered any consent from the business, and it was mandatory for them to attend change meetings to represent the change. For cross-area roles, it was an informal discussion and one FA was picked to represent and approve the change. These roles got special attention at change approval meetings.

I think role ownership is a bad idea. Roles are just fragments of a bigger business process.

0 Kudos

> best i've seen is my previous company where Functional Analyst teams (OTC, ATR, MTS, etC) each had a security lead, who owns all roles for the area.

> I think role ownership is a bad idea. Roles are just fragments of a bigger business process.

I'm not sure I understand the distinction. You still have "ownership" in both of your scenarios, however the model of implementation is different.

0 Kudos

> For cross-area roles, it was an informal discussion and one FA was picked to represent and approve the change.

This is an interesting comment, as it requires data classification and ownership within the boundaries of single roles - to be able to build bigger and better ones which closely match the job function.

Does the role provide access to data which has a critical classification? If so, then (a) who owns those sets of data requiring approval to be included in the role and (b) who approves the assignments of the role knowing that they access the sets of data?

It is imaginable that for users from a certain job function or having a certain org-type attribute the process could be simplified, and for others it should be a significant hurdle if they have nothing to do with the role. In any organization bigger than a restaurant I cannot imagine this being done properly without a tool, some degree of automation and a rule set behind it.

> I think role ownership is a bad idea.

Did they plan spin-the-bottle to decide or what happened?

Cheers,

Julius

0 Kudos

Hi Experts,

I just want to give my opinion regarding this topic. I'm far from being an expert. I just picked one nice definition from this article (http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/80c094de-90aa-2910-02b8-e31a6f5ff0c2)

Business Process Owners (BPOs) - staff responsible for protecting the integrity of the information and processes supported by an IT system. BPOs are in charge of

- Identifying risk and/or approving controls for monitoring risks

- Approving remediation to address user access issues in the IT system

- Designing alternative controls to mitigate Segregation-of-Duties issues

- Communicating access assignments or role changes

Recommended by this note: 1593056

The concept of role owner should be connected with the concept of BPOs.

The BPO of the corresponding area (MM,IT,TR, etc.) could be the role owner of all the roles inside his/her area.

Example scenario: a user "A" changes the configuration of the client because he/she has the role "Z_CLIENT_ADMIN" assigned. Due to this change a fraud or a system damage occurs. Who should take over this situation? I think the role owner could, because he/she is responsible for the changes done with the transactions contained by the role (i.e. SCC4) and he/she also participated in the role assignment in some stage of the workflow.

Regards,

Diego.

0 Kudos

Hi Diego, thanks for the opinion.

I have a question for you. Let's say I have a company and I follow your approach.

If I am the boss and something happens and I blame the "process owner", I fire him. If nothing happens and this person does not perform (visibly perform) every day, then he should not be in the lead, right?

That means: if he is supposed to be responsible for every transaction in every role he "owns", he would have to spend all his working hours monitoring what people do with his roles... or not? It feels like he would not have time for real work, if you build this concept like this. Of course I exaggerate, I am known for it, but still, it feels that way.

So if I am that "owner" and still want to do some "real work", I would need a tool that would tell me everything about my roles and ESPECIALLY how people use (misuse) them. Although I am a developer I don't see a way (or don't have enough ideas) how to build such a tool. That would be like real-time real-life GRC (while GRC is pretty theoretical for me...).

That leads to a natural question. What would you do to survive if you were promoted to such a position?

I am not being sarcastic, it's just too strong an idea for me to digest...

Cheers Otto

0 Kudos

The "data owner" of SCC4 should be "basis team" in client '000' as it is not a "Business Process".

Client '066' should be deleted ideally (as user Earlywatch has this there as well). You also don't need to restrict the cost center reporting if user SAP* does not exist somewhere... (also "basis owned" unless not taken care of).

Etc.. (black box)... etc...

Problem solved IMO.

Now what is with the cost center reports? That is where the noise starts IMO.

- Do you want to ask each cost center owner about their requirements? (remember that they will not want their own controllers to see where they put petrol in their car and when!)

- Do you want to talk to higher management to decide on a policy (and company culture...) about cost centers?

--> You need to find the real data owner and decision maker (a relatively quick and efficient role build is possible) and not the hordes of people who will want to have something to say at the meetings (chances are good that you will never go live).

Cheers,

Julius

ps: However if you can use Analysis Authorizations in a clever extracted way and defer the folks from the meetings to the portal, then a consultant or developer probably owns the process...

0 Kudos

> That means: if he is supposed to be responsible for every transaction in every role he "owns", he would have to spend all his working hours monitoring what people do with his roles... or not? It feels like he would not have time for real work, if you build this concept like this. Of course I exaggerate, I am known for it, but still, it feels that way.

I don't see that as being any different to all the other "everyday" activities which people perform. A manager can't monitor all the phone calls of people in their department as it would be impossible to track. A phone call can cause havoc that a malicious PO or refund cannot if there are the right controls in place.

This is where security must be put in context. We have owners of business processes who identify the risks and the controls they feel mitigate them to an acceptable level (or they just accept them). The trick is to be able to successfully articulate what a role does in the context in which it is being used.

"Running FB01 for company code 1000" means much less than "post a manual journal entry for the head office". This is another argument for the "job role" approach - either physically represented by 1 role or as a virtual construct.

A manager will know what their staff jobs are and they should do what they need to do to gain assurance that their teams can do what they are supposed to do in the system which supports their business processes.

Cheers

0 Kudos

Hi

Role ownership is a hinterland (is that the correct word?) where role owners rely on security to help guide them in their decisions (permissions/ account types yadayada). The roles (job/composite/etc.) are dynamic and need constant review to keep them in check (IMO).

A spreadsheet/matrix of what users/user groups should do is a nice to have in a clearly defined org with set business processes but, in reality, it's a bxxxh to follow quickly in admin when you get the 'but they also need to.. in their old job'

Cheers

David

Can't spell BXXXh

Edited by: David Berry on Nov 28, 2011 12:27 AM

Former Member
0 Kudos

Here's a question -

We keep getting IdM vendor sales folks in here who tout that their product will allow BPOs the ability to make changes to roles themselves, like adding a transaction or an authorization object. That has always sounded like a disaster waiting to happen to me. Has anyone implemented this? And did disaster ensue?

0 Kudos

Hi, from the sustainability and overall perspective, IdM is much better than CUA for example.

On the other hand we know very little about your company/ situation to be able to answer your question. I am not sure if every company is big enough so that an IdM implementation makes sense...?

Anyway... my question was less about implementing a new tool (IdM), which is often difficult to justify in hard times. Also good "paper" practice can tell a lot about what tools could help or destroy the system.

Cheers Otto

0 Kudos

Hi,

if you want to install IdM just as a replacement for CUA then you can do it pretty quickly with the SAP Provisioning Framework. You don't get any extra benefits but at least you have a good foundation that you can build on top of. You will need some new boxes though.

Cheers