CONFIDENTIAL

Christian Wiegand – SAP ConsultingWalldorf, 2012

Automated Implementation of Role Concepts for SAP ERP

© 2011 SAP AG. All rights reserved. 2Confidential

Agenda

Introduction SAP Authorization Concepts and their Implementation

Method Automated Implementation of Role Concepts

Results Advantages and Planning

Introduction

© 2011 SAP AG. All rights reserved. 5Confidential

Customer ChallengeClassical approach vs. automated approach

AspectTraditional approach

(Workshop based)Automated approach

(Tool based)

Project duration:

External resources

Total

> 6 months

> 12 months

3 months

4 – 6 months

Approach:Workshop based,

manual/complex tasks

Automated approach

Review tasks

Costs:

External resources

Total

150 – 300 kEUR

200 – 400 kEUR

45 – 105 kEUR

70 – 160 kEUR

Quality issues• Lost transactions• Missing authorizations

after go-live

• No major quality issues

Major competitive advantages of automated approach

© 2011 SAP AG. All rights reserved. 7Confidential

Generic SAP ERP role contentSingle role concept / No functional redunanciesSegregating critical from non-critical functionsFunction oriented role concept

Segregation of Duty requirementsConsiders more than 297 access risks derived from the SAP BO Access Control (GRC) Solution

Tool supported approachAutomated solution to streamline the realizationRapid project results and short durations

Harmonized with Access ControlHarmonized with the functionality of SAP BO Access Control Solution

Global Service Owner:Christian Wiegand M.A.Dr. Philipp Knüsel

Service HighlightsAutomated Implementation of Role Concepts for SAP ERP

MethodAutomated Implementation of Role Concepts

© 2011 SAP AG. All rights reserved. 10Confidential

MethodologyAutomated Implementation of Role Concepts

Prepare SAP role proposals User-role assignmentFunctional and organizational description

of SAP best-practice role proposals

Transaction usage data

Phase II Phase III

CollaborationRules

Phase IV

I. II. III.

Generate SAP role proposals

Functional SAProle proposals

Review functionalrole proposals / Map Y/Z TCDs

Create SAPreference roles

Template todocument org.requirements

Maintain profilesof reference roles/ Define organi-zational sets

Create SAP derived roles

Phase I

Template / Tool Supported Template / Tool Supported Template / Tool Supported

IV.

Define user-roleassignment

Realize user-role assignment

Cust

om

er

Review transaction usage data

Review user-roleassignment

© 2011 SAP AG. All rights reserved. 11Confidential

Deliverables and Activities

TaskTime Line

Activities Deliverables

Analysis Remote

1 Day Export transaction usage data Transaction usage analysis

Workshop Onsite

1 Day Present transaction usage analysis to customer

Analysis Remote

2 Day Generate SAP role proposals SAP role proposals

Workshop Onsite

1 DayPresent functional SAP role proposals to

customer

Analysis Remote

2 DayRealization of functional reference roles on

customer SAP reference roles

Analysis Remote

1 DayCreate template to document organizational

requirements SAP organizational matrics

Analysis Remote

3 Day Create derived roles on customer system Realization of derived roles

Analysis Remote

4 DayCalculate SAP role assignment proposals /

Realization of user role assignmentsRealization of user role assignments

© 2011 SAP AG. All rights reserved. 12Confidential

Project Team

SAP project manager Serves as a central contact person, from project initiation to

go-live and support On the SAP side, responsible for functional project

management, coordination, support, and coaching of the customer’s project manager, and so on

SAP Security consultants (Front- / Back-Office) Responsible for implementation of the agreed scope for the

SAP AIRC solution

© 2011 SAP AG. All rights reserved. 13Confidential

MethodologyAutomated Implementation of Role Concepts

Phase I. Analysis of transaction usage:

Transaction usage per user

Analysis of transaction usage

© 2011 SAP AG. All rights reserved. 14Confidential

MethodologyAutomated Implementation of Role Concepts

Phase II. SAP best-practices Rollencatalogue

Naming convention

Role Description

Organizational Level

Role proposal

Licence Type

Functional Area

Module

SoD critical

© 2011 SAP AG. All rights reserved. 15Confidential

MethodologyAutomated Implementation of Role Concepts

Transaction usage linked to SAP best-practices roles

Phase II. Functional role specification

© 2011 SAP AG. All rights reserved. 16Confidential

AdvantagesAutomated Implementation of Role Concepts

Lower operation costs Lower implementation costs Reduced complexity

– Standardization– Less redundancies– Smaller number of roles

Aligned with SAP BO Access Control solution

Adaptable to customer requirements:

- Required roles

- Required transactions

- Organizational specification

Master roles for ERP business processes

Template basedapproach:

– High standardization– High re-usability

Compliance– SoD consideration

from scratch

Rapid implementation with pre-defined and adaptable tools

Automated realization of:- Required ERP roles- User-role assignment

Genera

lFl

exib

ility

Tem

pla

tes

Tools

Competitive Advantages based on SAP best-practices

SAP best-practices Role Design Approach has been successfully applied with

many customers