Set in stone: save resources in SAP license and authorization management.
The fear of security gaps and data leaks is costing more and more IT personnel their sleep at night. Sensitive corporate data needs to be protected by using sophisticated authorisation concepts. Peter Rattey from Voquz sums up the 10 commandments for SAP License & Authorization Management to save you time and money.
With the auditor breathing down their necks and constantly facing the SAP Audit, companies invest plenty of time and money in their license and authorisation management. The resource commitment is huge and is usually also a guarantee of unwanted grey hair among Compliance Managers.
How can the roles involved in running a business be depicted at the technical level? Which criteria should apply when issuing authorisations? Clearly, people look at what the user is expected to be permitted and able to do, but also at what that person is already processing in SAP.
What commitment of resources is behind this? Here’s an example: our exemplary team member, Michael from the Authorisations team, looks firstly into ST03N. There he finds out which transactions SAP user X has used in SAP system Y.
He’ll do this in about two minutes – after all he’s rather good at it. And intelligent too. That is why he also recognises straightaway, based on the transactions used, which license needs to be allocated to that user.
Yet this demands a little longer – he might need four minutes for this. He switches quickly into the SU01, entering there the license that he has worked out (or rather guessed?). This was all so quick that we can forget the amount of time involved.
But – as you might guess – User X is also involved in the SAP systems A, B, and C, etc. The game resumes from its starting-point. And because Michael also wants to know what result the LAW will later produce, he uses the licenses defined in the various systems to form the ultimate license required, for which a charge can be billed.
Did I mention that Michael is, er, pretty quick? This is all done in two minutes. So, bottom-line, per user and per SAP system he needs eight minutes. However, the firm has 4,500 SAP users on five different systems, i.e. eight minutes x 4,500 users x five systems. So, assuming an eight-hour day, this will keep Michael busy for 375 days, no problem at all. So you see the point: this just ain’t gonna work.
The year only has 365 days. So you find yourself easily needing a team of three to five people; after all, up to then nobody has been able to cast a glance at the authorisations. The defined roles must be structured according to compliance requirements and must be issued correctly.
Critical combinations must be recognised and prevented from the outset. So the overall view is needed. And then the team always needs to be one step ahead of the game, permanently recognising where authorisations are expiring or where they have been too eagerly or hastily issued.
At the end, the specialist departments are supposed to be in a position to issue the correct authorisations autonomously. All these processes demand a great deal of knowledge input. If one team member leaves, resources soon get tight in terms of manpower and expertise.
So it is no surprise that companies are seriously interested in a software solution for managing their licensing and authorisation affairs. If you then comply with the following Ten Commandments, this soon becomes a plan that really works:
1. The issuing of a license must be transparent and the decision-making process traceable; it must stand up to SAP Audit scrutiny and must be accounts-audit-friendly.
2. Named-user licenses are automatically adapted if the task area is changed.
3. The conditions stated in the SAP List of Prices and Conditions are always entered into the system and kept right up-to-date.
4. Further costs generated by engines and packages are established and visualised in a transparent way.
5. SAP authorisations are issued automatically and according to compliance requirements.
6. The two-pairs-of-eyes principle, where the technical department and the specialist department are both involved, is put into practice in a way that is comprehensible and can be robustly justified to all parties involved.
7. SAP users can administer themselves in accordance with the company's rules.
8. Critical combinations are automatically prevented.
9. Authorisations are permanently checked to ensure that they are up-to-date; they are automatically adapted.
10. Authorisation concepts are automatically adapted according to the authorisations used.