With the auditor breathing down their necks and the SAP audit always looming, companies invest plenty of time and money in their license and authorisation management. The resource commitment is huge and, more often than not, a guarantee of unwanted grey hair among Compliance Managers.
How can roles involved in running a business be depicted at the technical level? Which criteria should apply when issuing authorisations? Clearly, people look to see what the user is expected to be permitted to do and able to do, but also what that person is already processing in SAP.
What commitment of resources is behind this? Here’s an example: our exemplary team member, Michael from the Authorisations team, first looks into ST03N. There he finds out which transactions SAP user X has used in SAP system Y.
He’ll do this in about two minutes – after all he’s rather good at it. And intelligent too. That is why he also recognises straightaway, based on the transactions used, which license needs to be allocated to that user.
This takes a little longer, though; he might need four minutes for it. He then switches quickly to SU01 and enters the license that he has worked out (or rather guessed?). This is all so quick that we can forget the amount of time involved.
But, as you might guess, User X is also active in SAP systems A, B, and C, etc. So the game starts over from the beginning. And because Michael also wants to know what result the LAW will later produce, he uses the licenses defined in the various systems to work out the single license ultimately required, the one for which a charge can be billed.
Did I mention that Michael is, er, pretty quick? This is all done in two minutes. So, bottom-line, per user and per SAP system he needs eight minutes. However, the firm has 4,500 SAP users on five different systems, i.e. eight minutes x 4,500 users x five systems. So, assuming an eight-hour day, this will keep Michael busy for 375 days, no problem at all. So you see the point: this just ain’t gonna work.
The year only has 365 days. So you easily find yourself needing a team of three to five people; after all, up to this point nobody has even been able to cast a glance at the authorisations. The defined roles must be structured according to compliance requirements and must be issued correctly.
Critical combinations must be recognised and prevented from the outset. So the overall view is needed. And then the team always needs to be one step ahead of the game, permanently recognising where authorisations are expiring or where they have been too eagerly or hastily issued.
At the end, the specialist departments are supposed to be in a position to issue the correct authorisations autonomously. All these processes demand a great deal of knowledge input. If one team member leaves, resources soon get tight in terms of manpower and expertise.
So it is no surprise that companies are seriously interested in a software solution for managing their licensing and authorisation affairs. If you then comply with the following Ten Commandments, this soon becomes a plan that really works.