Redesigning SAP Authorizations with Pathlock Role Template

Many companies have developed their authorization structures organically over time. As a result, users have often been given broader authorization privileges than necessary for their everyday work. This can pose a serious threat to data availability, integrity, and system availability. Authorization managers are increasingly recognizing the need for action to minimize the risk of SAP security incidents. However, the reality is that many more IT incidents go unreported compared to those reported in published cases. Redesigning your SAP roles is an effective way to streamline security. In this article, you will learn how Pathlock’s role templates enable you to efficiently execute a role redesign project for improved SAP security.

The Challenge: Major Differences Between Target and Actual Authorization Assignments

An authorization concept is highly complex and subject to dynamic changes. What’s more, audits and collecting information about users and processes take a great deal of time. SAP system users must be analyzed and configured depending on whether they should be read-only or able to create and change information they have access to.

At the same time, the definition of roles in transaction PFCG is extremely time-intensive. As a result, we repeatedly see major discrepancies between the actual and target situations in practice. But there is a solution: using a tried and tested role template that lets you achieve optimal results in the long term with minimal effort. The selection of the right role template is a key factor here.

The Pathlock Role Template with Roles in a Modular Architecture

Pathlock provides individual roles tailored to the primary functions of SAP S/4HANA and SAP ERP. Upon receiving a role, you will receive a role menu that closely resembles the typical SAP menu structure, ensuring a familiar user experience for customers. The roles come with a standardized specification of the documentation structure in the role long text, ensuring that the documented roles meet audit requirements and aid the user departments’ understanding. This makes our roles an efficient and reliable choice for your SAP needs.

The role design is based on the principle of separation of duties (SoD). Due to different SoD requirements between companies, the final SoD review takes place in the customer concept, based on a defined set of rules. Pathlock makes it possible to perform this check in a very short time, ultimately reducing time-consuming, manual efforts.

Naming Conventions of Pathlock Template Roles

We adapt the naming conventions of our template roles to individual customers. They are defined to give you information on whether a role is for display or change, which SAP module it belongs to, and which process step it maps.

30 characters are available for the names of the individual roles, which are defined as follows:

• character: Y = Reference role (parent role)
• 2nd and 3rd characters: SAP module
• 4th character: Separator
• 5th character: C = Change role, D = Display role
• 6th character: Separator
• 7th to 12th characters: Organizational assignment (OrgSet)
• 13th position: Separator
• 14th to 30th characters: Function description

Benefits of Using Pathlock Role Templates

• 900 individual roles for all SAP modules are already available, which means you don’t have to go through the time-consuming process of designing and creating them yourself.
• The objects have been defined and restricted following best practices.
• Critical objects and transactions are separated into single roles.
• Mnemonic naming conventions are predefined, with flags for SAP module, access type, and process descriptions.
• Module authorizations are contained in module roles, which makes it easier to establish role and data ownership.
• All roles are free of generally applicable SoD risks.

Increased Time Savings, Cost Reductions, and Improved Transparency

With our role template, you benefit from enormous time savings, which will also be reflected in your project budget. At the same time, you can grant access authorizations according to the need-to-know principle, which means each user is only assigned the authorizations they need to perform their day-to-day work. By automating your SAP role generation, you can conserve valuable internal resources while guaranteeing the security of your data and systems.

Are you interested in optimizing and transforming your existing roles into a transparent role management structure? Get in touch with us today.