Improve security by redesigning your SAP authorizations – the right role template can save you time and money

The authorization structures at many companies have grown organically. Over the course of time, users have often been granted wider authorization privileges than they actually need for their everyday work. As a result, data availability and integrity, as well as system availability, can be critically endangered. Authorization managers see an increasing need for action to minimize the risk of SAP security incidents. After all, far more IT incidents remain unreported than are ever published.


The challenge: major differences between target and actual authorization assignments

An authorization concept is highly complex and subject to dynamic changes. What’s more, audits and collecting information about users and processes take a great deal of time. SAP system users must be analyzed and configured depending on whether they should be read-only or also be able to create and change this information. At the same time, the definition of roles in transaction PFCG is extremely time-intensive. As a result, we repeatedly see major differences between the actual and target situations in practice. But a remedy is at hand: using a tried and tested role template that lets you achieve optimal results in the long term with a minimum of effort. The selection of the right role template is a key factor here.

The SAST SUITE role template with roles in a modular architecture

We provide the single roles that cover the major functions of SAP S/4HANA and SAP ERP. You get a role menu whose structure is usually similar to that of the SAP menu. The roles are delivered with a standardized specification of the documentation structure in the role long text. This means the documented roles also meet audit requirements and aid the comprehension of the user departments.

The role design is based on the principle of separation of duties (SoD). Due to different SoD requirements between companies, the final SoD review takes place in the customer concept, based on a defined set of rules. Our SAST SUITE and the features of Identity & User Access Management make it possible to perform this check in a very short time. 

Naming conventions of the SAST SUITE template roles

We adapt the naming conventions of our template roles to individual customers. They are defined to give you information as to whether a role is for display or change, which SAP module it belongs to, and which process step it maps.


30 characters are available for the names of the individual roles, which are defined as follows:

  • 1st character: Y = Reference role (parent role)
  • 2nd and 3rd characters: SAP module
  • 4th character: Separator
  • 5th character: C = Change role, D = Display role
  • 6th character: Separator
  • 7th to 12th characters: Organizational assignment (OrgSet)
  • 13th position: Separator
  • 14th to 30th characters: Function description
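
A position-based check of role names against the layout listed above, as an added example (not SAST SUITE code). The `_` separator, the function names and the sample role names are assumptions constructed for illustration; the page does not name the separator character, and the convention is adapted per customer.

```python
SEPARATOR = "_"   # assumption: the page does not name the separator character
MAX_LEN = 30      # from the page: 30 characters per role name
ACCESS = {"C": "change", "D": "display"}  # 5th character, from the page

def parse_role_name(name):
    """Split a role name by position; return (fields, findings)."""
    findings = []
    if len(name) > MAX_LEN:
        findings.append(f"length {len(name)} exceeds {MAX_LEN}")
    if len(name) < 14:
        # Nothing at position 14 onwards, so the function description is missing.
        return None, findings + ["too short: no function description"]
    for pos in (4, 6, 13):
        if name[pos - 1] != SEPARATOR:
            findings.append(f"position {pos}: expected separator {SEPARATOR!r}")
    if name[0] != "Y":
        # The page lists only Y (reference role) as a 1st-character flag.
        findings.append(f"position 1: {name[0]!r} is not a flag the convention lists")
    if name[4] not in ACCESS:
        findings.append(f"position 5: {name[4]!r} is neither C nor D")
    fields = {
        "reference_role": name[0] == "Y",
        "module": name[1:3],
        "access": ACCESS.get(name[4]),
        "org_set": name[6:12],
        "function": name[13:MAX_LEN],
    }
    return fields, findings

def audit(names):
    """Return {role name: findings} for every name that breaks the convention."""
    report = {}
    for name in names:
        _, findings = parse_role_name(name)
        if findings:
            report[name] = findings
    return report

# Constructed sample role names (not taken from any real system).
SAMPLE_ROLES = [
    "YFI_C_DE0100_INVOICE_POST",
    "YMM_D_GLOBAL_STOCK_OVERVIEW",
    "YSD_X_DE0100_ORDER_DISPLAY",
    "ZFI-C-DE0100-INVOICE",
    "YFI_C_DE0100_VENDOR_MASTER_DATA_MAINT",
]

if __name__ == "__main__":
    for role, problems in audit(SAMPLE_ROLES).items():
        print(role, "->", "; ".join(problems))
```

Run over an export of role names, a report like this shows which roles cannot be classified as display or change from the name alone and therefore need a manual look.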

Benefits from using SAST SUITE role templates

  • 900 individual roles for all SAP modules are already available, which means you don’t have to go through the time-consuming process of designing and creating them yourself
  • The objects have been defined and restricted in accordance with best practices
  • Critical objects and transactions are separated in single roles
  • Mnemonic naming conventions are predefined, with flags for SAP module, access type, and process descriptions
  • Module authorizations are contained in module roles, which makes it easier to establish role and data ownership
  • All roles are free of generally applicable SoD risks

Enormous time savings, cost reductions, and improved transparency

If you use our role template, you benefit from enormous time savings, which will also be reflected in your project budget. At the same time, you can grant access authorizations according to the need-to-know principle, which means each user is only assigned the authorizations they need to perform their day-to-day work. By automating your SAP role generation, you can conserve valuable internal resources while at the same time guaranteeing the security of your data and systems.

Are you interested in optimizing your existing roles and transforming them to a transparent role management structure? Our consultants will be happy to lend a hand in preparing and implementing the SAST SUITE role template. Simply contact us or visit our website ahead of time.

Agnes Gutt (SAP Authorizations Consultant, SAST SOLUTIONS)

