A survey conducted in March during an ITOK expert talk on the greatest challenges for SAP security revealed that over half of the participants see those challenges in the area of roles and authorizations. Integrating the authorization concept is one of the core activities of an SAP S/4HANA implementation and a frequent reason why such projects fail as a whole. But how do you handle conflicts like resource bottlenecks, shifting priorities among subprojects, changes to tasks, and testing?
In an interview with Ulrich Parthier, publisher of it management magazine, Roozbeh Noori-Amoli, Deputy Head of SAST CONSULTING, explains why the right authorization concept can be a decisive factor in the success and dynamism of the transformation, alongside the chosen approach and the project management.
Mr. Noori-Amoli, you just completed a successful global role conversion project with PUMA SE. What are the most important things to consider before tackling an SAP S/4HANA migration?
Roozbeh Noori-Amoli: The first consideration, of course, is which approach is best for the project: greenfield, brownfield, or bluefield. For the methodology, you have to decide between classic and agile project management. And then comes the question: What will my authorization concept look like? Will it be based on the sole proposal from a consultant or on a best-practice approach that fails to take your company and its project-specific needs into account, as is so often the case? Because that is already the cardinal mistake: it is essential for you to familiarize yourself with the advantages and disadvantages of the various concepts, any of which could be feasible depending on the situation. If you make the wrong choice, you often won’t even notice until many days of implementation effort have already been spent, or even worse, not until the system is being used for everyday work. The subsequent correction can demand a lot of costly effort.
How can you identify the right authorization concept among the wide variety that is available?
Roozbeh Noori-Amoli: To do so, the most important questions have to be clarified ahead of time: What are the company’s actual needs, what are the project objectives, and what level of security is required? How much budget, time, and staff resources are available? Limiting factors such as the existing organizational structures and processes, the number of SAP users, and the fundamental type and architecture of the system already provide a fixed framework. The objectives are then prioritized based on the selected IT strategy. Ultimately, the choice of authorization concept means striking a balance between the need for high security, with custom-tailored authorizations, and the desire to minimize the administrative effort needed. The trade-off could be formulated as the assignment of minimal authorizations versus the standardization of processes.
Can you describe a few scenarios in which a particular concept would be preferred?
Roozbeh Noori-Amoli: For an international organization with many identical business units and repetitive processes, for example, the template role approach with derivations by organizational unit or the menu/value role concept would work well. If a company has extremely high security requirements and the desire to grant authorizations precisely, while keeping the number of transactions for each user low and running a system with just a few, yet different processes, I recommend the 1 transaction – 1 role concept.
In your experience, are there specific examples of better and poorer choices?
Roozbeh Noori-Amoli: Yes, that can be demonstrated based on a well-considered and a less well-considered decision in favor of the same authorization concept. Our customer PUMA, with around 14,000 employees in 50 countries, had many country-specific custom developments and interfaces, along with high compliance requirements. The project encompassed launching the migration of four countries and their different SAP ERP systems to SAP S/4HANA. Due to the many organizational units, distributed processes, and critical country specifics, the challenge was to create a global authorization concept that could then be rolled out in depth at the country level. We ultimately decided on process-based single roles with functional workplace composite roles for PUMA, because there are many similar units, administered centrally, with central auditing and a standard concept with special roles, as well as derivation via organizational levels. The customer is now very satisfied, particularly since we chose an agile project management approach that supported a rapid, dynamic, flexible implementation.
And what about the poorer decision?
Roozbeh Noori-Amoli: The same concept isn’t right for everyone, as a different S/4HANA project made clear: The customer insisted on implementing this authorization concept without any prior consultation. However, the workshops with the user departments quickly revealed that the options for separating users into homogeneous groups and implementing clear separation of the individual processes were actually quite limited. As a result, we were able to ultimately convince the customer to choose a hybrid authorization concept that better supported the given situation with country and department specifics.
Based on your lessons learned, what suggestions do you have for ensuring the success of an S/4HANA role conversion?
Roozbeh Noori-Amoli: It is important to schedule time for testing from the beginning and to ensure detailed coordination between test management, training management, and the authorization team. An agile project management structure delivers major advantages here: the integration tests, regression tests, and authorization tests are carried out in parallel, instead of being considered separately. The entire topic should be tackled at an early stage, together with the user departments. Your ultimate goal should be to reach decisions regarding the role contents for all departments and to create customer-specific catalogs and groups, to avoid having to fall back on the cluttered SAP standard. Another insight: move away from authorization teams and towards user managers in each user department. We recommend using specific tool support. You will need standard templates for default roles for testing, as well as clean, SoD-free roles. In addition to testing authorizations to confirm they work, you also have to conduct negative tests. To avoid interruptions to everyday business, I highly recommend taking a safe go-live approach. Last but not least, it is important to allocate enough time and resources, because this isn’t something that you can simply do alongside your day-to-day business activities.
Mr. Noori-Amoli, thank you for the interview.
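The role models discussed in the interview (template roles derived by organizational level, functional composite roles, SoD-free roles and negative tests) as an added example that is not part of the original article and not SAST CONSULTING's tooling: a small Python model that derives roles from a template per company code (org level BUKRS), builds composite roles, computes a user's effective transactions and runs a segregation-of-duties check over them. The role names, users, company-code values and the conflict pairs are constructed for illustration; the transaction codes are standard SAP codes, but the rule list is not a ruleset the page provides.

```python
from dataclasses import dataclass

# Constructed example: a minimal model of SAP single roles, derivation from a
# template role by company code (org level BUKRS), workplace composite roles
# and a segregation-of-duties (SoD) check over a user's effective access.
# Role names, users, company codes and SoD rules are illustrative assumptions.


@dataclass(frozen=True)
class SingleRole:
    name: str
    tcodes: frozenset   # transaction codes the role grants
    bukrs: frozenset    # company codes the role is restricted to; {"*"} = all


def derive(template: SingleRole, suffix: str, bukrs) -> SingleRole:
    """Derive a role from a template: same transactions, narrowed org level.

    A derived role may never be broader than its template, so the requested
    company codes must be a subset of what the template allows.
    """
    bukrs = frozenset(bukrs)
    if "*" not in template.bukrs and not bukrs <= template.bukrs:
        raise ValueError(f"{sorted(bukrs - template.bukrs)} not allowed by {template.name}")
    return SingleRole(f"{template.name}_{suffix}", template.tcodes, bukrs)


def effective_access(single_roles):
    """Map each transaction code to the company codes it may be executed for."""
    access = {}
    for role in single_roles:
        for tcode in role.tcodes:
            access.setdefault(tcode, set()).update(role.bukrs)
    return access


def overlap(a, b):
    """Company codes for which both grants apply ('*' matches everything)."""
    if "*" in a:
        return set(b)
    if "*" in b:
        return set(a)
    return a & b


# Illustrative SoD rules (constructed): pairs of transactions one person
# should not hold for the same organizational unit.
SOD_RULES = [
    ("XK01", "F110", "create vendor and run payment program"),
    ("XK01", "FB60", "create vendor and post vendor invoice"),
    ("ME21N", "MIGO", "create purchase order and post goods receipt"),
]


def sod_conflicts(single_roles):
    """Return (tcode_a, tcode_b, shared company codes, reason) for each violation."""
    access = effective_access(single_roles)
    hits = []
    for a, b, why in SOD_RULES:
        if a in access and b in access:
            shared = overlap(access[a], access[b])
            if shared:
                hits.append((a, b, frozenset(shared), why))
    return hits


def can_execute(single_roles, tcode, bukrs) -> bool:
    """Positive/negative test helper: is tcode allowed for this company code?"""
    allowed = effective_access(single_roles).get(tcode, set())
    return "*" in allowed or bukrs in allowed


# Template (master) roles, unrestricted; derived roles narrow them per country.
T_AP_MASTER = SingleRole("Z_AP_VENDOR_MASTER", frozenset({"XK01", "XK02"}), frozenset({"*"}))
T_AP_PAY = SingleRole("Z_AP_PAYMENT", frozenset({"FB60", "F110"}), frozenset({"*"}))

AP_MASTER_DE = derive(T_AP_MASTER, "DE", {"1000"})
AP_PAY_DE = derive(T_AP_PAY, "DE", {"1000"})
AP_PAY_US = derive(T_AP_PAY, "US", {"2000"})

# Functional workplace composite roles bundle single roles.
COMPOSITES = {
    "WP_AP_CLERK_DE": (AP_MASTER_DE,),
    "WP_AP_PAYMENTS_DE": (AP_PAY_DE,),
    "WP_AP_PAYMENTS_US": (AP_PAY_US,),
}

USERS = {
    "alice": ["WP_AP_CLERK_DE", "WP_AP_PAYMENTS_DE"],   # conflict within BUKRS 1000
    "bob": ["WP_AP_CLERK_DE", "WP_AP_PAYMENTS_US"],     # same tcodes, disjoint org levels
    "carol": ["WP_AP_PAYMENTS_DE"],
}


def roles_of(user):
    return [r for c in USERS[user] for r in COMPOSITES[c]]


def check_user(user):
    return sod_conflicts(roles_of(user))


if __name__ == "__main__":
    for u in USERS:
        print(u, check_user(u) or "clean")
    # Negative test: carol must not be able to run payments for company code 2000.
    print("carol F110 in 2000:", can_execute(roles_of("carol"), "F110", "2000"))
```

The check treats two conflicting transactions as a violation only where their company codes overlap, which is why bob is clean while alice is not; a stricter policy flags any user holding both transactions regardless of org level, and many auditors expect that. In a real system the role-to-transaction data would come from the role tables (for example AGR_TCODES and AGR_1251) rather than constructed literals, and the negative tests would be run as an authorization test against the actual user, not against this model.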
This article was originally published in IT Management magazine, July/August 2021 issue and is available free of charge from the online reader service on it-daily.net: https://www.it-daily.net/leser-service (in German).
Further postings on the topic:
SAP S/4HANA authorizations – it’s your choice: brownfield or greenfield