RBE-Online
IBIS Prof. Thome AG
http://www.ibis-thome.de

The authorization paradox

(04.11.2011)

By Marlon Füller

Despite years of increased focus on security and compliance, there are still obvious problems and shortcomings with the management of access rights and privileges to company data.

Regardless of the architecture, concepts and programming language, the SAP role concept controls access to SAP software functions. These authorizations form the central element that enables employees to perform the activities required of their position / task profile. It is important to keep in mind that the authorization concept created during software implementation is subject to the same changes as the company and its IT. Changes that are not passed on inevitably result in a disparity between actual requirements and existing authorizations.

An empirical, industry-specific study of live SAP systems during the past ten years reveals these incongruent states in organizations. On average, eight percent of employees with access authorization have never logged on. What's more, when observed over a period of several months, an average of 22 percent of employees performed not a single activity in the system. More importantly, this carries over to the authorizations themselves: on average, 23 percent of authorization roles (single and composite) are not actively required by the employees they are assigned to. This discrepancy has qualitative ramifications for the business processes, not to mention a significant impact on security and costs. On average in the companies studied, more than 5,000 functions were distributed to employees who did not need them. In addition to security deficiencies and questionable compliance (especially when critical functions or combinations of functions are assigned), this points to complicated administration.

The empirical study shows that businesses routinely neglect the organization and maintenance of authorizations. This is true despite the important role appropriate access control plays in the complex environment of standard software like SAP ERP (because of the stored company data, e.g. on internal and external accounting, and its major impact on the business processes), and despite authorizations being critical to an organization's security and success.

The solution to this paradoxical situation, in which security and compliance within an organization are becoming increasingly important while access rights and privileges to the enterprise software, with all its mission-critical data, are neglected, calls for real-time insight into actual system usage and the authorizations that are actually necessary.

The basic requirement for targeted examination is to identify the following:

  • The (anonymized) employees who use the software and have access authorization as a user.
  • Their action scope within the software, which is regulated via the authorizations (access authorizations).
  • The principle of least privilege (users are assigned no more authorizations than necessary for their work) should be applied when assigning authorizations to meet specific requirements. As a result, the functions that are documented as really being used need to be analyzed; this is the only way to track the actual activities.

A combination of the components user, authorization and activity is used to reveal the employee's feasible action scope within the ERP solution. It is then compared against the real requirements (based on their activities and in-house rules, e.g. segregation of duties). The result is a well-tailored "activity corset" for the organization. Security is bolstered and the business's effectiveness and efficiency are increased, by avoiding parallel processes, for instance.
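The user / authorization / activity comparison described above, as an added illustration that is not code from the article or from IBIS Prof. Thome AG: roles are modelled as sets of transaction codes, the activity log records what each user actually executed, and a single segregation-of-duties rule stands in for in-house rules. All role names, user IDs, transaction codes and the SoD rule are constructed sample values.

```python
from datetime import date

# Constructed sample data (not from the article): roles map to the SAP
# transaction codes they grant, users carry their role assignments and
# last logon, and the activity log records which transactions each user
# actually executed during the observation window.
ROLES = {
    "Z_FI_POST": {"FB01", "FB50"},          # post financial documents
    "Z_FI_VENDOR": {"FK01", "FK02"},        # maintain vendor master data
    "Z_MM_DISPLAY": {"MM03", "ME23N"},      # display-only material / PO
}
USERS = {
    "U001": {"roles": {"Z_FI_POST", "Z_MM_DISPLAY"}, "last_logon": date(2011, 10, 3)},
    "U002": {"roles": {"Z_FI_POST", "Z_FI_VENDOR"}, "last_logon": date(2011, 9, 14)},
    "U003": {"roles": {"Z_MM_DISPLAY"}, "last_logon": None},   # never logged on
}
ACTIVITY = [  # (user, transaction) observed in the window
    ("U001", "FB50"), ("U001", "FB50"), ("U002", "FB01"), ("U002", "FK02"),
]
# Assumed segregation-of-duties rule: document posting and vendor master
# maintenance must not both be feasible for one user.
SOD_RULES = [({"FB01", "FB50"}, {"FK01", "FK02"})]

def feasible_scope(user):
    """All transactions the user's roles allow: the 'feasible action scope'."""
    return set().union(*(ROLES[r] for r in USERS[user]["roles"]))

def used_scope(user):
    """Transactions the user actually executed in the observation window."""
    return {t for u, t in ACTIVITY if u == user}

def analyse():
    """Compare feasible against used scope per user and flag the findings."""
    report = {}
    for user in USERS:
        feasible, used = feasible_scope(user), used_scope(user)
        # a role is 'not actively required' if none of its functions were used
        unused_roles = {r for r in USERS[user]["roles"] if not ROLES[r] & used}
        # SoD is checked on the feasible scope: a conflict exists even if unused
        sod = [(a, b) for a, b in SOD_RULES if feasible & a and feasible & b]
        report[user] = {
            "never_logged_on": USERS[user]["last_logon"] is None,
            "inactive": not used,
            "unused_roles": unused_roles,
            "surplus_functions": feasible - used,
            "sod_conflicts": sod,
        }
    return report

if __name__ == "__main__":
    for user, findings in analyse().items():
        print(user, findings)
```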

The RBE Plus User and Role Analysis helps examine user behavior, security aspects, authorization assignment and usage, plus licensing. These in turn enable active authorization and license management and identification of cost-saving potential.

A holistic analysis of this issue provides key figures, detailed evaluations and specific drill-down options:

  • Checking the authorization concept:
    Extensive insight into the actual use of the authorization concept. The RBE Plus User and Role Analysis documents authorizations based on user activities.
  • Assessing the license situation:
    The RBE Plus User and Role Analysis enables you to compare license-specific user data with the user's actual activities. In this way, valid licenses and cost-saving potential can be identified.
  • Ensuring and bolstering security:
    The RBE Plus User and Role Analysis provides information on potentially critical transactions, authorizations and system settings. This helps you spot dual control violations and improve other security-related aspects.
  • Optimizing system usage:
    RBE Plus User and Role Analysis results let you adapt your authorization concept to the users' actual requirements. Efficient SAP system usage starts here.
