Self-Adjusting Authorizations
With Self-Adjusting Authorizations, companies get a tool with the necessary usage information at their fingertips and can address the issues: unused transactions are removed automatically, which increases compliance and protection against data misuse while saving administrative effort.
Day-to-day business and authorization management
The idea for the development came from Frank Schröder, CIO of the transmission manufacturer Renk, a subsidiary of MAN. He was looking for a way to automatically keep authorization management clean during day-to-day business, and found the partner for this task in Akquinet.
Together we started the pilot phase. After fifteen months, the dynamic, self-aligning tool Self-Adjusting Authorizations is close to market maturity. In combination with the Sast Suite, the GRC software is the first on the market to deliver reliable key figures on the actual use of roles in SAP.
Because the tool relies on automation - transactions remain activated only when the user needs them - it is particularly useful for smaller and medium-sized companies, which generally have few specialist staff in the security and compliance environment.
But even larger companies can keep their many authorizations permanently up-to-date in this way. The pilot phase at Renk shows that there is demand for the tool on the market: around 75 percent of the authorizations issued are not needed by the users.
They exist partly because SAP systems in companies grow over the years, and partly because administrators tend to distribute too many transactions to users rather than too few.
But these unused authorizations not only significantly degrade clarity and maintainability, they also increase the potential for segregation of duties conflicts and for higher SAP licensing costs.
Although these weaknesses are known, many IT managers have not yet tackled the optimization of user authorizations. This is because doing it manually is time-consuming and therefore ties up costs and resources.
Self-Adjusting Authorizations provide a remedy here and reduce the internal effort: after an observation phase, they leave only those transactions in a role that are actually required to complete a business process, and unused transactions are safely removed. Renk also uses the tool for permanent user maintenance.
Optimization
In summary, the use of Self-Adjusting Authorizations has many advantages: companies can gain a clear overview of how far their employees' existing roles are actually used and then optimize how those roles are tailored.
All iteration cycles from the observation phase can also be traced at any time, as they are documented in detail. This makes it possible to see what the employee was allowed to do and what he or she was not allowed to do at any point in time, which is important during an audit, for example.
The tidied-up permissions mean less administrative effort and a lower security risk by reducing segregation of duties conflicts.
If one wanted to condense the procedure to a formula, it would be: automate instead of doing everything yourself. Finally, optimizing user authorizations may also lead to savings on SAP licenses. In this way, IT decision-makers can look forward to future reviews by internal or external auditors with confidence.