Pilot project for new Compliance Suite


The system house Ciber has introduced a new SAP authorization concept with unique job roles at the transmission system operator TenneT TSO: Over 5000 roles have been reduced to around 200 job roles.
The redesign ensures transparency in SAP authorizations, simplifies and harmonizes SAP user administration processes and, together with Ciber's in-house Ciber Compliance Suite (CCS), guarantees continuous adherence to compliance guidelines.
Ciber has successfully implemented its in-house Compliance Suite at TenneT TSO in a global pilot project. Ciber has successively introduced the two components Ciber Usage Monitor and Ciber Access Control at the German electricity grid operator based in Bayreuth.
Phase 1: Redesign of the SAP authorization concept
The extensive project began in 2013 with the redesign of the SAP authorization concept. Ciber won the tender against several specialized competitors.
The main reason for choosing Ciber was the existing references from similar projects with highly satisfied customers. The well-structured approach proposed by Ciber for the implementation of the redesign project, the experienced team of consultants, the presentation of the project to the customer and the trust in Ciber as a proven CMS service provider were also convincing.
Roles drastically reduced
A core concern of the redesign was the adaptation of SAP authorizations to the new organization after TenneT had emerged from E.ON. The many roles that arose as a result, insufficient transparency for those responsible and the lack of SAP authorizations required new solutions.
Ciber therefore completely redefined the SAP authorizations using its own best practice roles on the ECC, SRM, BI and HCM systems in April 2014.
To this end, Ciber closely involved the TenneT key users in the role design. Thanks to this approach, they know their respective roles very well.
The segregation of duties (SoD) risks were jointly defined for the first time, taken into account when designing the roles and reduced as far as possible. Ciber's CCS constantly monitors these SoD risks.
Phase 2: Use of the Ciber Compliance Suite
In September 2014, the logical follow-up project was launched, in which the Heidelberg-based consultancy, together with Ciber Denmark, implemented the in-house Ciber Compliance Suite (CCS) at TenneT to control system usage and SoD risks in the ECC and HCM systems.
The CCS products were first customized step by step before the Ciber Usage Monitor was set up to optimize SAP system measurement.
The final stage of the project consisted of the subsequent implementation of the Ciber Access Control tool, which immediately identifies SoD risks in SAP authorizations and ensures continuous compliance for TenneT.
How Ciber Access Control works
An SoD matrix is stored in Ciber Access Control, whereby an SoD risk always consists of the combination of two SAP functions, e.g. "F1 - Process purchase orders" and "F2 - Post goods receipt". The associated SAP transactions, authorization objects and values are then stored in the tool.
The preventive SoD check should provide answers to the following questions: Which authorizations are newly entered? Do these themselves pose an SoD risk? Is there a risk in combination with existing authorizations for the user or in roles?
If risks are present, they appear in SAP depending on the CCS settings. Three actions are possible: "Display risk only as a message", "A document must be attached to approve the risk" and "The change is blocked because the risk is not permitted".
The downstream SoD reporting examines the SAP users or SAP roles for existing risks. The stored SoD matrix is checked against the SAP users or SAP roles and the results are displayed in Excel format.
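The following is an added illustration of the preventive check and the downstream report described above, not code from Ciber Access Control. Functions F1 and F2 are the article's; F3 and F4, the transaction codes behind each function and the action configured per risk are constructed sample data.

```python
from enum import Enum

# The three actions the article lists; which one applies is configured per risk here (assumption).
class Action(Enum):
    MESSAGE = "display risk only as a message"
    DOCUMENT = "a document must be attached to approve the risk"
    BLOCK = "the change is blocked because the risk is not permitted"

# Constructed sample data: F1/F2 are from the article; F3/F4, the transaction
# codes behind each function and the action per risk are assumptions.
FUNCTIONS = {
    "F1": {"ME21N", "ME22N"},  # Process purchase orders
    "F2": {"MIGO"},            # Post goods receipt
    "F3": {"FB60"},            # Post vendor invoice
    "F4": {"F110"},            # Run payment program
}
SOD_MATRIX = {                 # each SoD risk is an unordered pair of functions
    frozenset({"F1", "F2"}): Action.BLOCK,
    frozenset({"F3", "F4"}): Action.DOCUMENT,
    frozenset({"F1", "F3"}): Action.MESSAGE,
}
SEVERITY = [Action.BLOCK, Action.DOCUMENT, Action.MESSAGE]  # most restrictive first

def functions_of(tcodes):
    """Map a set of transaction codes to the SoD functions they enable."""
    return {f for f, codes in FUNCTIONS.items() if codes & set(tcodes)}

def preventive_check(existing_tcodes, new_tcodes):
    """Does the new authorization alone pose a risk ('new'), or only together with
    what the user or role already holds ('combined')?  Risks that existed before
    the change are not reported here; the downstream report covers those."""
    new_funcs = functions_of(new_tcodes)
    all_funcs = new_funcs | functions_of(existing_tcodes)
    findings = []
    for risk, action in SOD_MATRIX.items():
        if risk <= new_funcs:
            findings.append((risk, action, "new"))
        elif risk <= all_funcs and risk & new_funcs:
            findings.append((risk, action, "combined"))
    return findings

def decide(findings):
    """The most restrictive configured action among the findings wins; None means no risk."""
    present = {action for _, action, _ in findings}
    return next((a for a in SEVERITY if a in present), None)

def downstream_report(users):
    """Downstream SoD reporting: check each user's full authorization set against the matrix."""
    return {user: sorted("+".join(sorted(r)) for r in SOD_MATRIX if r <= functions_of(tcodes))
            for user, tcodes in users.items()}
```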
Risk assessment
Since February 2015, the electricity grid operator has been able to rely on a preventive check of SoD risks in the online maintenance of SAP users and SAP roles.
A downstream review of all SoD risks is also carried out each quarter using the Ciber Compliance Suite.
"We are very pleased to have also mastered the follow-up project for the introduction of our Compliance Suite to the satisfaction of our customer. It is certainly not a matter of course that a global pilot project within the framework of an international collaboration runs so smoothly and successfully," says Mario Hendrich, Project Manager and Team Lead "Compliance Services" at Ciber.
Project results
The following results were achieved for TenneT with the implementation of both projects:
- Simplification of the SAP user administration process by reducing the number of roles in the TenneT role portal from over 5,000 to around 200 job roles
- Transparency for TenneT role managers regarding role content and role assignments
- Definition and reduction of segregation of duties (SoD) risks for TenneT in SAP user authorizations
- Ensuring continuous compliance in SAP authorizations with the Ciber Access Control tool
- Optimized allocation of SAP licenses to SAP users through structured job roles and monitoring of SAP usage via the Ciber Usage Monitor tool