Who Is Allowed To Do What and Why?
Unloved, but absolutely necessary: the SAP authorization concept
Under SAP R/3, the authorization concept was simpler and could therefore still be managed manually. With NetWeaver, engines and roles, SAP's authorization concept took on a complexity that either went unnoticed or could only be managed with IT tools. Because of compliance, governance and security rules, the careful and traceable maintenance of the ERP/ECC 6.0 authorization concept became a central task of SAP Basis. To cope with the complexity of a modern S/4 system, the administrator needs suitable IT tools.
Another important task of a consistent authorization concept is the distribution of roles with regard to user licenses. An ill-considered assignment of roles can quickly end in high license fees.
Why does the SAP authorization concept play a central role in the security strategy?
Phillip Latini, Sivis: The SAP system contains sensitive data and core processes. These must be protected not only against cyber attacks from outside, but also against internal risks. Access control is therefore essential to protect integrity, confidentiality and availability. In addition, there are external security requirements imposed by the legislature or by business partners that must also be mapped in the authorization concept.
SAP uses role-based access control. What is the challenge of role-based access control?
Latini: The model of bundling authorizations into roles and then assigning roles to each user makes the creation of SAP authorization concepts complex. Even our consultants spend a lot of time in SAP projects building roles and populating tables with authorizations. Although we have developed some tools over the last few years to speed up such tasks, we were not satisfied. With the help of automation through evolutionary algorithms, much more is possible here - our new virtual role advisor, the Authorization Robot, is the result. It offers enormous efficiency potential throughout the entire lifecycle of SAP authorization concepts.
What are the three biggest advantages of automatically created authorization concepts for SAP customers?
Latini: First, speed. Based on the evaluation of our beta test phase, we assume that the Authorization Robot can save up to 95 percent of consultant hours for role construction in the future. Second, it minimizes sources of error and security gaps. And third, automation ensures that best practices are reliably adhered to.
The authorization concept also plays a role in license measurement. Is it then a CIO or a CFO issue?
Latini: License measurement is particularly exciting during the migration to S/4 Hana: Since the license costs per user can no longer depend on actual usage, but on the scope of authorization, incalculable financial risks lie dormant in old authorization concepts. Redesign is therefore a highly topical CFO issue! Here, too, the virtual role consultant offers great potential, as it can calculate concept proposals specifically for the criterion of license cost savings - and do so faster and more accurately than any SAP consultant.
Is the responsibility for SAP authorization concepts shifting towards management?
Latini: In any case, awareness of security risks has increased significantly in recent years, across all levels of the company. Technically and organizationally, the IT department is still responsible for authorization concepts, but input is increasingly being requested from the business departments. Automated solutions can build bridges here and relieve those responsible. Management has the important task of setting binding guidelines - for example, with principles such as "zero trust" - and communicating the issue of security transparently.
Modern software landscapes often integrate other systems in addition to SAP. Are the authorization concepts also becoming hybrid?
Latini: Authorizations are a holistic topic, even today. Microsoft, ticket systems, and industry-specific stand-alone solutions, on-premises and in the cloud: every user moves in many different worlds in their everyday professional lives. Here, too, automation will be a useful approach to managing the growing complexity across systems. The Authorization Robot is technically designed so that we can transfer the virtual support for authorization concepts to other ecosystems at any time.
Can the ongoing maintenance of authorizations in the SAP system also be automated?
Latini: The virtual role consultant shows its full potential in the calculation of initial role concepts and complex redesign projects. But automation also offers performance advantages for selective reviews or annual updates. For the ongoing maintenance of the authorization concept, the Sivis platform comes with supplementary digital tools, such as the Role Manager or the Compliance Manager.
What resources does the deployment of Authorization Robot require in terms of system requirements and manpower?
Latini: The Authorization Robot is connected to the SAP system via the user-friendly Sivis Web Manager. A Docker environment on a Linux server is also required - the computing power depends on the size of the company. The analysis and clustering of the tracing data as well as the creation of the concept proposals are fully automated. Human interactions are limited to specifying the desired target criteria - for example, "maximum security" or "license cost optimization" - and a final verification of the generated proposals. Use is intuitive and requires no extensive training.
Is the Sivis Authorization Robot certified by SAP?
Latini: The new Authorization Robot is part of our SAP-certified platform that integrates numerous tools around Identity and Access Management, Compliance and Governance, Role Management and Authorization Concepts as well as License and Asset Management. Since April 2023, Authorization Robot can be licensed as Software as a Service for SAP environments.
E-3: Mr. Latini, thank you for the interview.