Business role and access provisioning management is a powerful tool to streamline and automate assignments in SAP systems, whilst reducing the number of users with inappropriate access.
SAP access can quickly get complicated as more roles get created for different reasons. Composite roles, which are a cluster of single roles, help to group access together in a particular system and can simplify access requests and provisioning.
However, composite roles are limited to single systems, whereas the roles of business users often stretch across multiple systems. This is where Business Role Management comes in useful, as they can be customised to business needs by grouping single and composite roles across several systems.
It also increases the efficiency of the end-to-end provisioning process by enabling central assignment, through tools like SAP GRC, to allow request raisers to specify access via a single Business Role. Furthermore, the access request workflow enabled in SAP GRC eliminates manual assignment in the backend, reducing the possibility of incorrect access.
Business Roles can also be integrated into wider Identity Access Management strategies as it aligns with IdAM goals of ensuring the right access is assigned to the right users through simplification and automation, based on HR actions for Joiners, Movers and Leavers.
This blog will walk through best practices for the first phase of Business Role Management implementation; Initial Analysis. Be sure to check out our follow-up article, where we address the best practices for the remaining phases.
Best practice for the ‘initial analysis’
The initial analysis is the stage where business roles should be defined, risk analysis carried out and future owners and approvers of these roles consulted. This is where tasks carried out by different job functions must be reflected accurately by the access in the system – as with all role design, the business process is the driver for the access.
- How does the business work?
The design team must be made up of people who understand how the business works and can draw out their needs and translate them into technical requirements. This balance of skill and knowledge bridging business and technical functions is what will make the difference between a good implementation and a great implementation; it enhances communication between teams and ensures the key issues are identified.
More technical and more business-focused users can always be consulted to understand the details, but it takes a team with a wider understanding of both areas to identify the critical links.
- Role review
If the design of the new Business Roles is based on the current user access, it may be necessary to perform a role review to verify if users actually require the access they are currently assigned. This is important if the previous process involved manual assignment of access, as duplication and unnecessary access is more likely to be granted.
This is particularly true in systems that have been in place for some time. If users have moved and switched roles in these systems, access creep is inevitable and should be addressed before a business role implementation.
During the analysis phase, beware of roles that do not include any transactions - this could seem like a redundant role, or a system user role, however business users may require it. For example, users who need to pull information cross-systems will require Remote Function Call authorisations, where no transactions will be defined.
- Access risks
Another important point to consider is the types of access risks, like Segregation of duties risk, that could arise within the new business roles. The initial design of each business role should undergo risk analysis at the role level within SAP GRC. This will identify risks that may appear as a result of cross-system access due to new combinations of technical roles.
If performing a risk analysis is included as part of the automated business role assignment workflow, these risks will need to be mitigated at the business role level. It is important to define within your reporting rules any risks which may be cross-system, such as maintaining master data within one system, while transacting upon that data within another.
- Approvers and owners
It is good practice to ensure defined owners and approvers are assigned to each new business role. Owners should be accountable for the content of the business role and the approvers should be responsible for approving assignments to users. This segregation of duties ensures that no one person can control the access within the role and also have the ability to assign it.
At the end of the initial analysis, there should be a newly designed business role to single role mapping that can be uploaded into the SAP GRC master data for automated provisioning and a clear document of owners and approvers.
The next phases of implementing Business Role Management effectively in SAP GRC are deployment and hypercare. Click here to read part two where we explore these next steps.
Or, if you’re looking for additional resources on how to effectively manage access for joiners, movers and leavers within SAP, you can read our full SAP Identity & Access Management guide here.