Key Insights Blog


8 November 2017

The Top 5 signs you need a role re-design


Consumers purchase cars to have the freedom to travel between destinations at will. However, cars require regular servicing to keep them running reliably and optimally. The frequency and type of maintenance required is determined by various factors, including the age of the vehicle, the distance driven, the type of fuel used, the terrain driven on, and so on. If servicing is neglected, poor performance and significant vehicle stress can lead to serious and costly issues. Owners may then find their vehicle no longer performing optimally and have to decide whether to keep fixing it temporarily (as it continues to cause issues) or to purchase a new one that comes with a proper maintenance plan.

Similarly, SAP roles are initially designed to support the processes and structures of a business at a point in time. Over time, however, many aspects of the business change, including processes, leadership, support structures and system functionality. Impact assessments on SAP roles are frequently neglected during this process, often resulting in a “band aid” approach being applied to address immediate access changes. Without proper governance, role management will inevitably increase in complexity, resulting in loss of productivity, disruption and even the potential for fraud.

As time goes by, this leaves many roles no longer fit for purpose, with some accumulating access designed for old business requirements. Organisations must determine whether their roles still support business requirements and decide whether to retain and continue updating their existing roles, or to redesign them for better alignment.

Below are five warning signs that, in our experience, indicate a role redesign should be considered.

  1. Lack of Ownership

Does your organisation have formal ownership of its SAP roles? Do you have designated role owners/approvers? Does each business area know who has approved access to their process area? Does someone keep track and approve content changes to roles?

Clear ownership of SAP roles is the foundation of good security governance in an organisation: it places responsibility for role content changes and role assignment approvals with key personnel. It is very important that the business understands the purpose of each role and plays an active part in managing the access provided to users. It is, however, difficult for key business personnel to adopt ownership of existing roles if there is insufficient documentation, a lack of knowledge of the role design, and a lack of enforcing processes.

  2. Role Integrity

Do you have roles in your landscape that are classified as display only and yet contain maintenance access? Do your role descriptions accurately portray the purpose of each role in clear business language?

SAP roles accumulate access over time and are often adjusted to retrofit changes to the organisation and its processes. Sometimes a role is chosen for modification because it is the most convenient to change, not because it is the most suitable. Without proper processes and governance, the integrity of roles is undermined as authorisations are changed to cater for new requirements. Over time, the same role may have been adjusted many times, by multiple security personnel, with the approval of multiple managers for different requirements.

  3. High volume of access requests

Are your users raising access requests too frequently? Do they sometimes request roles that are not deemed appropriate? Does it take multiple attempts for a user to get the access they actually need?

Requesting access can often be frustrating from a user’s perspective, particularly if it has taken multiple request attempts to get the right level of access, or if the roles being requested are not clear in name and description. Many organisations observe a high volume of access requests, even during times of the year where there is minimal organisation and process change. This indicates that there may be issues with role design and role assignments, which are not properly aligned to the current business structure.

  4. Excessive role assignments

Do your users require more than 10 role assignments to obtain the access they need in each system? Do you have a business role concept that supports task related roles?

In most cases, users tend to accumulate access over time as their job responsibilities change. If appropriate roles are not adjusted to align with organisational changes, then users may be assigned inappropriate roles in order to gain the smaller subset of authorisations they actually require for the task. This often results in duplicate functionality and excessive access being granted to a user, thereby making role management even more complex.

  5. Access risks

Do you have recurring access issues flagged by audit? Are you aware of which roles contain critical access? Have you struggled to remediate access issues because of poor visibility?

Roles are the building blocks of access in an SAP system. Roles can be assigned to users directly and indirectly, and can sometimes be inherited through other roles. Critical access allocated to a role is indirectly assigned to every user who holds that role. A lack of visibility of this inherent risk often prevents roles from being cleansed, placing a heavier reliance on reactive measures (audit findings). Addressing known risks also becomes increasingly challenging, because the impact of a change is often not understood due to poor governance and ownership.
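Three of the signs above (display roles that carry maintenance access, users with more than 10 role assignments, and critical access inherited through roles) can be turned into mechanical checks over a role extract. The following is an added example, not code from the original post or from any SAP tool; the role and assignment data are constructed, the critical-object list is an assumption, and only the SAP ACTVT convention (03 = display; 01/02/06 = create/change/delete) is taken from SAP itself.

```python
"""Audit checks for three role-redesign warning signs (added example)."""
from collections import defaultdict

# Constructed sample: role -> (description, [(authorization object, ACTVT)]).
# ACTVT 03 is display; 01, 02 and 06 are create, change and delete.
ROLES = {
    "Z_FI_DISPLAY": ("Finance display only",
                     [("F_BKPF_BUK", "03"), ("S_TABU_DIS", "02")]),
    "Z_FI_POST": ("Post finance documents",
                  [("F_BKPF_BUK", "01"), ("F_BKPF_BUK", "02")]),
    "Z_BASIS_USER": ("User administration",
                     [("S_USER_GRP", "01"), ("S_USER_GRP", "02")]),
    "Z_MM_DISPLAY": ("Materials display", [("M_MATE_MAT", "03")]),
}
# Constructed sample: user -> assigned roles. BOB holds 12 roles.
ASSIGNMENTS = {
    "ALICE": ["Z_FI_DISPLAY", "Z_FI_POST"],
    "BOB": ["Z_MM_DISPLAY"] + [f"Z_TASK_{i:02d}" for i in range(11)],
}
CHANGE_ACTVT = {"01", "02", "06"}
CRITICAL_OBJECTS = {"S_USER_GRP", "S_TABU_DIS"}  # assumed critical list
MAX_ROLES = 10  # threshold from sign 4 above


def display_roles_with_change(roles):
    """Sign 2: roles described as display-only but granting change activities."""
    return sorted(r for r, (desc, auths) in roles.items()
                  if "display" in desc.lower()
                  and any(actvt in CHANGE_ACTVT for _, actvt in auths))


def over_assigned_users(assignments, limit=MAX_ROLES):
    """Sign 4: users needing more than `limit` roles to do their job."""
    return sorted(u for u, rs in assignments.items() if len(rs) > limit)


def critical_access_by_user(roles, assignments):
    """Sign 5: which users inherit critical objects, and through which role."""
    found = defaultdict(set)
    for user, rs in assignments.items():
        for r in rs:
            for obj, _ in roles.get(r, ("", []))[1]:
                if obj in CRITICAL_OBJECTS:
                    found[user].add((r, obj))
    return {u: sorted(v) for u, v in found.items()}


if __name__ == "__main__":
    print("display roles with change access:", display_roles_with_change(ROLES))
    print("over-assigned users:", over_assigned_users(ASSIGNMENTS))
    print("critical access by user:", critical_access_by_user(ROLES, ASSIGNMENTS))
```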

If at least two of the above categories are issues for your organisation, we highly recommend considering a role redesign. A role redesign is an effective way for organisations to address these common issues, better align their roles with current processes and introduce enhanced governance. Not performing a role redesign could expose the business to significant inefficiencies, poor service levels, and the risk of fraud or unintentional errors.