Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
Bedrock Managed Service
Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
8 November 2017

The Top 5 signs you need a role re-design


Consumers purchase cars to have the freedom to travel between destinations at will. However, cars require regular servicing to keep them running reliably and optimally. The frequency and type of maintenance required is determined by various factors including; the age of the vehicle, the distance driven, the type of fuel used, the terrain driven on, and so on. If servicing is neglected, poor performance and significant vehicle stress can amount to serious and costly issues. Owners may find themselves in the situation where their vehicle is no longer performing optimally, and ask themselves the question of whether it’s worth temporarily fixing the vehicle (as it continues to cause issues) or to purchase a new one that includes a proper maintenance plan.

Similarly, SAP roles are initially designed to support the processes and structures of a business at a point in time. However, over time many aspects of the business changes, including processes, leadership, support structures and system functionality. Impact assessments on SAP roles are frequently neglected during this process often resulting in a “band aid” approach being applied to address immediate access changes. Without proper governance, role management will inevitably increase in complexity, resulting in loss of productivity, disruption and even the potential for fraud.

As time goes by, this leaves many roles no longer fit for purpose with some accumulating access designed for old business requirements. Organisations must determine the suitability of their roles to support business requirements and decide whether they should retain and continue updating their existing roles, or redesign them for better alignment.

Below are five points we have found in our experience to be factors when considering a role redesign.

  1. Lack of Ownership

Does your organisation have formal ownership of its SAP roles? Do you have designated role owners/approvers? Does each business area know who has approved access to their process area? Does someone keep track and approve content changes to roles?

Clear ownership of SAP roles is the foundation of good security governance in an organisation, which enforces responsibility of role content changes and role assignment approvals back to key personnel. It is very important that the business understands the purpose of each role and play an active part in managing the access provided to users.  It is however, difficult for key business personnel to adopt ownership of existing roles if there is insufficient documentation, a lack of knowledge on the role design, and a lack of enforcing processes.

  1. Role Integrity

Do you have roles in your landscape that are classified as display only and yet contain maintenance access? Do your role descriptions accurately portray the purpose of each role in clear business language?

SAP roles accumulate access over time and are often adjusted to retrofit changes to the organisation and its processes. Sometimes inappropriate roles are chosen to be modified, based on being the most convenient to change but not always the most suitable. Without proper processes and governance, the integrity of roles can be undermined as the authorisations are changed to cater for new requirements. Over time, the same role could have been adjusted many times, by multiple security personnel, with the approval of multiple managers for different requirements.

  1. High volume of access requests

Are your users raising access requests too frequently? Do they sometimes request roles that are not deemed appropriate? Does it take multiple attempts for a user to get the access they actually need?

Requesting access can often be frustrating from a user’s perspective, particularly if it has taken multiple request attempts to get the right level of access, or if the roles being requested are not clear in name and description. Many organisations observe a high volume of access requests, even during times of the year where there is minimal organisation and process change. This indicates that there may be issues with role design and role assignments, which are not properly aligned to the current business structure.

  1. Excessive role assignments

Do your users require more than 10 role assignments to obtain the access they need in each system? Do you have a business role concept that supports task related roles?

In most cases, users tend to accumulate access over time as their job responsibilities change. If appropriate roles are not adjusted to align with organisational changes, then users may be assigned inappropriate roles in order to gain the smaller subset of authorisations they actually require for the task. This often results in duplicate functionality and excessive access being granted to a user, thereby making role management even more complex.

  1. Access risks

Do you have recurring access issues flagged by audit? Are you aware of which roles contain critical access? Have you struggled to remediate access issues because of poor visibility?

Roles are the building blocks of access in an SAP system. Roles can be assigned to users directly and indirectly, and can sometimes be inherited through other roles. Critical access that is allocated to roles is indirectly assigned to all users who obtain that role. A lack of visibility on the inherent risk often prevents roles from being cleansed placing a heavier reliance on reactive measures (audit findings). Addressing known risks also becomes increasingly challenging as change impacts are often not understood due to poor governance and ownership.

If at least two of the above categories are issues for your organisation, it is highly recommended that you consider a role redesign. A role redesign is a great way for organisations to address these common issues and better align their roles with current processes and introduce enhanced governance. Not performing a role redesign could expose the business to significant inefficiencies, poor service levels, and risk of fraud / unintentional errors.