How do you choose the best single authorization role to grant a user who has just sent a request for additional authorizations?
This is a complicated process for most organizations, because thousands of roles typically exist. Even if only 15 roles actually match the user's request, you need to go over them one by one and check for possible issues such as Segregation of Duties (SoD) violations, risks related to sensitive activities, company rules of thumb, and even the possible impact on licensing. This task can take a couple of hours in smaller organizations and up to two days in larger ones, and it is usually the responsibility of a single person.
So, what is the root cause of these issues?
It all stems from the fact that we do not grant a single authorization for each task. Instead we combine authorizations into groups, give each group a description, add menu entries and call the result an "authorization role". Authorization roles are then granted to end users. Here is the catch: when you grant an authorization role you are also granting every authorization within that group, and a single role can contain hundreds or even thousands of different authorizations.
So, let's say a user requests permission to perform a "payment run" (T-Code F110). You will find that the required authorization exists in many different roles: roles assigned to accounting clerks and accounting managers, as well as narrower roles such as "sensitive financials", "very sensitive T-Codes" and "payment run". Choosing the best role to grant is a complicated task that requires weighing all the factors explained above.
RoleAdvisor was created in order to help organizations find the best role to grant users in just a few clicks.
RoleAdvisor filters and scores all the relevant roles by several aspects: standard guidelines (e.g. Segregation of Duties), the risk of sensitive objects, the authorizations the person already has, and lastly how the requester and their peers actually use the roles. It can also be customized per company with the organization's own rules, for example "grant roles that are already used by others before granting new ones" or "prefer small roles over large ones".
Here is RoleAdvisor in action
Step 1: User Request
The process begins when a user requests additional access to an activity, either by naming an SAP T-Code (e.g. SE16) or by describing it (e.g. "I would like permissions to release purchase orders similar to what James has"). The employee submits it through the authorization request process or simply by emailing the helpdesk team. The request is then entered into the RoleAdvisor screen, where you can restrict organizational values such as company codes or plants in the "Organizational Level" dropdown.
You can also limit the candidate roles to those that include certain activities (T-Codes), to those from a certain group of authorization roles (such as local financial roles) in the "Role" search menu, or to roles with or without specific organizational values such as company codes and plants. You can even use another user as a reference via the "Reference User" search menu.
Step 2: RoleAdvisor Scores the Relevant Authorization Roles According to Risks
As you can see above, four authorization roles fit the user's request.
Do you see the yellow triangles on the left?
These triangles indicate that three of the roles are sensitive, and the "SoD Violations" column shows that adding any one of them would create an SoD conflict. Only one role is neither sensitive nor creates an SoD violation. However, you can also see that if this role is granted, the user will receive 78 "Additional Activities" as well as 11 "High Risk Activities" (click the number to see the list of activities). This way you can quickly understand the implications of granting each authorization role and choose the best one in a matter of seconds.
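To make the filtering and scoring described in Step 2 (and the company rules mentioned earlier) concrete, here is a small added example in Python. It is not RoleAdvisor's code and does not claim to reproduce its scoring; it is an illustration of the same idea. The role names, T-Code lists, SoD rules, sensitive and high-risk lists, the requesting user's existing authorizations and the role holders are all constructed for the example. A candidate role is kept only if it grants the requested T-Code; for each candidate the code counts the SoD conflicts the grant would newly introduce (including the case where the role itself contains both sides of a rule), whether the role touches sensitive T-Codes, how many new activities and new high-risk activities the user would gain, and how many peers already hold the role. Ranking applies the hard risk criteria first and the company rules "prefer small roles" and "prefer roles already used by others" as tie-breakers.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    tcodes: FrozenSet[str]   # activities (T-Codes) the role grants
    holders: FrozenSet[str]  # users who already hold the role


@dataclass(frozen=True)
class Assessment:
    role: str
    sensitive: bool           # role contains at least one sensitive T-Code
    sod_violations: int       # SoD conflicts the grant would newly create
    high_risk_activities: int # new high-risk T-Codes the user would gain
    additional_activities: int# all new T-Codes the user would gain
    peers_using: int          # users already holding the role

    def rank_key(self):
        # Hard criteria first (no new SoD conflict, not sensitive, fewest new
        # high-risk activities), then the company rules "prefer small roles"
        # and "prefer roles already used by others" as tie-breakers.
        return (self.sod_violations, int(self.sensitive),
                self.high_risk_activities, self.additional_activities,
                -self.peers_using)


def assess(role: Role, requested: str, user_tcodes: FrozenSet[str],
           sensitive: FrozenSet[str], high_risk: FrozenSet[str],
           sod_rules: Iterable[FrozenSet[str]]) -> Optional[Assessment]:
    """Score one candidate role; None if it does not grant the requested T-Code."""
    if requested not in role.tcodes:
        return None
    after = user_tcodes | role.tcodes
    new = role.tcodes - user_tcodes
    # A rule counts as a new violation when every side of it is present after
    # the grant but was not already present before it. This also catches a
    # role that carries both sides of a rule by itself.
    new_conflicts = [r for r in sod_rules if r <= after and not r <= user_tcodes]
    return Assessment(
        role=role.name,
        sensitive=bool(role.tcodes & sensitive),
        sod_violations=len(new_conflicts),
        high_risk_activities=len(new & high_risk),
        additional_activities=len(new),
        peers_using=len(role.holders),
    )


def rank_roles(roles: Iterable[Role], requested: str, user_tcodes: FrozenSet[str],
               sensitive: FrozenSet[str], high_risk: FrozenSet[str],
               sod_rules: Iterable[FrozenSet[str]]) -> List[Assessment]:
    """Filter to roles granting the request and order them best-first."""
    scored = (assess(r, requested, user_tcodes, sensitive, high_risk, sod_rules)
              for r in roles)
    return sorted((a for a in scored if a is not None), key=Assessment.rank_key)


# --- Constructed sample data (hypothetical, not a real ruleset or role set) ---
SENSITIVE = frozenset({"SE16", "SU01", "SM30"})
HIGH_RISK = frozenset({"F110", "FK01", "SE16", "SU01", "SM30", "F-53"})
SOD_RULES = [frozenset({"FK01", "F110"}),    # maintain vendor vs. pay vendor
             frozenset({"ME21N", "ME29N"})]  # create PO vs. release PO
USER_TCODES = frozenset({"FB03", "FBL1N"})  # what the requester already has
CANDIDATE_ROLES = [
    Role("Z_FI_ACCT_CLERK", frozenset({"F110", "FB60", "FB03", "FK01", "FK02"}),
         frozenset({"bob", "carla", "dan"})),
    Role("Z_FI_ACCT_MGR", frozenset({"F110", "FB60", "FB03", "FBL1N", "F-53", "SE16", "FK03"}),
         frozenset({"erin"})),
    Role("Z_PAYMENT_RUN", frozenset({"F110"}), frozenset({"james", "anna"})),
    Role("Z_MM_PO_RELEASE", frozenset({"ME29N", "ME23N"}), frozenset({"james"})),
]


def demo() -> List[Assessment]:
    """Rank the candidate roles for a user requesting the payment run (F110)."""
    return rank_roles(CANDIDATE_ROLES, "F110", USER_TCODES, SENSITIVE, HIGH_RISK, SOD_RULES)


if __name__ == "__main__":
    for a in demo():
        print(a)
```

In this data the clerk role is flagged with an SoD violation even though the requester holds neither side of the rule today, because the role itself bundles vendor maintenance with the payment run; the manager role is clean on SoD but is sensitive and brings five new activities, three of them high risk; the single-T-Code payment-run role wins. The purchasing role is dropped at the filter stage because it does not grant F110 at all.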
Step 3: Granting the Best Authorization Role directly from RoleAdvisor
The last step is to actually grant the role to the user. You can do this directly from within the tool, so the whole process is automated, more secure and documented in preparation for your next audit.
Click "Switch to modify mode", select the role you want to assign and press "Apply". This opens a new workflow to grant the role to the user, either in the production system or in QA for further testing (after which it is moved to the production system).
Notifying the user
The system automatically emails the user that the additional authorization has been granted and that they can start using the new function. This matters because users sometimes forget that they requested the function, and the task is then never executed. Notifying the user of the approval by email makes most users happy and increases overall satisfaction and productivity.