This blog discusses in short, four effective methods that give high value to security managers by reducing manual work and simultaneously increasing security levels. The idea for this blog came from speaking with senior SAP security individuals, CISOs as well as security team members who find themselves spending time on fulfilling auditors’ demands and less time on fulfilling their core functions. Consequently, they are not meeting deadlines or maintaining high security levels.
So, the four areas that we will be discussing in this blog are:
- Effectively optimize SAP authorizations
- Eliminate inactive user accounts
- Control your most critical events
- Automate periodic status reports in order to save time
Do not forget to read our previous blog: Put All Your Ducks in a Row Before the End of the Year, which includes additional effective methods that also show value and can be implemented before the end of the year.
Effectively Optimize SAP Authorizations
Optimization of SAP authorizations is a crucial task in most organizations, and is typically performed in two main methods. The first method is to optimize existing authorizations or to set policies that will reduce authorizations over time. The second option is choosing to optimize all authorizations, which from our experience has the tendency to become a very tedious project. Another way to implement the latter option is to optimize only the most critical authorizations first, and then to think about what the next step should be.
Now, optimizing authorizations can be a long process but with a usage-analysis tool such as, ProfileTailor Dynamics, it can become a much simpler task. You can easily produce a matrix of authorization roles for each user and identify which roles are being used and which are not.

However, when you have the ability to automatically track authorization usage a third option becomes available, which is much safer in terms of business continuity. Instead of reducing authorizations to the existing users (and avoiding confrontation with employees), new users will receive authorizations according to the used authorizations of the person that he or she will be replacing or working with.
For example, if a new employee John is recruited and his job description matches that of Jane then he will only get the 3 authorization roles that Jane actually uses, instead of getting all 13 of her authorization roles. This way over time the amount of authorizations is significantly reduced without creating any risk to the business.
Eliminate Inactive User Accounts
This might be the most effective thing to do in order to quickly increase security and reduce costs. Identifying dormant user accounts and invalidating them prevents any hacker from taking control over them – thus increasing security levels immediately. By doing this the organization also releases SAP licenses and allows the organization to use them for other employees (with only incurring the maintenance cost), instead of buying new licenses at full price.
Control your Most Critical Events
In every organization there are important events that the security team must monitor. These events include – logins during irregular hours or logins from external IP addresses, adding and removing authorizations over a short period of time, and granting sensitive authorizations to non-IT employees. All of these events should be taken seriously and be monitored carefully. Automating this monitoring process is a necessity in order to maximize attention to these events and avoid the risk that some will go unnoticed. Each critical event should be followed by a workflow process, which will ensure that each event is inspected carefully.
Automate Periodic Status Reports in Order to Save Time
Last but definitely not least, the handling of the periodical audit and security reports. In many organizations producing these reports manually can consume large amounts of employee hours which is why many organizations have chosen to automate this process. Additionally, it will ensure that the reports are received by the appropriate person or persons (i.e. the firm’s auditor or the security team) on time and on a regular basis. You can also require that the process be implemented into a workflow so if the receiver has not signed the report within 12 hours, the report will then be escalated.