Application Development Discussions

Number of Users VS Number for Security Admins ?

Former Member
0 Kudos

Hello Everyone,

Is there any benchmarking tool or any documentation/best practices available which would show the proportion between the number of users and the number of security administrators needed to support those users?

I would appreciate it if someone could point me to any useful information.

I would also appreciate it if someone could forward me any documentation or useful pointers on setting up an off-shore model for security for 24/7 support to cover all time zones.

Thanks,

SG

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

Just to add to the above, it is also very important to have exact requirements specified by the client. For example, a client may start some new projects which simply add another 200 users, or some new Portal installations, etc.

If you see Dipanjan's post, he mentioned 1:500 for production support. This depends on various conditions, like how many new roles/positions you create and what type of tickets (either user administration or authorization) you get as well.

You also need to understand the SLAs requested by the client.

Regards,

Gowrinadh C

9 REPLIES 9

sdipanjan
Active Contributor
0 Kudos

Can't show you any documentation, but the proportion can be treated as 1:1000 for Security Admin : Active Users. For 24x7, it would be 1:500.

regards,

Dipanjan

Former Member
0 Kudos

See my post above. 1:50000 should be theoretically possible with a good design, depending on the type of system, how many of them you have, and how you manage IDs in them and their roles.

If you centralize and automate that which you as sec admin anyway don't need to see or only click away, then it is very scalable.

Cheers,

Julius

sdipanjan
Active Contributor
0 Kudos

In a support scenario, it's really dependent on the solutions and their design, of course. But the figure I provided considers the Prod users only (and idealizes the same group and number to be in use for the Non-prod env also). It's a common ratio I have seen in many, many support project scenarios. For example, for a total of 5000 Prod users (and all other Non-prod users too), a 24x7 support project will require at least 5 people.

Regards,

Dipanjan

P.S.: In new releases with more automation (especially in logon credential areas), it can be reduced up to 1:10000-15000.

Edited by: Dipanjan Sanpui on Oct 9, 2009 4:24 PM

Former Member
0 Kudos

Perhaps we are comparing apples and pears...

How about differentiating between:

- Help desk -> passwords.

- User admin -> creating accounts.

- Role assignment -> approving roles.

- Deactivation and moves -> "Leavers and movers" within the user population.

These can largely be provisioned or automated.

- Security change management -> Creating roles, changing them and security settings.

- Infrastructure security -> Network aspects which influence application settings, design and procedures.

- Security QA -> Code reviews and project involvement.

- Upgrades and research -> Proactive testing and special tasks.

These are difficult to automate, and the skills required are a different set.

But in both cases they are very scalable.

A 1:500 ratio in my opinion has plenty of improvement possibilities to make security more efficient during normal operations (which includes patching cycles).

Cheers,

Julius

Former Member
0 Kudos

Thank you both for your expert opinion; that was very helpful.

I put quite a bit of effort into studying the client's metrics, like no. of tickets per month, frequency of role changes, approval process, no. of user master updates, user provisioning process - all based on geographic location.

I think I did a pretty good analysis.

Finally I came up with the numbers and the structure.

The client did agree with me for the most part, BUT they are insisting on augmenting my analysis with some documentation from SAP. Maybe they don't believe me.

Their argument is that when SAP can provide sizing based on user count & processes, they should definitely have some tools to come up with the support structure (numbers).

I would appreciate it if you could please point me to some documentation (if it exists).

Regards,

SG

Former Member
0 Kudos

I guess it would be easy to get an indication of these metrics for SAP, but I doubt that they would publish such customer information or even collect such data systematically.

Perhaps there is a trend survey or best practice article out there somewhere to benchmark yourself against.

We can do a little plausibility check here in this thread if you want. I suggest that you go first...

Single-Sign-On: yes/no

Identity Management or CUA: yes/no

Number of employees:

Number of SAP systems:

Frequency of patching cycles:

Number of SAP user ID's (total, all clients):

Number of Full-time equivalent employees doing security admin:

Cheers,

Julius

Former Member
0 Kudos


Sure, that would be great.

Single-Sign-On: yes, through portal. Portal authenticates against LDAP, so no password reset requests for production.

Identity Management or CUA: yes. We have 17 SAP instances. Some have CUA and some use GRC.

Number of employees: N/A

Number of SAP systems: 17 production instances

Frequency of patching cycles: Varies, but mostly once a year.

Number of SAP user IDs (total, all clients): around 17,000. 7 ECC or R/3 instances with 8000 users, 5 SRM instances with around 4000 users, 5 BIW instances with around 5000 users; we have XI/PI but there are no end users on this instance (only support team). All instances mentioned above are production instances and have their own 3-tier architecture.

Number of Full-time equivalent employees doing security admin: Full-time employees are not involved in security administration, but they do approve all the changes. We have about 3 full-time employees per region (AP, LAAM, EU, NA) = 12.

Most of the systems are pretty much stable (not many role changes).

Major security tasks: assist external audit teams (security audit once a year, only for R/3 or ECC instances), day-to-day user master changes (remove roles, add roles, create users, delete users), emergency access requests, security in Dev & QA (includes password resets) for the development/support team (around 1000 users).

Thanks,

SG

Former Member
0 Kudos

If you implement Single-Sign-On and have an intact, sustainable authorization concept with workflows on some of the approvals, possibly also using some exits to intervene... then you can scale it very easily and concentrate more on some infrastructural security topics.

Cheers,

Julius
