10-30-2009 12:04 PM
Hi All,
Do you have good experience in reorganizing authorization roles? Which is the best methodology to implement? We have had an R/3 system for 12 years and now we have a jungle of roles. Moreover, we are planning to upgrade our R/3 4.6c to ECC 6.0. In your opinion, can the reorganization of roles be done before the upgrade, or is the best way to do it after?
Thanks and regards
Bob
10-30-2009 12:58 PM
If you have plenty of time available before the upgrade, then I would suggest doing a new role design from scratch instead of modifying such old roles. I am quite sure that there are so many things already swallowed that it would be a lot of pain to reorganize them.
You may take them as a reference to redesign the whole role structure, and after a success in test and go-live (with a moderate time period for hypercare) you may be able to sunset this 12-year-old role structure.
Regards,
Dipanjan
10-30-2009 3:35 PM
I agree with Dipanjan. 4.6 -> ECC6 is a reasonable jump, so a redesign beforehand will save time as you will be making plenty of changes regardless.
There are a few activities which you can leverage from the upgrade to save you having to repeat them if you did the redesign afterwards. The main two are testing and post-upgrade/reimp support.
11-02-2009 8:52 AM
Thank you. In your opinion, what could be the added value of SAP GRC, and how could it be used in this reorganization?
Regards
Bob
11-02-2009 9:40 AM
Hi Bob,
Most useful is the ability to perform segregation of duties analysis. That way you know that your redesign will have clean roles from the start (or you know what you have to mitigate). SAP's RAR product is pretty good in this respect, but it is worth bearing in mind that they are not the sole providers of tools which provide SOD analysis. Currently RAR is the best one I have seen.
The ability to grant firefighting access is also very useful. SAP achieves this through their SPM tool. This is increasingly being used to grant temporary access to sensitive business functions (such as open & close periods, upload exchange rates). This way you can remove certain sensitive functions from your standard role design and give access to them on an "as needs" basis.
The GRC suite also has a role management tool which in theory can speed up a role build. All the reports I have had so far are that it is still rather buggy, and the choice to use it should not be taken lightly.
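
The kind of check discussed in the reply above, as an added example that is not part of the thread and not code from any SAP GRC product: a small segregation-of-duties analysis run over a constructed role design, which also flags sensitive transactions that could move to firefighter access. The role names, user assignments, function groupings and rule pairs are assumptions made for illustration; the transaction codes are standard SAP ones.

```python
# Constructed rule set: business function -> SAP transaction codes (illustrative grouping).
FUNCTIONS = {
    "maintain_vendor": {"FK01", "FK02", "XK01"},
    "process_payments": {"F110", "F-53"},
    "create_po": {"ME21N"},
    "goods_receipt": {"MIGO"},
}
# Function pairs that one person should not hold together (assumed rules).
SOD_RULES = [("maintain_vendor", "process_payments"), ("create_po", "goods_receipt")]
# Sensitive transactions to keep out of standard roles and grant only temporarily:
# OB52 = open/close posting periods, OB08 = maintain exchange rates.
FIREFIGHTER_ONLY = {"OB52", "OB08"}

# Constructed role design and user assignments (hypothetical names).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FB60"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_PURCHASER": {"ME21N", "MIGO"},
    "Z_GL_ACCOUNTANT": {"FB50", "OB52"},
}
USERS = {"ALICE": ["Z_AP_CLERK", "Z_AP_PAYMENTS"], "BOB": ["Z_GL_ACCOUNTANT"]}


def sod_conflicts(tcodes):
    """Return the SoD rules violated by one set of transaction codes."""
    held = {f for f, codes in FUNCTIONS.items() if codes & tcodes}
    return [rule for rule in SOD_RULES if set(rule) <= held]


def analyse(roles, users):
    """List role-level conflicts, sensitive tcodes in roles, and user-level conflicts."""
    findings = []
    for name, tcodes in sorted(roles.items()):
        findings += [("role", name, rule) for rule in sod_conflicts(tcodes)]
        findings += [("sensitive", name, t) for t in sorted(tcodes & FIREFIGHTER_ONLY)]
    for user, assigned in sorted(users.items()):
        combined = set().union(*(roles[r] for r in assigned))
        in_one_role = {rule for r in assigned for rule in sod_conflicts(roles[r])}
        # Report only conflicts that arise from combining individually clean roles.
        findings += [("user", user, rule) for rule in sod_conflicts(combined)
                     if rule not in in_one_role]
    return findings


if __name__ == "__main__":
    for finding in analyse(ROLES, USERS):
        print(finding)
```

Running the same analysis on the redesigned roles before go-live shows which conflicts sit inside a single role (fix the role) and which only appear through a user's combination of roles (fix the assignment or mitigate).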