09-27-2013 8:36 AM
Hi,
We are considering switching the authorization administration from central to decentralized administration. As the number of modules on the machine increases, the administration should be done in a decentralized manner by the developers in the modules. We use the modules FI, CO, CATS, PS, MM, and some more.
Does anyone have a recommendation or experience for decentralized or centralized authorization administration?
Thanks in advance
Henning
09-29-2013 8:09 PM
I would recommend having a centralized authorization administrator with all business and technical knowledge. This person will maintain all the authorizations.
Besides this, a central security officer that will deal with all security issues.
For local user support it might be handy to have local user administrators. They can only assign local (company specific) roles to users and only with valid authorization request forms. But it is also possible to have the user administrator centralized.
Meta
09-29-2013 5:55 PM
Hi Henning,
Both types have their advantages. Some feel one is better than the other, but in my experience I have seen that how well you manage the authorization depends upon how many locations and landscapes you have. From a standards and control perspective, centralized management is considered to be more effective and easier to deal with, as the decision makers and stakeholders are known to everyone and they have good control and understanding of all.
Regards,
Nagarajan
09-30-2013 8:34 AM
Hi Nagarajan,
I have forgotten one important thing. We have about 700 users at two locations.
When I read the rest of the replies, I come to think that a centralized administration will be the best way for role administration.
Thanks to all of you for the detailed answers.
Regards
Henning
09-30-2013 2:06 PM
You are welcome Henning. You will find centralized administration even more useful when you go with GRC AC also.
Thank you,
Nagarajan
09-29-2013 6:26 PM
How many decentral orgs do you have? Or are they global "modul" orgs, and can be grouped into 4 groups, which are actually 5 people and they also substitute each other?
Authorization management (building roles, maintaining SU24, processing upgrades, harmonizing menus for the Business Client, etc.) is certainly an expert skill. It also digs deep into the organizational elements (including choleric users and bullyish consultants), processes (which are often not harmonized in the real world) and the system architecture.
On IDM projects it is all too often a fiasco because the authorization concept to be provisioned is a dog's breakfast...
If you decentralize authorization administration, then you should only go as far as S_USER_AGR for a namespace convention for their own roles and the ability to assign them (that is user admin actually) and the ability to create "delta roles" with object (S_USER_OBJ) and values "S_USER_VAL" to bridge emergencies. Everything else (such as real changes and transporting including eliminating emergency roles) should ideally be done centrally, otherwise you are almost guaranteed to have a big mess.
Rather offer a service level for change requests and delegate the approval via workflow to the remote owner of the role.
2 central and well trained gurus is a better option in all cases IMO.
Cheers,
Julius