How many administrators are required for user and roles

h3n
Participant
0 Kudos

Hi,

I am looking for a recommendation for user and role administration. Has SAP published a recommendation on how many employees are needed for role and user administration? I have found nothing in the SAP Notes and the SCN. I am looking for a recommendation for 500 to 1000 SAP users.

Can someone help me?

Regards, Henning

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

There are lots of variables which make it hard to give guidelines - number of environments, amount of project activity, staff turnover, maturity & complexity of role design, regulatory requirements (e.g. FDA will increase effort over & above no regs or simple stuff like SOX).

Very generally I would expect there to be 1 admin for 500-1000 users assuming a 3 tier landscape and ECC, BW and maybe one other module. As Steve has mentioned, I would also expect them to be doing other activities. Typically there will be one or two other people who can provide cover during times of unavailability.

Cheers.

6 REPLIES

Former Member
0 Kudos

The answer to this question depends on many things. For instance, what is your staff turnover like? How often does your organisation restructure internally and need roles to be redesigned? Which components/modules of SAP software are you using?

As a datapoint, we have about 900 users and user/role management is carried out by just one person, with others available to cover absences, etc. That one person has other duties also, so it certainly isn't a full-time job.

We are a fairly settled implementation, though, having been live 14 years now. And we are an ERP-only site, with no portals, BW or other systems to manage access for. I would expect there to be far more changes to users and roles in a new implementation, as it beds down and people figure out how they should be using it. And if you use more applications, access will be correspondingly more complex. Consequently there would be more work, and perhaps the need for more people.

Steve.

Former Member
0 Kudos

I'm not aware SAP has set up guidelines for this. If I can remember correctly from a SAP security scan some years ago (performed by SAP) they stated that the user and role development may not be done by the same person. Otherwise a new user can be created and all authorizations can be assigned to this user. So to answer your question, at least two persons.

The number of role managers and user managers can vary. It depends on the size of your organization and how stable your role concept is. If you have many authorization requests per day because of a newly implemented role concept, you'll need more role managers. If your organization is separated across many locations/countries, it can be useful to have local user managers and a central role manager.

Meta

Former Member
0 Kudos

Hi Henning,

Three security guys are required in order to correctly practise security services (1. User creation, 2. Role creation, 3. Role assignment to users). This way you don't give one individual all the privileges, i.e. create a user, create a role and assign it to the user. This makes execution of tasks efficient and every individual responsible for what they are appointed as. Now, if you have multiple modules implemented then you need more resources to manage them, because having multi-skilled people manage security for other modules gives them more privileges; one way to handle this is by using EAM via GRC.

Nagarajan

Former Member
0 Kudos

Hi,

There is no rule of thumb to decide the no. of security administrators per no. of users to be maintained in SAP. It would depend on plenty of parameters like security role design, user provisioning tools etc.

Most of the companies now are seeing IDM as a holistic solution for user provisioning. In such scenarios security admin work would be more towards role maintenance instead of user provisioning.

I can answer your question in a better way if you can elaborate on the SAP environment you are working in.

Thanks, Nitin

Former Member
0 Kudos

Hi Henning,

The various constraints which we need to look at in this scenario are:

1. Landscapes

2. No. of users

3. What the primary activities involved are

4. Importantly, client business (local or global)

1. For landscapes of more than 3, like (CRM, BW, HR, ECC, PI etc.), you definitely need more than 2 administrators.

2. Administrators for the no. of users depends on activities. If password reset requests are done by administrators, then for 500-1000 it should be 2 full time and 1 maybe part time.

3. If your client or business is global and customers are around the globe, then you may require a minimum of 3 administrators.

Our business is global (US, Europe, China, India and Japan) and we have a 4-system landscape; we have 4 + 1 administrators.

I hope this helps you.