Application Development Discussions

Help needed for SAP Security design for a project.

Former Member

Hello Experts!

I am reaching out to this forum in the hope of getting some help/input from you guys to finalize the correct role structure for a company.

Right now they have 10% of their business on SAP and the rest on legacy. Now they have started implementing SAP for the remaining 90% of the business.

In their current production system they have assigned one composite role to one position, with a single enabler role to control the organizational level.

So, basically they have removed all organizational level objects from the other single roles which they have assigned to composite roles.

And added all org. level values to one single role with no activity (01, 02, 03, etc.) in it.

Based on experience, I generally design composite – master – derived roles, and this has worked correctly for multiple projects in all business types (Pharma, Fin etc.).

To let you know, I have implemented an enabler role for the FICO area (only) in one of my previous projects and faced several issues after go-live.

I have proposed a composite – master – derived role structure to management, but they are not ready to increase their composite roles, as non-SAP people
are doing user/role provisioning here and they are afraid that there could be more chance of error if SAP security creates any complex structure.
So to make it easy they have one role (composite) per position, with one profit center role (org. level role).

E.g., a General Manager (position) is assigned one general manager composite role with his location, so he can only have access to his
location. However, when anyone else joins a similar position (GM) in the company, it's easy for them to provision the user/role. This makes it easy for the managing team to assign, and not to struggle to find
the correct role for every new joiner; instead they just check the position (e.g., GM), the corresponding composite role, and his/her location from HR and assign it.

So my concern is: is there any other better structure(s) that I could propose to them without increasing the number of composite roles?

In case an enabler role is the only solution here, what could be the pros and cons, and what kind of major precautions should I take while implementing it?


Thanks a lot in advance!


1 REPLY

Colleen
Advisor

Hi Nibha

I would try to argue the position on why enabler roles are bad, and not just "this is how I design/build". There seems to be a fixation with administrative overhead but no consideration of security risk.

Splitting out organisational values from other fields within an authorisation is not best practice. It breaks the SAP security model for PFCG/SU24, upgrades/enhancement packs, etc. But more so, how are you able to restrict display and change access? Master data is a big one (and claiming you haven't given the transaction code is not going to be a guarantee that it's restricted).

Going from a 10% to a 100% transition to SAP calls for revisiting the security architecture. Part of solving this is to look at end-to-end provisioning as well as role build effort.

Personally, I don't like composite roles but am starting to revisit that view (in light of NWBC menus and IdM provisioning).


So, basically they have removed all organizational level objects from the other single roles which they have assigned to composite roles.

And added all org. level values to one single role with no activity (01, 02, 03, etc.) in it.

Where do the activity values go? Trying to understand how they split out an object like F_BKPF_BUK.


Is there any other better structure(s) that I could propose to them without increasing the number of composite roles?

The number of roles in isolation should not be the argument. Again, how is this being provisioned, and what is the user base? If the user base is increasing, then perhaps automated provisioning could be useful with derived/single roles.

Good luck on your argument. If you search SCN you will see this discussion come up a bit.

Regards

Colleen
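To make the two points in this thread concrete (the question's "one org-level role with no activity in it" and Colleen's "where do the activity values go?" and "how are you able to restrict display and change access?"), here is a small Python model of the SAP authority-check rule: a check on an object passes only when a single authorization holds acceptable values for every checked field; values are never combined across authorizations or roles. This is an added example, not code from the thread, from SAP, or from either poster. The role names, company codes and the exact shape of the enabler design (functional role carries only S_TCODE, enabler role carries F_BKPF_BUK with full activity) are constructed assumptions; a third "naive split" variant shows what happens when activity and company code are put in different authorizations with nothing else.

```python
"""Toy model of SAP AUTHORITY-CHECK semantics applied to three role designs.

Added example, not code from the thread or from SAP. All role names and
values below are constructed; the enabler layout is an assumption about
one common way that design is built.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Authorization:
    """One authorization (profile entry) for an object: field -> allowed values."""
    obj: str
    fields: Dict[str, Set[str]]      # '*' stands for full authorization


@dataclass
class Role:
    name: str
    auths: List[Authorization]


def _field_ok(allowed: Set[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def authority_check(roles: List[Role], obj: str, **required: str) -> bool:
    """Passes only if ONE authorization for `obj` satisfies every checked field.
    A field that is not maintained in an authorization (empty set) fails, so
    values from two different authorizations or roles are never merged."""
    for role in roles:
        for auth in role.auths:
            if auth.obj != obj:
                continue
            if all(_field_ok(auth.fields.get(f, set()), v) for f, v in required.items()):
                return True
    return False


def derived_design() -> List[Role]:
    """Master/derived: activity and org level sit in the same authorization."""
    return [Role("Z_FI_DISPLAY_1000", [
        Authorization("S_TCODE", {"TCD": {"FB03"}}),
        Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"03"}}),
    ])]


def enabler_design() -> List[Role]:
    """Assumed enabler variant: functional role carries the transaction only;
    the enabler role carries the org-level object with full activity."""
    return [
        Role("Z_FI_DISPLAY", [Authorization("S_TCODE", {"TCD": {"FB03"}})]),
        Role("Z_ORG_1000", [Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"*"}})]),
    ]


def naive_split_design() -> List[Role]:
    """Activity in the functional role, company code in the org role, nothing else."""
    return [
        Role("Z_FI_DISPLAY", [
            Authorization("S_TCODE", {"TCD": {"FB03"}}),
            Authorization("F_BKPF_BUK", {"ACTVT": {"03"}}),
        ]),
        Role("Z_ORG_1000", [Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}})]),
    ]


def evaluate(roles: List[Role]) -> Dict[str, bool]:
    """The checks a reviewer cares about for a display-only FI user in company code 1000."""
    return {
        "display_own_cc": authority_check(roles, "F_BKPF_BUK", BUKRS="1000", ACTVT="03"),
        "display_other_cc": authority_check(roles, "F_BKPF_BUK", BUKRS="2000", ACTVT="03"),
        "change_own_cc": authority_check(roles, "F_BKPF_BUK", BUKRS="1000", ACTVT="02"),
        "start_FB02": authority_check(roles, "S_TCODE", TCD="FB02"),
    }


def compare_designs() -> Dict[str, Dict[str, bool]]:
    return {
        "derived": evaluate(derived_design()),
        "enabler": evaluate(enabler_design()),
        "naive_split": evaluate(naive_split_design()),
    }


if __name__ == "__main__":
    for design, result in compare_designs().items():
        print(f"{design:12s} {result}")
```

Reading the output: the derived design gives display in the user's own company code and nothing else. The enabler design gives the same display access, but `change_own_cc` is also true at the object level; the only thing standing between a display user and a posting is S_TCODE, which is exactly the guarantee Colleen says you cannot rely on (custom reports, other transactions that check the same object, and RFC paths all bypass it). The naive split fails every check, because no single authorization holds both BUKRS and ACTVT; in a real system PFCG would not even generate an authorization with an unmaintained field, so the model's "empty set fails" is the optimistic reading of what happens.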