
Role Mapping

Former Member
0 Kudos

My company is implementing SAP and we have this huge issue about role mapping. Being the junior member of a 2-person Security team, I would really appreciate your responses.

Functional teams identify the roles and tcodes. Security creates the roles. But who is responsible for mapping roles to users? We have this huge issue about who should be driving this activity. Our Security Consultant said that our team should be responsible for this. But the Change Management team also wants ownership and has actually started the process. Based on your experience, who should be responsible?

Thanks,

JB

1 ACCEPTED SOLUTION

Former Member
0 Kudos

> But who is responsible for mapping roles to users? We have this huge issue about who should be driving this activity. Our Security Consultant said that our team should be responsible for this. But the Change Management team also wants ownership and has actually started the process. Based on your experience, who should be responsible?

The Change Management team should own the mapping of roles to users. It is a business activity, not a technical one.

The Security team is responsible for performing those assignments in SAP.

Generally, user mapping causes more issues at go-live than any other area in security. Usually the Change Management team will be in a better position to manage this business-related function.

4 REPLIES 4

jurjen_heeck
Active Contributor
0 Kudos

I think you should distinguish between 'responsible' as in 'who signs off' and 'who does the actual work'.

Maybe creating a RACI diagram (http://en.wikipedia.org/wiki/RACI_diagram) could provide some additional insight.

This is definitely not an easy one.

Former Member
0 Kudos

Hi,

Normally the Security team will create the roles and their test plans,

then finally assign them to the end users.

If there is an integrated help desk, they will assign them to the end users.

0 Kudos

Hi,

The guys before are talking in solutions. The person responsible for the employee and the work he is doing is also responsible for making sure that he/she gets the authorization they need. It should not be the case that the person who creates roles can also connect them to the user. It is a possible fraud moment. In principle you have a function that creates the user, another that connects roles to the user, and a function that creates/maintains roles (authorizations). What you must do is avoid the possibilities of fraud. Not every organization is ready for this; you often see a combination. Segregation of duties is the magic word.

Have fun

Bye

Jan van Roest
