
Ratio of roles to user

Former Member
0 Kudos

Does someone know what the ideal roles per user ratio is?

A security assessment done by SAP says that 1.3 security roles for every ID with interactive logon is considered as extremely high.

We have:

1485 user ID

1758 (roles and profiles)

- 1364 roles

- 394 not generated profiles

1.2 ratio (1758 / 1485)

4 REPLIES 4

Former Member
0 Kudos

Well, that might be a difficult question depending upon what modules you have implemented, the controls environment - i.e. SOX - and the size of your organization. But IMHO, the SAP assessment is correct - you have more roles than user IDs. Technically speaking you could have just given everyone a unique role. Not sure if anyone else here has an idea of what the ratio would be, but I would say that as soon as that ratio is approaching 1 - i.e. 1 role per user - then I think you would need to look at either the security design or how security maintenance is being done.

Former Member
0 Kudos

Hi Louise,

This is one of those "how long is a piece of string" questions and can depend on many things including complexity of security requirements, organisational structure etc.

There is no magic number there, I have worked on implementations ranging from <100 roles for 16000 users to 30000 roles for 8000 users.

Out of preference, unless there are very complex requirements, I would really not want to get to the situation where the design necessitated anywhere close to 1 role per user unless the circumstances warranted it.

Roles get built in certain ways (am I right in thinking yours is at task level rather than job level?) for a variety of reasons, but what is most important is that they provide adequate control over the business processes, they are maintainable and the provisioning process is manageable.

Former Member
0 Kudos

Hi,

That's a very good question!!

Roles to user ratio in our system is less than 1.

I made an extensive search and I got the results that for every 8 users 1 role would be the ideal scenario; the fewer the roles, the more efficient the system is.

Follow up the document which explains the scenario in detail.

http://findarticles.com/p/articles/mi_m4153/is_1_65/ai_n24377925/pg_2

Rakesh

0 Kudos

> I made an extensive search and I got the results that for every 8 users 1 role would be the ideal scenario; the fewer the roles, the more efficient the system is.

Hi Rakesh,

After reading that link you kindly provided, I feel the need to comment that, in my opinion, the subject is too complex to be able to say that 8 users/role is optimum, as there are so many variables involved (good in BW, not in R/3...).

I would be interested in seeing a reference from the "experts" that are recommending that figure as the statement is a very broad one to make, especially for an intended audience who are not SAP Security design experts. While there is plenty of valid stuff in there, this quote jumps out at me straight away:

"in general, the fewer the roles, the more efficient the user provisioning process is and the better the system security"

I can think of plenty of cases where a low number of roles has created large numbers of important SODs and given access to data and functions which should really be protected.

Contrary to what my post may appear to say, I am a huge advocate of having the minimum number of roles to do the job properly but "the job" has so many factors which need to be taken into consideration before deciding how to construct the logical access.

More worryingly (for me anyway), the increase in spread of automated provisioning tools such as Access Enforcer will reduce the administrative burden of user provisioning & I can see even more return to role design & build in small units, as there is no longer so much concern over the accurate assignment.

Cheers

Alex
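
As an added example (not part of the original thread), the sketch below computes the same roles-per-user-ID division the question uses from a user-to-role assignment export, and also lists roles held by exactly one user, the "unique role per user" pattern the first reply describes. The CSV layout, column names and role names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample: one row per user-to-role assignment (not real data).
SAMPLE = """user,role
ALICE,Z_FI_AP_CLERK
BOB,Z_FI_AP_CLERK
CAROL,Z_FI_AP_CLERK
CAROL,Z_FI_AP_MANAGER
DAVE,Z_MM_BUYER
ERIN,Z_MM_BUYER
ERIN,Z_MM_BUYER_ERIN
FRANK,Z_SD_ORDER_FRANK
"""


def role_metrics(csv_text):
    """Summarise a user/role assignment export (columns: user, role)."""
    users_by_role = defaultdict(set)
    roles_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, role = row["user"].strip(), row["role"].strip()
        if not user or not role:
            continue  # skip incomplete rows rather than counting blanks
        users_by_role[role].add(user)
        roles_by_user[user].add(role)
    if not roles_by_user:
        raise ValueError("no assignments found")
    # Roles held by exactly one user: candidates for design review.
    single_user = sorted(r for r, u in users_by_role.items() if len(u) == 1)
    return {
        "users": len(roles_by_user),
        "roles": len(users_by_role),
        # Same division as in the question: roles / user IDs.
        "roles_per_user_id": round(len(users_by_role) / len(roles_by_user), 2),
        "median_users_per_role": median(len(u) for u in users_by_role.values()),
        "single_user_roles": single_user,
    }


if __name__ == "__main__":
    for key, value in role_metrics(SAMPLE).items():
        print(f"{key}: {value}")
```

A single-user role is a review candidate rather than a finding in itself: in the constructed sample, the manager role is legitimately held by one person, while the per-person variants are the design smell.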