Access Manager - SUIM

Authorization management for SAP Systems. Access Manager Release 2016. The Access Manager is a component of our software package SUIM-AIM and is SAP certified.

Transcript of Access Manager - SUIM

Page 1: Access Manager - SUIM

Authorization management for SAP Systems

Access Manager Release 2016

The Access Manager is a component of our software package SUIM-AIM and is SAP certified.

Page 2: Access Manager - SUIM

The Big Picture

The Access Manager (AM) is a centralized Authorization Management System.

AM allows the administration of the entire SAP portfolio (independent of release status) from a central system.

AM administrates, generates and transports SAP roles, profiles, structural authorizations, OLAP profiles or other groups in the entire system landscape.

AM allows the configuration of the system landscape by customizing.

AM offers tools for:

- the efficient administration of the User Lifecycle Management.
- the execution of Reorganizations as well as Mergers & Acquisitions on enterprise level.
- the Quality Management of the authorization objects.

[Figure: production systems landscape and test systems landscape, each showing mySAP.com components: 6.40, ERP 2004, FI, LO, HR, CRM, KM, B2B, SEM, APO, BI, CFM]

Page 3: Access Manager - SUIM

Highlights

AM-Authorization-Matrix

An authorization officer can perform all tasks typical of the role on one screen. Besides the assignment of all needed authorizations to an SAP user, the SoD verification and the approval process can be initiated.

AM allows a rule-based (as well as periodically recurring) assignment of authorizations.

The structuring by AM-organizations and AM-systems allows an ergonomic presentation in an authorization matrix.

AM-Roles

An AM-Role is a reasonable combination of authorization elements (ERP, BI, structural authorization, organization management objects, Active Directory, etc.) and systems.

The integration of the two dimensions, system architecture and authorization elements, allows the flexible representation of complex authorization requirements and at the same time substantially simplifies operative lifecycle management.

AM-Role-Derivation / BI-Profile-Generation

Automated generation of organization-specific derivatives of a master role in the target system, based on defined derivation and distribution rules. No manual change is necessary.

AM-Role-Distribution

Real-time role distribution via mapping of an authorization role or an authorization profile to a user in the target system. This ensures that the user is granted all the needed authorizations (and not more). A temporary unavailability of the target system is also compensated for by queuing.

AM-Organizations, -Systems, -Role-Catalog

The structuring by organizations, systems and catalogs allows, on the one hand, a very simple implementation of the requirements; on the other hand, even very complex scenarios can be represented.

AM-Organization-Level

In the AM, authorization fields can be defined not only as a general organization field but also as a role-specific one. That gives the necessary degree of freedom to find the right solution within complex constellations.

AM-Mass-Role-derivation / BI-Profile-Mass-generation

When master roles change or a new organization is integrated into an enterprise, the need for change is usually very extensive. With the possibility to adapt or recreate all relevant derivations automatically, the amount of work is minimal.

AM-Mass-Role-distribution

The AM-distribution-mechanisms can be used for bulk processing.

AM-SoD-Analysis

When an authorization or a BI profile is assigned to a user, an automated analysis of the resulting constellation can check whether it contradicts the defined SoD rules.

Page 4: Access Manager - SUIM

User Life Cycle: AM-Workplace

Authorization matrix

The AM-authorization-matrix is the most used tool in user life cycle management. This workplace serves to display and maintain all authorization assignments to the SAP users. The SoD and risk analysis, as well as the defined workflow process steps from the request via approval to the physical assignment of the authorizations on the decentralized systems, are initiated from this workspace. The authorization matrix can be used via the web as well as via the SAP GUI.

Main functions

Assign authorization:

- Selection of authorizations by ticking the checkbox in the matrix.

- Representation of complex time dependencies by the AM-time-rules.

Display assigned roles:

Target- / actual-comparison of the authorization-elements of the SAP-User in the respective target systems.

Distribute authorizations:

Distribution of the target-authorization-assignments of the SAP-user in the respective target systems.

Action log:

Display the change records of the selected SAP-User.

Page 5: Access Manager - SUIM

User Life Cycle: AM-Workflow

In the optional standard process, the workflow is initiated when the super user changes the AM-role-assignment of a user.

The applicant's supervisor is determined and receives the work item originating from the authorization request in his inbox, where he can process it.

The authorization request is granted or denied by the supervisor. The distribution of the authorization mapping (incl. the creation of a possible derivative of a master role in the target system) can be initiated directly from the work item processing.

AM-Standard-Process

Page 6: Access Manager - SUIM

Risk-Analysis & Quality-Management

Analysis of Risks and the Segregation of Duties

Segregation of Duties (SoD) is the concept of having more than one person required to complete a task. (Source: Wikipedia)

AM is able to perform an SoD and a risk analysis to ensure that the authorization constellation does not violate the specified function segregation principles.

Quality-Management

AM provides the AM-Quality-Cockpit for monitoring and managing the quality of authorization objects. The check and revision functions are focused on the following tasks:

- Quality test of the specific roles in the SAP landscape.
- Testing and securing of the authorization consistency between the central AM specification and the decentralized target systems.
- Testing and securing of the user consistency between the central AM specification and the decentralized target systems.

For that purpose, AM uses the extensive risk and SoD analysis mechanisms of the Compliance Enforcer.

The rules and risks defined in the Compliance Enforcer make sure that a potential risk is identified.

In case of a risk, AM generates a workflow message which is forwarded to the responsible decider.

Page 7: Access Manager - SUIM

Project rollouts, reorganizations, fusions or takeovers can cause a high workload in authorization management. Given how critical system security and authorization management are to the success of these events, IM offers high-performing tools for reliable and efficient mass processing.

Mass-Generation

The AM-Mass-Generation generates all derivatives of master roles without manual effort, taking into account the structure and organization elements defined in the AM-Customizing.

- Generation of all roles for a new organization (e.g. accounting area or site).
- Generation of derivatives of a new role for all organizations.
- Regeneration of all derivatives after a change to a master role, or to revise manual changes to derivatives on the target systems.

Mass-Assignment

The AM-mass-assignment generates the authorization assignment for all selected users and systems without manual effort.

- Initial mass assignment for new systems (based on already existing assignments in the AM or in terms of a data migration from a CSV file).
- Mass assignment for the users of a new organization to an existing system.
- Regeneration of authorization assignments to revise manual changes to assignments on the target systems.

Mass-Transport

The AM-mass-transport imports authorization objects into the relevant target systems without manual effort.

Mass-Archiving / -Restore

The AM-Mass-Archiving ensures that roles can be deleted and restored.

Rollouts, Reorganizations, Mergers & Acquisitions

Page 8: Access Manager - SUIM

Our software products are additional modules for SAP or for front-end applications with SAP integration. The focus is set on IT Service Management (ITSM) and the Internal Control System (ICS).

In the ITSM area we cover all customer-oriented processes, from service design, including calculation, acknowledgment and reporting, to accounting. Handling all Access and Identity Management needs, the user login and network security, our Identity Management software and related products offer users reliable, efficient and highly adapted solutions. Typical users are IT organizational units and Shared Services Centers.

Our tools support the ICS in the definition of requirements (risks) and in the compliance check. We also cover the manual and automatic controls on the process level as well as the general IT control. Typical users are external and internal controllers or ICS and process officers.

«The requirements in the domain of security are complex. To be successful, halfway solutions are not an option.»

Patrick Tambourgi

CEO SUIM

«Coming together is a beginning; keeping together is progress; working together is success». Quote: Henry Ford

Mirjam Stalder

Project manager CCE AG

Our Software Products

SUIM LTD, Chemin du Marguery 15, 1802 Corseaux, Switzerland

www.suim.ch

Our collaboration

We offer a network of partners, each contributing expertise and experience in the area of product development, client solution advice and customization and implementation. Our networked approach means we can draw on our teams to respond to client's requests and to work with them through the design and implementation phases. Crucially, we also ensure that each client has a dedicated contact person for their day to day needs and for future development.