Access Manager - SUIM
Authorization management
for SAP Systems
Access Manager Release 2016
The Access Manager is a component of our software package SUIM-AIM and is SAP certified.
The Big Picture
The Access Manager (AM) is a centralized Authorization Management System.
AM allows the administration of the entire SAP portfolio (independent of release status) from a central system.
AM administers, generates and transports SAP roles, profiles, structural authorizations, OLAP profiles or other groups across the entire system landscape.
AM allows the configuration of the system landscape by customizing.
AM offers tools for:
- the efficient administration of User Lifecycle Management.
- the execution of reorganizations as well as mergers & acquisitions at enterprise level.
- the quality management of the authorization objects.
[Figure: Production systems landscape and Test systems landscape, each showing mySAP.com components (6.40, ERP 2004; FI, LO, HR, CRM, KM, B2B, SEM, APO, BI, CFM)]
Highlights
AM-Authorization-Matrix
An authorization officer can perform all tasks typical for the role on one screen. Besides the assignment of all needed authorizations to an SAP user, the SoD verification and the approval process can be initiated.
AM allows rule-based (including periodically recurring) assignment of authorizations.
The structuring by AM-organizations and AM-systems allows an ergonomic presentation in an authorization matrix.
AM-Roles
An AM-Role is a meaningful combination of authorization elements (ERP, BI, structural authorization, organization management objects, Active Directory, etc.) and systems.
Integrating the two dimensions, system architecture and authorization elements, allows flexible representation of complex authorization requirements and at the same time substantially simplifies operational lifecycle management.
AM-Role-Derivation / BI-Profile-Generation
Automated generation of organization-specific derivatives of a master role in the target system based on defined derivation and distribution rules. No manual change is necessary.
AM-Role-Distribution
Real-time role distribution via mapping of an authorization role or an authorization profile to a user in the target system. This ensures that the user is granted all the needed authorizations (and no more). A temporary unavailability of the target system is also compensated by queuing.
AM-Organizations, -Systems, -Role-Catalog
The structuring by organizations, systems and catalogs allows a very simple implementation of the requirements on the one hand, while even very complex scenarios can be represented on the other.
AM-Organization-Level
In AM, authorization fields can be defined not only as general organization fields but also as role-specific ones. This gives the necessary degree of freedom to find the right solution within complex constellations.
AM-Mass-Role-derivation / BI-Profile-Mass-generation
When master roles change or a new organization is integrated into an enterprise, the need for change is usually very extensive. Because all relevant derivations can be adapted or recreated automatically, the amount of work is minimal.
AM-Mass-Role-distribution
The AM distribution mechanisms can be used for bulk processing.
AM-SoD-Analysis
When an authorization or a BI profile is assigned to a user, an automated analysis of the resulting constellation can check whether it contradicts the defined SoD rules.
User Life Cycle: AM-Workplace
Authorization matrix
The AM-authorization-matrix is the most used tool in user life cycle management. This workplace serves to display and maintain all authorization assignments to the SAP users. The SoD and risk analysis, as well as the defined workflow process steps from the request via approval to the physical assignment of the authorizations on the decentralized systems, are initiated from this workspace. The authorization matrix can be used via the web as well as via the SAP GUI.
Main functions
Assign authorization:
- Selection of authorizations by ticking the checkbox in the matrix.
- Representation of complex time dependencies by the AM-time-rules.
Display assigned roles:
- Target / actual comparison of the authorization elements of the SAP user in the respective target systems.
Distribute authorizations:
- Distribution of the target authorization assignments of the SAP user in the respective target systems.
Action log:
- Display of the change records of the selected SAP user.
User Life Cycle: AM-Workflow
In the optional standard process, the workflow is initiated when the super user changes the AM-role-assignment of a user.
The applicant's supervisor is determined and receives the work item originating from the authorization request in his inbox, where he can process it.
The authorization request is granted or denied by the supervisor. The distribution of the authorization mapping (incl. the creation of a possible derivative of a master role in the target system) can be initiated directly from the work item processing.
AM-Standard-Process
Risk-Analysis & Quality-Management
Analysis of Risks and the Segregation of Duties
Segregation of Duties (SoD) is the concept of having more than one person required to complete a task. (Source: Wikipedia)
AM is able to perform an SoD and a risk analysis to ensure that the authorization constellation does not violate the specified function segregation principles.
Quality-Management
AM provides the AM-Quality-Cockpit for monitoring and managing the quality of authorization objects.
The check and revision functions are focused on the following tasks:
- Quality test of the specific roles in the SAP landscape.
- Testing and securing of the authorization consistency between the central AM specification and the decentralized target systems.
- Testing and securing of the user consistency between the central AM specification and the decentralized target systems.
For that purpose, AM uses the extensive risk and SoD analysis mechanisms of the Compliance Enforcer.
The rules and risks defined in the Compliance Enforcer make sure that a potential risk is identified.
In case of a risk, AM generates a workflow message which is forwarded to the responsible decider.
Rollouts, Reorganizations, Mergers & Acquisitions
Project rollouts, reorganizations, mergers or takeovers can cause a high workload in authorization management. Given how critical system security and authorization management are to the success of these events, IM offers high-performing tools for reliable and efficient mass processing.
Mass-Generation
The AM-Mass-Generation generates all derivatives of master roles without manual effort, taking into account the structure and organization elements defined in the AM-Customizing.
- Generation of all roles for a new organization (e.g. accounting area or site).
- Generation of derivatives of a new role for all organizations.
- Regeneration of all derivatives after a change to a master role or to revise manual changes to derivatives on the target systems.
Mass-Assignment
The AM-mass-assignment generates the authorization assignment for all selected users and systems without manual effort.
- Initial mass assignment for new systems (based on already existing assignments in the AM or in terms of a data migration from a CSV file).
- Mass assignment for the users of a new organization to an existing system.
- Regeneration of authorization assignments to revise manual changes to assignments on the target systems.
Mass-Transport
The AM-mass-transport imports authorization objects into the relevant target systems without manual effort.
Mass-Archiving / -Restore
The AM-Mass-Archiving ensures that roles can be deleted and restored.
Our software products are additional modules for SAP or for front-end applications with SAP integration. The focus is set on IT Service Management (ITSM) and the Internal Control System (ICS).
In the ITSM area we cover all customer-oriented processes, from service design, including calculation, acknowledgment and reporting, to accounting. Handling all Access and Identity Management needs, the User Login and Network security, our Identity Management software and related products offer users reliable, efficient and highly adapted solutions. Typical users are IT organizational units and Shared Services Centers.
The ICS is supported by our tools in the definition of requirements (risks) and in the compliance check. We also cover the manual and automatic controls on the process level as well as the general IT control. Typical users are external and internal controllers or ICS and process officers.
«The requirements in the domain of security are complex. To be successful, halfway solutions are not an option.»
Patrick Tambourgi
CEO SUIM
«Coming together is a beginning; keeping together is progress; working together is success». Quote: Henry Ford
Mirjam Stalder
Project manager CCE AG
Our Software Products
SUIM LTD Chemin du Marguery 15
1802 Corseaux,
Switzerland
www.suim.ch
Our collaboration
We offer a network of partners, each contributing expertise and experience in the area of product development, client solution advice, customization and implementation. Our networked approach means we can draw on our teams to respond to clients' requests and to work with them through the design and implementation phases. Crucially, we also ensure that each client has a dedicated contact person for their day-to-day needs and for future development.