
Role Designer for SAP

SAP Role Engineering Solution


May 2014
SAP role design is complex and costly

๏ SAP authorizations are notoriously complex. Maintaining SAP roles is a constant challenge.

๏ SAP roles become mis-aligned with the business as organizations and business processes change.

๏ SAP security architects work with home-grown spreadsheets and ad-hoc databases; productivity suffers and project risk is high.

Time for another SAP role re-design.



Are your SAP roles still fit for use?

Bloated Roles: Roles grow over time and get “bloated”.
• Users have more access permissions than they require

Redundant Roles: Roles get “cloned”, and overlap.
• More work to audit and review users and roles

Outdated Roles: The organization changes and roles lose their business relevance, but remain in production.
• Difficult to assign users the right roles

Catch-all Roles: Exceptions and work-arounds become permanent.
• Not secure
• Not compliant

SAP roles are no longer transparent, manageable and secure.

Access management and compliance processes suffer.

Well-conceived SAP roles are critical for robust and secure SAP business processes!



Role Designer for SAP

Role Designer for SAP is a powerful, visual tool for SAP security architects.

๏ Assess the quality of existing SAP roles.

๏ Design new SAP roles that are more secure and transparent.

๏ Enforce access policies and promote compliance.

๏ Subscription solution available as Cloud service on Amazon EC2 or onsite deployment.

Reduce the cost and complexity of SAP role engineering.



Why choose Role Designer for SAP

Role Designer is better than your in-house tools for SAP role design because you can:

๏ Consolidate SAP authorizations and business meta-data in a single reference repository.

๏ Visualize complex SAP authorizations to discover and validate their business structure.

๏ Use SAP-aware role-mining to find business-relevant SAP role candidates.

๏ Formalize and enforce your SAP role design standards.

๏ Facilitate team collaboration with concurrent multi-user access to a single reference repository.

Benefits

✓ Reduce the cost and frequency of SAP role re-design.

✓ Design better SAP roles that streamline authorization and reduce the cost of compliance.

✓ Stop maintaining ad-hoc in-house tools for role design.



Customer Case Study

Nobel Biocare redesigns SAP roles with Bay31

Benefits achieved:

๏ Provisioning time for a new SAP account reduced from days to minutes

๏ Unique transactions assigned in SAP roles reduced from 6500 to 2500

๏ Single non-derived roles reduced from 450 to 15

๏ Massive reduction in role maintenance overhead

“With Bay31, our SAP role redesign took about 50% less time than with the conventional approach, and we achieved a higher quality result.”
– Jeffrey Archer, Head of SAP Security, Nobel Biocare AG



Role Engineering with Role Designer for SAP

Role Assessment
• Import role and business data
• Roles ranked by quality

Role Analysis
• Categorize roles, users and transactions
• Correlate roles with organizational and functional categories
• Check transaction usage patterns

Role Design
• Role instantiation and composition
• Role mining
• Refactor and optimize
• Enforce SoD

Deploy Roles
• Export roles and policies
• Re-provision authorizations

Maintain Roles
• Maintain roles and business attributes
• Cross-system roles and policies
• Role versioning



Role Designer Integration with SAP

[Diagram: data flows between SAP ABAP, SAP GRC and Role Designer]

• Role definitions out: Bay31 ABAP Security Reader
• Role definitions back in: role engineering report for PFCG entry; PFCG integration planned
• SAP GRC SoD rules: GRC export files – SAP GRC 5.3 or 10.0



Delivery and Licensing

Role Designer for SAP is available as a subscription:

๏ Cloud subscriptions are hosted and managed by Bay31 on Amazon EC2.

๏ On-Site subscriptions can be deployed on your laptop or desktop, or in your data-center.



Not only for SAP

Role Designer for SAP works across the whole enterprise:

✓ Any Identity Management (IAM) solution – Oracle, IBM, NetIQ, etc.

✓ Directories – Active Directory, LDAP, etc.

✓ Enterprise roles, enterprise SoD and general Identity compliance.



Rich interactive user interface

Business metadata categorizes users, roles and entitlements:
• Navigate dataset by category
• Unlimited business hierarchies

List View shows users, roles, and entitlements:
• List, filter and sort entities
• Automatically mines role candidates

Matrix View:
• Pattern recognition clusters entitlement assignments
• Visualize and analyze roles
• Interactive role definition



Role Designer for SAP models roles and authorizations down to the lowest levels of the SAP authorization model.

Authorization values in detail.

SAP roles and their authorizations.



Correlate SAP roles with business structure.

See distribution of role across business categories. 7 out of 10 assignments of this role are in the “Global Sales” OU.

This role’s permissions are concentrated in the Sales and Distribution module.



Visualize SAP roles with the interactive permission matrix

A pattern recognition algorithm automatically sorts permission assignments to show roles as contiguous.



Visualize historical transaction usage statistics

Role Designer leverages historical transaction usage logs to help you distinguish used transactions (dark blue cells) and unused transactions (light blue cells). So you can simplify existing roles, or role-mine new roles based only on actually used transactions.



Role-mine business-relevant roles

1. Role Designer automatically mines role candidates. But you have to decide whether each candidate represents a relevant business abstraction.

2. This role candidate correlates with membership in a specific OU (Department). This may indicate a business-relevant role.

3. The entitlements correspond to management of Profit Center records. This is definitely a business-relevant role. Now define the role with 1 click!



Segregation of Duties is built in!

Roles and users with SoD violations are highlighted in red. The SoD analysis is done at the authorization object level and is compatible with SAP GRC rules.

See the violations for a particular role and inspect the business functions and actions that are responsible for the conflict.



Analyze the sources of compliance violations

The Sankey diagram shows how business actions and functions contribute to risks.

Here you can see that the actions VA02 and VA01 enable the function ZSD5, which contributes to 4 risks (Z031, Z030, Z019, Z022). So if you can disable these actions, you can remove 4 risks from the role at once!



Role Overlaps report – discover redundant roles and assignments

When two roles have a lot of authorization objects or users in common, you may be able to merge them, or combine them in a composite role.



Role Designer for SAP Security Reader



SAP tables accessed by the Bay31 Security Reader



Questions?

For more information contact:

Cris Merritt

email: cris@bay31.com

mob: +33 631 08 10 09
