It is a familiar story: the accountant indicates that the access control in the SAP system is not in order. Unauthorized authorizations have never been withdrawn. Users have too much or a wrong combination of rights.

The result is that the auditor has to carry out more checks to be able to approve the annual figures. Of course that means more costs. In addition, one must take into account the risks of fraud and theft of confidential data. With the introduction of the AVG (in English called GDPR) legislation, the theft of personal data is very up-to-date.

Complexity

The complexity of the access control of an SAP system is a problem for many companies. A SAP system has many functions to which, no or partial authorizations can be given. Depending on the implemented SAP modules, more than 10,000 (!) different authorizations (transaction codes) are possible. In addition, a company can also have custom made applications added to the SAP system with possibly poorly documented authorizations.

SAP has invested a great deal in the integration of modules. For example, someone in the HR department can enter a new employee in SAP. The payroll can then take place in SAP. In the financial department, the wage costs are processed in the general ledger administration of SAP. To make this process possible, employees from different departments must have access to SAP, but with the right authorization. For the ICT department, SAP authorisation management is complex and this becomes even more complex if the company grows or changes significantly and the mutation rate among employees is high, many changes on the authorization level are required. This makes SAP access management a labor-intensive process.

Improvement

Access control in SAP is often not in order, which is a business risk. This access management is technically complex, takes place in a complex organization and is related to various business processes.

What possible improvements can be made? The first step is to investigate whether the SAP roles are still satisfactory. SAP roles are the building blocks of SAP access management. These roles must be maintained and adjusted when the organization changes. The SAP roles may have to be redesigned.

Sometimes this first step is not enough. If the level of change at a company is high, or if the risks of bad access management are high, then implementing an SAP system with associated IAM processes is an option. Especially when access control for non-SAP systems is also an issue. We at Navaio can help you with this.