Last week I visited a large European telecomm company in order to assist and consult them on their SAP system access rights.
In the first couple of days, we dedicated the time to analyze the data that was imported into Eurekify/Sage and generate many cleansing reports. A cleansing project is an essential process before any RBAC project.
By the way, the import of data was done by using the Eurekify built-in connectors to SAP.
The cleansing analysis was done on 2 levels:
1. Roles (complex and simple)
2. Authorization objects and fields.
The second phase of the analysis revealed astounding facts about their current roles:
1. The complex roles covered only 2% of the users!!
2. Most of the access rights were not via complex roles, but rather directly to simple roles. Only 4% of the access rights to simple roles where via complex roles.
3. They had many dual access rights to “simple role” which means that a user had access to the simple role directly and also via a complex role.
4. They found that they had many simple roles that could be merged.
5. Many simple roles could be deleted since they were not used any more.
The highlight of the project was the SAP complex role re-engineering. We reversed engineered the “complex roles” and deleted the roles.
Within 1 day of (partial!!) role engineering, we managed to create new complex roles (less than what they had before by 20%), however:
1. The new roles covered 40% of the users!!
2. The new roles covered 26% of the access rights to “Simple Roles”!!
In the upcoming weeks the project will continue in 2 layers:
1. Cleansing the SAP access rights data from complex roles down to the fields.
2. Continuing with the Role Engineering in order to create a full model of complex roles.
Are you interested in applying this experience to your SAP system?
If yes, feel free to contact me.
Ilan Sharoni
http://www.eurekify.com/
