Automation is Possible: SAP Access Management

Automation is crucial for repetitive tasks. Power users and process owners often complain that their daily routines involve numerous straightforward transactions, consuming a substantial amount of time. Within the SAP Environment, these routines are often streamlined by applying customizing solutions. Naturally, these efforts require time and resources. Therefore, applying solutions within the borders of SAP’s standards is the real deal.

In terms of access management in SAP or similar ERP systems, role provisioning is one of the most critical responsibilities to hand over to a user. Even though it is such a simple task, it requires the supervision of an expert; otherwise the consequences might be serious, since this action sets the boundaries of what a user can or cannot do in the system.

During their S/4 HANA transformation, our client, a well-known multinational professional management consulting giant, drew attention to the need for role provisioning to be partially automated, since they were wasting a vast amount of qualified workforce on such a simple task. As the number of users increases when collaborating with such a global organization, the urgency of automation also increases. This blog post tells the success story of how to structure automation in SAP Access Management within the boundaries of SAP standard functionalities.

Measure the required level of Automation

Automation in such business applications is only (cost) effective when it’s designed properly considering the requirements. While a limited level of automation does not provide the desired improvement, chasing an excessive amount of automation would make it impossible to maintain and control applications.

For role management, it’s better to focus on identifying patterns with similar transactional backgrounds. Many users in these systems share similar access needs. Design preset default roles for groups with identical access levels, especially for users handling routine tasks like reporting, leave requests, or viewing their own payrolls. These users only need the corresponding Fiori applications (if managed on Fiori) along with commonly used transaction codes such as SU53, SU3, SP02, etc. So why bother assigning multiple roles manually when you can set default composite roles for the required number of usage patterns, and then let SAP assign the roles to the users by checking the users’ HR information?

This approach ensures that even new employees quickly receive SAP accounts with the necessary authorizations. Creating a user that contains the correct HR data is the only effort before letting the user start using the system with the correct authorizations.

Constructing the Background

In order to achieve a successful result, collaboration with the HR module is extremely critical, since SAP allows you to assign pre-built roles to all existing and prospective users automatically by leveraging the HR information behind each user.

Here, it is possible to use seven types of agents to design the assignment of roles to the appropriate groups. The agent type that contains fractions of user groups will be used to construct the logic of automatic role provisioning.


For instance, let’s say the company is operating in ten different locations, each of which has a different organizational unit code assigned to its users. Each location also uses a set of transactions common within that location. Then, using this functionality, it will be possible to automatically assign the role:

 Z_DEFAULT_LOCATION01 where Organizational Unit = Location 1
 Z_DEFAULT_LOCATION02 where Organizational Unit = Location 2
 Z_DEFAULT_LOCATION10 where Organizational Unit = Location 10

Results & Maintenance

In summary, our client asked for a role structure that includes default roles for common-use purposes and wanted these roles to be assigned to users automatically when new employees join. Without requiring any development effort, transactional history was analyzed and useful default composite roles were constructed. By using SAP’s standard approach of assigning roles according to the HR information behind the users, automation of these default roles was achieved. The repetitive workload on the qualified access management team was relieved.

By activating this automation, thousands of new users will receive their authorizations as soon as they step into the company. The advantage that we leveraged here is the fact that our client was undertaking an S/4 transformation, and their new system was built from scratch. Therefore, re-construction of the HR master data was also possible, and this construction followed the requirements. However, if there is a strong HR infrastructure behind it, this approach is applicable to any organization.

Last but not least, continuous collaboration between Access Management and HR module teams is crucial for ongoing improvement. Depending on the changes made in the HR structure, roles might need some adjustments as well in order to keep the automation effective.
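A periodic reconciliation is one way to notice when the HR structure and the default roles have drifted apart. The following is an added example, not part of the original post or of any SAP tooling: it compares a constructed HR export with a constructed role-assignment export against the organizational unit to default role mapping described above. The CSV column names, user IDs and finding labels are assumptions made for illustration.

```python
import csv
import io

# Mapping taken from the post: one default composite role per organizational
# unit. The page names only locations 1, 2 and 10, so only those appear here.
DEFAULT_ROLE_BY_ORG_UNIT = {
    "Location 1": "Z_DEFAULT_LOCATION01",
    "Location 2": "Z_DEFAULT_LOCATION02",
    "Location 10": "Z_DEFAULT_LOCATION10",
}
DEFAULT_ROLE_PREFIX = "Z_DEFAULT_LOCATION"

# Constructed sample exports; column names and user IDs are hypothetical.
HR_EXPORT = "user,org_unit\nALICE,Location 1\nBOB,Location 2\nCAROL,Location 10\nDAVE,Location 3\n"
ROLE_EXPORT = ("user,role\nALICE,Z_DEFAULT_LOCATION01\nBOB,Z_DEFAULT_LOCATION01\n"
               "BOB,Z_DEFAULT_LOCATION02\nERIN,Z_DEFAULT_LOCATION10\n")

def load(text, key, value):
    """Group one CSV column by another, e.g. user -> set of roles."""
    grouped = {}
    for row in csv.DictReader(io.StringIO(text)):
        grouped.setdefault(row[key].strip(), set()).add(row[value].strip())
    return grouped

def reconcile(hr_text, role_text):
    """Return (user, finding, details) tuples where HR data and roles disagree."""
    hr = load(hr_text, "user", "org_unit")
    roles = load(role_text, "user", "role")
    findings = []
    for user in sorted(set(hr) | set(roles)):
        # Only the automated default roles are in scope; other roles are ignored.
        held = {r for r in roles.get(user, set()) if r.startswith(DEFAULT_ROLE_PREFIX)}
        if user not in hr:
            if held:  # default role still assigned, but no HR record backs it
                findings.append((user, "NO_HR_RECORD", sorted(held)))
            continue
        expected = set()
        for unit in sorted(hr[user]):
            if unit in DEFAULT_ROLE_BY_ORG_UNIT:
                expected.add(DEFAULT_ROLE_BY_ORG_UNIT[unit])
            else:  # HR structure changed and no default role was defined for it
                findings.append((user, "UNMAPPED_ORG_UNIT", [unit]))
        if expected - held:
            findings.append((user, "MISSING", sorted(expected - held)))
        if held - expected:  # e.g. a role kept after a move between locations
            findings.append((user, "EXCESS", sorted(held - expected)))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_EXPORT, ROLE_EXPORT):
        print(finding)
```

An EXCESS or NO_HR_RECORD finding means a user holds a default role that the HR data no longer justifies, which is the case to review first from a least-privilege standpoint.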


Can Sözen

GRC Consultant

