SAP Security – How to Completely Change Maintaining Multiple Locations

Blog | Mar 2, 2016

Over the various releases of SAP ECC (ERP) there have been many approaches to SAP Security. Most of them include multiple ‘task’ roles for each location (e.g. AR Clerk in Germany, AP Clerk in North America). Invariably, we wind up with an entire set of roles per location, or a set of ‘task’ roles that are derived using a template role. Either way, once a new location is added to the company, a whole new set of roles needs to be created for it. This can be time-consuming and challenging for any SAP Security Administrator.

Streamline the Process - Enabler Role

A few years ago, I was introduced to the concept of ‘Enabler Roles’, which I had read about in an article from SAP Insider, and the model it presented spoke to my years of role maintenance and role re-design in SAP Security. The article explained that there are two pieces to create when granting access to end users: what they can do and where they can do it. In this model, the ‘enabler’ role is an authorization-only role that grants access to the ‘where’. Similar to ‘derived roles’, ‘enabler’ roles have a ‘one to many’ relationship with ‘task’ roles (creating invoices, for example). One enabler role should give the ‘where’ access for all the ‘task’ roles a user has assigned to them.


Tighter Security Controls

The ‘enabler’ role provides tighter controls for the organizational units, from Company Codes, Sales Organizations, Plants and Ship-to to any other configured organizational level within the corporate SAP configuration. Simply put, it is possible to see who has access to North America by reviewing which users are assigned that ‘enabler’ role. In addition, a user can have access to multiple locations, such as Japan and North America, by being assigned two ‘enabler’ roles. The task role does not use any ‘organizational’ levels and relates only to the user’s job tasks.

Reduction in Number of Roles Required

I have used this model for clients and the results have been successful. The number of roles overall was reduced because of the one-to-many relationship of the enabler roles. Typically, the ‘task’ roles are also reduced. Clients were able to maintain both ‘enabler’ roles and ‘task’ roles easily. SAP upgrades are also maintainable because the enabler role only needs to add the new organizational objects brought in by the support pack or upgrade.
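The ‘what’ and ‘where’ split described above can be sketched as a simplified model. This is an added example, not code from the original post or from SAP. The role names, users and company codes are constructed, and pairing every task with every organizational value is a modelling assumption rather than SAP's authorization check logic.

```python
# Simplified model of the task/enabler split (constructed data, not SAP's
# AUTHORITY-CHECK logic): task roles carry the "what", enabler roles the "where".
from itertools import product

TASK_ROLES = {            # role name -> job tasks it grants (hypothetical names)
    "T_AR_CLERK": {"post_customer_invoice", "display_customer"},
    "T_AP_CLERK": {"post_vendor_invoice"},
}
ENABLER_ROLES = {         # role name -> organizational values it grants
    "E_NORTH_AMERICA": {"company_code": {"US01", "CA01"}},
    "E_JAPAN": {"company_code": {"JP01"}},
}
USER_ROLES = {            # constructed user assignments
    "alice": {"T_AR_CLERK", "E_NORTH_AMERICA"},
    "bob": {"T_AR_CLERK", "T_AP_CLERK", "E_NORTH_AMERICA", "E_JAPAN"},
    "carol": {"T_AP_CLERK"},   # task role without an enabler: no "where"
}

def users_with_enabler(enabler):
    """Access review: who can work in a location = who holds its enabler role."""
    return sorted(u for u, roles in USER_ROLES.items() if enabler in roles)

def effective_access(user, level="company_code"):
    """Every task the user holds, paired with every org value the user holds."""
    roles = USER_ROLES[user]
    tasks = set().union(*(TASK_ROLES[r] for r in roles if r in TASK_ROLES))
    orgs = set().union(*(ENABLER_ROLES[r].get(level, set())
                         for r in roles if r in ENABLER_ROLES))
    return set(product(tasks, orgs))

def role_counts(n_tasks, n_locations):
    """Roles to maintain: one set per location vs. task roles plus enablers."""
    return {"per_location": n_tasks * n_locations,
            "enabler_model": n_tasks + n_locations}
```

In this model, bob's two task roles apply in both of his locations, so a reviewer should confirm that every task/location pairing is intended before assigning a second enabler role.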

Governance, Risk and Compliance rulesets will look at the ‘activity’ of the task roles, and the ‘enabler’ roles can use mitigating controls if needed to explain their purpose.

Simplify the Addition of a New Location

Overall, the ‘enabler’ model has simplified role and user maintenance and made the addition of a new office, location, plant or organization practically seamless.
