Access Manager. Authorization management for SAP Systems. Release 2016


1 Access Manager Release 2016
Authorization management for SAP Systems
The Access Manager is a component of our software package SUIM-AIM and is SAP certified.

2 The Big Picture
The Access Manager (AM) is a centralized Authorization Management System. AM offers tools for:
- the efficient administration of User Lifecycle Management.
- the execution of Reorganizations as well as Mergers & Acquisitions on enterprise level.
- the Quality Management of the authorization objects.
AM allows the administration of the entire SAP portfolio (independent of release status) from a central system.
AM administrates, generates and transports SAP roles, profiles, structural authorizations, OLAP profiles or other groups in the entire system landscape.
AM allows the configuration of the system landscape by customizing.
[Figure: production systems landscape and test systems landscape, each showing 6.40 ERP 2004, FI, LO, SEM, HR, APO, CFM, B2B, mysap.com components, KM, BI, CRM]

3 Highlights
AM-Authorization-Matrix: An authorization officer can perform all tasks typical of the role on one screen. Besides the assignment of all needed authorizations to an SAP user, the SoD verification and the approval process can be initiated. AM allows a rule-based (including periodically recurring) assignment of authorizations. The structuring by AM-organizations and AM-systems allows an ergonomic presentation in an authorization matrix.
AM-Roles: An AM-Role is a reasonable combination of authorization elements (ERP, BI, structural authorization, organization management objects, Active Directory, etc.) and systems. The integration of the two dimensions, system architecture and authorization elements, allows the flexible representation of complex authorization requirements and at the same time substantially simplifies the operative lifecycle management.
AM-Role-Derivation / BI-Profile-Generation: Automated generation of organization-specific derivates of a master-role in the target system based on defined derivation and distribution rules. No manual change is necessary.
AM-Role-Distribution: Real-time role distribution via mapping of an authorization role or an authorization profile to a user in the target system. This ensures that the user is granted all the needed authorizations (and no more). Temporary unavailability of the target system is also compensated for by queuing.
AM-Organizations, -Systems, -Role-Catalog: The structuring by organizations, systems and catalogs allows a very simple implementation of the requirements on the one hand, while on the other hand even very complex scenarios can be represented.
AM-Organization-Level: In the AM, authorization fields can be defined not only as a general organization field but also as a role-specific one. That gives the necessary degree of freedom to find the right solution within complex constellations.
AM-Mass-Role-derivation / BI-Profile-Mass-generation: When master-roles change or a new organization is integrated into an enterprise, the need for change is usually very extensive. With the possibility to adapt or recreate all relevant derivations automatically, the amount of work is minimal.
AM-Mass-Role-distribution: The AM distribution mechanisms can be used for bulk processing.
AM-SoD-Analysis: On the assignment of an authorization or a BI-profile to a user, an automated analysis of the resulting constellation can check whether it contradicts the defined SoD rules.

4 User Life Cycle: AM-Workplace
Authorization matrix
The AM-authorization-matrix is the most used tool in the user life cycle management. This workplace serves to display and maintain all authorization assignments to the SAP users. The SoD and risk analysis, as well as the defined workflow process steps from the request via approval to the physical assignment of the authorizations on the decentralized systems, are initiated from this workspace. The authorization matrix can be used via web as well as via the SAP GUI.
Main functions
Assign authorization:
- Selection of authorizations by ticking the checkbox in the matrix.
- Representation of complex time dependencies by the AM-time-rules.
Display assigned roles: Target/actual comparison of the authorization elements of the SAP user in the respective target systems.
Distribute authorizations: Distribution of the target authorization assignments of the SAP user in the respective target systems.
Action log: Display the change records of the selected SAP user.

5 User Life Cycle: AM-Workflow
AM-Standard-Process
In the optional standard process, the workflow is initiated when the super user changes the AM-role-assignment of a user. The applicant's supervisor is determined and receives the work item originating from the authorization request in his inbox, where he can process it. The authorization request is granted or denied by the supervisor. The distribution of the authorization mapping (incl. the creation of a possible derivate of a master-role in the target system) can be initiated directly from the work item processing.

6 Risk-Analysis & Quality-Management
Analysis of Risks and the Segregation of Duties
Segregation of Duties (SoD) is the concept of having more than one person required to complete a task. (Source: Wikipedia)
AM is able to perform an SoD and a risk analysis to ensure that the authorization constellation does not violate the specified function segregation principles. For that purpose AM uses the extensive risk and SoD analysis mechanisms of the Compliance Enforcer. The rules and risks defined in the Compliance Enforcer make sure that a potential risk is identified. In case of a risk, AM generates a workflow message which is forwarded to the responsible decider.
Quality-Management
For the monitoring and management of the quality of authorization objects, AM provides the AM-Quality-Cockpit. The check and revision functions are focused on the following tasks:
- Quality test of the specific roles in the SAP landscape.
- Testing and securing of the authorization consistency between the central AM specification and the decentralized target systems.
- Testing and securing of the user consistency between the central AM specification and the decentralized target systems.

7 Rollouts, Reorganizations, Mergers & Acquisitions
Project rollouts, reorganizations, mergers or takeovers can cause a high workload in authorization management. Given how critical system security and authorization management are to the success of these events, IM offers high-performing tools for reliable and efficient mass processing.
Mass-Generation
The AM-Mass-Generation generates all derivates of master-roles, taking into account the structure and organization elements defined in the AM-Customizing, without manual effort.
- Generation of all roles for a new organization (e.g. accounting area or site).
- Generation of derivates of a new role for all organizations.
- Regeneration of all derivates after a change on a master-role or to revise manual changes on derivates on the target systems.
Mass-Assignment
The AM-mass-assignment generates the authorization assignment for all selected users and systems without manual effort.
- Initial mass-assignment for new systems (based on already existing assignments in the AM or in terms of a data migration from a CSV file).
- Mass-assignment for the users of a new organization to an existing system.
- Regeneration of authorization assignments to revise manual changes on assignments on the target systems.
Mass-Transport
The AM-mass-transport imports authorization objects into the relevant target systems without manual effort.
Mass-Archiving / -Restore
The AM-Mass-Archiving ensures that roles can be deleted and restored.

8 Our Software Products
Our software products are additional modules for SAP or for front-end applications with SAP integration. The focus is set on IT Service Management (ITSM) and the Internal Control System (ICS).
In the ITSM area we cover all customer-oriented processes, from service design, including calculation, acknowledgment and reporting to accounting. Handling all Access and Identity Management needs, the User Login and Network security, our Identity Management software and related products offer users reliable, efficient and highly adapted solutions. Typical users are IT organizational units and Shared Services Centers.
The ICS is supported by our tools in the definition of requirements (risks) and in the compliance check. We also cover the manual and automatic controls on the process level as well as the general IT control. Typical users are external and internal controllers or IKS and process officers.
Patrick Tambourgi, CEO SUIM: «The requirements in the domain of security are complex. To be successful, halfway solutions are not an option.»
Our collaboration
We offer a network of partners, each contributing expertise and experience in the area of product development, client solution advice and customization and implementation. Our networked approach means we can draw on our teams to respond to clients' requests and to work with them through the design and implementation phases. Crucially, we also ensure that each client has a dedicated contact person for their day-to-day needs and for future development.
Mirjam Stalder, Project manager CCE AG: «Coming together is a beginning; keeping together is progress; working together is success» (quote: Henry Ford)
SUIM LTD, Chemin du Marguery, Corseaux, Switzerland, info@suim.ch