As companies globalize and consolidate their SAP systems, they face an increasing need to control access to sensitive data based on fine-grained user profiles. Traditionally, companies have managed this access by defining fine-grained roles, leading to an explosion of roles that are inconsistent and hard to manage.
In this webinar series, attendees will learn:
- The key trends driving role explosion
- The challenges of role explosion
- Example use cases that drive role explosion
- How attribute-based access control (ABAC) can alleviate the problem
Attendees will also see demonstrations of use cases illustrating how role explosion happens, and how ABAC can help reduce role explosion.
Whether you are trying to protect data within different teams inside your company or to protect information being shared outside your company, more information shared translates to more information controls. You have multiple functional teams in your company. Every department produces different kinds of data and shares it across departments, and sometimes outside the company. Take the example above: Finance creates a cost analysis for a project and shares it with the Purchasing department along with the approval for the project. This information is proprietary and cannot be shared outside the project, the department, or even the company. How do you control the usage of this information once an authorized user has accessed it? Similarly, engineering design documents and BOM structures are generally shared across multiple departments. Let's narrow the example to access controls on engineering design documents. Engineering, Manufacturing, Suppliers and Partners all need access to the appropriate transactions in your SAP landscape. But is transaction-level access for every department enough? Would granting all users in the different functional roles access to the engineering design documents suffice, given the complexity of your growing business?
Now let's take this example closer to the complexity of your organization and see how much more complex the role design gets. Imagine your company needs to control access not just by functional role but also by project membership, citizenship, location, export licenses, NDAs and usage of data. Imagine engineers, partners and suppliers spread across 10 different projects. Data access is restricted based on 2 possible values of citizenship. These users are spread across 5 countries, and some information, such as BOM structures, is restricted for users in a specific country. Access for non-US citizens can be extended through export licenses, and your company maintains 5 such licenses. In addition, the usage of the data must be restricted based on details like project, location and functional role. With all these access control restrictions in place, you end up creating 10,000 role combinations for users in these departments, irrespective of their functional roles. And because these authorizations are not part of the standard SAP authorization model, you have to design custom authorization models to cater to these needs.
We can achieve the same organizational controls using attributes such as Company and Department attached to the user and matching them to the organizational attributes of the resource being accessed. With dynamic matching of attributes, we can achieve the same result with just 50 functional roles and 1 policy. The policy matches the appropriate resource and user attributes to grant users access to a specific resource. Even if the requirements are extended to a finer-grained level, such as user location and export-controlled data, that is just another attribute to be matched in the policy, not another set of roles for each type of citizen. Compared with the best scenario discussed so far with roles, this reduces the number of roles created and managed by at least 97%. That is a large reduction in cost and management time, with 97% fewer roles to manage and maintain.
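The two paragraphs above describe the policy in words. The following is an added example, not code from the page or from SAP, of what that one policy looks like when written directly against user and document attributes, beside the role enumeration it replaces. The attribute names (department, projects, citizenship, country, export_licenses, blocked_countries, release_licenses), the license identifier EL-3, and the sample users and documents are all constructed for illustration; `static_role_names` enumerates only the four attributes whose value counts the text gives (10 projects, 2 citizenships, 5 countries, 5 licenses), and every further dimension such as NDA or usage multiplies that list again.

```python
"""Added example, not code from the page or from SAP: a single ABAC policy for
the engineering design document scenario, beside the role enumeration it
replaces. Attribute names, users and documents below are constructed."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class User:
    uid: str
    department: str                             # functional role, e.g. "Engineering"
    projects: frozenset                         # project membership
    citizenship: str                            # "US" or "non-US"
    country: str                                # country the user works from
    export_licenses: frozenset = frozenset()    # export licenses granted to the user


@dataclass(frozen=True)
class Document:
    doc_id: str
    kind: str                                   # "design_doc" or "bom"
    project: str
    owner_department: str                       # only this department may modify
    export_controlled: bool = False
    blocked_countries: frozenset = frozenset()  # countries where the data may not be viewed
    release_licenses: frozenset = frozenset()   # licenses that release it to non-US users


# Departments that hold transactional access to design data at all (assumed set).
DESIGN_DEPARTMENTS = frozenset({"Engineering", "Manufacturing", "Supplier", "Partner"})


def evaluate(user: User, doc: Document, action: str = "read") -> tuple:
    """The one policy. Returns (allowed, reason).

    Each condition compares a user attribute with a document attribute; the
    first failing condition decides, so the reason is useful in an audit log.
    Default is deny: a user is allowed only by passing every check.
    """
    if user.department not in DESIGN_DEPARTMENTS:
        return False, "department has no access to design data"
    if doc.project not in user.projects:
        return False, "user is not a member of the document's project"
    if user.country in doc.blocked_countries:
        return False, f"document is restricted in {user.country}"
    if doc.export_controlled and user.citizenship != "US":
        # Export-controlled data reaches non-US users only under a matching license.
        if not (user.export_licenses & doc.release_licenses):
            return False, "export-controlled data and no matching export license"
    if action == "modify" and user.department != doc.owner_department:
        # Usage restriction: other departments may read, only the owner edits.
        return False, "only the owning department may modify"
    return True, "all attribute checks passed"


def static_role_names(projects, citizenships, countries, licenses):
    """The role-based alternative: one role per combination of attribute values.

    Adding any further dimension (NDA, usage) multiplies this list again.
    """
    return [f"DESIGN_{p}_{c}_{k}_{l}"
            for p, c, k, l in product(projects, citizenships, countries, licenses)]


# Constructed sample records.
ALICE = User("alice", "Engineering", frozenset({"P01", "P02"}), "US", "US")
BOB = User("bob", "Supplier", frozenset({"P01"}), "non-US", "DE", frozenset({"EL-3"}))
CHEN = User("chen", "Partner", frozenset({"P01"}), "non-US", "CN")
DANA = User("dana", "Finance", frozenset({"P01"}), "US", "US")

DESIGN_P01 = Document("DOC-100", "design_doc", "P01", "Engineering",
                      export_controlled=True, release_licenses=frozenset({"EL-3"}))
BOM_P01 = Document("BOM-100", "bom", "P01", "Engineering",
                   blocked_countries=frozenset({"CN"}))
DESIGN_P03 = Document("DOC-300", "design_doc", "P03", "Engineering")


def decisions():
    """Every sample decision as {(uid, doc_id, action): allowed}."""
    cases = [
        (ALICE, DESIGN_P01, "read"),     # US engineer on the project: allowed
        (BOB, DESIGN_P01, "read"),       # non-US supplier, but holds EL-3: allowed
        (CHEN, DESIGN_P01, "read"),      # non-US partner without a license: denied
        (CHEN, BOM_P01, "read"),         # BOM is blocked in CN: denied
        (BOB, BOM_P01, "read"),          # not export controlled, DE not blocked: allowed
        (BOB, DESIGN_P01, "modify"),     # supplier may read but not modify: denied
        (ALICE, DESIGN_P03, "read"),     # not a member of P03: denied
        (DANA, DESIGN_P01, "read"),      # Finance has no design access: denied
    ]
    return {(u.uid, d.doc_id, a): evaluate(u, d, a)[0] for u, d, a in cases}


if __name__ == "__main__":
    for key, allowed in decisions().items():
        print(key, "ALLOW" if allowed else "DENY")
    roles = static_role_names([f"P{i:02d}" for i in range(1, 11)],
                              ["US", "non-US"], ["US", "DE", "CN", "IN", "FR"],
                              [f"EL-{i}" for i in range(1, 6)])
    print(len(roles), "static roles vs 1 policy")
```

Note how a change in a user's attributes (a new project, a newly granted license, a move to another country) changes the decision on the next evaluation without any role reassignment, and how the export license check is an extension of the citizenship check rather than a second family of roles for non-US users. In a real SAP landscape the attribute lookups would come from the user master and the document's classification data; the evaluation order above is a design choice that puts the cheapest and most commonly failing checks first.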
When we expand this to an actual landscape with a number of different systems, you are creating multiple roles per user for the different systems and applications. What is important to note is that the users given access to these different systems are the same users, with a set of attributes like department, role, etc., already attached to them. These attributes define the kind of access they are allowed, irrespective of the role. Even so, users are attached to static roles, and every time these attributes change, they are assigned to new roles that reflect the attributes. Wouldn't it be easier to write permissions directly in terms of the user attributes?
- What is the current state of SAP users compared to roles?
- What is the average number of roles assigned per user?
- What is the average number of transaction codes assigned per user?
- Of the transaction codes assigned, what percentage is actually used?