Nowadays big data, Industry 4.0 and the Internet of Things are setting the agenda. Organizations use available data to support corporate activities and structure new business models. Most companies have ERP systems such as SAP; so, wouldn’t it make sense to use data from these systems to create role concepts? And if so – when and how?
Today’s corporations focus less on implementation of ERP systems and more on their continuous optimization. One major imperative has been – and still is – to design authorizations that support a company’s business processes and reflect them accurately. Regardless of the underlying architecture, the SAP role concept controls which employees are granted access to specific system functions, and is modelled on role-based access control (RBAC). Despite recent developments – particularly in attribute-based access control (ABAC) – the role concept remains the approach organizations take – even the accepted standard – to deploy access control in their ERP solutions.
The Basic Principle
The idea behind the role-based approach (RBAC) is to group functions within roles so that they can be assigned in line with a user’s job-related tasks – making authorization management easy and efficient. In addition to complying with regulations and directives regarding security, data protection and segregation of duties, the design and maintenance of authorizations must always adhere to two fundamental principles. First, chief focus must be on business-related criteria. This means that functions and transactions allocated to roles must align with the employee’s professional responsibilities (business-related rule). Second, roles must be assigned according to the least privilege rule – which means users are granted only the authorizations needed to perform their daily tasks. Too few authorizations interfere with users’ work; too many pose a security risk.
Role design in the past: A Greenfield Approach
When implementing an ERP solution in an organization, physical and network access control is normally deployed using a “greenfield approach”. No constraints are imposed. Emphasis is primarily on two processes: one for structuring and one for management. The first process implements requirements that stem from organizational regulations or legal directives. It defines the scope relevant for administrative processes, which in turn comprise the management of authorizations and users in day-to-day business (Figure 1). Structuring activities are normally done as part of a project. One core issue that impacts who is assigned to the project team and how roles are structured is whether roles are to be top-down (directive/regulation- and management-driven), bottom-up (function-driven), or whether a hybrid approach is taken.
The Necessity of Revision
The idea behind the RBAC approach is to allocate access authorizations in line with a user’s responsibilities within the enterprise at any given time, meaning that access centers on the user’s job: an employee can only perform the actions specified in their task profile.
But authorization concepts change as quickly as the enterprise and IT in general do. If changes are overlooked or disregarded, the gap between actual requirements and configured authorizations inevitably grows wider over time, resulting in incongruities and unmonitored access. Too many activities in the SAP system go unregulated. Does this mean the role concept needs redesigning? A rule-based and key-metric-oriented examination, such as RBE Plus Compliance analysis, can determine this – in real time and in a cost-effective manner (cf. Figure 2).
Experience shows that the most common reasons for redesign include:
• A substantial discrepancy between target concept and real-world conditions,
• A role concept that incorporates obsolete technology,
• A model that has grown over many years and become too complex to be managed effectively,
• An explosion of static roles that inhibits their effective management,
• A need to harmonize systems with disparate role concepts because of buyouts or mergers,
• Consolidation of systems and respective authorizations,
• A desire to implement a sustainable role concept.
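The rule-based, key-metric examination mentioned above, and the first reason in the list (a substantial discrepancy between target concept and real-world conditions), can be made concrete with a small drift check. The following is an added example, not code from the article and not the RBE Plus analysis it refers to: all data (the target concept, the role assignments, the usage log), the Z_* role names, the user names and the thresholds are constructed assumptions; the transaction codes are standard SAP codes used only as sample values.

```python
"""Rule- and metric-based drift check for a role concept.

Added illustration, not code from the original article and not the RBE Plus
analysis it mentions. Everything below is constructed: the target concept
(which transactions each single role grants), the role assignments, and a
usage log of (user, transaction) pairs. Role names, users and thresholds are
assumptions; the transaction codes are standard SAP codes used as examples.
"""
from collections import defaultdict

# Constructed target concept: transactions granted by each single role.
ROLE_TRANSACTIONS = {
    "Z_FI_AP_CLERK":  {"FB60", "FB65", "FBL1N", "MIRO"},
    "Z_FI_AP_PAY":    {"F110", "FBL1N", "FCHN"},
    "Z_MM_PURCHASER": {"ME21N", "ME22N", "ME23N", "ME2L", "MIRO"},
}

# Constructed role assignments.
USER_ROLES = {
    "anna":   {"Z_FI_AP_CLERK"},
    "ben":    {"Z_FI_AP_CLERK", "Z_FI_AP_PAY"},
    "chloe":  {"Z_MM_PURCHASER"},
    "dmitri": {"Z_FI_AP_CLERK", "Z_FI_AP_PAY", "Z_MM_PURCHASER"},
}

# Constructed usage log for the analysis period: (user, transaction executed).
USAGE_LOG = [
    ("anna", "FB60"), ("anna", "FBL1N"), ("anna", "FB60"),
    ("ben", "F110"), ("ben", "FBL1N"), ("ben", "FCHN"),
    ("chloe", "ME21N"), ("chloe", "ME23N"), ("chloe", "SE16"),
    ("dmitri", "ME23N"), ("dmitri", "FBL1N"),
]


def assigned_transactions(user, user_roles=USER_ROLES, roles=ROLE_TRANSACTIONS):
    """Everything the user's roles grant, according to the target concept."""
    granted = set()
    for role in user_roles.get(user, ()):
        granted |= roles[role]
    return granted


def used_transactions(log=USAGE_LOG):
    """Per user, the distinct transactions actually executed."""
    used = defaultdict(set)
    for user, tcode in log:
        used[user].add(tcode)
    return used


def user_metrics(log=USAGE_LOG):
    """Per user: number of granted transactions, number never executed, and the
    transactions executed although no assigned role grants them (which points
    to access granted outside the documented concept)."""
    used = used_transactions(log)
    metrics = {}
    for user in USER_ROLES:
        assigned = assigned_transactions(user)
        executed = used.get(user, set())
        metrics[user] = {
            "assigned": len(assigned),
            "unused": len(assigned - executed),
            "out_of_concept": sorted(executed - assigned),
        }
    return metrics


def role_coverage(log=USAGE_LOG):
    """Per role: share of its transactions executed by at least one holder."""
    used = used_transactions(log)
    coverage = {}
    for role, tcodes in ROLE_TRANSACTIONS.items():
        touched = set()
        for user, roles in USER_ROLES.items():
            if role in roles:
                touched |= used.get(user, set()) & tcodes
        coverage[role] = len(touched) / len(tcodes)
    return coverage


def redesign_indicated(log=USAGE_LOG, max_unused_share=0.5, max_out_of_concept_users=0):
    """Apply two constructed rules; each violated rule yields one finding."""
    metrics = user_metrics(log)
    assigned_total = sum(m["assigned"] for m in metrics.values())
    unused_total = sum(m["unused"] for m in metrics.values())
    unused_share = unused_total / assigned_total if assigned_total else 0.0
    drifted = [u for u, m in metrics.items() if m["out_of_concept"]]
    findings = []
    if unused_share > max_unused_share:
        findings.append(f"{unused_share:.0%} of granted transactions were never used")
    if len(drifted) > max_out_of_concept_users:
        findings.append("access outside the role concept for: " + ", ".join(drifted))
    return findings


if __name__ == "__main__":
    for user, m in user_metrics().items():
        print(user, m)
    print(role_coverage())
    print(redesign_indicated() or "no redesign trigger")
```

With the constructed data, 16 of 25 granted transactions are never used (dmitri alone holds 10 and uses 2) and chloe executes a transaction none of her roles grants, so both rules fire. The thresholds are the part an organization would tune against its own key metrics; the point is that the decision rests on observed usage rather than on the documented concept alone.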
Role Design Today: Data-Driven
When deviations from a defined target concept become too great, redesign is essential. The process should exploit the benefits a live ERP solution offers. It contains all information required for optimal redesign. No longer is it necessary, advantageous – or even advisable – to create a “greenfield” role concept.
Designing roles based on a live ERP system requires an uncoupling from existing role concepts and implemented roles. Instead, focus is on analysis of relevant data objects: users, activities and authorizations (identity and access intelligence – IAI). A solid study – spanning several months – mines the data that will lay the foundation for the new authorization concept. The analysis findings guide the redesign or re-alignment process (cf. Figure 2).
Regarding the principles mentioned, data-driven design determines which authorizations are needed by looking at employees’ real system usage. In other words, users’ actual function-related demands define the roles (least privilege rule).
What is more, the authorizations must be designed so that the roles created do not merely reflect current demands. They must be flexible enough to be adaptable to future requirements. Again, the employee’s system usage is key. Grouping together similar activity profiles makes it easy to create “authorization packages” within an enterprise. So, for example, employees in one department who share a common task profile will have essentially the same activity profile in the ERP system. In turn, the specific tasks will determine which authorizations this particular group receives.
This integrates the two critical aspects in role design – the least privilege and business-related rules. While collective roles focus on areas of responsibility within the organization, a foundation of module- and/or department-specific single roles allows for more flexibility, re-use and derived functionality.
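Grouping similar activity profiles into department-specific single roles, as the two paragraphs above describe, can be shown with a small role-mining routine. This is an added example, not code from the article: the users, departments, observed transaction sets and the resulting Z_* role names are constructed, and the grouping rule (greedy clustering on Jaccard similarity within a department, with the role content taken as the intersection of its members' usage) is one simple choice among several.

```python
"""Data-driven role mining from activity profiles.

Added illustration, not code from the original article. All input is
constructed: each user has a department and the set of transaction codes
observed for them in the analysis period. Department tags, user names and
the Z_* role names are assumptions. The grouping rule (greedy, Jaccard
similarity against the cluster's combined usage) is one simple choice.
"""

USERS = {
    # user: (department, transactions actually used in the analysis period)
    "anna":  ("AP",  {"FB60", "FB65", "FBL1N"}),
    "ben":   ("AP",  {"FB60", "FBL1N", "MIRO"}),
    "carla": ("AP",  {"FB60", "FB65", "FBL1N", "MIRO"}),
    "dave":  ("PUR", {"ME21N", "ME23N", "ME2L"}),
    "erin":  ("PUR", {"ME21N", "ME22N", "ME23N"}),
    "frank": ("PUR", {"SE16", "SM37"}),   # atypical usage for the department
}


def jaccard(a, b):
    """Similarity of two activity profiles, 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def mine_roles(users=USERS, threshold=0.5):
    """Group users with similar activity profiles inside the same department.

    Each cluster becomes one candidate single role whose content is the
    intersection of its members' usage, so the role never grants a member a
    transaction that member did not use (least privilege by construction);
    the department restriction keeps the role business-related.
    """
    clusters = []   # each: {"department", "members", "union"}
    for user, (dept, used) in users.items():
        for c in clusters:
            if c["department"] == dept and jaccard(used, c["union"]) >= threshold:
                c["members"].append(user)
                c["union"] |= used
                break
        else:
            clusters.append({"department": dept, "members": [user], "union": set(used)})

    roles, counter = [], {}
    for c in clusters:
        counter[c["department"]] = counter.get(c["department"], 0) + 1
        core = set.intersection(*(users[m][1] for m in c["members"]))
        roles.append({
            "name": f"Z_{c['department']}_{counter[c['department']]:02d}",
            "department": c["department"],
            "members": c["members"],
            "core": core,
        })
    return roles


def residuals(users, roles):
    """Transactions each user used that their candidate role does not cover;
    these need a second single role or an individual decision."""
    out = {}
    for r in roles:
        for m in r["members"]:
            out[m] = users[m][1] - r["core"]
    return out


def least_privilege_holds(users, roles):
    """True if no candidate role grants a member something they never used."""
    return all(r["core"] <= users[m][1] for r in roles for m in r["members"])


if __name__ == "__main__":
    mined = mine_roles()
    for r in mined:
        print(r["name"], r["members"], sorted(r["core"]))
    print("residuals:", residuals(USERS, mined))
    print("least privilege:", least_privilege_holds(USERS, mined))
```

With the constructed data the routine yields one accounts-payable role covering the three AP users, one purchasing role for dave and erin, and a single-member cluster for frank, whose usage does not resemble his department's; that last case is exactly the kind of deviation the analysis is meant to surface for review. Raising the threshold produces more, narrower roles, which is the trade-off between re-use and precision the text describes.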
Flexibility and Sustainability
Thanks to data-driven redesign that incorporates holistic analyses, RBAC rules and SAP ERP logic, heads of IT benefit from promptly implemented authorizations. Plus, the redesigned concept reflects an organization’s reality and simplifies administration through an easy-to-understand method. Redesign deliberately sets existing roles aside, whereas regular re-alignment puts them at the center, making them the reference point from which deviations from the ideal model are examined. In the hybrid approach, data from the identity and access intelligence analysis (IAI) supplies information, just as in a bottom-up approach. When combined with input concerning governance- and compliance-related directives and other regulations (top-down), this enables the role competency center (RCC) to create a sustainable concept from the outset. This also facilitates monitoring, maintenance and re-alignment of roles.
Both processes – redesign and re-alignment – are anchored in real-time, objective data revealing the system’s actual state, which is what reflects the organization’s reality (cf. Figure 2). A data-driven IAI analysis is critical for keeping abreast of changes over time. It employs key metrics and a set of rules to automatically examine at regular intervals whether redesign or re-alignment is needed. The IAI analysis is indispensable for an organization that wants real-time modeling of its corporate reality in its ERP solution – and expects to meet ever mounting demands concerning issues of governance, risk, compliance and the like.