In SAP, user provisioning is normally reserved for system administrators, those few, special people with access to transaction SU01. From this one transaction, the User Maintenance screen, an administrator has the ability to create, edit and delete user access. Normally, these special users live in IT, but that’s not a requirement. Users with access to transaction SU01 can be from any department across the SAP system. This siloing of user provisioning creates a disconnect between business process owners and the access they, and their employees, need. This can make access changes a long process, resulting in inefficiencies across the platform, as well as increasing the likelihood of fraudulent activity and preventable mistakes.
Whether you’re a public company needing to comply with regulations like Sarbanes-Oxley or a private entity maintaining security, user provisioning can be an area of great risk. From a security standpoint, any edits to user access should be reviewed for potential segregation of duties (SOD) conflicts, but is it the responsibility of the IT staff to know whether or not an AP clerk should have access to both vendor creation and purchase order approval? Possibly, but it’s certainly not ideal. Wouldn’t it be better if a manager in the accounting department had that provisioning capability? It would be even better if that provisioning capability came with a segregation of duties rule set and a conflict library that a user can use to review access risk. Still, that could be a lot of manual checking just to set up a user.
How can organizations secure and speed up the user maintenance process? Many issues can be solved just by implementing or improving the access request process.
When setting up an access process, keep these in mind:
- Does each department need a different form? Include IT and department heads to ensure the forms have all the information necessary.
- Who’s on the approval list for each department?
- Who should be responsible for signing off on access and therefore in charge of maintaining segregation of duties?
- How will you maintain records of signatures?
Understanding the complexities of this process, Fastpath created Identity Manager (IDM) for SAP. IDM takes control of SU01 and, after setup, can streamline the process by putting business process owners back in control. With IDM, business process owners and managers can request access and build a user for approval. The requestor simply inputs the user’s information or, if editing a current user, opens their file. From there the requestor adds access from a prepopulated list of existing roles. Once the user is built or changed, Fastpath’s Assure tool analyzes the access requested and reports any SOD conflicts before the request is even submitted for approval. Should a conflict exist, the requestor can edit it or note options for addressing the conflicts. After the requestor submits the changes, IDM uses an approval workflow to ensure proper approval and SOD compliance. With final approval, the setup or changes are automatically completed in SAP. By enabling business process owners to take control of this process, the process can move faster, with fewer bottlenecks, and risks can be addressed earlier in the process.
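As an added illustration (not Fastpath’s or SAP’s code) of the pre-submission SOD check described above, the following Python evaluates a requested set of roles against a constructed role-to-capability map and conflict rule set, covering the AP clerk vendor-creation/PO-approval case from earlier in the post; all role names, capabilities and rules are assumptions.

```python
# Added example (not Fastpath's or SAP's code): a minimal segregation-of-duties
# (SOD) pre-check of the kind described above, run on an access request before
# it is submitted for approval. Role names, capabilities and rules are constructed.

# Constructed conflict library: each SAP role grants one or more business capabilities.
ROLE_CAPABILITIES = {
    "Z_AP_CLERK": {"invoice_entry", "payment_run"},
    "Z_VENDOR_MAINT": {"vendor_create"},
    "Z_PO_APPROVER": {"po_approve"},
    "Z_REPORT_VIEWER": {"report_view"},
}

# Constructed SOD rule set: capability pairs one person must not hold together.
SOD_RULES = [
    ("vendor_create", "po_approve", "could create a vendor and approve POs to it"),
    ("vendor_create", "payment_run", "could create a vendor and pay it"),
    ("invoice_entry", "payment_run", "could enter and pay fraudulent invoices"),
]


def capabilities_for(roles):
    """Map roles to the capabilities they grant and the roles granting each.
    Roles missing from the library grant nothing here; a real review should
    flag them separately rather than silently treating them as harmless."""
    caps = {}
    for role in roles:
        for cap in ROLE_CAPABILITIES.get(role, ()):
            caps.setdefault(cap, set()).add(role)
    return caps


def find_conflicts(roles):
    """Return every SOD rule violated by this set of roles, as
    (cap_a, cap_b, reason, roles_involved) tuples."""
    caps = capabilities_for(roles)
    hits = []
    for cap_a, cap_b, reason in SOD_RULES:
        if cap_a in caps and cap_b in caps:
            involved = tuple(sorted(caps[cap_a] | caps[cap_b]))
            hits.append((cap_a, cap_b, reason, involved))
    return hits


def check_request(current_roles, requested_roles):
    """Evaluate the access the user would hold after the request, not just the
    requested roles in isolation, and separate conflicts the request introduces
    from ones the user already has (both matter to the approver)."""
    before = find_conflicts(set(current_roles))
    after = find_conflicts(set(current_roles) | set(requested_roles))
    return {"new": [c for c in after if c not in before], "preexisting": before}
```

Checking the combined access rather than only the requested roles matters: a single innocuous-looking role can create a conflict with access the user already holds.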
With Identity Manager the approval process is automated and easily trackable. Based on the department and the access being requested, IDM sends approval requests to all the necessary people for signature. These approval notices can automatically be sent as emails that include the full request along with the risk analysis, so approvers are notified immediately of the request. When an approver signs off in Identity Manager, approving or rejecting the request, the resulting access change takes effect immediately. Going one step further, the signature is recorded and kept for auditors, assisting with regulatory compliance such as Sarbanes-Oxley (SOX).
Moving user provisioning closer to business users provides a number of benefits, and using Fastpath’s Identity Manager for provisioning can ultimately make the process faster and more secure.