If you’re reading this post, you probably have a good idea how difficult good role management can be. As tough as role management can be, sometimes just slight changes can make a big difference in terms of improved efficiency and reduced frustration.
Here are a few tips that will likely make role management responsibilities easier, if you are not already following them:
Use consistent and intuitive naming conventions
How roles are named can either help keep your role inventory organized or make a complete mess of it. Roles that are named inconsistently or with no consideration to a role’s purpose can make it incredibly difficult to track down specific roles – like trying to find a polar bear in a snowstorm.
If you’re like me and would rather leave detective work to, well, detectives, then sticking to a consistent and understandable role naming convention is the way to go. Start by thinking about how you want your roles to sort in reports (e.g. geographies, business functions, SAP modules, etc.) and then build your naming system to support those reports.
Bite the bullet, use authorization objects in all transactions
Sometimes administrators feel that authorization objects are not necessary for custom transactions and programs because they are typically built for specific groups. This may seem an acceptable shortcut (after all, why go through a full role design process for a niche special-interest request?), but it can lead to big problems over time. Here are two of the several reasons why:
- First, if the custom transaction or program becomes useful for one group, there is a good chance other groups will find it useful too. Miscommunication (or, more likely, no communication) over what checks are taking place can then easily lead to more access being granted than intended. For example, suppose a custom program involves data about vendors that shouldn’t be accessed by anyone outside of the target group. The only way to ensure that data is protected when another group ends up using that same (increasingly popular) program is to ensure the authorization objects are in place.
- Second, many implementations of SAP give access to a wide range of transactions. These transactions rely on non-transactional authorization checks to secure data. If those authorization checks are missing, the data is not protected.
The best way to avoid these issues is to ensure that authorization objects are present in every transaction or program, including custom ones, before they are ever incorporated into a role and made accessible to any users. Doing so will help you avoid frustration around these hidden security/compliance gaps and improve the overall efficiency of your role management process.
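The vendor scenario above, sketched as a custom report that checks an authorization object before it reads any data. This is an added example, not code from the original post; the report name, the parameter name and the choice of the standard object F_LFA1_BUK (vendor authorization per company code) are assumptions, and a custom object could take its place.

```abap
REPORT z_vendor_list_demo.

" Added example. Report name, parameter name and the use of
" F_LFA1_BUK are assumptions made for illustration.

PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

TYPES: BEGIN OF ty_vendor,
         lifnr TYPE lfa1-lifnr,
         name1 TYPE lfa1-name1,
       END OF ty_vendor.

DATA: lt_vendors TYPE STANDARD TABLE OF ty_vendor,
      ls_vendor  TYPE ty_vendor.

START-OF-SELECTION.

  " Being allowed to start the transaction is not enough: check that the
  " user may display (ACTVT 03) vendors of the requested company code.
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.

  IF sy-subrc <> 0.
    " Stop before any vendor data is read.
    MESSAGE 'No display authorization for vendors in this company code'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " Only vendors of the company code that was just checked are selected.
  SELECT a~lifnr a~name1
    FROM lfa1 AS a
    INNER JOIN lfb1 AS b ON b~lifnr = a~lifnr
    INTO TABLE lt_vendors
    WHERE b~bukrs = p_bukrs.

  IF sy-subrc <> 0.
    MESSAGE 'No vendors found for this company code' TYPE 'S'.
    RETURN.
  ENDIF.

  LOOP AT lt_vendors INTO ls_vendor.
    WRITE: / ls_vendor-lifnr, ls_vendor-name1.
  ENDLOOP.
```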
Use the folder mechanism
Roles aren’t just about protecting access to a system; they are also about enabling users to do their job. The ability for a user to easily see the functionality they have is a nice benefit of good role design.
There are few things more frustrating to a user than having to scroll through a long list of transaction codes looking for the one they need. Using the root folders mechanism in your role design makes it easier for users to find the transaction codes they have been assigned. It’s also important to stick to a consistent folder naming convention, so the folders will sort logically on a user menu. If a role has a large number of transactions in it, use sub-folders to simplify the process further. It’s surprising how much more productive everyone can be (and how many emails and phone calls are eliminated) when users don’t need to ask for help because the folder mechanism is well configured.
If you’ve already mastered these tips, then you are above average and we would like to hear from you. What tips and tricks have you found useful in making role management efficient?
Don’t forget to visit our Role Management product page to see for yourself some of the reasons why Security Weaver was the only SOD controls monitoring vendor Gartner named, "a preferred choice for any SAP-centric organization looking for a reasonable total cost of ownership solution with advanced role life cycle management".