The concept of authorization in SAP is not widely discussed. This is a specific “éminence grise” which – although often neglected – is one of key indicators of business data security. How to approach the issue of authorization in a professional manner, especially in the light of the changes introduced with the GDPR?

Authorization is a cross-sectional subject: it has its place wherever potentially sensitive data appear, i.e.,… practically in each module of the SAP systems. The concept of authorization implies the meeting of requirements related to a limited access to data or business operations. It allows permissions to be managed so that different groups of employees can have access to different levels of resources relevant for their tasks and needs.

Example: a Personnel Department employee works with employee personal data related to remuneration. Access to this information must be restricted and granted only to that employee, excluding employees of other teams. Thanks to the permissions obtained, the employee has full access to the data necessary for the performance of the business processes he/she participates in.

Technically: how does authorization work?

Thanks to a well-organized authorization processes, the organization is flexible: we can freely set up access rights to configure the relevant permissions for the tasks and competences of individual employee groups and manage them in line with the changing requirements of the business.
Every SAP module has its own specification arising from the fact that we work on different objects. Therefore, the scope of authorization and its elements are different – although, importantly, the procedure to create permissions remains unchanged.

Hint: The CRM module is the most comprehensive in terms of authorization

Authorization well carried out: how to choose the service provider?

Apart from the standard process of selection of the supplier who will ensure the proper management of the authorization processes, we should look at the team which will work on the project. The experience of consultants implementing authorization is particularly important in operations on many SAP modules at the same time.
Thanks to such competencies, the consultant has the necessary knowledge regarding work with different objects as well as groups of people and areas with which he/she is going to work; he/she also knows the authorization objects controlling the data and process.
From the perspective of the customer’s expectations, it is crucial that the authorization team should know his objectives and business requirements and be able to link them effectively with the possibilities (and limitations) of the existing SAP system, and also – that he should be able to perform operations on his own business objects.

Benefits of the proper management of authorizations

The authorization itself is an element of a greater whole: security governance policy. This is a set of actions and tools designed to ensure a certain level of security for business data and knowhow in the company: both inside and outside.

Correct management of authorization processes is an essential element of security policy, and its efficient handling brings specific benefits for the organization:

  • The possibility of limiting errors in data management.
  • Management of permissions requires being aware of process organization, as it is necessary to map them accurately and combine with authorization.
  • Confidence that business objectives of the company within specific are implemented by appropriate processes. Authorizations provide a filter to verify whether an organizational change is required.
  • The possibility to control business knowledge and its reasonable management.

Risks, or what happens without authorization?

Let us reverse the situation: what may happen if the company fails to ensure proper authorization management?

  • Companies cannot streamline the organization’s functioning without full knowledge about the owners of specific processes and their course.
  • The organization may gradually lose control of different processes in different departments.
  • No control of data which is critical for the company (customer data, financial data, personnel data).
  • The company is in real danger that system resources could be accessed by tens or even hundreds of unauthorized persons.
  • The entity may not meet the requirements of the legislation (e.g., as regards personal data protection).

What can Hicron do for your company?

With our team of specialists with great experience in the field of authorization, we provide not only the services of implementation and configuration of authorization in the SAP environment.
We also deal with the optimization of existing authorizations by comparing the specific organizational unit, its development and tasks with the reflection of the current situation found in the SAP system.
If you want to manage authorization in SAP effectively, contact us and schedule a meeting with our consultant: [email protected]