Role Clean-up vs Role Redesign: Which is Right for your Organisation?
In a recent episode of Soterion’s SAP Security & GRC Podcast, the conversation was dedicated to the critical decision-making process surrounding choosing between an SAP role clean-up or role redesign. Managing SAP roles presents significant challenges. Issues like over-assigning access during a role design, or authorisation creep where SAP users cumulate unnecessary access over time, can arise. Eventually, audits reveal the risks associated with these problems, including increased fraud potential and obstacles to compliance activities such as user access reviews. So, how does one decide on whether to embark on an SAP role clean-up or role redesign.
This blog explores the nuances of these approaches, highlighting their respective pros and cons, timing considerations, and scenarios where one may be more suitable than the other.
What is an SAP role clean-up?
An SAP role clean-up is performed when SAP users have wide or in-appropriate access, but this is mainly due to the over-allocation of roles. In other words, the existing role design is one that is sound and / or robust (possibly only minor changes to a handful of roles are required). The primary clean-up activity will be the removal of un-used (over-allocated) roles.
The pros and cons of a role clean up
Pros
- Immediate Solutions: A role clean-up offers a quicker, less disruptive solution compared to a role redesign. It targets the removal of superfluous or unused access from existing roles, streamlining the authorisation landscape.
- Cost-Effectiveness: For organisations with a solid underlying role design, clean-up projects can be more cost-effective. By focusing on eliminating excess privileges, they mitigate risks associated with authorisation creep without overhauling the entire system.
Cons
- Limitations: A role clean-up may not yield desired results if the underlying role design is flawed or outdated. Organisations risk investing time and resources in a clean-up effort that fails to address systemic issues.
- Temporary Fix: While a role clean-up provides immediate relief, it may not address long-term security and governance needs. Without addressing root causes, organisations may find themselves faced with similar challenges in the future.
What is a role redesign in SAP?
An SAP role redesign is where the underlying role design is outdated and providing the users with inappropriate access. Cleaning up such a solution will take more effort than starting the SAP role build from scratch i.e. performing an SAP role redesign. In such cases, the SAP roles are built from the ground up, possibly using a different role methodology and naming convention.
The pros and cons of a role redesign
Pros
- Holistic Overhaul: A role redesign offers the opportunity to overhaul an outdated role design and incorporate newer and more modern methodologies. By redefining role structures and access levels, organisations can future-proof their SAP security practices.
- Enhanced Governance: Redesign projects allow for the introduction of new controlling fields and descriptive role naming conventions. This fosters greater transparency and accountability, enhancing governance practices.
- Improved efficiency: Having well designed roles, with a modern methodology can lead to improved efficiency in the Joiner-Mover-Leaver process as well as the continued role maintenance activities.
Cons
- Upfront Costs and Timelines: An SAP role redesign involves more significant upfront costs and longer project timelines compared to clean-up efforts. Thorough testing and implementation may lead to extended periods of business disruption.
- Complexity: The complexity of role redesign projects can pose challenges, particularly when dealing with legacy systems or intricate authorisation landscapes. Organisations must carefully navigate testing and user acceptance processes to ensure seamless implementation.
When to choose a role clean-up or a role redesign
A role clean-up is ideal for organisations with a sound underlying role design facing issues of authorisation creep. If excess privileges can be efficiently removed without overhauling the entire system, clean-up projects offer a cost-effective solution.
A role redesign is recommended when the existing role design is outdated or fundamentally flawed. Organisations preparing for system migrations, such as SAP S/4HANA, can leverage redesign projects to align security practices with evolving business needs. Redesign projects provide an opportunity to address underlying issues, enhance governance practices, and future-proof SAP security strategies.
Role clean-up, role redesign, and transitioning to S/4HANA
When deciding between a role clean-up or a role redesign to facilitate your transition to S/4HANA, it’s important to consider these factors:
- S/4HANA has many additional layers of authorisation
The increased complexity introduced by the additional layers in S/4HANA and Fiori significantly complicates the SAP authorisations. Moving beyond traditional single roles and composite roles, the inclusion of Fiori apps, catalogs, pages, groups, spaces, and other elements necessitates a comprehensive consideration in role design.
- Transitioning to S/4HANA isn’t going to fix the underlying role design
If the current role design lacks the necessary control capabilities within ECC or any other SAP version, it will not be adequate for the transition to S/4HANA.
- A role clean-up might not be enough to smooth out your transition to S/4HANA.
Numerous organisations opt for a role clean-up rather than investing in a role redesign during the transition to S/4HANA in order to save costs. However, this approach may lead to increased expenses in the long run. The additional support costs incurred could potentially negate initial savings gained from bypassing a role redesign prior to the transition.
In conclusion, whether opting for a role clean-up or a role redesign, organisations should prioritise aligning SAP security practices with evolving business needs and industry best practices. By carefully evaluating the pros and cons of each approach and considering factors such as business objectives, compliance requirements, and system migrations, organisations can build a resilient foundation for effective access risk management and governance in their SAP environments.
Soterion is ready to strengthen your organisation’s GRC
If you’re still unsure of whether you should proceed with a role clean-up or role redesign, or you need assistance with another GRC challenge, be sure to reach out to Soterion’s SAP security consultants.
Our experts are ready to assist you with SAP security and risk management using business-centric solutions that address SAP security, efficiency, compliance, and accountability with SAP user access management, data privacy management, licence management, and other solutions.
Contact us to learn more about how we can help your organisation with SAP and GRC challenges.