When converting to S/4HANA and the new SAP licensing model, strategic optimization of user authorizations is essential. What do companies need to consider when optimizing their authorization management?
Björn Rolka, Associate Partner & Manager of the Center of Excellence "Governance, Risk and Compliance" (GRC) at Convista, sent me an article some time ago describing what companies need to pay attention to when optimizing their authorization management when converting to S/4HANA and SAP's new licensing model and how they can design it in such a way that they reduce their license costs and improve their compliance at the same time. I'll post the information here in the blog – perhaps it will be helpful for some readers.
ERP-Suite S/4HANA from SAP
S/4HANA provides companies with a modern ERP suite with a focus on real-time data analysis and processing, enabling them to gain insights from their data for business decisions and automate processes using artificial intelligence and machine learning.
As support and maintenance for SAP Enterprise Resource Planning (ERP) is coming to an end, SAP customers will have to migrate to S/4HANA by 2027, or by 2030 at the latest. SAP is already reducing the credits for legacy licenses by ten percent each year, which will make the switch to S/4HANA inexorably more expensive if the migration is delayed.
SAP license costs based on user
Because SAP license costs will no longer be calculated on the basis of actual usage behaviour but on the basis of the authorizations granted, too many unnecessary authorizations can quickly lead to a more expensive license category and result in a cost explosion. In addition, too many or incorrect authorizations create compliance risks, as they increase the risk of security incidents and breaches of regulatory requirements.
Companies planning to switch to S/4HANA should therefore first clean up existing structures and restructure authorization management before making the switch. By systematically optimizing authorizations, companies can turn the aforementioned challenges into opportunities.
Reduce business risks and license costs
Proper authorization management with correct, granular assignment of roles and permissions is essential to ensure that users can only access the data and functions they need to perform their tasks efficiently. This ensures that employees are neither restricted in their work processes nor acting outside of their competencies, and that the security and integrity of company data and systems are maintained.
Damage caused by inadvertent actions, such as the lifting of a delivery block or the incorrect use of a mass change function, can thus be prevented. It also ensures that, for example, balance sheets are not embellished, stakeholders or tax authorities are not harmed and the company is not threatened with economic and criminal consequences. Last but not least, accounts with excessive authorizations also pose a risk if accounts are compromised by cyber attacks, allowing attackers to exfiltrate sensitive company data unnoticed or infect entire systems with ransomware in order to extort a ransom.
The argument that employees should have more authorizations than absolutely necessary so that they can be deployed as widely as possible can therefore prove costly, both for compliance and security reasons and where these authorizations were assigned on the basis of an old SAP license cost model. As licensing has been neglected in the technical assignment of authorizations in most companies, many now need to review and adapt their authorization structures to keep costs under control. Below are three steps that companies can take to optimize their authorization management.
Roadmap for authorization optimization
Step 1: Inventory of authorizations
First, companies should analyze the status quo and check which permissions are currently assigned and identify inactive users or roles that are not being used. To do this, they can use analysis tools to gain detailed insights into their authorizations. Tip: Historical authorizations that have not been cleaned up over the years should also be taken into account.
Step 2: Optimizing permissions
In the second step, companies should define and create granular, specific roles with clear authorizations for each user group. Assigning overly extensive authorizations that a user group does not even require should be avoided, as this can lead to a more expensive license category. During role clean-up, unnecessary authorizations are removed from the roles, which are reduced to the necessary minimum. This approach follows the need-to-know principle, a security concept in data protection in which access to sensitive data should only be granted to those people who absolutely need this information for their work. Fine-tuning authorizations at user level avoids over-licensing and ensures the optimal use of licenses.
Step 3: Implementation of a continuous optimization process
The use of monitoring tools makes it possible to continuously monitor user authorizations and react quickly to changes. In addition, a regular review should be carried out to ensure that the authorizations meet the current requirements of the company and SAP licensing. Automated assignment and checking of authorizations can minimize the administrative effort. A clearly defined escalation process for over-authorizations also saves time and ensures that no new cost pitfalls arise.
What is the bottom line?
The changeover to SAP S/4HANA offers companies an opportunity to revise their SAP authorization structures and bring them up to date. Identifying and removing unnecessary authorizations can significantly reduce SAP license costs. Consistent adherence to best practices in authorization management also minimizes security risks, improves transparency and supports adherence to compliance requirements.
Question to the readers: Is anyone affected by this change? If so, how did you approach the above question or problem? Is authorization management standard in this area?