Tag Archive | Optimize
October 13, 2014  

SAP – SU24 is the blueprint for your security setup

A key element in maintaining SAP roles correctly is knowing how your transactions and authorization objects are linked. In technincal terms SU24. It is an aspect that many underestimate, mainly because it is hard to get a grip on. With this post I want to clarify why it is important to use and which aspects needs to be taken into consideration – in coming posts I will take a deep dive into each of the aspect.

1) Why is an updated SU24 base important?

The only place that transaction codes are linked to authorization objects and suggested values are in SU24. You can use this information for a number of things, but especially during maintenance of roles is an updated SU24 database important, cause how will you otherwise know which objects and values to add into your roles? If you don’t update SU24, you might as well not use PFCG and just create profiles.

The following areas emphasizes why this is an important area

2) Understand and use the authorization object status in connection with PFCG

Status on the authorization objects inside each role has a clear meaning. If you don’t understand the message each status represents you will run into problems with maintenance. Especially you need to have an eye on objects with status changed or manually – but more on this in a coming post :)

3) Build a process for reviewing roles after each SU24 update

Once you have a hold on SU24 and the authorization object status you need to have a process for reviewing all roles containing the transaction that has been updated in SU24. This includes updates you do in the daily maintenance and house cleaning, but also when you update the system. Only by reviewing and updating all affected roles will you have full control over you concept. In another coming post, I will dive into details on how to use the role maintenance options on the authorization folder in PFCG.

4) Information is king

Once SU24 is fully updated, utilize the information any way you can. I often use the information to identify currently used authorization objects, obsolete own developed objects, optimization of test and many other things. In any case the foundation is an updated SU24 data base.

March 3, 2014  

SAP: How to manage user licenses

SAP user licenses are often the most expensive in the IT operation budget, hence using the licenses correctly can mean large savings. The problem is that managing the license structure is complex, so the right expertise is needed.
Therefore I always encouraged my clients, to invest in outside help for the initial setup of the license structure. Once the initial setup is completed, maintaining it is a manageable task.

But how is the user licenses counted in SAP?
Of course it depends on the SAP contact, which can be built on several different license models. Typically I either run into unit contract, where any SAP user has the same price. It is simply a matter of counting the number of SAP users. The other typical license model is a solution where the users’ accesses determine the cost. So if a user only recording time in SAP, has a lower license cost than a hard-core finance SAP user.

So how can I optimize our license usage?
It’s quite easy – if a user has a large number of accesses, an expensive license is needed. So to save on the license cost, optimization on the authorization concept is needed. Often I run into clients where 30% or more of the users’ accesses have not been used for a full year. Unfortunately, that does not mean that it’s possible to cut 30% of license costs. But typically a review of assigned accesses result in around 5 to 10% user license saving.

Below is my quick guide you can use to asses you SAP licenses

  1. Get your hands on the SAP license contact
  2. Read and understand the license model
  3. If you have a unit license model, count the number of SAP users, if your SAP population is below the number of licenses, concentrate on other areas than licenses – no savings are possible
  4. If you are billed on user types, take 50 random users and evaluate if they have accesses assigned that they are not using
  5. If you can save on at least 1 of the 50 users, your business case for the remaining SAP population has already written it self
  6. If you don’t have any SAP license experts – get outside assistance to complete the initial setup
  7. Update SOP for SAP license management
  8. Continuously review and update access (and license) allocation