Tag Archive | process

SAP – SU24 is the blueprint for your security setup

A key element in maintaining SAP roles correctly is knowing how your transactions and authorization objects are linked. In technical terms, SU24. It is an aspect that many underestimate, mainly because it is hard to get a grip on. With this post I want to clarify why it is important to use and which aspects need to be taken into consideration – in coming posts I will take a deep dive into each of the aspects.

1) Why is an updated SU24 base important?

The only place where transaction codes are linked to authorization objects and suggested values is SU24. You can use this information for a number of things, but an updated SU24 database is especially important during maintenance of roles, because how will you otherwise know which objects and values to add to your roles? If you don’t update SU24, you might as well not use PFCG and just create profiles.

The following points emphasize why this is such an important area.

2) Understand and use the authorization object status in connection with PFCG

The status of each authorization object inside a role has a clear meaning. If you don’t understand the message each status represents, you will run into problems with maintenance. In particular, you need to keep an eye on objects with status Changed or Manually – but more on this in a coming post :)

3) Build a process for reviewing roles after each SU24 update

Once you have a handle on SU24 and the authorization object status, you need a process for reviewing all roles containing a transaction that has been updated in SU24. This includes updates you make in daily maintenance and housekeeping, but also when you update the system. Only by reviewing and updating all affected roles will you have full control over your concept. In another coming post, I will dive into the details of how to use the role maintenance options on the authorization folder in PFCG.
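A small model of that review step, as an added example that is not from this post or from SAP: the SU24 proposals and role contents are constructed sample data (S_TCODE, TCD and ACTVT are standard SAP names; ZTX01, ZTX02, Z_EXAMPLE and the Z_ROLE_* roles are made up), and the check lists, for every role containing a transaction whose SU24 entry changed, the proposed objects or values the role lacks and any object with status Changed or Manually.

```python
from collections import namedtuple
# Constructed SU24 proposals: transaction -> object -> field -> proposed values.
# S_TCODE, TCD and ACTVT are standard SAP names; ZTX*, Z_EXAMPLE, Z_ROLE_* are made up.
SU24 = {
    "ZTX01": {"S_TCODE": {"TCD": {"ZTX01"}}, "Z_EXAMPLE": {"ACTVT": {"03"}}},
    "ZTX02": {"S_TCODE": {"TCD": {"ZTX02"}}, "Z_EXAMPLE": {"ACTVT": {"02", "03"}}},
}
RoleObject = namedtuple("RoleObject", "fields status")  # values in the role; PFCG status
Role = namedtuple("Role", "tcodes objects")             # menu tcodes; object -> RoleObject
# Constructed roles: Z_ROLE_B deviates from SU24 (status Changed) and lacks the
# value 02 that SU24 proposes for ZTX02; Z_ROLE_C lacks Z_EXAMPLE entirely.
ROLES = {
    "Z_ROLE_A": Role({"ZTX01"}, {"S_TCODE": RoleObject({"TCD": {"ZTX01"}}, "Standard"),
                                 "Z_EXAMPLE": RoleObject({"ACTVT": {"03"}}, "Standard")}),
    "Z_ROLE_B": Role({"ZTX01", "ZTX02"}, {"S_TCODE": RoleObject({"TCD": {"ZTX01", "ZTX02"}}, "Standard"),
                                          "Z_EXAMPLE": RoleObject({"ACTVT": {"03"}}, "Changed")}),
    "Z_ROLE_C": Role({"ZTX02"}, {"S_TCODE": RoleObject({"TCD": {"ZTX02"}}, "Standard")}),
}

def proposed_for(role, su24):
    """Union of the SU24 proposals over every transaction in the role."""
    proposed = {}
    for tc in role.tcodes:
        for obj, fields in su24.get(tc, {}).items():
            for fld, vals in fields.items():
                proposed.setdefault(obj, {}).setdefault(fld, set()).update(vals)
    return proposed

def review_role(role, su24):
    """Findings as (object, field, detail): SU24 proposals the role lacks, plus every
    object with status Changed or Manually, whose values did not come from SU24."""
    findings = []
    for obj, fields in sorted(proposed_for(role, su24).items()):
        have = role.objects.get(obj)
        if have is None:
            findings.append((obj, "*", "proposed object missing from role"))
            continue
        for fld, vals in sorted(fields.items()):
            missing = sorted(vals - have.fields.get(fld, set()))
            if missing:
                findings.append((obj, fld, f"missing proposed values {missing}"))
        if have.status in ("Changed", "Manually"):
            findings.append((obj, "*", f"status {have.status}: review manually"))
    return findings

def review_after_su24_update(roles, su24, changed_tcodes):
    """Every role containing an updated transaction, mapped to its findings."""
    hit = set(changed_tcodes)
    return {n: review_role(r, su24) for n, r in sorted(roles.items()) if r.tcodes & hit}
```

Calling `review_after_su24_update(ROLES, SU24, ["ZTX02"])` skips Z_ROLE_A and reports the missing value and the Changed status in Z_ROLE_B and the missing object in Z_ROLE_C.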

4) Information is king

Once SU24 is fully updated, use the information any way you can. I often use it to identify currently used authorization objects, obsolete custom-developed objects, test optimization and many other things. In any case, the foundation is an updated SU24 database.

IAM Use Cases, why is “retainer” always missing?

I keep getting surprised by the 3 standard use cases everyone talks about: joiner, mover, leaver (JML). Everyone in the IAM sphere seems to have the same idea. Try a quick Google search and you will find many descriptions of the 3 areas. Just take the example below.

It seems that joiner, mover, leaver is the foundation… or is it?

In my world it is a bit more diverse than that, especially if you also look at the time consumption within each use case. What I am trying to tell you is that an important and time-consuming use case is usually missing – the retain use case.

From my point of view the following use cases are needed by everyone looking into an identity & access management solution.

  1. Joiner – How new people joining your organization are granted accesses
  2. Retainer – The illegitimate child, covering especially governance activities
  3. Mover – When people move around inside your organization
  4. Leaver – How to handle people leaving the organization

The retain use case

In my world, retainment of employees needs to be a separate use case area in any IAM solution. All other areas cover when something changes for the people in the organization: when they are hired, change position inside the organization or leave. But what happens when nothing changes for the employee?

Nothing, right?

But what if the same person has the same job over a 10-year period? Does nothing actually change for that employee? Just think about what you were working on 10 years ago; not the same as today, right? But if no attributes change for a person, it is not a given that the IAM solution will capture the employee’s development. Hence the retainment use case becomes relevant.

What should be included in the retainment use case?

When talking about the retainment use case, I suggest that you at least evaluate the following use cases.

  • Periodic certification of accesses and SoD violations
  • Periodic certification of job role content
  • Employee development without attribute changes