So, the fourth quarter has just started and you should remember that it is not too late to make minor improvements before the end of the year. Statistics do show that typically no major projects are executed in the fourth quarter since most IT teams and their organizations are preparing for annual audits. This means that no one is able to make any big changes, let alone sign off on any new projects. However, small improvements are always welcome and they can create a significant impact, so why not encourage them?
What we have learned from CIOs
We asked a few CIOs from mid-size companies who are Xpandion customers to tell us which three small activities they would execute in October and November in order to improve their company’s situation before December 31. Their answers focused on user life-cycle management, Segregation of Duties (SoD), risk assessment and SAP licensing. After listening to their ideas, we thought it might be helpful to others if we summarized their advice. So here are the three activities that can be executed in a 1-2 month time-frame and have a positive impact on the overall state of the IT department:
Segregation of Duties
Check for new Z and Y T-Codes that have been added to the production systems since you last updated your SoD rules. Once you have identified the new codes, assign them to their appropriate SoD group. This task is crucial since new T-Codes come into production from time to time, and if they are not assigned to the right groups they can be ignored. If they are ignored, the risk for that particular code is not controlled or mitigated.
Here is an example: imagine that your team just created a new T-Code “ZMIGO” for a special goods movement activity. If this T-Code is not included in the “Goods movement” SoD group together with MIGO, then it will be ignored and will not be a part of the risk monitoring resulting from the issuance of goods. This is the reason that identifying new T-Codes and classifying them to the right SoD group must be done from time to time, and the sooner the better.
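A manual version of this check, as an added example that is not from the original article or from Xpandion's products: it lists Z/Y T-Codes in production that no SoD group covers and proposes a group from the name, as in the ZMIGO case. The ruleset, the T-Code list and the prefix-matching heuristic are constructed assumptions.

```python
import re

# Constructed sample data (not from any real system).
# SoD ruleset: group name -> T-Codes currently covered by the rules.
SOD_GROUPS = {
    "Goods movement": {"MIGO", "MB1A", "MB1C"},
    "Vendor maintenance": {"XK01", "XK02", "FK01"},
    "Payments": {"F110", "F-53"},
}
# T-Codes present in production, e.g. from a periodic export.
PRODUCTION_TCODES = ["MIGO", "XK01", "F110", "ZMIGO", "YXK02_MASS", "ZREPORT7", "SU01"]

CUSTOM = re.compile(r"^[ZY]")  # custom T-Codes: names starting with Z or Y


def unclassified_custom_tcodes(production, sod_groups):
    """Return custom (Z/Y) T-Codes that no SoD group covers, sorted."""
    covered = {t.upper() for codes in sod_groups.values() for t in codes}
    return sorted({t.upper() for t in production
                   if CUSTOM.match(t.upper()) and t.upper() not in covered})


def suggest_group(tcode, sod_groups):
    """Heuristic (assumption): if the name minus its Z/Y prefix starts with a
    standard T-Code already in a group, propose that group. Longest match
    wins. A suggestion only; the SoD owner still decides."""
    rest = tcode.upper()[1:]
    best = None
    for group, codes in sod_groups.items():
        for std in codes:
            if rest.startswith(std.upper()) and (best is None or len(std) > len(best[1])):
                best = (group, std)
    return best[0] if best else None


def review_list(production, sod_groups):
    """Map each unclassified custom T-Code to a suggested group or None."""
    return {t: suggest_group(t, sod_groups)
            for t in unclassified_custom_tcodes(production, sod_groups)}


if __name__ == "__main__":
    for tcode, group in review_list(PRODUCTION_TCODES, SOD_GROUPS).items():
        print(f"{tcode}: {group or 'no match, classify manually'}")
```

Codes with no suggestion, such as a generically named report transaction, are the ones that need a person to read what the transaction actually does before a group is chosen.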
ProfileTailor Dynamics will cover you from two different angles.
1. You will automatically receive an alert for each new activity (T-Code) that comes into the production system so you can be aware of the new activity and its place within the SoD groups.
2. The system can automatically open a workflow in order to classify the new activity correctly, as well as automatically notify the respective SoD manager.
It is very important to verify that all users are classified correctly according to the SAP licensing rule-set. Doing the job right may take time, but the first step is easy. You should first classify user accounts which do not have any classifications in their user record (T-Code SU01). These accounts are counted as “Professional” licenses in SAP audits – which is the most expensive license type. If you have a good methodology to assign users to their appropriate license type then you are in good shape.
On the other hand, if you do not, then this is a good time to start thinking about one. SAP audits are becoming more and more thorough, and issues like duplicate logons and indirect access have recently become major concerns (for example, Diageo's case with SAP).
If you have LicenseAuditor software, you can automatically find unallocated users by issuing the “users with no classification” report. If you do not have this tool, then the process should be done manually.
Contact us if you are interested in seeing a demo of this tool.
Eliminate/Invalidate Inactive Users:
A company should always be sure to close inactive user accounts for two reasons. The first reason is to increase security levels and the second is to reduce licensing costs. Inactive accounts are good candidates for hackers because nobody traces the activity on inactive accounts, but no hacker can take over an account that does not exist.
Additionally, and this may surprise you, in all pre-audits that we perform for our customers prior to their SAP Licensing Audit we identify inactive accounts. These accounts are a waste of money from a licensing point of view, and therefore closing them is an immediate savings in your SAP licensing fees.
If you have ProfileTailor Dynamics, then you have an out-of-the-box workflow that can run as a continuous automated procedure, so you do not have to worry about inactive accounts at all. If you do not have the software, this process should be executed manually each month.