If you haven’t already noticed, in some SAP support packages several T-Codes have been replaced with other T-Codes. These changes create a challenge in maintaining your company’s authorizations, and there are also implications for the GRC module. So, what do you do?
Follow these two main steps:
1. Update user authorizations so they match the T-Code changes
2. Update the relevant GRC rules and add the new T-Codes
Step #1: Updating User Authorizations
An authorization manager, a customer of ours, was asked to modify all employee authorization roles to accommodate the T-Code changes during a support package upgrade project. But considering the number of users and roles in the organization, the task was estimated to take at least three weeks’ worth of work.
The current user authorizations had already been bothering him. He felt that they were too broad, and for some time he’d wanted to narrow them down according to actual usage. Replacing the T-Codes now would prolong a situation that was not efficient.
He decided to use the opportunity to his advantage and came up with a better idea from a security point of view – one that would be much more efficient in terms of SAP authorizations. He would replace the T-Codes only for the users who really use these T-Codes, and delete them from users who don’t. This would get the job done well, and increase the security level. Great idea.
So now Step 1 (Update user authorizations so they match the T-Code changes) has become two sub-steps:
1a. Identify who really used the old T-Codes
1b. Update user roles and authorizations according to actual usage
Step 1a: Identify who really used the old T-Codes
How would this authorization manager know which T-Codes were in use, and by whom?
He could have used ST03N in order to identify the T-Codes that were recently used, but not only would that have taken him a significant amount of time, he would also have had to work hard on the raw data in order to get usable results for the project. Because he was using ProfileTailor Dynamics anyway, he was able to identify within a matter of minutes who really used the old T-Codes. He created an Activity Group “Old T-Codes” and produced the report called “Activity to Users (Real Use).” Since the software is based on user behavior analysis, the report showed him a list of users and the T-Codes they’d been using over the past year including the amount of use. He was able to see the most active T-Codes (see image below) and also the most active users with these T-Codes, so he could easily know where to put his focus.
This report showing activities and their corresponding usage percentages allows the authorization manager to focus on the most active ones. The tabs at the bottom of the spreadsheet include the raw data.
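The decision rule behind Steps 1a and 1b, as an added example (not code from the original post or from ProfileTailor Dynamics): given a per-user usage export and the current authorizations, replace an old T-Code only for users who actually ran it and remove it from everyone else. The T-Codes, user names, CSV layouts and the `min_executions` threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed placeholders (old -> new T-Code); not real SAP transaction codes.
REPLACED = {"ZOLD1": "ZNEW1", "ZOLD2": "ZNEW2"}
# Constructed sample: T-Codes each user is currently authorized for.
AUTHORIZED_CSV = "user,tcode\nALICE,ZOLD1\nALICE,ZOLD2\nBOB,ZOLD1\nCAROL,ZOLD2\nCAROL,ZKEEP\n"
# Constructed sample: executions per user and T-Code over the past year.
USAGE_CSV = "user,tcode,executions\nALICE,ZOLD1,90\nBOB,ZOLD1,0\nCAROL,ZOLD2,10\nALICE,ZKEEP,3\n"


def _rows(text):
    return csv.DictReader(io.StringIO(text))


def usage_share(usage_csv, replaced):
    """Share (%) of old-T-Code executions per T-Code, most active first."""
    totals = defaultdict(int)
    for r in _rows(usage_csv):
        if r["tcode"] in replaced:
            totals[r["tcode"]] += int(r["executions"])
    grand = sum(totals.values()) or 1  # avoid division by zero on empty data
    shares = [(t, round(100 * n / grand, 1)) for t, n in totals.items()]
    return sorted(shares, key=lambda s: -s[1])


def plan_changes(authorized_csv, usage_csv, replaced, min_executions=1):
    """Return (user, action, old, new) for every authorized old T-Code."""
    used = defaultdict(int)
    for r in _rows(usage_csv):
        used[(r["user"], r["tcode"])] += int(r["executions"])
    plan = []
    for r in _rows(authorized_csv):
        user, old = r["user"], r["tcode"]
        if old not in replaced:
            continue  # T-Code unchanged by the support package
        # No usage record at all counts as zero executions.
        if used.get((user, old), 0) >= min_executions:
            plan.append((user, "replace", old, replaced[old]))
        else:
            plan.append((user, "remove", old, None))
    return plan


if __name__ == "__main__":
    print(usage_share(USAGE_CSV, REPLACED))
    for change in plan_changes(AUTHORIZED_CSV, USAGE_CSV, REPLACED):
        print(change)
```

Raising `min_executions` treats rarely used T-Codes as unused, which narrows authorizations further at the cost of more follow-up requests from occasional users.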
Step 1a? Check.
Now the authorization manager is on his way to updating SAP authorization roles for the SAP support package upgrade.
Look for our next posts to see how he accomplished 1b and Step 2.
See how ProfileTailor Dynamics can help you put your authorizations in order.