How to Consciously Uncouple in the SAP Authorizations World

“Conscious uncoupling” (see goop), the fancy new-age phrase that Gwyneth Paltrow and Chris Martin are using instead of the word “divorce,” does feel a bit weird, but there is some truth to the approach that I think can greatly benefit certain events in the SAP world. In fact, without a “conscious uncoupling” approach to departing employees in the SAP world, a great deal of work might go to waste.

I’m talking about when the Authorization Manager leaves. While in large enterprises the authorizations team can be a couple of people, in small and medium businesses it can easily be a one-man show that deals with everything: allocating authorizations to new employees, changing authorizations, and removing authorizations from employees who have left the organization. While most areas of SAP are covered by procedures and regulations – especially on the business end, like Finance and Logistics, and also Development – Basis and Authorizations usually are not. Who opens an SAP productive client for customization in SMBs, and how do they do it? Who approves the granting of new authorizations in the SMB, and how is this done? Those questions seem totally unimportant… until the authorization guy leaves.

For Want of a Nail

The authorizations guy is a crucial element in the large integrated environment of SAP and other business applications; however, in most cases he doesn’t seem as important to management as, for instance, the financial consultant or the logistics implementer. Although his non-importance may be true from a business-continuity point of view, it is not true when it’s time for him to leave. Years of work, including de-facto procedures and arrangements that are stored only in his mind, can disappear forever. As the proverbial children’s rhyme “For Want of a Nail” goes, small actions can have large consequences, so one small departure can create a large hole in the authorization area, even if the organization has just finished a role-redesign process and everything seems neat and tidy. The “next guy” will not be able to use the first guy’s inherent knowledge, and the loss will be significant.

Therefore, it is important to verify beforehand that at least the following things are well documented – or better – embedded in a system like ProfileTailor Dynamics:

• The process of granting authorizations – who opens the request, who approves it, what should be done if the request is for sensitive authorization (like T-code F110 for payment run or SE16 for browsing data in SAP tables). What should be done if granting the requested authorizations will violate a Segregation of Duties (SoD) rule? Note that this happens to be one of the most inspected issues in an audit. Best to automate it using a dedicated workflow system like ProfileTailor Dynamics Authorization Request.

• The process of granting authorizations to new employees and eliminating authorizations from departing employees. Like the above – these processes are “beloved” by IT auditors to investigate and comment on, and they better be automated.

• Any “common knowledge” about authorizations in the specific organization. For example: a list of sensitive activities that need special approval, a list of special company codes and bank accounts like management monies and personal expenses, a list of power users that really need power user authorizations (and the ones who don’t), a list of common activities for each role, and so on.

• Last but not least, a good piece of advice is to conduct a semi-yearly access review process, above and beyond the regulatory obligation. This will ensure that all employees’ authorizations are checked and are still valid, and will give the “next guy” in authorizations a good starting point. To conduct a successful one, read our free ebook: How to Conduct a Successful Authorization Review.

Conscious Uncoupling

No less important: like our friends Gwyneth and Chris, it is recommended to part on good terms. Even if things are documented and working fine, you’ll need the authorization guy for the yearly audit, so it’s best if you can keep a good relationship with him before and after he leaves. Never assume that all of an employee’s knowledge can be documented; it’s always wise to maintain good relationships anyway.

What’s your experience? Have you ever faced a hole in procedure caused by a departing employee? Leave your comments here.