SAP Authorizations simple and safe Does the following sound familiar? Historic growth of an organization’s SAP user roles creates risk and ma- nagement challenges, that are rarely remediated without large-scale efforts or negative impacts on day-to- day operations. A clear and centralized picture about who currently has (and should have) which authoriza- tions tends to become fuzzier with every passing year of SAP usage. One contributor to this challenge is a common workaround: employees and developers request and are provided more access than they require to perform job duties. But there is a better way: setQ Authorization Manager centralizes your system-wide role management while kicking security & compliance issues to the curb once and for all.
Transcript
SAPAuthorizationssimple and safeDoes the following sound familiar? Historic growth of an organization’s SAP user roles creates risk and ma-nagement challenges, that are rarely remediated without large-scale efforts or negative impacts on day-to-day operations. A clear and centralized picture about who currently has (and should have) which authoriza-tions tends to become fuzzier with every passing year of SAP usage. One contributor to this challenge is a common workaround: employees and developers request and are provided more access than they require to perform job duties. But there is a better way: setQ Authorization Manager centralizes your system-wide role management while kicking security & compliance issues to the curb once and for all.
Figure 1: setQ user interface – your cockpit for easy authorization management
SAP Authorization and Identity Management – easy as 1-2-3setQ Authorization Manager for SAP Software automates role approval and assignment processes while making all related proces-ses fully transparent for the business. Assignments are managed from a central dashboard – ensuring you have complete control over all connected systems. Managing your role design on an on-going basis also gets the setQ treatment: SAP admins can use the familiar SAP GUI while business stakeholders gain access via a simple web interface to receive intelligent real-time information on how to remediate SOD confl icts.
Compliance & Security – setQ Keeps You Safe on Many LevelsSecurity, SOX, and GDPR? Compliance and privacy topics are gaining increased momentum, creating a need for a robust toolkit you can trust. setQ ensures that access to SAP is assigned reliably and securely – using a vast array of templates for job positions, org elements, and SOD rulesets. The contents of org-wide authorizations objects and roles are made transparent and traceable, allowing you to build a compliant end-to-end process for the SAP landscape at large. It’s fi nally your turn to show auditors who’s boss.
Design and Migrate to a New Role Concept on the FlysetQ employs a reference model that drastically accelerates initial Role-Design and Re-Design using a modular architecture. Hund-reds of templates simplify the functional aspects of designing, maintaining and reducing excess access of a best-practice authori-zation concept, without requiring large-scale efforts or the help of external consultants.
Even during the plug-and-play creation of new roles and concepts, setQ runs real-time checks for critical SOD confl icts in the back-ground and can prevent them from being pushed to production automatically. The deployment of your new roles follows a transpa-rent ruleset and does not require complicated tinkering to get started. While legacy Identity Management for SAP requires complex knowledge and months of setup and refi nement, a setQ install is fast and simple.
Figure 2: That‘s how centralized authoriization management works
Lowering Costs by Knowing the Right CombinationsCreating order out of chaos deep inside the inner workings of your SAP systems was never an easy feat. Adding fuel to the fire are SAP’s regular policy changes that can complicate SAP User Licensing and Authorization management further – driving up your Total Cost of Ownership unless correctly managed. Investing in a best-in-class Authorization and License Management Solution positively impacts your bottom line while solving top-of-mind challenges.
Reap the benefits from a perfectly tuned SAP Identity Management solution using VOQUZ’s intelligent suite of SAP add-ons. Tap into the connective tissue between SAP Licensing and Authorization management: using our optional samQ License Optimizer for SAP you can identify unused transaction codes in roles for automatic removal using setQ.
Reduce costs and simplify your SAP: Historically, SAP’s contractual user definitions were written to be assigned based on perfor-med activities (executed functions and transactions codes)
u i.e. low-cost license for low SAP usage
SAP‘s new approach: Current and future contracts are reworded to force license assignments based on the potential access a user has (regardless of whether it’s used or not)
u risk of unexpected ballooning costs following an SAP audit + an opportunity to clean up your role concept in anticipation of SAP’s upcoming changes.
Advantages at-a-glance � Quick installation and unparalleled usability � Centralized and simple control mechanisms for roles and authorizations � Reduction of costs and management efforts through automation � Compliance & Security assurance � SOX-Compliant Authorization Management � Automatic prevention of critical combinations and SOD conflicts � Dramatic workload reduction for Basis and Security Teams � Request, approval and assignment processes for authorizations are accelerated significantly for new
About VOQUZ LabsVOQUZ Labs is a sub-division of the larger VOQUZ Group and the leading provider of Software Asset Management (SAM) and Authorization Management (GRC) add-ons for SAP, with bases in Berlin, New York and Mexico City. VOQUZ Labs combines best-in-class SAP User Management solutions and a strong Consulting Expertise in License Advisory, Compliance, Security, Access Control and Efficient User Management.
Central License ManagementsamQ facilitates central management of all SAP user licenses. There is no need to edit user profiles in each individual system. Instead, samQ enables information to be updated across all connected SAP systems. samQ identifies inactive SAP users and deactivates their accounts. Double user accounts are consolidated so that every SAP user has exactly one named user license across all SAP systems. The licenses freed in the process eliminate the need to purchase new ones and enable you to reassign unused licenses.
Named-User License OptimizationsamQ thoroughly analyzes the usage data of all individual SAP users and determines who uses SAP in which way. The transaction data is used to determine the optimal license type. samQ automatically recognizes changes in users’ usage behavior that would be difficult to detect without a software tool, and it modifies the licenses accordingly. This permanently ensures that your licensing status is always as low as possible.
Transaction DatabasesamQ uses a dynamic transaction database known as the Optimization Engine to determine the optimal license types. It contains all the transactions executable in SAP that were evaluated with a specific named-user license type. The transaction database is constantly modified, expanded, and updated to include new transactions, for example, when SAP makes changes to its price and condition lists. samQ checks the usage data collected for individual users against the transactional database and automatically switches to the correct type of license if the current license does not suit their usage behavior.
CustomizingsamQ enables customers to take into account all the details from company-specific SAP contracts in order to create a precise model of their business conditions. An extensive range of customizing options are available to the client for this purpose. For example, prices and conditions, ratio-based rules (ratio of professional to limited professional user licenses), special licenses, transaction evaluations for customer-specific transactions, and more can all be precisely configured. This information provides a framework for optimizing the SAP licenses.
Management Reports based on SAP FiorisamQ versions 2.0 and later offer a special Fiori dashboard for a quick overview. Tables provide the most important licensing information and KPIs, while charts show trends in license usage. Alerts warn the user when a critical state has been reached. The Fiori add-on also makes it possible to use samQ on mobile devices, such as tablets.
Automatic System MeasurementThe optional module helps users conduct the annual system measurement. It automates both engine and user measurement centrally across all systems from a single point. Engine measurement makes it possible to generate and save full USMM reports. In the process, samQ saves the date-stamped USMM measurement results (full result logs) and makes them available at all times for all kinds of evaluations. This module is especially useful for monitoring engine usage.
LAW WorkbenchThis module makes it very easy for you to check the results of your LAW reports. samQ compares your calculations with the LAW results, identifies any deviations, and enables a drilldown all the way to the user/client level. Consequently, you can always be sure that the reported results match your calculations.
Analysis Mode and ‘What-if’ ScenariosEvaluations can be run in samQ with fully customized settings without changing existing customized settings or deactivating daily optimization. samQ offers a variety of license templates for this purpose. Advantageous configurations can be saved or used directly in customized settings, as required. This makes it possible to develop scenarios that factor in license types that are not yet part of the customer’s license inventory.
Indirect Access AnalysisWith samQ you can find out which third-party systems and add-ons access your SAP data. samQ auto-matically analyzes all RFC connections and the data exchanged over them. It evaluates the interfaces to determine actual usage and identifies critical situations based on this information. As a result, you receive a regularly updated risk overview that serves as a basis for further evaluations.
Authorization AnalysisTo determine the correct named-user license based on authorizations or to optimize your role and authori-zation concept, samQ provides a special module for authorization analysis. samQ calculates the license key a user is assigned with if licenses are distributed according to authorizations rather than real activities. The analysis provides transparency about the different license calculations and determines which permissions or transactions are unused.
