Defining Technical and Business Roles

Imagine that you work in a company that uses SAP systems to manage various business areas. Each business area has its own specific requirements and roles that must be assigned to users in the systems. Previously, administrators managed permissions manually, leading to issues such as incorrect permissions or delays. Now, an internal audit is due to ensure that all users have the correct permissions and that these permissions comply with the company's policies and security standards. It is an enormous task to manually verify that each user permission is correct and appropriate, and matches the requirements of the business area. However, Business Role Management allows for the creation of custom roles that consider the specific requirements of each business area.

The Business Role Management component of SAP Access Control automates role definition and the management of roles. It simplifies the maintenance and documentation of important role attributes whether you are an SAP Security Administrator, Role Designer, or Role Owner.

Through Business Role Management, you, as a Role Designer can manage roles from multiple systems in one role repository. Roles can be defined, documented, and designed. Besides that, you can analyze risks that can occur due to the maintained authorizations. This enables a standardized process to ensure that the definition, design, test, and changing of roles is consistent throughout the company. Role Management is an important task when supporting a software solution, especially when multiple landscapes are introduced into the enterprise.

Access Control can be the central repository for all SAP systems connected in the landscape. Business Role Management (BRM) can:

• Ensure consistency in naming conventions.
• Track the status of the role during maintenance.
• Be the central repository for role management.
• Identify duplicate or nearly duplicate roles.
• Identify roles that may no longer be needed.

Business Role Management is tightly integrated with the Access Request Management engine, so when roles are maintained in BRM, these same roles are updated immediately for use in access requests.

The preceding figure shows a typical Role Management process in a company. This process can be customized by defining the Role Methodology step by step. It can have more or less steps and depends on the company's guidelines. In advance, the naming convention of roles must be defined. Also, the responsibilities must be defined during role definition. This includes a role designer, a role owner, a security administrator and, a user admin.

You as a role owner or security admin can track the progress of role implementation and monitor the quality of implementation. You can perform a risk analysis at role design time and set up a workflow for role approval. A history shows role modifications over time. After generation, editing roles is also possible to keep the roles up to date.

Let's say there is a business need that is already identified and communicated. After evaluating the requirement, you as a Role Designer want to define the role. But previously you want to take a look at roles that are already existing.

To look at all the existing roles, you, as a user must use the Role Maintenance app of SAP Access Control. The app contains all roles that are already defined including Role Name, Application Type, and the landscape which includes the systems. It also shows the Role Type, Business Process and Subprocess, the Current Phase of the Role Methodology and the last updated time as well as the user who updated it. Role Types, which are shown in the list, are: 

• Business roles
• Single roles
• Composite roles
• Groups
• Profiles

These are also the role types that can be created.

You can sort the list of all defined roles by column. However, as a user, you may want to start a query to find specific roles according to certain criteria. There is a Personal Object Worklist (POWL) for this purpose.

POWL is a query-driven worklist that contains business objects from the respective work area and allows you to view details in a personalized way. You can:

• Hide or rearrange columns.
• Filter data.
• Export results into a spreadsheet.
• Search roles, including range search.

You can also define a new query and maintaining specific criteria. Queries can also be changed and deleted if they're no longer needed.

Let's say that you looked through the roles and saw that a new role must be created to implement the authorization requirements.

To define the new role, you, as a user must use the Role Maintenance app of SAP Access Control.

Single roles, also known as Technical Roles, define the authorization and access to a specific application function. The role designer defines the role-related attributes. You as a role designer define authorizations in the PFCG of the back-end system and synchronize them into Business Role Management of SAP Access Control. You can also derive a role using a guided activity flow to create the derived role with the same authorizations as in the source role but with different organizational values.

Before defining a single role, the following prerequisites must be met.

• Role Methodology is defined.
• Workflow approval is defined, if workflow approval is required.
• Role attributes like business process and subprocess are defined.
• Naming convention is defined, if one is being enforced.

You can create roles by a guided process of Role Methodology. Role Methodology can be configured to include or exclude particular steps. When creating and maintaining roles, the current phase is always visible and completed steps are clearly marked. The Go To Phase option allows you to jump to a specific step in the methodology.

The single role creation process starts with the Define Role phase. When defining roles, you must fill in all mandatory attributes such as system and role name. There are also optional attributes that you can fill in.

The Properties subtab includes attribute fields for defining certification periods, the criticality of the role, and more.

The certification period, in days, enables a periodic review of Role Content and Definition. The Role Owner certifies the role on a periodic basis. The next certification is calculated based on the period and the last certification date. Also, e-mail reminders are sent to role owners. The Role certification can also be tracked for audit purposes. The Certify button is visible in all the phases, once the role definition is maintained.

You can define new sensitivity values in the SAP Customizing Implementation Guide (IMG) of your Access Control system. You can use the IMG to configure multiple processes in Access Control. We look at other configuration options later in this course. 

Define multiple optional values like the Functional Area of the role, the Company, and Custom Fields, as needed.

The tab Owners/Approvers marks the user who approves the assignment or the content of the role and is used when a request is sent. Make sure that you assign the approver, so that your request can be submitted in the later phase. 

Switching to the Role Mapping subtab, you can map related roles to a single role. In this way, related roles can be provisioned to a user when a particular role is assigned. This means that if a role is assigned to the user in the system that is specified as the Source Connector, the user also gets the role in the system that is specified as the Target Connector.

Switching to the Additional Details tab, you can determine the provisioning of roles in the Provisioning subtab. The Role status determines the availability of the role for provisioning. Only roles with production status are enabled for provisioning. 

In the section Systems of the sub tab, if Provisioning Allowed is set to Yes, a role can be provisioned for a specific system. If Allow Auto-provisioning is set to No, the role cannot be provisioned normally through an access request and manual intervention is required after the access request is approved.

Role validity specifies the period of validity of the system and you can set it at the system level.

In the Where-Used Roles tab, users can see where the role is being used, for example, in business or composite roles. The Assigned Users tab tracks users who have been assigned the role.

After defining the role, you must maintain the authorizations of the role.

In the Maintain Authorizations tab, you as a role designer, select the button Maintain Authorization Data. Then SAP Access Control launches a new GUI session with the role opened in PFCG transaction of the target system. You fill authorization data and close the GUI session with PFCG. To get information about data entered in PFCG to role details in SAP Access Control, you run a synchronization by selecting the button Sync with PFCG. There is also an option to push the role authorization data from SAP Access Control to the target system if data in the target system was changed and you want to recover it. In case of derived roles existence, you can propagate changes at the master role to the derived role by selecting the button Propagate to Derived Roles.

In the next phase, which involves analyzing access risks, you analyze the role for access risks based on the authorizations you maintained in the prior step.

You can analyze the roles on action/permission level, for critical actions/permissions, critical role/profile and start the report in the foreground or background. You will then be shown the results, which you can also filter.

During role creation, you can derive a role. Role derivation allows administrators to derive roles from a single master role. The following video guides you through the process.

In the Generate Roles phase, you can submit roles for generation.

It is a guided activity that provides step-by-step instructions for generating roles. You can select either foreground or background jobs. The list of Generated Roles provides information, such as:

• Where the role was generated.
• Time of generation.
• User who performed generation (source of generation).

This was the role creation process of a single role. Let's look at the differences when creating a business role.

A business role represents a job function in an organization. It serves as a shortcut for assigning related technical (single) roles in the back-end system by containing one or more technical roles and business roles. Through business roles-related roles can all be assigned at once, which makes the provisioning and managing easier. While defining a business role, use the Roles subtab to add roles which constitute the business role. Refer to the screenshot below. Also, since a business role is a collection of roles, there are no Maintain Authorizations, Derive Role and Generate Roles phases in the role methodology.

Example:

AP Clerk is a job function that performs the following activities:

• Maintain vendors.
• Display account balance.
• Post outgoing payments.

Generally, each of these activities are created as single roles. Using a business role named AP Clerk, all these related roles are associated to it. Users who perform an AP Clerk job are assigned one business role instead of three single roles. The benefit is that roles can be modeled based on job functions. The business-friendly role names help Business Analysts and Security Administrators to collaboratively define roles. In addition, the risk analysis can be executed for the business role to make the roles complaint at the job function level.

Prerequisites:

Before creating a business role, ensure that the following prerequisites have been met:

• Technical roles to be associated to the business role are defined.
• Role methodology is created, if one is to be enforced.
• Naming convention is defined, if enforced.
• Workflow approval is defined, if approval is required.

It is possible to create the business role as a shell before creating the technical roles. However, we recommend creating the technical roles first.