Role Designer for SAP

SAP Role Engineering Solution

July 2013

About Bay31
Bay31 is a vendor of next-generation
Access Governance solutions.

What makes Bay31 unique

Unique data-mining technology

reveals business structure in
ne grained access data.

Flexible delivery and pricing

supports smaller projects, yet
scales for the enterprise.

Cloud and private-cloud model

is faster and less costly to
implement.

Based in Switzerland
International customer base and
partner network
Technology based on proprietary
research in the eld of datamining for access control

Role Designer for SAP

Maintaining SAP roles: complex and costly

SAP authorizations are notoriously
complex. Maintaining SAP roles is a
major challenge.
SAP roles become mis-aligned with
the business as organizations and
business processes change.

Time for another SAP

role re-design.

SAP security architects work with

home-grown, spreadsheets and adhoc databases; productivity suers
and project risk is high.

Role Designer for SAP

Are your SAP roles still fit for use?

Bloated Roles

Redundant Roles

Outdated Roles

Catch-all Roles

Roles grow over time

and get bloated.

Roles get cloned, and

overlap.

The organization
changes and roles lose
their business
relevance, but remain
in production.

Exceptions and workarounds become

permanent.

Users have more

access permissions
than they require

More work to audit

and review users
and roles

Dicult to assign
users the right roles

Not secure
Not compliant

SAP roles are no longer transparent, manageable and secure.

Access management and compliance processes suer.
Well-conceived SAP roles are critical for robust and secure SAP business processes!

Role Designer for SAP

Role Designer for SAP

Role Designer for SAP is a
powerful productivity tool for
SAP security architects.

Reduce the cost and complexity of

SAP role engineering.

Identify existing SAP roles that

require maintenance or
redesign.
Users

Design new SAP roles that are

more secure and transparent.

Transactions

Keep SAP roles aligned with

your organization.
Enforce SoD policies and
promote compliance.

Role Designers matrix visualization

reveals the relationships among SAP
users, roles and authorizations.

Role Designer for SAP

Why choose Role Designer for SAP

Role Designer is better than your in-house tools
for SAP role design because you can:

Consolidate SAP authorizations and business

meta-data in a single reference repository.

Visualize complex SAP authorizations to discover

and validate their business structure.

Use SAP-aware role-mining to nd businessrelevant SAP role candidates.

Formalize and enforce your SAP role design

standards.

Facilitate team collaboration with concurrent

multi-user access to a single reference repository.

Role Designer for SAP

Benets

Reduce the cost and

frequency of SAP role
re-design.

Design better SAP

roles that streamline
authorization and
reduce the cost of
compliance.

Stop maintaining
ad-hoc in-house tools
for role design.

Role Engineering with Role Designer for SAP

Role
Assessment

Import role and

business data

Roles ranked by
quality

Role Analysis

Categorize roles, users

and transactions

Correlate roles with

Manage Roles

organizational and
functional categories

Manage roles and

business attributes

Check transaction

Cross-system roles
and policies

Role versioning

Role engineering with

usage patterns

Role Designer for SAP

Role Design

Role instantiation

Deploy Roles

and composition

Export roles and policies

Role mining
Refactor and optimize
Enforce SoD

Re-provision authorizations

Role Designer for SAP

Role Designer Integration with SAP

Bay31 ABAP
Security Reader
Role deni*ons out

SAP ABAP

Role deni*ons back in

Role engineering report

for PFCG entry; PFCG
integration planned

SAP GRC

Role Designer

SoD Rules

GRC export les

SAP GRC 5.3 or 10.0

Role Designer for SAP

Pricing and Delivery

Role Designer for SAP is Software as a Service:

Cloud subscriptions are

hosted and managed by
Bay31 in our data-center.
Cloud subscriptions are
limited to 20000 identities.

Role Designer for SAP

Price per user

Cloud (Amazon EC2)

950 / month

On-Site

1250 / month

On-Site subscriptions can be

deployed on your laptop or
desktop, or in your datacenter. On-site subscriptions
support an unlimited
number of identities.

Role Designer Presentation

Rich interactive user interface

Business metadata
categorizes users, roles
and entitlements:

Navigate dataset by
category

Unlimited business

List View shows

users, roles, and
entitlements:

List, lter and sort

entities

Automatically
mines role
candidates

Matrix View:

Pattern recognition clusters

entitlement assignments

Visualize and analyze roles

Interactive role denition

hierarchies

Role Designer Presentation

10

Role Designer for SAP models roles and authorizations down

to the lowest levels of the SAP authorization model.

Authoriza2on values in detail.

SAP roles and their authoriza2ons.

Role Designer Presentation

11

Correlate SAP roles with business structure.

See distribu2on of role across business

categories. 7 out of 10 assignments of
this role are in the the Global Sales OU.

This roles permissions are concentrated

in the Sales and Distribu2on module.

Role Designer Presentation

12

Visualize SAP roles with the interactive permission matrix

A paFern recogni2on algorithm automa2cally

sorts permission assignments to show roles as
con2guous.

Role Designer Presentation

13

Visualize historical transaction usage statistics

Role Designer leverages historical transac2on usage logs to help

you dis2nguish used transac2ons (dark blue cells) and unused
transac2on (light blue cells). So you can simplify exis2ng roles, or
role-mine new roles based only on actually used transac2ons.

Role Designer Presentation

14

Role-mine business-relevant roles

Department

1
Role Designer automa2cally mines role
candidates. But you have to decide if it
represents a relevant business
abstrac2on.

3
The en2tlements correspond to
management of Prot Center records.
This is denitely a business-relevant
role. Now dene the role with 1 click!

2
This role candidate correlates with
membership in a specic OU. This may
indicate a business-relevant role.

Role Designer Presentation

15

Segregation of Duties Report

Role Designer Presentation

16

Role Designer for SAP Security Reader

Role Designer Presentation

17

SAP tables accessed by the Bay31 Security Reader

Role Designer Presentation

18

Questions?
For more information or a free trial contact:
Cris Merritt
email: cris@bay31.com
mob: +33 631 08 10 09