Direct vs. Indirect Role Assignments

by

In this article, I’ll the discuss the differences between direct vs. indirect role assignment in the context of SAP authorizations. Each assignment scenario has its pros and cons, and you can use both independently or in combination to complementary each other.

What are direct role assignments?

Authorization roles (and profiles) are directly assigned to the user master record via individual transactions (SU01/SU10/PFCG), SAP Access Control (Access Request Management module), Central User Administration (CUA), or other tools like SAP Identity Management (IdM). As a result, the user gains SAP access rights through roles/profiles that are directly assigned to their user ID.

What are the pros?

  • Flexible – users that hold the same job function can have different authorizations assigned to them
  • Widely used – it is considered best practice and fully supported by SAP Access Control (GRC) and SAP IdM
  • SAP Access Control Access Risk Analysis (ARA) and remediation are performed on the user level
  • HR user master is not required (only SAP user account)

What are the cons?

  • Historical assignments often remain undetected and result in too far-reaching authorizations
  • Role admins may have to assign the same authorizations to users, even if they share the same job role
  • Roles/Profiles must be requested and assigned manually

What are indirect role assignments?

Authorization roles (and profiles) are attached to positions, employees, or organizational units in the organization structure. The end user gains the access rights based on the assignment to the position in the HR organization. The user gains SAP access rights based on the position(s) that the personnel HR record is attached to.

What are the pros?

  • Same authorizations for everyone who is assigned to the same job role
  • Authorization gets removed automatically if a person moves around the organization
  • New authorizations  are added automatically if a person moves around the organization
  • Newly hired employees get authorizations automatically when they start their job
  • Less effort for administrators to initiate and manage access requests

What are the cons?

  • Inflexibility – everyone assigned to a position gets the same authorization (differences in authorizations need to be addressed separately)
  • Each SAP user needs to have a record in HR that is assigned to a position
  • SAP users need to be mapped with the personnel record in HR (info type 0105 (Communication), subtype 0001 (SAP User))
  • Changes in organizational management will have an impact on end user access
  • Additional training for administrators and approvers
  • Encourages the use of composite roles
  • Requires extra effort in HR to maintain the organizational data, while it doesn’t add value to HR to keep that type of data
  • Practically only works in organizations with a low rate of changes (e.g. public sector)

Combining direct and indirect role assignment

Both scenarios can be used in combination, eliminating some of the cons of individual assignment scenarios. Combining both scenarios (direct and indirect assignment) means that you can assign basic access indirectly, via the job position(s) but then assign additional authorizations to the user master record directly.

How does the combined scenario look like?

A user gains SAP access rights based on the position(s) that their personnel HR record is attached to, as well as through roles/profiles that are directly assigned to the user ID.

What are the pros?

  • Combines the best of both scenarios
  • Allows for a more flexible authorization design as compared to indirect role assignments
  • Automatically grants basic authorizations with the ability to assign additional access rights on a per-user basis

What are the cons?

  • Since access is not entirely distributed through the HR positions, individual roles/profiles must be requested
  • In case SAP Access Control is used, role owners have to be aware of different types of assignment (either a role gets assigned to a user directly, or to a position that might have an effect for more than one user)
  • HR Administrators and SAP User/Authorization Administrators must work together closely

Conclusion

Each scenario has its pros and cons, and therefore it’s hard to tell which scenario fits your requirements best. If you have a strong focus on HR and you rely on position-based authorizations, that might be the right choice. In case your HR data, which is the foundation for position-based authorizations is not properly maintained nor kept up-to-date, indirect authorizations might not work. A hybrid approach, however, combines both and hence is in many cases an accepted first move towards granting indirect authorizations. Xiting has successfully implemented hybrid models where basic authorizations were indirectly assigned (e.g. ESS/MSS authorizations), but additional roles were directly assigned through SU01 or workflows.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.