Testing changes to roles and authorizations has never been an easy task in SAP. Typically, testing such changes is a time-consuming and labor-intensive process. Security administrators often have to deal with tasks such as:
- Creating a test user (or users),
- Identifying testers,
- Evaluating the test results,
- Administering role and SU24 updates,
- Documenting the test results, and finally
- Providing go-live support.
From the business (or test user) perspective, testers must take time away from their day-to-day job to conduct testing, communicate with security administrators about any issues, and conduct retesting. But what if there were a way to eliminate a large chunk of the testing overhead, get better test results, and not require business users to stop their day-to-day work while testing? Sound too good to be true? It’s not. Xiting has developed a solution, the Xiting Authorizations Management Suite (XAMS), aimed at making security administration faster and easier. As part of the XAMS, Xiting Times allows security administrators to conduct focused testing of role changes without impacting business users. Another benefit of using Xiting Times is the ability to ensure a risk-free go-live. Xiting Times offers three distinct modes to support the functionality described above.
At its core, Xiting Times leverages standard SAP reference users to simulate and compare roles, as well as to provide go-live support. To enable those features, administrators need to perform a few configuration steps, including:
- Creation of at least two RFC destinations and
- A system user with the required authorization roles.
Additionally, XAMS administrators have to configure the reference to dialog user mapping, using an easy-to-follow setup wizard. Once completed, admins can enable one of the three available modes supported by Xiting Times:
- Normal mode
- Simulation mode
- Comparison mode
In normal mode, Xiting Times assigns reference users to dialog users on demand, based on pre-defined mappings. The two primary use cases of the normal mode include:
- Protected Go-Live: In the event of authorization errors during go-live, end-users can check out their old roles through a self-service mechanism and keep them for a temporary period.
- Emergency Access Management (EAM): Dialog users can request a reference user that comes with elevated or critical authorizations to perform tasks the dialog user would typically not be authorized for.
In simulation mode, Xiting Times assigns reference users to predefined dialog users and starts a background job that logs all authorization checks that were not successful from reference user’s point of view. You could use this mode to simulate how well the roles of the reference user would work for the dialog user if they were directly assigned. The assumption in simulation mode is that the roles assigned to the reference user may be missing specific authorizations that are required by the dialog user. Using Xiting Times, admins can identify that authorization delta and tune the new roles before go-live.
Xiting Times stores the logged data in a dedicated table that admins can efficiently analyze to identify the delta between the roles of the reference and dialog user. Another module of the XAMS, the Xiting Role Builder handles all the reporting and acts as the analysis engine for Xiting Times.
Comparison mode works similarly to simulation mode, but Xiting Times handles the data collection slightly differently. The assumption in comparison mode is that the reference user may have more powerful roles than the dialog user. For example, you may assign a dialog user’s old roles to its reference user for go-live while directly assigning the newly created, and potentially less powerful, roles to the dialog user. Using the trace data produced by Xiting Times and the reporting engine of Xiting Role Builder, admins can then identify what, if any, authorizations were used from the roles of the reference user during go-live. That way, role admins can fine-tune the roles of the dialog user without negatively impacting them with failed authority checks.
You can also use comparison mode for Emergency Access Management (EAM), as it can report on which authorization checks belong to the emergency user and which are part of the user’s normal authorizations.
The three modes available to the XAMS Administrator in Xiting Times provide a powerful set of tools to test and implement role changes.
For more information about Xiting Times or the entire Xiting Authorizations Management Suite, please contact us directly and schedule a live-demo.
By Stefan Wohlschlag. Latest post: Next Generation Role Testing – Reduce Time and Effort with Xiting Times - January 29, 2018