With the help of the Xiting Authorizations Management Suite (XAMS), Bosch Sicherheitssysteme GmbH was able to completely redesign the roles of one of its central ERP systems in only six months and thereby drastically reduce them in number—all without disrupting operations.
Bosch Sicherheitssysteme GmbH was able to completely redesign the authorizations of its SAP system in only six months without disrupting operations.
This project was made possible by a new, automated tool for constructing roles, the Xiting Role Designer.

“Producing only the best of the best”: this motto from the company’s founder, Robert Bosch, continues to define the outlook of Bosch Sicherheitssysteme GmbH to this day. As a wholly owned subsidiary of Robert Bosch GmbH, the company is one of the top five providers of electronic security technology. Bosch Sicherheitssysteme GmbH provides its customers with the installation, services and consulting necessary to equip them with innovative security solutions—from video surveillance to access control systems. While Bosch Sicherheitssysteme GmbH helps its customers to secure their buildings from the outside, it also actively protects its own company from the inside, as shown by its recent overhaul of the access and authorizations concept for its SAP landscape.
Security through Authorizations
Users of IT systems are all too frequently granted excessive authorizations. This finding was also supported by an analysis conducted by Bosch Sicherheitssysteme GmbH and Xiting in the middle of 2015 on the role concept used for about 1,200 users in the central SAP ERP system. Excessive authorizations can violate the segregation of duties (SoD) principle, which can entail serious security risks, like the violation of applicable laws or data privacy regulations.
To provide sustainable protection against such risks, Bosch Sicherheitssysteme GmbH sought to redesign its role concept. Many companies avoid such authorizations projects for fear of long project durations and downtime, of the extra work placed on employees in the business divisions and of the high costs. Bosch Sicherheitssysteme GmbH therefore chose to rely on the automated tools of the Xiting Authorizations Management Suite (XAMS). It was able to agree on a fixed schedule and a fixed price with Xiting AG for the implementation of the suite and the current role project. The redesign started in September 2015. The most time-consuming parts of an authorizations project are the workstation analyses, the role design—consisting of defining the contents of each role and then creating it in the technical system—and the testing phase. Xiting therefore developed highly specialized tools for precisely these tasks.
XAMS Tools: Automated, Time Saving, Effective
Bosch Sicherheitssysteme GmbH was able to take advantage of the Xiting Role Designer, newly integrated into the XAMS, to capture the processes in use and generate suggested roles from them. These purely virtual roles were then verified and modified with an eye to the final user mapping (degree of coverage). In making these modifications, the Xiting Role Designer follows general requirements for SoD and critical authorizations, as well as the Bosch corporation’s internal SoD policies, proven SAP best practices and the test guidelines of the German-Speaking SAP User Group (DSAG). In the end, per the goal of the project, as few roles as possible were retained so that administration of the future authorizations system would be as easy as possible.
When verifying the suggested roles, the Xiting tool also took into account Bosch’s custom developments within the SAP system. To accommodate the real processes used at Bosch Sicherheitssysteme, some of the new roles contain what are known as “Z transactions,” which allow the user to run custom applications. But should a user from Germany be able to view data for the subsidiary in Switzerland? An authorization check must be implemented in the custom application itself to either allow or prevent such access; a role can only restrict what the application actually checks. The Xiting ABAP Alchemist tool checks at the source code level whether authorization checks are missing in the custom applications and also specifies which checks need to be implemented. The custom applications are also subjected to an SU24 analysis and clean-up, and the roles are then automatically populated with the correct authorization objects and values.

Once all necessary roles have been created virtually, they are transferred to the SAP system and tested. Xiting developed the “productive test simulation” for this purpose: this procedure simulates the use of the new authorization roles in the productive system while they are monitored by the automated Xiting Role Builder and Xiting Times tools. This allows imprecisions in the new authorization design to be detected and corrected immediately. The new design goes live without any risk to productive operations, since users retain their old roles in the background during the transition phase (protected go-live) and can fall back on these roles temporarily should problems arise.
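The following is an added illustration of the defect described above, not code from Bosch or Xiting: a hypothetical custom report (ZFI_DOC_LIST, parameter p_bukrs, both invented names) that lists FI document headers for a company code. The first form reads the data without any authorization check, so the company code values maintained in a user’s role are never consulted and a German user can display the Swiss subsidiary. The second form adds the missing AUTHORITY-CHECK on the standard SAP object F_BKPF_BUK (company code authorization for accounting documents, activity 03 = display); this is the kind of check a source-level scan flags as absent, and the object that the transaction’s SU24 entry must list so that the role is populated with the permitted BUKRS values.

```abap
*&---------------------------------------------------------------------*
*& Added example, not part of the original case study.
*& Report, transaction and parameter names are hypothetical.
*&---------------------------------------------------------------------*
REPORT zfi_doc_list.

" Company code selected by the user on the selection screen.
PARAMETERS: p_bukrs TYPE bkpf-bukrs OBLIGATORY.

TYPES: BEGIN OF ty_doc,
         belnr TYPE bkpf-belnr,
         gjahr TYPE bkpf-gjahr,
         budat TYPE bkpf-budat,
       END OF ty_doc.

" --- Variant 1: defect. Data access with no authorization check. -----
" Any user who can start the Z transaction sees every company code,
" regardless of the BUKRS values in their role.
FORM list_documents_unchecked.
  DATA lt_doc TYPE STANDARD TABLE OF ty_doc.
  DATA ls_doc TYPE ty_doc.

  SELECT belnr gjahr budat
    FROM bkpf
    INTO TABLE lt_doc
    WHERE bukrs = p_bukrs.

  LOOP AT lt_doc INTO ls_doc.
    WRITE: / ls_doc-belnr, ls_doc-gjahr, ls_doc-budat.
  ENDLOOP.
ENDFORM.

" --- Variant 2: hardened. Check before any data is read. -------------
" F_BKPF_BUK is the standard object for company code access to FI
" documents; ACTVT '03' is display. The check must precede the SELECT,
" and a failed check must not fall through to the data access.
FORM list_documents_checked.
  DATA lt_doc TYPE STANDARD TABLE OF ty_doc.
  DATA ls_doc TYPE ty_doc.

  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " sy-subrc 4: user lacks the value; 12: object missing from user
    " master entirely. Either way, refuse and stop.
    MESSAGE |No authorization to display company code { p_bukrs }| TYPE 'E'.
    RETURN.
  ENDIF.

  SELECT belnr gjahr budat
    FROM bkpf
    INTO TABLE lt_doc
    WHERE bukrs = p_bukrs.

  LOOP AT lt_doc INTO ls_doc.
    WRITE: / ls_doc-belnr, ls_doc-gjahr, ls_doc-budat.
  ENDLOOP.
ENDFORM.

START-OF-SELECTION.
  " Only the hardened variant should ever be reachable in production.
  PERFORM list_documents_checked.
```

With the check in place, the role built for this transaction carries F_BKPF_BUK with exactly the company codes a user may see (for example 1000 for Germany but not 2000 for Switzerland, illustrative values), and the productive test simulation will surface any user whose work needs a value the new role does not grant.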
Sustainable Authorization Management
A manual approach would have made the redesign project less sustainable. In the current project, the number of roles was reduced from about 2,000 to around 120, and in the future, Bosch Sicherheitssysteme GmbH will be able to manage its authorizations on its own using the Xiting Authorizations Management Suite. The automated processes also meant only minimal work for the employees in the business division. Without Xiting Times, the business division of Bosch Sicherheitssysteme GmbH would have been very wary of such a go-live. But Xiting allowed them to carry out the redesign project with only minimal work for the employees.
Bosch Sicherheitssysteme was also able to solve a problem that many companies struggle with: How can you map a company’s dynamic cost center processes onto the user roles? If a cost center is deleted, for example, the system must ensure that its roles are revoked as well. Xiting has therefore implemented a cost center authorizations generator in the XAMS, which automatically adjusts the affected roles when something about a cost center changes.
The Xiting Authorizations Management Suite’s innovative functions combined with professional implementation by Xiting allowed Bosch Sicherheitssysteme GmbH to meet a very tight project schedule and to achieve a clear ROI over the course of the project.