Authorization Redesign of Technical RFC Users

With the help of Xiting’s role test automation solutions, Siemens AG was able to redesign the roles of 400 technical RFC users on 20 productive clients with virtually no manual testing or involvement from the business. The Xiting Authorizations Management Suite (XAMS) streamlined and simplified the analysis and reassignment of authorizations and made sure that the ongoing business operations were not impacted.

Siemens is a leading technology corporation that has stood for technical excellence, innovation, quality, and reliability for 170 years.

“Ingenuity for life”: In line with this motto, Siemens AG is finding ways to improve life in many areas. It is the passion for technology that drives the company to set standards and add value in the long term – for its customers, society, and individuals.

The company operates globally, with a focus on electrification, automation, and digitization, and is one of the largest manufacturers of energy-efficient & resource-efficient technologies. The company is a leading provider of efficient power generation and power transmission solutions, a pioneer in infrastructure solutions and automation, drive, and software solutions for different industries. Also, with its listed subsidiary Siemens Healthineers AG, the company is a leading provider of imaging, medical devices and laboratory diagnostics and clinical IT.

About Siemens AG – siemens.com

  • Location: Munich, Germany
  • Industry: Electronics and electrical engineering
  • Sales: 83,049 Million Euros (in 2017)
  • Employees: approx. 377,000 worldwide, 118,000 of them in Germany

In 2016, Siemens decided to streamline their SAP landscape to improve audit compliance and to minimize risk by optimizing the authorizations of all RFC-interface and batch-job users in their productive clients.

Project Objectives

  • Redesign the SAP authorizations for 400 technical users on seven landscapes with 20 productive clients
  • Minimize the risks by streamlining the authorization management
  • Optimize the Return on Investment (ROI)

Challenges

  • Redesign of historically-grown roles that included far-reaching authorizations
  • Evaluation, remediation, and documentation of faulty interface and system users scheduled in periodic jobs
  • Monitoring and authorization analysis of interfaces and jobs during the project period
  • Maintenance of the SU24 default values for interface functions
  • Creation of sustainable and secure authorizations in the context of Siemens specifications
  • Minimal business involvement
  • Go-live without affecting productive operations

SAP Systems in Scope

  • SAP ERP
  • Various Business Intelligence (BI) systems in the HR environment

Project Highlights

  • Role testing was completely automated using XAMS’s Productive Test Simulation (PTS)
  • Zero manual testing efforts
  • Minimal involvement of business users
  • Automatic creation of tailor-made roles for technical users

Results and Achievements

  • Transfer of new authorizations with zero disruption to business processes
  • Significant cost- and time-savings through Xiting’s automation solutions
  • Deactivation of unused system users
  • Mitigation of identified vulnerabilities in target systems
  • Design of SU24-compliant roles for all technical users
  • Guaranteed sustainability
  • Project was completed and delivered on-time

Security of SAP interface and batch users

RFC interfaces play a crucial role in many SAP implementations by enabling data exchange between SAP systems as well as between SAP and non-SAP systems. Unfortunately, many RFC interfaces are “over-authorized” and have more powerful roles than they need. This opens up critical vulnerabilities in your SAP landscape.

In 2016, Siemens engaged in a role remediation project with the goal of building new roles for technical RFC and batch users based on the least-privilege principle. Before the redesign, Siemens and Xiting analyzed the current situation to identify the risks. As part of the analysis, it became clear that the project could not focus only on individual systems because of the interconnected nature of RFC interfaces. As a result, the project scope was expanded to include all seven system landscapes with over 540 RFC interfaces.

Many organizations avoid RFC redesign projects as they fear long project durations, downtime of the systems, workforce burdens, and high costs. To prevent that, Siemens AG relied on the automation tools of the Xiting Authorizations Management Suite (XAMS) and was able to pursue a very aggressive timetable for implementing their new role concept for technical users. The redesign started in September 2016 and ended in July 2017. The most significant amount of time was spent analyzing the technical users regarding their functions, as well as tracing the activities so that production operations were not affected later in the project.

The XAMS: automated, time-saving, effective

At Siemens, the Xiting Role Designer, part of the XAMS, was used to analyze the technical users and to come up with a new role design. During that step, role administrators built the roles virtually to check their design and user coverage. The role design followed general guidelines for critical authorizations, but also Siemens’ internal SOD rules, SAP best practices, as well as the guidelines of the German SAP User Group (DSAG). In the end, and following the project objectives, new compliant roles were created to simplify the administration of technical users in the future.

Thanks to the numerous analysis reports of another XAMS module, the Xiting Role Profiler, it was possible to increase the maturity of the roles even before testing, as well as verifying the correctness of the content. Also, qualitative aspects of the roles could be reviewed such as the integration of the SU24 default values for all interface functions. By using the Role Profiler, the SU24 values could be optimized according to the requirements of Siemens. This crucial step has improved the quality of the role concept and simplified the creation of new roles.

After all the necessary roles were created virtually, they were automatically transferred into PFCG, and the Productive Test Simulation (PTS) began. Using the PTS, Siemens could simulate the new roles to identify any missing authorizations, including individual authorization fields or values, based on interface activity in the production system. As a result, Siemens and Xiting could identify gaps in the new authorization design and correct them without impacting the interface’s operation.

Sustainable management of authorizations

Thanks to the functionalities of the Xiting Authorizations Management Suite (XAMS) in conjunction with the implementation partner Xiting, Siemens completed their role redesign project successfully, and within time and budget. With a traditional role redesign approach, the redesigned role concept would have been less sustainable, taken much longer to implement, imposed a higher risk to business processes, and ultimately cost more. As part of this project, Siemens could reduce the number of technical users from 540 to approximately 400, while at the same time assigning new and compliant roles to each interface. Additional savings were realized during the project by keeping business user involvement at a minimum.