What kind of authorization concepts does the Authorization Robot create? The following example should clarify this. An authorization concept for a group of 13 users is calculated. The users are all in a similar field of activity.

Starting point

As a starting point for the use of the Authorization Robot, all relevant activities in the SAP ERP system are recorded in the relevant department over a certain period of time. The recordings in form of so-called SAP traces were provided to SIVIS for the development by a partner company. In total, several hundred traces are available as a database in this practical example. In a first step, a user-authorization assignment is derived from the traces (activity logs from SAP). An authorization consists of a combination of authorization objects, fields and field values.

Machine Learning

With the help of an Evolutionary Algorithm and the latest application from Machine Learning, the Authorization Robot is able to design a completely new role concept for the considered department. This role concept includes single roles that bundle authorizations, composite roles that combine single roles and an assignment of composite roles to users. According to the authorizations that are included in the roles, the Authorization Robot performs an automated naming of composite and single roles. In the name of the roles, the SAP module assignment and the function of the role can be seen at a glance. By integrating naming conventions, this mechanism ensures consistent role names across all areas of application of the Authorization Robot. Many functions can be customized. For example, during the calculation, the purity of application components can be ensured for single roles.

Define preferences

Before starting the optimization, the user can specify his preferences for the role concept to be calculated. These currently include an optimization according to the number of composite roles, the number of single roles, the overlaps between the single roles, the positive deviations and the interpretability of the role concept. In the next development steps, license costs and compliance conflicts will be integrated as additional target criteria. The Authorization Robot calculates many alternative role concepts for the examined department. Among the mathematically meaningful alternatives, an administrator can choose the most suitable variant afterwards. This feature is helpful because the logical optimization of individual target criteria can be contrary. If, for example, a user wants very few composite roles, then as a result, a certain number of positive deviations will generally be accepted. On the other hand, if the user does not want to allow positive deviations, then it results in the need for more composite roles and to map the user-authorization assignment. When considering the alternatives, the administrator can select an alternative that represents a suitable compromise.

Recognize potential for optimization

For the selected sample department, SIVIS also has the current role concept for the affected users in addition to the traces. When comparing the proposed solution with the Authorization Robot, the potential for optimization quickly becomes obvious. The original role concept included 14 composite roles with different naming conventions. Some roles contain a reference to the SAP module, others have a reference to the department. One of the proposals of the Authorization Robot consists of a role concept with 8 composite roles, which leads to a significant reduction of the administrative effort. This role concept ensures that all users can continue to perform their activities in the SAP ERP system. For some users, the Authorization Robot suggests to slightly increase the available authorizations (related to the activity log) in order to be able to save roles. In other situations, it is not necessary to extend the authorization for a user in order to reduce the number of roles to be managed. This case occurs when the user gets needed roles in the current role concept from several roles. It is evident that the Authorization Robot provides a neutral view on historically grown role concepts. It creates logically comprehensible role concepts that can be subsequently adapted to individual customer requirements.