I was wondering if there is a body of information or best practices when it comes to managing security/authorization/profile/user management in large installations? We currently have a large customer site (30,000+ users) which is seeking expertise to help them design and manage the overall security around their SAP landscape. It comprises multiple SAP systems e.g. SAP R/3, BW, SRM, WP, etc.
Frankly, I am in a similar scenario. I don't know of any specific
document that speaks to managing the security across the spectrum, but I
can share with you some of my key principles:
First, it is important to understand where the business is going, what they want to get out of SAP, and the level of importance they put around data within SAP.
Second, Based upon the above, you need to develop a well-thought strategy and vision that you can share with business leaders. This document will serve to put clear objectives for your security efforts.
Third, assemble solid standards around every facet of the security model. From User Naming convention, User Group Convention, Role Naming Convention, ABAP Query Security approach, CATT Security approach, Table and program auth groups, Info-Cube and InfoObject security strategy, Data classifications, and Role Menu structure. Always, Always follow them. If you don't, you will regret it later, and end up doing double work.
Fourth, develop and implement a common user request process for all SAP systems. Identify business owners and document approvals.
Five, Consistently report to management your success in these factors, be honest, and stand your ground when you need to.
This was first published in September 2002