Most companies have difficulty defining the business requirements for authorization access in SAP and for segregation of duties (SoD). Unclear business requirements and/or unclear ownership can jeopardize the decision process and lead to inappropriate changes to SAP role content and user-role assignments.

The consequences are:

  • increased maintenance effort for the authorization team (higher cost)
  • growing frustration in the user-id community
  • reduced availability of the SAP functionality the business needs
  • a higher risk of access rights being granted that were never wanted, or of roles being adapted inadequately
  • unrealistic business expectations

axl & trax uses the norm methodology to identify the business requirements, ease the decision process and reduce the effort spent adapting the authorization concept.

The norm methodology maps stated business requirements against factual usage statistics to establish what is required (the to-be situation), compares that with the access rights actually granted (the as-is situation) and assesses whether the given SAP authorizations are appropriate (the gap between need-to-have and reality).

The norm methodology helps in identifying:

  • which user-ids should, and should not, perform specific or critical SAP functionalities (SoD conflicts)
  • which user-ids can perform specific or critical SAP functionalities (SoD conflicts)
  • which user-ids did perform specific or critical SAP functionalities (SoD conflicts)
  • the gap between what user-ids can do, what they should do and what they actually did

The objective of this approach is to define the appropriate remediation action for each situation while limiting the impact on the user-id community.

The methodology defines the appropriate action for each identified situation (implement compensating controls, adapt role content, adapt user assignment, or adapt business responsibilities…). It also creates a benchmark for future monitoring, so that business requirements remain enforced over time.
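The three-way comparison described above (what user-ids should do, can do and actually did) is easy to misread as a single "SoD report", so the following added example works it through in code. It is illustrative code written for this page, not axl & trax's tooling or the norm methodology itself. The user-ids, the to-be matrix and the SoD rule set are constructed; the transaction codes ME21N (create purchase order), ME29N (release purchase order) and MIRO (post vendor invoice) are standard SAP transactions used here only as labels. The comments naming SUIM/AGR_TCODES and STAD/ST03N as sources for the "can" and "did" sets describe where such data is typically extracted from in SAP and are an assumption about the environment, not something the page states.

```python
"""Added example (not axl & trax code): gap analysis between what user-ids
SHOULD do (to-be), CAN do (granted, as-is) and DID do (usage), plus the
per-situation remediation action the methodology calls for."""

# --- Constructed sample data ------------------------------------------------
# To-be: business owners' statement of which transactions each user-id needs.
SHOULD = {
    "jdoe":   {"ME21N", "ME29N"},   # purchasing: create and release POs
    "asmith": {"MIRO"},             # accounts payable: post vendor invoices
    "rlee":   {"ME21N"},            # purchasing: create POs only
}
# As-is: transactions reachable through assigned roles
# (assumption: extracted from SUIM / table AGR_TCODES in a real system).
CAN = {
    "jdoe":   {"ME21N", "ME29N", "MIRO"},
    "asmith": {"MIRO", "ME21N"},
    "rlee":   {"ME21N", "ME29N"},
}
# Usage: transactions actually executed in the review period
# (assumption: from STAD / ST03N workload statistics in a real system).
DID = {
    "jdoe":   {"ME21N", "ME29N"},
    "asmith": {"MIRO", "ME21N"},
    "rlee":   set(),
}
# Constructed SoD rule set: transaction pairs one user-id must not combine.
SOD_RULES = {
    ("ME21N", "MIRO"):  "create PO and post vendor invoice",
    ("ME21N", "ME29N"): "create PO and release PO",
}


def gap_analysis(should, can, did):
    """Per user-id, return the four gap categories as sets of transactions."""
    users = set(should) | set(can) | set(did)
    result = {}
    for u in sorted(users):
        s, c, d = should.get(u, set()), can.get(u, set()), did.get(u, set())
        result[u] = {
            "excess":  c - s,   # can, but business says should not
            "missing": s - c,   # should, but cannot (availability problem)
            "unused":  c - d,   # can, but never did (removal candidate)
            "used_but_not_required": d - s,  # did, but should not (review)
        }
    return result


def remediation(should, can, did, rules):
    """Map each identified situation to one of the actions the methodology
    names: compensating control, adapt role content / user assignment, or
    adapt business responsibilities. Returns {user: [(action, detail), ...]}."""
    gaps = gap_analysis(should, can, did)
    plan = {}
    for u, g in gaps.items():
        s, c, d = should.get(u, set()), can.get(u, set()), did.get(u, set())
        actions = []
        for (a, b), desc in rules.items():
            in_should = a in s and b in s
            in_did = a in d and b in d
            in_can = a in c and b in c
            if in_should:
                # Business explicitly requires both sides: the conflict is
                # accepted, so it must be covered by a compensating control.
                actions.append(("compensating_control", desc))
            elif in_did:
                # Conflict was actually exercised although not required:
                # review the activity, then fix the user assignment.
                actions.append(("review_activity_and_adapt_user_assignment", desc))
            elif in_can:
                # Conflict only possible, never exercised: remove one side
                # through role content or user assignment.
                actions.append(("adapt_role_or_assignment", desc))
        removable = g["excess"] & g["unused"]
        if removable:
            # Not required and not used: lowest-impact cleanup.
            actions.append(("remove_unused_excess", sorted(removable)))
        if g["missing"]:
            # Required but not granted: grant access or change responsibilities.
            actions.append(("grant_or_adapt_responsibility", sorted(g["missing"])))
        plan[u] = actions
    return plan


if __name__ == "__main__":
    for user, actions in remediation(SHOULD, CAN, DID, SOD_RULES).items():
        print(user, actions)
```

The ordering of the checks is the point: a conflict that the business has knowingly required is a compensating-control case, a conflict that was actually exercised needs a review before the assignment is touched, and a conflict that exists only on paper can be removed with no impact on the user. Running the same functions again after remediation gives the benchmark the methodology uses for ongoing monitoring.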

Testimonial

AMI Semiconductor, a US-based public company, required a very secure setup for all its IT systems.

During my more than 10 years of experience in SAP system and security administration, I saw a lot of different authorization setups. The authorization concept of axl&trax convinced me from the first day we started the implementation: it is both transparent for business people and technically easy to maintain.
