One of the biggest success stories of our company has been a role redesign project, based on best practices, that reduced Segregation of Duties (SoD) conflicts by more than 96.5% across several SAP systems. For that reason we want to explain how the process went, from the very beginning.
This case was presented at the SAP GRC Europe Event in Nice on June 18, 2015.
VCEAA is the subsidiary of Votorantim Cimentos in Europe, Africa and Asia. Votorantim Cimentos is one of the top 10 largest cement companies in the world.
The main difficulty of the role redesign was that each country ran its own SAP system, so every project task had to be repeated and the entire role model replicated for each system. In addition, each country had a different role model: one based on users, one based on positions and one based on tasks/activities.
These two points meant, on the one hand, that the security teams managing the roles followed different strategies, which prevented centralization, and on the other hand, that the lack of a global naming convention made the management and provisioning of roles very difficult.
Because of the need to comply with SOX (Sarbanes-Oxley) regulation, the project was divided into two phases. The first focused on a drastic reduction of access, removing accesses that users did not need in order to cut risks and SoD conflicts. The second defined the basis of a new role model, built on global best practices, so that all countries would follow the same criteria in role management.
Previously, roles were managed locally and without clear criteria for creating them. To give an example, the situation was:
- Tunisia followed a Position-based role model.
- Morocco had a mixed role model based on Named User and Position.
- Turkey had a mixed role model based on Named User and Position.
- Spain had a Task-based role model.
The first phase of the project, eliminating unused accesses, resulted in the reduction of 1160 SoD risks.
The second phase focused on the definition and authorization of the new task-based role model: each task is aligned with a technical (single) role, and grouping those roles produces the role of a position, which is implemented technically as a composite role.
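To make the task-based model and the metric behind the project concrete, here is an added example (not code from the case study or from Votorantim Cimentos) that models single roles, composite position roles and user assignments as plain Python data, counts SoD conflicts against a small rule set, and then applies the phase-1 idea of removing composite roles a user never exercised. All role names, transaction codes, rules, users and usage data are constructed for illustration; the transaction codes are used only as labels and the rule set is not a real GRC ruleset.

```python
"""Task-based SAP role model with a simple SoD conflict check.

Added example, not code from the case study. All role names, transaction codes,
rules, users and usage data below are constructed for illustration.
"""
from itertools import product

# Single (task) roles: technical roles granting a small set of transaction codes.
SINGLE_ROLES = {
    "Z_MM_PO_CREATE":       {"ME21N", "ME22N"},   # create / change purchase order
    "Z_MM_GOODS_RECEIPT":   {"MIGO"},             # post goods receipt
    "Z_FI_VENDOR_MAINTAIN": {"FK01", "FK02"},     # create / change vendor master
    "Z_FI_PAYMENT_RUN":     {"F110"},             # automatic payment run
    "Z_DISPLAY":            {"ME23N", "FK03"},    # display-only transactions
}

# Composite (position) roles: a position is just a bundle of task roles.
COMPOSITE_ROLES = {
    "ZC_PURCHASER": {"Z_MM_PO_CREATE", "Z_DISPLAY"},
    "ZC_WAREHOUSE": {"Z_MM_GOODS_RECEIPT"},
    "ZC_TREASURY":  {"Z_FI_PAYMENT_RUN", "Z_DISPLAY"},
    # legacy position role that bundles two conflicting tasks
    "ZC_AP_LEGACY": {"Z_FI_VENDOR_MAINTAIN", "Z_FI_PAYMENT_RUN"},
}

# SoD rule set: risk id -> (description, transactions of function A, of function B).
# One conflict is counted for every (a, b) pair a user can execute.
SOD_RULES = {
    "R01": ("Create purchase order and post goods receipt", {"ME21N", "ME22N"}, {"MIGO"}),
    "R02": ("Maintain vendor master and run payments",      {"FK01", "FK02"}, {"F110"}),
}

# User -> assigned composite roles (the "before" state).
USERS = {
    "jdoe":   {"ZC_PURCHASER", "ZC_WAREHOUSE"},
    "asmith": {"ZC_AP_LEGACY"},
    "bwong":  {"ZC_PURCHASER", "ZC_TREASURY"},
}

# Transactions each user actually executed during the review window
# (constructed; in practice taken from the system's workload statistics).
USAGE = {
    "jdoe":   {"ME21N", "ME23N"},
    "asmith": {"FK01", "F110"},
    "bwong":  {"ME21N", "F110"},
}


def composite_tcodes(composite):
    """Transactions granted by one composite role (union of its task roles)."""
    return set().union(*(SINGLE_ROLES[r] for r in COMPOSITE_ROLES[composite]))


def user_tcodes(user, assignments):
    """Effective transactions of a user: union over all assigned composite roles."""
    return set().union(*(composite_tcodes(c) for c in assignments[user]))


def sod_conflicts(tcodes):
    """All conflicting (risk_id, tcode_a, tcode_b) pairs reachable with these transactions."""
    found = []
    for risk_id, (_desc, side_a, side_b) in SOD_RULES.items():
        for a, b in product(sorted(side_a & tcodes), sorted(side_b & tcodes)):
            found.append((risk_id, a, b))
    return found


def total_conflicts(assignments):
    """Number of user-level SoD conflicts across the whole assignment table."""
    return sum(len(sod_conflicts(user_tcodes(u, assignments))) for u in assignments)


def roles_with_builtin_conflicts():
    """Composite roles that violate a rule on their own: the input for a phase-2 redesign."""
    return {c: len(sod_conflicts(composite_tcodes(c)))
            for c in COMPOSITE_ROLES if sod_conflicts(composite_tcodes(c))}


def prune_unused(assignments, usage):
    """Phase 1: drop a composite role from a user when none of its transactions were used."""
    pruned = {}
    for user, composites in assignments.items():
        used = usage.get(user, set())
        pruned[user] = {c for c in composites if composite_tcodes(c) & used}
    return pruned


def reduction_pct(before, after):
    """Percentage reduction in conflicts, the figure reported for each project phase."""
    return 0.0 if before == 0 else round(100.0 * (before - after) / before, 1)


if __name__ == "__main__":
    before = total_conflicts(USERS)
    after = total_conflicts(prune_unused(USERS, USAGE))
    print(f"conflicts before: {before}, after phase 1: {after}, "
          f"reduction: {reduction_pct(before, after)}%")
    print("composite roles needing redesign:", roles_with_builtin_conflicts())
```

Running it shows the two levers the project used: pruning the unused `ZC_WAREHOUSE` assignment removes jdoe's conflicts without touching any role definition (phase 1), while asmith's conflicts survive pruning because they are built into `ZC_AP_LEGACY` itself, which is exactly what `roles_with_builtin_conflicts()` flags and what only a redesign of the position role can fix (phase 2). Counting conflicts per transaction pair, as here, is also why a single over-broad role can account for thousands of reported conflicts once it is assigned to many users.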
The total number of roles generated with the new role model is detailed in the following table for each country:
The risk reduction achieved over the whole project was close to 70%, which greatly reduces the effort spent executing mitigating controls. The reduction for each country is detailed below:
Finally, the figure that had the greatest impact in the presentation of the case was the 96.5% reduction in SoD conflicts, with more than 1 million SoD conflicts remediated in total: