It is all about Timing!
Setting up authorization-concepts already at the start of a project will save time, money and nerves.

In any IT implementation project there comes a time when the person responsible has to decide which employees may access which functionalities, and in what form. Project teams often turn to the questions of access and authorization only shortly before the productive rollout. In doing so they risk not only significant additional cost and time, but in the worst case the Go-Live date itself.
"Unfortunately this is a situation which surprisingly occurs in many implementation projects. Depending on the project type this can become very expensive. Therefore authorization concepts should already be considered during the planning phase, when the concept paper is being defined," says Bianca Folkerts, Associate Partner and responsible for Compliance at the IT consultancy ConVista Consulting. "My recommendation is to integrate a quality gate 'Authorizations' into projects and to add a chapter 'Integration into the authorization concept' to the templates for technical concepts," the expert adds.
Right question – wrong time
The right questions are often asked too late: only just before the Go-Live does anyone wonder, for example, how the different departments should access the new functionalities, or which data needs to be protected under which criteria. A closer check then often shows that additional authorizations are necessary or, in the worst case, that the design of the existing authorization roles no longer fits the new process.
"In hindsight it is usually very difficult, for example, to define authorization groups for inventory accounts, accounts payable and accounts receivable. And the implementation of a function or a report does not get any further if nobody can work with it later," explains Folkerts. It therefore makes sense to document the respective requirements in the technical concept from the start and to realize them in Customizing.
Including risk and test management
Thinking these issues through at an early stage offers an additional advantage: when it comes to the functional tests, the existing authorization concept can be tested along with them, which significantly reduces effort. "For this purpose we recommend completing the test cases with the corresponding authorization details, so that the technical processes and their associated permissions are tested together. Experience has shown that permissions are often tested in production only after the Go-Live. If changes are then needed, access is often granted heavy-handedly to everybody. In terms of solid risk management this is of course a total disaster," says Folkerts.
An integral approach
As an IT consulting company and SAP partner of many years' standing, ConVista Consulting implements the SAP tool SAP BusinessObjects GRC. A well-structured authorization concept is the basis for efficient access control management. ConVista supports its clients from the planning phase onward with the design and realization of an authorization concept and with the definition and shaping of roles. Not only legislation and internal guidelines are taken into account: the experts also analyze the processes and job descriptions, and they look at the system landscape, the defined naming conventions and the responsibilities. The concept is designed with the necessary flexibility in mind, for example for company acquisitions and structural changes within the organization. Bianca Folkerts is convinced: "With this comprehensive approach we provide our clients with security and protect them against bad surprises."