Case Study: Bringing Business into Security
Challenge:
This Multi-National Medical Technology Manufacturer was
already involved in a multi-phased implementation with its
first phase including 800 users approximately two months away
from going live. The implementation work was more than halfway
through the integration testing phase, and an extensive
number of security issues, such as missing roles or incomplete
authorizations to perform business-critical functions, were
present. The client asked The Hermosa Beach Consulting Group
(HBCG) to perform a review of the existing design and implementation
methodology, and subsequently leverage the existing design
to assist with improvements. The Company was implementing
SAP Enterprise including AM, AP, AR, GL, CO-CCA, CO-PCA, MM,
PS, SD modules and BW and APO systems.
Solution:
HBCG performed a comprehensive review of the current
design and found that the issues being encountered were
primarily the result of miscommunication and incomplete
understanding between the business process teams and the
technical security team. The security team understood the
technical aspects of building and managing security and
the limitations of SAP security, while the process teams
understood the business requirements; the teams were not
able to communicate or fully understand each other’s
requirements or limitations. Furthermore, security had not
been involved in integration testing to date, which meant
the resulting issues were not being detected.
HBCG helped the client formulate a detailed action
plan, which included integrated Business Requirements Workshops
between the business process and security teams. The rounds
of workshops were designed to educate business process owners
on SAP security, gather business requirements from the business
process owners, and review the role design to ensure security
met the business's needs. Once the roles were signed
off and accepted by the business, security was integration
tested by executing the existing test scripts under the
security roles. HBCG ensured that security became
involved with the integration test process and was represented
on the testing team. Scripts were reviewed to ensure business-critical
processes and business process controls were included
within the scripts, and that both positive and negative
security testing was performed.
Result:
Subsequent phases of testing had fewer security-related
issues. The Company successfully went live with its first
phase, with users having access to business-critical
transactions, few issues with those transactions, and more
tightly controlled business processes. The second phase of
the implementation saw a smooth security design process with
on-time deliverables and a dramatic reduction in security
issues during integration testing.