Case Study: Security Automation
Challenge:
This Global Media and Entertainment Company had a user base
of 27,000 core users. Because of the enterprise’s sheer
size and the diversity of its lines of business, the customer
expected an extremely high volume of security transactions
– user-to-role assignments (new hires, employee moves,
and changes in employee responsibility) and ongoing changes
to users’ data-level access as the business’ organizational
structure evolved. The organization required a security model
that would meet these requirements, yet call for minimal
resources to support, ensure accuracy of security transactions
processed, involve the business in approving user governance
requests, and remain tightly controlled, adhering to a “least
privilege” design methodology.

Solution:
Roles were designed by Job Function and standardized
across all component systems (i.e., R/3, BW, BCS, CRM, EBP,
SEM-BPS). Similarly, data-level access was standardized
across all component systems to ensure that users would
be limited to the same organizational levels, regardless
of the system they were accessing. Workplace was used to
organize menu paths and serve as the primary user interface
for the various component systems. The HR Organizational
Structure was leveraged to assign roles to users’
positions, meaning that when an employee changed positions
or was hired into a position, they were automatically assigned
the roles associated with that position.

Workflow was implemented to allow any user of the system
to submit a security governance request which is routed
to appropriate approvers within the business. The workflow
is designed to prohibit redundant functionality assignments
and warn of Segregation of Duties (SOD) violations. The
request is routed to appropriate business data owners for
approval. Once fully approved, roles are assigned automatically
to the user’s position with no manual intervention
required by security. Similarly, requests for modifying
a role’s data-level access are approved through workflow.
Once the request is routed to and approved by the appropriate
business data owners, a build specification is created which
identifies by component system all of the roles to be modified;
the build specification is reviewed by security for final
approval and then automatically updates the roles within
the appropriate development systems.
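
The request checks described above, sketched as an added example that is not code from the case study or the customer's systems. All role, function, position, organizational-level and owner names are constructed, and treating "redundant" as "grants no function the position lacks" is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample data: role -> business functions it grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice", "display_vendor"},
    "AP_PAYMENTS": {"run_payment", "display_vendor"},
    "VENDOR_MAINT": {"maintain_vendor", "display_vendor"},
    "AP_DISPLAY": {"display_vendor"},
}
# Constructed SoD rules: function pairs one position should not hold together.
SOD_CONFLICTS = [
    frozenset({"maintain_vendor", "run_payment"}),
    frozenset({"enter_invoice", "run_payment"}),
]
# Constructed data owners per organizational level (e.g. company code).
DATA_OWNERS = {"CC_1000": "owner.studio", "CC_2000": "owner.parks"}
# Roles attach to HR positions, not to users; holders inherit them.
POSITION_ROLES = {"POS_AP_ANALYST": {"AP_CLERK"}}


@dataclass
class Decision:
    status: str                      # "rejected" or "pending_approval"
    sod_warnings: list = field(default_factory=list)
    approvers: list = field(default_factory=list)


def evaluate_request(position, role, org_levels):
    """Apply the workflow checks to one role request for a position."""
    held = set().union(*(ROLE_FUNCTIONS[r] for r in POSITION_ROLES.get(position, ())))
    requested = ROLE_FUNCTIONS[role]
    # Redundant: the role grants nothing the position lacks.
    if requested <= held:
        return Decision("rejected")
    combined = held | requested
    # SoD: warn (not block) on conflicts that the new role introduces.
    warnings = sorted(
        " + ".join(sorted(pair)) for pair in SOD_CONFLICTS
        if pair <= combined and not pair <= held
    )
    # Route to the owner of every organizational level requested.
    approvers = sorted({DATA_OWNERS[lvl] for lvl in org_levels})
    return Decision("pending_approval", warnings, approvers)


def apply_approved(position, role):
    """After full approval, attach the role to the position automatically."""
    POSITION_ROLES.setdefault(position, set()).add(role)
```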

Result:
The enterprise was able to minimize resource requirements
for security staff, more accurately process security requests
by removing manual processing, realize ownership of security
by the business, and still retain a highly controlled environment.