A recent SearchSAP.com news item offered advice to system administrators on how to transfer Basis skills to the NetWeaver world. In the interest of full disclosure: Some of my best friends are system admin people. They have bailed me out on more than one occasion, and for that I will always be appreciative. All the same, I have to confess that this article amused me greatly.
In bygone days of not-so-long ago, SAP system administrators just had core R/3 system technology to worry about; today’s ERP landscapes are vastly more complex, requiring varied technical skill sets just to keep the lights on and the systems humming along. While acknowledging the challenges, the author reminded his readers of the advantages in mastering these varied skills, and he suggested a learning plan.
My response as a security administrator is a tongue-in-cheek quelle surprise! Welcome, system admin folks; join the party! We security people are facing very similar challenges. Security administrators have been dealing with a vast array of authorization concepts, role and user management tools, some of us for years now. Even before BW became BI, the security concept was quite different from that of R/3; with the new authorization concept in NetWeaver BI 7.0, the old BW authorization concept is considered obsolete, and the new concept is another critter altogether. It seems that every time SAP acquires another kind of software, another authorization concept and frequently another user management methodology as well are added to the mix. E-recruitment, SRM, CRM- you name it, each new module has its own security quirks, adding to the complexity and total cost of supporting the ERP landscape. It is a concern that comes up periodically on security discussion forums, with no easy answers. As discussed on a recent SAP Customer Call series web cast, Central User Administration, which not so long ago was the latest tool in our arsenal, is moving into maintenance mode; if you don’t already have a CUA landscape configured, SAP product management folks now suggest not bothering.
To give SAP credit, the anticipated Identity Management 7.1 functionality will offer some improved mechanisms to manage users and role assignments across heterogeneous landscapes that include both SAP and non-SAP components. The new solution offers the potential to ease the complexity of user provisioning in landscapes that today can easily require mastery of many different technologies.
However, the new IdM solution still requires security roles to be built in the back-end systems via a widely varying array of tools, concepts, and methods. The days of the profile generator being the only gadget in the security analyst’s toolbox are long gone. The more tools it takes to support your ERP landscape, the higher the risk that the day one system has a security problem is the day your in-house expert on that toolset is SCUBA diving somewhere deep in the Caribbean.
I raised this issue at TechEd 07 in Las Vegas, and SAP executives bravely tackled the question at a keynote session. I didn’t expect them to conjure up a fully formed answer on the spot, but I’m hoping that perhaps this year, they will have a more detailed response to share with us. If you have not already made your plans to attend TechEd 08 in Las Vegas, think about joining me and other SAP Mentors there, for learning and leading practice sharing on this and other challenges stemming from the ever-increasing complexity of our ERP landscapes.
In the mean time, chin up, Basis colleagues; we security admins have been coping with an ever-expanding toolkit, and with a bit of good luck our systems continue to hum along securely and painlessly to most users. Come and chat with me at BPX Community Day and we’ll compare notes.