Advanced Authorization for SAP Global Deployments
To maximize competitive advantage and drive down cost, companies are increasingly dependent on an extended supplier and contractor network. Products are often designed in collaboration with global partners to leverage best-in-class capabilities. Companies operate globally to drive down the cost of business and to serve a global customer base. Unfortunately, global collaboration creates complexity.
A Birds-Eye View of Global Complexity
The following graphic lists some common challenges that arise in a global collaborative program, broken into the areas of: Global Shared Processes, External Access, Shared Information Technology Operations, Global Supply Chain, and Regional Compliance Jurisdictions.
- Global Shared Processes: Companies strive to unify business processes and share resources and know-how across regions. Concerns over intellectual property (IP) protection and export compliance often hinder global collaboration.
- External Access: Going global often raises the requirement of enforcing access control rules for members outside the typical perimeter or IT infrastructure. Two main challenges arise: how to enable secure access, and how to control how IP is used and distributed once it’s outside the organization.
- Shared IT Operations: Increasingly, global programs and organizations are outsourcing their IT Operations. As a result, privileged users in other countries have access to the most sensitive data stores.
- Global Supply Chain: Collaborating with suppliers poses two challenges: deciding how data should be shared with each supplier and how those suppliers will handle and distribute that data once they have access. This is especially important considering multi-level supply chains, and “co-opetition.”
- Regional Compliance Jurisdictions: Global organizations must comply with multiple regional compliance jurisdictions, each of which has its own set of regulations governing how data may be exported and shared.
The Result: Authorization Rule Explosion
For all the reasons listed above, when organizations go global, they tend to experience a precipitous increase in their business rules and policies. In fact, the number of required authorization rules tends to grow exponentially with the number of requirements (see diagram below).
Where Traditional Models Fail
Traditional approaches fail because they assign permissions directly to data objects and cannot express complex authorization requirements. In fact, traditional authorization models, such as role-based access control (RBAC) and access control lists (ACLs), were never intended for complex use cases like this one. These models focused on static job roles or work-group use cases.
Because of the limitations of traditional access control, many organizations relied on manual information labeling and end-user training to control information use. For example, end-users had to be trained to store and look for sensitive data in specific data folders. These manual security procedures often hinder collaboration, and if too onerous, will likely be ignored by end users.
The 2-layer Authorization Model
The key to sustainability is not to abandon your RBAC authorization models, but to complement them. RBAC is best for functional authorization and should be augmented with newer authorization models such as attribute based access control (ABAC) for data authorization.
The SAP authorization toolbox comprises a range of capabilities, from RBAC to context-based access to certified ABAC solutions. Separating authorization into 2 layers allows a transaction to be evaluated first against functional roles, and then separately against data entitlements, providing fine-grained access control that is sustainable.
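As an added illustration (not SAP's or NextLabs' code), the following Python sketch evaluates a transaction in the two layers described above: layer 1 is an RBAC lookup of which transactions a role may run, and layer 2 applies ABAC rules over user and document attributes such as organisation, classification and export jurisdiction. The role names, attribute names, rules and sample users are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    uid: str
    roles: frozenset      # job roles consumed by the RBAC layer
    org: str              # employing organisation (owner company or a supplier)
    country: str          # location used for the export-jurisdiction check

@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str   # "public", "confidential" or "ip" (assumed labels)
    owner_org: str
    export_to: frozenset  # jurisdictions the data may be shared into

# Layer 1 (RBAC): transactions each functional role may execute (constructed names).
ROLE_TRANSACTIONS = {
    "design_engineer": {"view_design", "edit_design"},
    "supplier_engineer": {"view_design"},
    "it_operator": {"run_backup"},
}

def functional_check(user, transaction):
    # Layer 1: does any of the user's roles permit this transaction?
    return any(transaction in ROLE_TRANSACTIONS.get(r, ()) for r in user.roles)

def data_check(user, doc, transaction):
    """Layer 2: ABAC rules evaluated on subject and resource attributes."""
    # Regional compliance: the user's jurisdiction must be an allowed export target.
    if user.country not in doc.export_to:
        return False
    # IP protection: IP-classified data never leaves the owning organisation.
    if doc.classification == "ip" and user.org != doc.owner_org:
        return False
    # Supply chain: external organisations may view shared data but not change it.
    if user.org != doc.owner_org and transaction != "view_design":
        return False
    return True

def authorize(user, transaction, doc=None):
    # Functional layer first; the data layer only runs when a document is involved.
    if not functional_check(user, transaction):
        return ("deny", "functional")
    if doc is not None and not data_check(user, doc, transaction):
        return ("deny", "data")
    return ("permit", None)

# Constructed sample subjects and resources.
ENGINEER = User("u1", frozenset({"design_engineer"}), "acme", "US")
SUPPLIER = User("u2", frozenset({"supplier_engineer"}), "partsco", "DE")
SPEC = Document("d1", "confidential", "acme", frozenset({"US", "DE"}))
CORE_IP = Document("d2", "ip", "acme", frozenset({"US", "DE"}))
```

The returned tuple names the layer that denied the request, which is the information an auditor needs to tell a role-assignment problem apart from a data-entitlement or export-compliance block.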
A deeper discussion on advanced authorization is available here.
(source of images: NextLabs)