Direct vs. Indirect Role Assignment

This document elaborates the differences of the direct vs. indirect role assignments in SAP Access Control. Each scenario has its pros and cons and can be used dedicated or also in combination.

Direct Role Assignment

Authorization roles (and profiles) are directly assigned to the User Master Records via SU01/PFCG, Access Request Management (ARM) or adequate tools like SAP IdM.

What are the pros?

• Flexible – different authorization can be assigned to end user eventhough they are assigned to the same position
• Widely used – best practise (fully supported by SAP Access Control)
• Access Risk Analysis (ARA) performed on user level, as well as remediation is done on user level
• HR user master is not required (only SAP user account)

What are the cons?

• Historical assignments do often remain undetected and conclude in too much authorization
• Same authorization must be given individually eventhough end users having the same job role
• Roles / profiles must be requested and assigned manually

Indirect Role Assignment

Authorization roles (and profiles) are attached to positions or other objects in the organization structure. The end user gains the access rights based on his assignment to the position in the organization management.

What are the pros?

• Same authorization for everyone who is assigned to the same position
• Authorization gets removed automatically if a person moves around the organisation
• New authorization gets added automatically if a person moves around the organisation
• New hired people will get authorization automatically when they start their work
• Less effort for administrators to initiate and manage access requests

What are the cons?

• Inflexibelity – everyone assigned to a position gets the same authorization (differences in authorization needs to be assigned seperately)
• Each SAP user needs to have a personnel record in HR that is assigned to a position
• SAP user needs to be mapped with the personnel record in HR (info type 0105 (Communication), sub type 0001 (SAP User))
• Changes in organisational management will have an impact on end user access
• Additional training to administrators and approvers
• Access Risk Analysis (ARA) only works on user level, whereas remediation is done on position level

Basically both scenarios can be used together depending on your business scenario. Combining both scenarios (direct and indirect assignment) means that basic authorization can be assigned indirectly via the position and additional authorization is assigned directly to the user account.

I am looking forward to your input and also experience with setting up the scenarios in complex environments.

Best regards,

Alessandro