Role Design | December 7th, 2018

What to Do When SAP Role Designs Go Bad

SAP role designs are done with the best intentions, but even the best-designed roles often don’t stay that way for long. Within a few years the roles are a shadow of what they once were, potentially jeopardizing the security of a company’s SAP ERP environment.

Why does this happen? And what can companies do to fix it and ensure it doesn’t happen after another role redesign? In a webinar titled “Delayed Failure Effect,” Alex Gambill, a GRC and SAP Security consultant, explains what causes SAP role designs to go bad years after they are implemented. We interviewed Gambill to get more insight on this phenomenon and what can be done to prevent roles from going bad again.

Could you explain what the “Delayed Failure Effect” is?

Gambill: I came up with the term “Delayed Failure Effect” after being a part of several companies’ multiple redesigns over several years. The basic premise is that consulting firms and their redesign clients declare projects as successes too soon. In my opinion, declaring a redesign project successful immediately upon completion doesn’t make sense. It’s comparable to the JD Power Award for initial quality in automobiles. The initial quality award is based on the first 90 days of ownership. Does the consumer care about the first three months? Sure. However, it doesn’t drive the buying decision and overall satisfaction with their purchase; it’s a long-term investment. If the vehicle breaks down after the first year or two and is constantly in the shop, was it a quality purchase? Of course not, and any satisfaction during those first 90 days is all but a distant memory.

Security redesign projects, and enterprise transformation projects in general, are no different. Success is declared in the honeymoon period immediately after steady state has been achieved. We’re all still enamored with that “new design smell.” What happens when the proverbial wheels come off the design three to five years down the line, and we’re right back to where we started before the project? Can we confidently say the project was a success? No, hence the term “Delayed Failure Effect.”

What issues/problems lead to role redesign?

Gambill: The answer falls into two categories: technical issues and process issues.

First, the role redesign should be predicated upon scalability. Designing roles with the primary focus on the here and now is short-sighted and lays the groundwork for a future redesign, especially for organizations looking to expand.

Second, process issues are detrimental to the long-term success of a redesign. Many organizations don’t do a great job of documenting processes (some don’t document at all) and training/refreshing employees and support personnel on the correct steps to assign, change or remove application access. In many cases, the redesign project is heavily focused on the technical design aspect and fails to adequately address the process documentation and training gap. Without training and consistent documented tasks and activities, we introduce a climate ripe for long-term role design failure.

What are some common mistakes professionals make when doing SAP role redesign?

Gambill: Here are three that come to mind:

1.) Failure to include the business in the design. Doing this sets up the organization for design adoption failure. The goal is to develop a shared design, which will help in adoption and long-term success.

2.) Failure to develop/document processes and train/refresh end users and support staff on the correct tasks and activities regarding application security.

3.) Failure to create a scalable design for long-term use.

Why should someone watch this webinar?

Gambill: I believe business process owners, security/controls professionals and auditors, as well as anyone who’s been a part of multiple redesigns, considering a redesign (tactical or full-scale), or has an application security-related audit finding will find value in learning about the Delayed Failure Effect. In my opinion, this is a must-watch prior to beginning any security redesign journey, regardless of scale.

Want to learn more best practices about role design? Sign up here to view the webinar, “Delayed Failure Effect,” hosted by Alex Gambill and Ryan Throop, Director of Strategic Alliances with ERP Maestro, on Thursday December 13 at 1:30 p.m. EST.