Redesign of all SAP authorizations at Coop Mineraloel
With the help of Xiting Authorizations Management Suite (XAMS), Coop Mineraloel AG was able to redesign the roles of a central ERP system in only five months. Furthermore, the number of roles was drastically reduced without affecting the daily operations during the implementation of the new authorization concept. This was made possible by using the XAMS’ automated tool for role design, the Role Designer. In addition, the introduction of the Xiting Central Workflows (XCW) solution met the auditing requirements for traceability in the processes of user creation, user modification, role change and role assignment. In order to increase security and usability, SAP Single Sign-On 3.0, an SAP solution, was implemented by Xiting.
About Coop Mineraloel AG
Sustainability characterizes the Coop Group today more than ever. As a company in the retail trade division of the Coop Group, Coop Mineraloel AG is the leading Swiss company in the mineral oil, petrol station and convenience sectors. With around 120 employees in 2019, Coop Mineraloel AG generated sales of around CHF 2.5 billion. Coop Mineraloel is based on three main areas of activity:
- Operation of the Coop Pronto convenience shops with or without petrol stations,
- operation of the Coop petrol stations and
- the procurement and sale of mineral oil products (fuels, heating oil).
Security outside, security inside
Often the users of IT systems have extensive authorizations. This was also the finding of an analysis of the authorization concept of the central ERP system for around 100 users, which was carried out by the internal audit department of Coop Mineraloel AG in mid-2019. Excessive authorizations can lead to violations of the four eyes principle (Segregation of Duties, SoD) and thus entail high security risks, such as violations of applicable laws or data protection. Coop Mineraloel AG wanted to counteract these risks by redesigning its authorization concept. In addition, Xiting Central Workflows (XCW) and SAP Single Sign-On (SSO) were implemented for reasons of security, traceability, and usability.
Many companies avoid such authorization projects for fear of long project durations and downtimes, stress for the employees in the business units and high costs. Coop Mineraloel AG therefore fully relied on the automated tools of XAMS – and was able to agree with Xiting AG on a fixed schedule at a fixed price for the implementation and the role project. The redesign was started in June 2019. In conventional authorization projects, the most time-consuming parts are usually the workplace analyses, the role design – consisting of the definition of the content and the technical creation of the roles – and testing. Xiting has therefore developed specialised tools for these tasks.
The XAMS tools: automated, time-saving, effective
At Coop Mineraloel AG, for example, the Role Designer integrated in XAMS was used to record the processes used and to create role proposals. These initially purely virtual roles were then checked and modified taking the subsequent user assignment (degree of coverage) into account. The Role Designer follows general guidelines for SoD and critical authorizations, proven SAP Best Practices, and the audit guide of the German-speaking SAP user group (DSAG). In the end, the aim is to retain as few roles as possible to simplify the administration of the future authorization system.
The check of the template roles also includes in-house developments in the SAP system. In accordance with the actual processes at Coop Mineraloel AG, some of the new roles also contain so-called Z transactions (customer parameter transactions), with which users can start custom developed applications.
The in-house developments were also subject to an SU24 analysis and cleanup, and the roles were then automatically enriched with the correct authorization objects and values. Once all necessary roles had been created virtually, they were transferred to the SAP system and tested. For this purpose, Xiting has developed the Productive Test Simulation (PTS): here, the use of the new authorization roles is simulated in the production system, under supervision of the automated tools Role Builder and Xiting Times. This makes it possible to immediately detect and correct any inaccuracies in the new authorization design. The go-live was carried out without any risk for productive operations, since the users retained their old roles in the background during a transition phase (protected go-live phase) and could temporarily use them again in case of any problems.
Sustainable administration of permissions thanks to XAMS and Xiting Central Workflows
With a manual approach, the redesign would have been less sustainable. In the current project, the number of existing roles was reduced from approximately 130 roles (plus several assigned SAP standard roles) to 50. In the future, Coop Mineraloel AG will be able to reliably manage its own authorizations with XAMS. Thanks to the automated processes, employees in the specialist departments were also only minimally affected. Without Xiting Times the departments at Coop Mineraloel AG would have been very critical of a go-live. However, the redesign only caused a minor impact for them.
As an additional measure of sustainable user and role administration the new solution Xiting Central Workflows (XCW) was implemented within only two days. In the future, changes as well as the creation of new roles and users will be controlled, traceable and automated via an approval procedure.
In addition, Coop Mineraloel AG was able to solve a task that affects many companies: The functionalities of XAMS in combination with the professional realization of the implementation process by Xiting enabled Coop Mineraloel AG to meet a very tight project schedule and to achieve a proven ROI within the project duration. Xiting’s support team was able to provide a solution for all problems that arose, usually on the same day.
More security and user-friendliness with SAP Single Sign-On
With the introduction of SAP SSO 3.0, access to SAP systems is not only more secure (no more passwords on the screens or under the keyboard), but also much more user-friendly. Incorrectly entered passwords, user locks and the associated helpdesk calls are now a thing of the past.
Single Sign-On means that user authentication is performed only once. At Coop Mineraloel AG, this login takes place directly when the PC is started or by logging on to the terminal server. Subsequently, all applications configured for SSO (SAP GUI, SAP Enterprise Portal, SAP ICF Services or SAP BusinessObjects) can be accessed without the need to log on again. Authentication is performed throughout using securely encrypted Kerberos tickets.
Password management in the various SAP systems was thus eliminated for all SAP users. An additional advantage is the ability to quickly lock out certain users from all SAP systems: once a user no longer has access to Active Directory, access to the integrated SAP applications is no longer possible either.
The use of encryption of network communication was an integral part of the audit requirements in the context of auditing SAP systems. The aim was to implement end-to-end encryption and secure authentication of systems, interfaces, and users. Connections should always be encrypted when passwords, personal or sensitive data is transferred across the network. This applies to communication between SAP systems as well as client-to-server communication, for example, using the SAP GUI or the browser.
Beyond SSO as a convenience function, encryption for the SAP protocols DIAG and RFC, which is missing in the standard system, and the consistent use of HTTPS for web-based SAP applications were also implemented to meet this requirement. The SAP Secure Network Communications (SNC) and Transport Layer Security (TLS) technologies provide the basis for this.
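As an added defender-side check that is not part of the case study or of Xiting's products: a small Python script that reads an SAP instance profile fragment and flags settings which leave DIAG/RFC or web traffic unencrypted, i.e. the requirement described above. The parameter names are standard SAP profile parameters; the two profile fragments are constructed samples, not Coop Mineraloel AG's configuration.

```python
import re

# Constructed sample profile fragments (not from the Coop project).
WEAK_PROFILE = """\
snc/enable = 0
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
"""
HARDENED_PROFILE = """\
snc/enable = 1
snc/data_protection/min = 3   # 3 = privacy: authentication, integrity and encryption
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""

def parse_profile(text):
    """Return {parameter: value}; '#' starts a comment, lines without '=' are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def find_weak_settings(params):
    """List every setting that leaves DIAG, RFC or HTTP traffic unencrypted."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off, DIAG and RFC run in cleartext")
    # SNC protection levels: 1 = authentication only, 2 = integrity, 3 = privacy (encryption)
    if params.get("snc/data_protection/min") != "3":
        findings.append("snc/data_protection/min is not 3: clients may negotiate no encryption")
    # Anything other than 0 (1, or U for per-user exceptions) still admits non-SNC logons
    for p in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
        if params.get(p) != "0":
            findings.append(f"{p} is not 0: non-SNC connections are still accepted")
    for key, value in params.items():
        prot = re.search(r"PROT=(\w+)", value, re.I)
        if re.fullmatch(r"icm/server_port_\d+", key) and prot and prot.group(1).upper() == "HTTP":
            findings.append(f"{key} serves plain HTTP ({value}); use PROT=HTTPS")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, find_weak_settings(parse_profile(text)) or ["no findings"])
```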
Project successes at a glance
By redesigning SAP authorizations using XAMS and workflow-controlled authorization assignment, the following successes were achieved:
- Minimal project-related loss of working time for the specialist departments during the entire project duration, primarily due to the productive test simulation on the production system – transparent for the user
- Problem-free go-live due to the possibility of the user activating the “old” permissions independently
- Reduced support effort through newly designed workplace-specific roles
- Audit requirements (SoD, cleaning of critical authorizations) fulfilled
- Sustainable implementation of the new authorization concept by using the workflow-based tools for automated role and user maintenance
The use of SAP Single Sign-On at Coop Mineraloel AG offers many advantages from the point of view of productivity and security and has created a higher level of acceptance among end users and system operators:
- Single sign-on and user-friendly access to SAP applications
- Improvement of IT security and compliance
- Elimination of passwords and password management
- Simple and secure authentication for many applications and scenarios