Success Story: Zumtobel Group (Extended Version)

Efficient SAP Role Redesign with the XAMS as a Catalyst for
the S/4HANA Migration at Zumtobel Group

The automated tools of the Xiting Authorizations Management Suite (XAMS) enabled an efficient SAP role redesign at Zumtobel Group. By reducing the number of roles, introducing job-based roles and cleaning up critical permissions, Xiting‘s project team was able to redesign the authorization concept for a system with two clients. Through a productive test simulation, the new permission roles could be simulated in the production system, allowing for a risk-free go-live without project pressure during
the transition phase. This set the necessary conditions for the subsequent S/4HANA migration, and one of the clients was successfully migrated immediately afterwards.


The project at Zumtobel Group was aimed at increasing the security and efficiency of the company by redesigning authorizations. An important objective of the project was to reduce the number of roles and profiles in the system while adhering to the minimum principle in order to eliminate unnecessary access rights. In addition, the introduction of job-specific functional roles was desired by matching the authorizations to the specific needs of the individual departments on an international level. In order to increase security, another goal of the project was the implementation of an auditable emergency user concept, which conveniently allows key users and IT employees extended critical authorizations for a limited period of time. Finally, the best possible preparation for the upcoming S/4HANA migration was essential to ensure a successful migration for the company. Zumtobel was already able to celebrate this success on one of the clients, which was successfully migrated together immediately after the go-live.


The project faced some challenges, mainly because the complex structure due to numerous companies, partly non-harmonized processes and the use of almost all common SAP modules worldwide made it difficult to classify the large number of users into areas and functions. The XAMS Role Designer Module proved to be very helpful for designing job roles. The Role Designer made it possible to divide the large number of users into areas and job functions and to clearly structure the designed roles for the project. Efficient analysis tools in the Role Designer also helped to design and build customized roles for individual processes. By the end of the project, the Role Designer had proven to be not only an optimal role design tool, but also a project tool that could be used to document and evaluate the progress of the project. The Role Replicator with all its mass processing tools turned out to be the clear tool winner. Whether it was the challenge of easily mapping the complex organizational structure for more
than 50 companies and, based on this, replicating template roles for each of these companies with ust a few clicks, or even assigning role sets to users en masse. The Role Replicator also proved to be extremely useful with regard to the unwanted assignment of transactions such as SE16, SM30 and SE38. Thus, Z-transactions could be created quickly, and the workload could be reduced considerably. Throughout the project, the issue of security could not be neglected, which was supported in particular by using the XAMS risk framework. In addition, individual customer specifications were added to the rules in order to promote transparency and to initiate required measures such as control mechanisms.


Separate add-on roles for important authorizations, such as master data roles and key user roles, enabled sensitive authorizations to be restricted and cleansed. The use of the productive test simulation with the airbag principle enabled the project team to test for a sufficiently long time with many users, in order to achieve solid and reliable test data and to minimize risks during the go-live phases. In addition, the implemented emergency user concept also contributed to reducing the project pressure towards the end. This ensured a smooth and successful transition. An unexpected short-term achievement was the successful migration of one of the clients, which was migrated directly after the go-live. The reduced number of roles as well as the increased quality in terms of security and SU24-compliant role building paved the way for a short project duration. Within only a few months, all necessary steps, such as the alignment of the role content with the simplification list integrated in the XAMS, the conversion of the S/4HANA-related changes in the roles and the new introduction of Fiori apps, could be carried out. The tests mainly had to be carried out only for new S/4 applications, which is why nothing stood in the way of the go-live after a short time. In time for the go-live, the Fiori App Tracker, which was delivered with XAMS SP18 in May 2023, could be deployed to identify used Fiori IDs during an emergency session and to extend them in the job roles as needed.

Download Success Story

Vanessa Albuera

Get in touch with us!

Do you have questions about our products?

+41 43 422 8803
[email protected]
+49 7656 8999 002
[email protected]
+1 855 594 84 64
[email protected]
+44 1454 838 785
[email protected]

Attend our live webinars and learn more from our experts about SAP authorizations, XAMS, SAP IDM and many other topics in the context of SAP security.

Register now