10 Tips to Follow During Your CUP Deployment

by Massimo Manara, SAP Security Consultant, Aglea s.r.l.
June 13, 2011

Using compliant user provisioning in SAP BusinessObjects Access Control, you can check in real time if the authorization for a new user or a change made to an existing user’s status is in conflict in any way. Setting up CUP is not simple if your company has not clearly defined and deployed a structured workflow for user management. Learn some tips on how to set up and deploy this capability and avoid pitfalls during the configuration.
Key Concept
A composite role is a specific type of SAP role that includes all associated single roles (i.e., using composite roles is a metaphorical way to define a list of job roles). If you have several thousand single roles and don’t use composite role templates, you might have difficulty looking for some data pertaining to a user’s authorization.

An essential step before implementing compliant user provisioning (CUP) in SAP BusinessObjects Access Control is understanding whether your authorization concept is compliant and sufficiently mature to get the most out of CUP’s features. CUP was designed to involve business users during the change management of roles or users and during the periodic reaffirmation of privileges. It was intended to improve awareness of business process ownership (BPO) during user change management. To achieve this goal, follow these 10 tips, which are a mix of business-oriented and technically oriented instructions.

When you are authorizing a new user and assign two or more roles to that user, conflicts could arise: for example, role 1 and role 2 could be incompatible with each other. When you are changing a user’s status, conflicts may arise with the authorizations already assigned. CUP can help you to manage these conflicts.

Tip 1: Use a Composite Role Approach

A composite role approach lets you define a small number of roles on top of the total set of single roles, which makes governance easier to maintain. With a small number of composite role templates, the business avoids deciphering a long list of job role names, and you can produce clear business-oriented documentation. Furthermore, the business itself recognizes a job role named Buyer more readily than one named Create a Purchase Order type ZC on plant IT10. Single roles and derived roles are the building blocks used to arrive at a small number of composite roles, proportionate to the company size. A single role defines the list of elementary activities; a derived role constrains these activities to certain data (e.g., create material master data only on company IT10). Here, create material master data represents the activity (the SAP transaction), and IT10 represents the domain data where this role can write or read.
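The role hierarchy from this tip and the conflict check described in the introduction can be sketched as a small model. This is an added example, not code from the article or from SAP; the rule R001, the role names, the transaction-to-role mapping, and the organizational value IT20 are constructed assumptions, and the check is a simplified stand-in for CUP's risk analysis.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SingleRole:            # elementary activities (transaction codes)
    name: str
    activities: frozenset

@dataclass(frozen=True)
class DerivedRole:           # a single role constrained to one organizational value
    name: str
    parent: SingleRole
    org_value: str

    def permissions(self):
        return {(tcode, self.org_value) for tcode in self.parent.activities}

@dataclass(frozen=True)
class CompositeRole:         # business-facing job role, e.g. "Buyer"
    name: str
    members: tuple

    def permissions(self):
        return set().union(*(m.permissions() for m in self.members))

# Constructed rule: creating a purchase order and posting a goods receipt
# conflict when both are possible in the same organizational value.
SOD_RULES = {"R001": ("ME21N", "MIGO")}

def request_conflicts(current_roles, requested_roles):
    """Return (rule_id, org_value) pairs the user would violate after the request."""
    perms = set()
    for role in (*current_roles, *requested_roles):
        perms |= role.permissions()
    hits = []
    for rule_id, (a, b) in sorted(SOD_RULES.items()):
        orgs_a = {org for tcode, org in perms if tcode == a}
        orgs_b = {org for tcode, org in perms if tcode == b}
        hits += [(rule_id, org) for org in sorted(orgs_a & orgs_b)]
    return hits

# Constructed sample roles
PO_CREATE = SingleRole("Z_PO_CREATE", frozenset({"ME21N"}))
MAT_CREATE = SingleRole("Z_MAT_CREATE", frozenset({"MM01"}))
GR_POST = SingleRole("Z_GR_POST", frozenset({"MIGO"}))
BUYER_IT10 = CompositeRole("Buyer", (
    DerivedRole("Z_PO_CREATE_IT10", PO_CREATE, "IT10"),
    DerivedRole("Z_MAT_CREATE_IT10", MAT_CREATE, "IT10")))
RECEIVER_IT10 = CompositeRole("Goods Receiver", (DerivedRole("Z_GR_POST_IT10", GR_POST, "IT10"),))
RECEIVER_IT20 = CompositeRole("Goods Receiver", (DerivedRole("Z_GR_POST_IT20", GR_POST, "IT20"),))
```

Because derived roles carry the organizational value, the same pair of job roles conflicts on IT10 but not when the second role is derived for IT20.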

Massimo Manara

Massimo Manara is an SAP-certified security and compliance consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance. He has nearly 10 years of experience in IT security and on SAP projects, and a bachelor’s degree and master’s degree in security computer science.
