The JAMToolkit User Sync feature provides instant and detailed access analysis against live users from your satellite SAP systems.
Understanding end-user access in the context of a business requirement is often a challenge. Standard SAP transactions such as SUIM or SAP GRC and IdM reports provide technical data but can be difficult to translate into meaningful terms that can be understood by the business.
The JAMToolkit is a central repository for all objects used to define and capture an efficient SAP access design. Live users with organisational attributes, access assignments and transaction usage history provides multiple ways in which to view and analyse users and their access. The analysis and reporting capabilities in the JAMToolkit can support operational objectives and strategic decision making.
This article will explain what analysis can be performed with the User Sync feature alongside other JAMToolkit applications. There are also some short demonstration videos and interactive dashboards for illustration.
Sync End-User Organisational Attributes
End-user profiles are created in the JAMToolkit using the automated User Sync feature. End-user profiles identify key organisational attributes of a user such as their Entity and Business Unit for which they transact in the ERP system. Ultimately, these attributes will determine the role derivation(s) for the user in the JAMToolkit. The users will be assigned to the “LIVE USERS” group which can provide a holistic view of the ERP Users. This can answer many questions; how many users transact for a single country or provide a global service? Of the users, how many transact for a specific business unit (part of the company) etc?
Analyse End-Users against Business Processes
The Role Sync feature of the JAMToolkit works alongside User Sync and automatically updates the user mapping of the end-user profile in the JAMToolkit repository. This identifies which jobs and roles are assigned to users. As jobs are associated with business processes, (also stored in the JAMToolkit), it is quick and easy to understand how many live end-users have the ability to execute specific processes. This valuable insight allows for access to restricted where applicable, but also for efficiencies to be found in the operating model and business processes. For example, a business process may be run by 200x end-users in each country around the globe, but could be run by a global service saving many hours of processing time locally.
Analyse End-Users against Transaction Usage
The JAMToolkit has the ability to identify and retain transaction usage information within the repository. This coupled with the User Sync feature allows for detailed access reviews to be performed against each of the end-user profiles. Comparisons can be reported upon with great ease to identify which of the access assignments (by Job and Role) have actually been used by the end-user over specified periods of time. Recommendations for access removal can be made as a result of this reporting capability.
Analyse End-Users against Segregation of Duties
Segregation of Duties (SoD) with rules and transactions can be defined, configured and documented within the JAMToolkit. Based on this data, the tool has powerful reporting features which can be used in a variety of ways including role, job and user level violation reporting. Once the User Sync and Role Sync tools have been run, it is possible to check all live end-users assignments for Segregation of Duty violations. Additionally, the SoD feature in the JAMToolkit can be used to impact assess any proposed changes to the Segregation of Duty configuration on the live users (i.e. mass simulation).
The video below illustrates how the User and Role Sync transactions will transfer an SU01 master record from a remote ECC system into the JAMToolkit repository. Once in the repository the end-user can be checked against a variety of JAMToolkit data, including operating models (Business Units and Entities); business processes; transaction usage and degregation of duty rules.
The User Analysis dashboard is fully interactive, allowing drill-down into the data by clicking on the map and bar graphs. Right click to Page 2 to see the data behind the dashboard. Reset the data to return to the original dashboard display. Dashboards can be fully customised to suit your requirements.
The User Analysis dashboard illustrates 189 end-users who have been synchronised from a fictional ECC business operational model which includes 3x entities and 4x business units.