Testing Role Based Permissions for SAP

Testing the Role Based Permissions (RBP) in SAP projects is very important, time consuming and often underestimated. Organizations have complex requirements for user authorizations, so the setup of RBP is largely customized per organization. High customization generally means high risk, which in turn requires high testing effort. The impact of user authorizations that are not properly set up is very high. We need role-based permissions to have proper business controls in place and to restrict access to sensitive information. A secondary reason for RBP is the need to follow strict privacy rules (e.g. compliance with the General Data Protection Regulation, GDPR). Authorizations are subject to audit activities that verify whether the system is correctly configured and segregation of duties is assured.

SAP projects should start RBP setup and testing during the early stages of the project. Starting late might result in missed deadlines and/or authorization issues in the live environment. Testing Role Based Permissions (RBP) can be challenging in SAP projects. Below is a description of the challenging complexity, the need to start planning early, and the specific considerations related to testing the RBP.

Complexity: Setting up RBP is a complex and important activity in SAP applications; in SAP projects it may take a long time to set up the RBP properly. Many detailed business rules are involved in setting up RBP, and they can easily be overlooked when the general business requirements are being defined.

Every field, object, transaction and FIORI tile in the SAP application must have the correct CRUD (Create, Read, Update, Delete) rules set up for each business role represented in the system. Depending on the number of roles and fields in the system, many discussions with the business owners need to take place to get clarity. The complexity of setting up RBP for SAP applications is often underestimated by members of SAP projects. Setting up RBP is often a combination of specific roles and authorizations for specific groups of people in specific areas of expertise. For example, a warehouse clerk should not be able to execute financial transactions, and a Financial Manager should not be able to execute the hiring process for employees. There will be roles with overlapping responsibilities and duties; in this case roles can be combined and assigned to groups or individuals (in SAP these combined roles are called composite roles).

Planning: The specifics of setting up the RBP for the SAP applications are not always clear at the start of the SAP project. As a result, projects tend to start late or move the setup of the RBP towards the end of the project, where it often becomes a bottleneck and ends up on the critical path. It becomes a bottleneck because of the complexity and the effort needed to fix problems when RBP testing results in many anomalies. Therefore, it is recommended to start with the configuration of RBP and RBP testing as early as possible. As a hard entry criterion, user roles should be in place before User Acceptance Test (UAT) execution starts.

Testing: The testing of RBP in an SAP project can be very complex and time-consuming, depending on how the RBP is set up for the organization. Some companies require more than a hundred roles and composite roles! Testing all these roles and their access can be very time consuming and can surface many anomalies.

Test Preparation: While planning and creating new User Stories, it is worth checking whether the User Permissions Matrix has been updated and whether there is merit in adding Role Tests to that particular Story. By reviewing User Stories upfront, missing authorizations or roles can be reported early. User Roles should be part of User Story creation and part of the Definition of Ready and Definition of Done. Test Automation is also an important tool to minimize risk and save time, since testing the permissions is a long-running process that is error-prone when done manually and has to be executed multiple times.

During the testing of the RBP for an SAP application, it is very important to test all the roles and all the authorizations. The setup of the roles for RBP in SAP is custom work for each project and can result in conflicts between role authorizations. When testing the RBP, the focus should be on the authorizations of all the roles: are the employees with these roles able to do what they are supposed to do, are they prevented from doing what they are not supposed to do, and is there no conflict in segregation of duties? The SAP authorization consultant is the responsible and main stakeholder who collects, configures and sets up the user roles and system authorizations. Based on all the information the SAP authorization consultant gathers from the business, they create the authorization matrix for the SAP project. This matrix is the input for creating test cases for the different (composite) roles and for executing RBP testing.

[Note: In small organizations the segregation of duty may be challenging because of the limited number of people involved.]