Access Manager

Big Picture

SUIM’s Access Manager (AM) is a centralized authorization management system.

AM offers tools for:

  • the efficient administration of user lifecycle management.
  • the execution of reorganizations as well as mergers & acquisitions at enterprise level.
  • the quality management of the authorization objects.
  • AM allows the administration of the entire SAP portfolio (independent of release status) from a central system.
  • AM administers, generates and transports SAP-roles, -profiles, structural authorizations, OLAP profiles or other groups in the entire system landscape.
  • AM allows the configuration of the system landscape by customizing.



  • An authorization-officer can perform all tasks typical for the role on one screen. Besides assigning all needed authorizations to an SAP-user, the officer can initiate the SoD-verification and the approval process.
  • AM allows a rule-based (as well as periodically recurring) assignment of authorizations.
  • The structuring by AM-organizations and AM-systems allows an ergonomic presentation in an authorization-matrix.


  • An AM-Role is a sensible combination of authorization-elements (ERP, BI, structural authorization, organization management objects, Active Directory, etc.) and systems.
  • The integration of the two dimensions, system-architecture and authorization-elements, allows the flexible representation of complex authorization-requirements and at the same time substantially simplifies the operative lifecycle management.

AM-Role-Derivation / BI-Profile-Generation

  • Automated generation of organization-specific derivatives of a master-role in the target system, based on defined derivation and distribution rules. No manual change is necessary.


  • Real-time role distribution via mapping of an authorization-role or an authorization-profile to a user in the target system. This ensures that the user is granted all the needed authorizations (and no more). Temporary unavailability of the target system is also compensated for by queuing.

AM-Organizations, -Systems, -Role-Catalog

  • The structuring by organizations, systems and catalogs allows a very simple implementation of the requirements on the one hand, while on the other hand even very complex scenarios can be represented.


  • In the AM, authorization fields can be defined not only as general organization fields but also as role-specific ones. This gives the necessary degree of freedom to find the right solution within complex constellations.

AM-Mass-Role-derivation / BI-Profile-Mass-generation

  • When master-roles change or a new organization is integrated into an enterprise, the need for change is usually very extensive. With the possibility to adapt or recreate all relevant derivations automatically, the amount of work is minimal.


  • The AM-distribution-mechanisms can be used for bulk processing.


  • When an authorization or a BI-profile is assigned to a user, an automated analysis of the resulting constellation can check whether it contradicts the defined SoD-rules.

User Life Cycle: AM-Workplace

Authorization matrix

The AM-authorization-matrix is the most used tool in the user life cycle management. This workplace serves to display and maintain all authorization assignments to the SAP-users. The SoD- and risk-analysis as well as the defined workflow process steps, from the request via approval to the physical assignment of the authorizations on the decentralized systems, are initiated from this workspace. The authorization-matrix can be used via web as well as via the SAP-GUI.

Main functions

  • Assign authorization:
    • Selection of authorizations by ticking the checkbox in the matrix.
    • Representation of complex time dependencies by the AM-time-rules.
  • Display assigned roles: Target- / actual-comparison of the authorization-elements of the SAP-User in the respective target systems.
  • Distribute authorizations: Distribution of the target-authorization-assignments of the SAP-user in the respective target systems.
  • Action log: Display the change records of the selected SAP-User.

User Life Cycle: AM-Workflow


  • In the optional standard process, the workflow is initiated when the super user changes the AM-role-assignment of a user.
  • The applicant's supervisor is determined and receives the work item originating from the authorization-request in his inbox, where he can process it.
  • The authorization-request is granted or denied by the supervisor. The distribution of the authorization-mapping (incl. the creation of a possible derivative of a master-role in the target system) can be initiated directly from the work item processing.