Hermosa Beach Consulting Group
Case Studies

Case Study: Security Automation

Challenge: This global media and entertainment company had a user base of 27,000 core users. Because of the enterprise’s sheer size and the diversity of its lines of business, the customer expected an extremely high volume of security transactions: user-to-role assignments (new hires, employee moves, and changes in employee responsibility) and ongoing changes to users’ data-level access as the business’s organizational structure evolved. The organization required a security model that would meet these requirements, yet require minimal resources to support, ensure the accuracy of the security transactions processed, involve the business in approving user governance requests, and remain tightly controlled by adhering to a “least privilege” design methodology.

Roles were designed by job function and standardized across all component systems (i.e., R/3, BW, BCS, CRM, EBP, SEM-BPS). Similarly, data-level access was standardized across all component systems to ensure that users would be limited to the same organizational levels, regardless of the system they were accessing. Workplace was used to organize menu paths and serve as the primary user interface for the various component systems. The HR Organizational Structure was leveraged to assign roles to users’ positions, meaning that when an employee changed positions or was hired into a position, they were automatically assigned the roles associated with that position.

Workflow was implemented to allow any user of the system to submit a security governance request which is routed to appropriate approvers within the business. The workflow is designed to prohibit redundant functionality assignments and warn of Segregation of Duties (SOD) violations. The request is routed to appropriate business data owners for approval. Once fully approved, roles are assigned automatically to the user’s position with no manual intervention required by security. Similarly, requests for modifying a role’s data-level access are approved through workflow. Once the request is routed to and approved by the appropriate business data owners, a build specification is created which identifies by component system all of the roles to be modified; the build specification is reviewed by security for final approval and then automatically updates the roles within the appropriate development systems.
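
The pre-approval checks described above can be sketched as follows. This is an added example, not the customer's or the consultancy's implementation. The role names, functions, SOD rule pairs and owners are constructed, and "redundant" is assumed to mean that the requested role adds no function the position does not already hold.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical; not taken from the case study).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice", "display_vendor"},
    "AP_PAYMENTS": {"run_payment", "display_vendor"},
    "VENDOR_MAINT": {"maintain_vendor", "display_vendor"},
    "AP_DISPLAY": {"display_vendor"},
}
SOD_CONFLICTS = [("maintain_vendor", "run_payment"),
                 ("enter_invoice", "run_payment")]
ROLE_OWNERS = {"AP_CLERK": "ap_manager", "AP_PAYMENTS": "treasury_lead",
               "VENDOR_MAINT": "procurement_lead", "AP_DISPLAY": "ap_manager"}

@dataclass
class Decision:
    status: str                      # "rejected" or "pending_approval"
    reason: str = ""
    sod_warnings: list = field(default_factory=list)
    approvers: list = field(default_factory=list)

def evaluate_request(position_roles, requested_role):
    """Run the workflow's checks before routing a role request for approval."""
    if requested_role not in ROLE_FUNCTIONS:
        return Decision("rejected", "unknown role")
    held = set().union(*(ROLE_FUNCTIONS[r] for r in position_roles))
    new = ROLE_FUNCTIONS[requested_role]
    # Prohibit redundant assignments: the role grants nothing new.
    if new <= held:
        return Decision("rejected", "redundant functionality")
    combined = held | new
    # Warn (do not block) on conflicts that this request would introduce.
    warnings = [pair for pair in SOD_CONFLICTS
                if set(pair) <= combined and not set(pair) <= held]
    # Route to the business owner of the requested role.
    return Decision("pending_approval", sod_warnings=warnings,
                    approvers=[ROLE_OWNERS[requested_role]])

def apply_if_approved(position_roles, requested_role, approvals):
    """Assign the role to the position only once every approver has signed off."""
    decision = evaluate_request(position_roles, requested_role)
    if decision.status == "pending_approval" and set(decision.approvers) <= set(approvals):
        return sorted(set(position_roles) | {requested_role})
    return sorted(position_roles)
```

Because roles attach to the position rather than the person, the returned role list is what any employee placed in that position would inherit.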

Result: The enterprise was able to minimize resource requirements for security staff, more accurately process security requests by removing manual processing, realize ownership of security by the business, and still retain a highly controlled environment.