To protect data from manipulation, misuse or destruction and to fulfill external re-quirements, such as the stipulations of the Sarbanes-Oxley Act, companies have to ensure that

• only authorized users are allowed access to the SAP system and
• only to the extent that their position, their daily work and responsibilities warrant.

Company dynamics require continual adaptation of authorizations based on current conditions and usage. This is the only way to prevent employees from gaining unau-thorized access to data and functions.

Whereas potential usage behavior results from assigned roles and authorizations, actual usage can be determined with the aid of the RBE Plus User & Role Ana-lysis. Ideally, potential usage should conform to actual usage.

Within the framework of the RBE Plus User & Role Analysis, each user’s activities and authorizations are examined and solutions are provided for the following prob-lems:

• Which users with logon authorization were not active during the analysis period?
• Which users were never logged into the system despite their authorization?
• Which users have been assigned critical authorization profiles?
• Which users are active in which application areas?
• Can critical activities be performed by the same person (e.g. entering invoices received and outgoing payments)?

The RBE Plus User & Role Analysis also evaluates transactions in order to exam-ine the intensity with which processes are executed. Among other things, this brings to light just how efficiently processes and transactions are used, for example, how many changes must be made to create a document.

For a detailed check of the authorization concept, the RBE Plus User & Role Analysis continuously integrates the quantitative and qualitative evaluation of the assignment system and usage intensity of roles.

• The RBE Plus User/Role Analysis points out differences in user-role assignment. Unused roles are evaluated in terms of the advantages they bring, and users not using the roles assigned them are identified.
• Discrepancies between assigned and used transactions within a role are identified and can be eliminated. This results in effectively tailored roles.
• Finally, the authorizations assigned to a user determine his/her access options. These must be checked in terms of usage and characteristics. Specific RBE Plus results for transactions, users, authorization objects and roles are processed in an analysis database with respect to these factors and are made available for indi-vidually configured analyses.