Naturally, companies that have been in business for decades have decades worth of user roles amassed in their systems landscape. When preparing for the upgrade to SAP S/4HANA, not every company will need to remediate all of their security roles, however this is the approach that one long-time SAP customer decided to take as part of their roadmap to meet the 2025 deadline.
Imagine remediating more than 20 years’ worth of security roles to prepare for the upgrade to SAP S/4HANA when you’ve been running SAP ERP Central Component (SAP ECC) since the late 1990s in an environment with over 4,000 roles and 11,000 users? That’s the reality for Newport News Shipbuilding (NNS), the sole designer, builder and refueler of U.S. Navy nuclear-powered aircraft carriers and one of two providers of U.S. Navy submarines. With approximately $4 billion in revenues and more than 25,000 employees, NNS is the largest industrial employer in Virginia and the largest shipbuilding company in the United States. NNS’ parent company, Huntington Ingalls Industries with locations in Louisiana and Mississippi, is America’s largest military shipbuilding company.
At SAPinsider’s 2020 conference in Vegas March 17-19, Deborah Rogers, Cybersecurity at NNS, will explain to attendees how the business redesigned roles for least privilege access, rebuilt security data around transaction code SU24, incorporated SAP Fiori interfaces, and addressed items from SAP’s simplification list for SAP S/4HANA 1909.
Rogers has been an employee of NNS since 2004, a speaker at multiple SAP conferences since 2016, and is an adjunct professor at Christopher Newport University. With a career spanning from programming to risk management to security to architecture, Rogers’ latest role revolves around making sure that NNS keeps everything up to date specifically around security and SAP and that the company stays within budget, on schedule, and is able to track everything within the SAP application.
“With NNS’ current challenges to meet government contractual obligations, speeding up some of our processes and reducing costs right now really puts us at an advantage. We’re looking to the SAP S/4HANA application to help us with that,” says Rogers.
While not every company will find it necessary to remediate all security roles for their SAP S/4HANA upgrade, NNS found that this approach is required to meet their business goals. Rogers’ presentation in Vegas, “How Newport News Shipbuilding remediated 20+ years of security roles preparing for SAP S/4HANA,” is largely geared towards project managers who might be looking to do their own role remediation prior to a large move such as the one to SAP S/4HANA. During this session Rogers will discuss:
- How NNS prepared for the project through data collection and workshops to tap into institutional knowledge
- How transaction code SU24 was rebuilt with solid representation of customizations
- What the organization did to evaluate new SAP Fiori applications and how they incorporated them into its overall role design strategy
- Tips and tricks from the conversion of security data to SAP S/4HANA 1909
Analyzing custom transactions with zero material costs
NNS moved to the SAP Governance, Risk and Compliance (GRC) solution in 2016. The company is a highly customized SAP shop, having customized over 40% of its transactions in an environment with over 4,000 roles and 8,000 users in 2016. “We had 2,000 custom transactions and different areas of business would subjectively give two different answers for how a transaction worked. We needed a reliable, repeatable, automated way to put these into the GRC rule set and have confidence in them in a way that would help us pass audit,” says Rogers.
During her case study session, “Newport News Shipbuilding analyzed 2,000+ custom transactions for SAP Access Control,” Rogers will explain how NNS made this process easier and better with zero additional licensing costs and zero configurations or installation of new tools. “It took time, but there were no materials cost,” she says.
Some of you who attended our SAPinsider event last year may have been present for an impromptu presentation that Rogers gave on this very topic, a gathering that happened in a spare conference room in the true, knowledge-sharing spirit of SAPinsider. “This topic wasn’t officially on the agenda last year but I’d presented it at past conferences. People who weren’t able to attend before recognized me, pulled me aside, and asked if I could share our story with them.”
This year we’re looking forward to hearing Rogers present this topic as part of our official agenda. “When I’m sitting in isolation in my office every week I tend to lose sight of the fact that many other SAP customers have also installed SAP and have the same challenges. The exchange of information at SAPinsider conferences is invaluable,” says Rogers.
Register to attend SAPinsider 2020 Vegas!