Secure IT Procedure for Assigning AP Roles to End Users


Revision History


 Business Risk and Fix

R1: End users are assigned to incorrect Auto Provision (AP) Roles for their user type as part of Role Management and Workflows within SAP Identity Management (SAP IdM) and Access Control.

Functional or Technical Issue

  • T1: Remedy Legacy inaccuracies regarding Auto Provision User assignments for each CUSTMR (Customer) Type

  • End Users in scope:

User types that are assigned an AutoProvision Role by CUSTMR according to:

  • Customer ID

  • Manager

  • HR Mini-Master

  • Identity Type:

    • Employee

    • Contractor


    • Other

Pre-Requisite Controls

CUSTMR: Hourly Manager AutoProvision role. Control where AutoProvision assignments are corrected and identified via the AutoProvision Role Assignment Status link, using the “User BR – AutoProv Assignment GAPS” report found in the IDM Secure IT Reporting Portal.

General Assumptions

  1. The IDM Batch Job for Report User BR – AutoProv Assignment GAPS is executed on a daily basis so that results can be viewed the following business day.

  2. CUSTMR Security Leads (CSLs) are aware that the Internal SAP Security IDM Team is processing any findings manually or via Mass Load as pre-approved on a daily basis.

Risk Identification

***Run the FOLLOWING Report and save results as a CSV file.  This step is Critical because the report triggers a job that changes Report status.***

1. Go to SecureIT:


2. Select CUSTMR Folder:


3. Select Operations Support: 


4. Select ‘User BR – AutoProv Assignment GAPS’ and filter on ‘ALL’ for all fields:


5. Click “View Report”


6. Once report completes, (1) click “Save” icon and (2) select “CSV” option:


7. Use the “Open” or “Save” options to complete the export to CSV and save the file immediately (Open the file and “Save As” or use “Save As” from the “Save” drop down depending on user preference):


8. Create correction file template for Mass Load for ADDs and Removals and be sure to include any Service Incident Ticket (SIT) Details in the columns below as needed for processing.

9. Push AP Role ADD via Mass Load:


10. Push AP Role REMOVAL via Mass Load


11. Remove User from Groups on AD (after regular business hours)

3a. Provide a separate list of Users that have incorrect groups assigned under the wrong CUSTMR 



  1. Notify CUSTMRs impacted for that week via email as part of CUSTMR Internal Controls Process

  2. Create a GENERIC Service IDM Catalog Request, assign this task to ‘AccessIT Operations and Development’ and denote ‘User-BR Add and Remove MASS LOAD for xxxx’ (xxxx being the CUSTMR Group Name)

Data Exclusions

A known set of data that does not need to be evaluated for this procedure (this set can change; it is not static). Values to exclude in evaluation of report results:


Escalation Threshold

If the results, after allowing for the Exclusionary items, are greater than (X), escalate to the CUSTMR IAG Control Owner.
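The triage described in Risk Identification, Data Exclusions and Escalation Threshold can be scripted against the exported CSV. The following is an added example, not part of the original procedure: the report column names, the correction-file layout, the sample rows and the threshold value are all assumptions, since the real report layout and the value of (X) are not shown on this page.

```python
import csv
import io

# Constructed sample of the exported report; the column names are assumptions,
# not the real layout of "User BR - AutoProv Assignment GAPS".
SAMPLE_CSV = """UserID,CUSTMR,IdentityType,ExpectedAPRole,AssignedAPRole
U1001,CUST_A,Employee,AP_HOURLY_MGR,
U1002,CUST_A,Contractor,,AP_HOURLY_MGR
U1003,CUST_B,Employee,AP_SALES,AP_HOURLY_MGR
SVC001,CUST_B,Other,,AP_SALES
U1004,CUST_B,Employee,AP_SALES,AP_SALES
"""

def triage(report_text, excluded_users, threshold):
    """Return (escalate, adds, removals) for one exported gaps report."""
    adds, removals, gap_users = [], [], set()
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["UserID"].strip()
        expected = row["ExpectedAPRole"].strip()
        assigned = row["AssignedAPRole"].strip()
        if user in excluded_users or expected == assigned:
            continue  # on the Data Exclusions list, or no gap to correct
        gap_users.add(user)
        if assigned:
            removals.append((user, row["CUSTMR"], assigned))
        if expected:
            adds.append((user, row["CUSTMR"], expected))
    # More than X findings after exclusions: escalate and push nothing.
    if len(gap_users) > threshold:
        return True, [], []
    return False, adds, removals

def to_mass_load_csv(rows, action, ticket):
    """Render a hypothetical correction-file layout, one line per change."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Action", "UserID", "CUSTMR", "APRole", "SIT"])
    for user, custmr, role in rows:
        writer.writerow([action, user, custmr, role, ticket])
    return out.getvalue()

if __name__ == "__main__":
    escalate, adds, removals = triage(SAMPLE_CSV, {"SVC001"}, threshold=10)
    if escalate:
        print("Escalate to the CUSTMR IAG Control Owner")
    else:
        print(to_mass_load_csv(adds, "ADD", "SIT-PLACEHOLDER"))
        print(to_mass_load_csv(removals, "REMOVE", "SIT-PLACEHOLDER"))
```

Keeping ADDs and REMOVALs in separate files matches the two separate Mass Load pushes in steps 9 and 10, and a user with the wrong role appears in both.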


Corrective Action – Only to be executed if escalation threshold is not met

1. Use Internet Explorer to go to AccessIT and log on with your user ID and password.


2. (1) Select “Identity Management” tab, (2) click “Identity Management” option, (3) select “Manage” tab, (4) select “Person” from drop down menu, (5) input user ID, and (6) click “Go.”


3. (1) Click in the selection box to the left of the Unique ID to select the User and (2) select the “Change Employee Data” tab.


4. Click on the Assigned Roles tab to view current AP Role assignments


5. Click the “Save” icon to save your changes.

6. Repeat steps 1-5 until all users in the list have been corrected. 

Author: Kim Hayes

Kim is an expert Fixer on ERPfixers. SAP I/T Architect for Coke One North America (CONA). SAP Security Deployment Lead, Project Manager, Security Analyst and Basis Architect with several years of experience in Full-cycle Project Deployment and Hands-on Technical Roles. Well versed, with expertise in the areas of SAP Security Deployment Business Cutovers and Security Administration, IT Landscape Architecture, and Basis Administration.