Successful enterprises treat effective SAP user management as a three-fold effort that incorporates cost optimization, streamlined processes, and risk management. They know that a well-managed SAP environment leads to lower costs, greater user satisfaction, increased user productivity, better security, and less risk. Relaxo Footwears Limited is one of these successful enterprises. The company recently benefited from connecting improved SAP user management to the continued growth and security of its business. Its evolution from manual, time-consuming processes to lean, automated workflows eased the burdens and risks associated with user access and license management; it also reduced the cost structure of its SAP environment and improved audit and security results.
As the largest footwear manufacturer in India with a production capacity of roughly 600,000 pairs of footwear each day, Relaxo Footwears Limited prides itself on innovation and customer satisfaction. Through its simple “ABCD” philosophy — providing affordable, beautiful, comfortable, and durable products — Relaxo has earned the support of millions of customers who have helped make the company a household name in India. Relaxo’s 900 distributors promote 11 brands to more than 50,000 points of sale, including close to 300 Relaxo-branded retail outlets located in 125 cities across the country.
Because Relaxo is committed to providing its employees with the same level of satisfaction it provides its customers, the company places a high priority on implementing the latest technology in its manufacturing facilities and core IT systems. In 2009, the company implemented SAP Apparel and Footwear, an SAP for Consumer Products industry solution that was developed as an SAP ERP service enhancement tailored for clothing and shoe manufacturers. Relaxo now uses it to run manufacturing processes in eight facilities in India.
After implementing the SAP Apparel and Footwear solution, Relaxo more than doubled the number of SAP user licenses it needed. Its expanding SAP environment not only meant a more expensive SAP infrastructure, it also meant greater risk and compliance issues around user access as well as greater demands on its IT teams to manage and provision user access. The expansion and accompanying challenges drove Relaxo to look for ways to more adeptly manage its increasingly important SAP environment as well as to better manage its users.
Just as a good pair of shoes needs to fit each foot well, there were two equally important sides to Relaxo’s expansion challenges. On the one side, IT was proud of what it had done with SAP and wanted end users to be delighted with their SAP environment. It wanted the security, licensing, and provisioning requirements to be invisible to users and for users to simply be as productive as possible. On the other side, Relaxo’s leadership also wanted to minimize the risks and costs of each user along with any IT support costs. In short, they wanted the entire risk level and cost structure of the SAP environment minimized without compromising the business value of the platform.
Outgrowing Old Shoes
As Relaxo grew, its leadership team realized the older processes and tools no longer provided enough value. They no longer fit. Because of SAP user license costs, maintaining better control of licensing was Relaxo’s first user management objective. The team knew it had outgrown its former user license management practices because it had more Full Professional users than there were licenses for. Despite not having exceeded its total license inventory for all user license types, the company was non-compliant because of a contractual limit placed on each license type. “When we became non-compliant in that license type category, we had to pay the difference,” explains Raghubir Singh, Relaxo’s Head of IT. “That’s when we decided we needed a monitoring solution that could guide proper license allocations and prevent us from incurring any unnecessary licensing costs.” To reach its compliance and cost savings goals, Relaxo realized it needed an automated solution that would replace its current manual processes.
As Singh and his team researched the impact an automated solution could have on Relaxo’s licensing challenges, they discovered additional challenges associated with SAP user management. They realized that streamlining the processes around SAP user provisioning could improve user productivity and user satisfaction and reduce the burden IT faced in supporting users. Manual provisioning of SAP users had proven extremely difficult to manage and consumed significant time and attention of the IT team. As Relaxo grew and personnel changed or job requirements changed, IT administrators were beset with urgent access requests. No one was happy with these requests. End users were impatient, and IT administrators did not like being distracted from the other important work they needed to complete.
Another area of user management included identifying and either removing or mitigating segregation of duties (SoD) conflicts and sensitive or critical access. “We found that some users were doing jobs they didn’t have authorizations for, which obviously made the system a challenge for them to use, and in other cases, some users had more authorization than they needed,” says Singh. “Those access issues created security risks that we had to eliminate, but without a clear road map to guide our SoD mitigations, that had proved challenging.”
“Now, at the time a license is created, the system automatically determines availability and whether there will be conflicts. If there is a conflict, an immediate prompt appears right in the system. With this process, the time it took to allocate a role-based ID was reduced from three or four days to a few hours.”
— Raghubir Singh, Head of IT, Relaxo Footwears Limited
Singh and his team realized they needed to establish a defined set of rules to help them become more efficient at managing user access and help end users understand where too much access could result in unacceptable operational and financial reporting risks. The absence of a clear ruleset for why some combinations of roles were inappropriate was leaving many stakeholders confused and dissatisfied with how access provisioning decisions were being made. The IT and business sides had trouble coming to a consensus regarding access needs, and there was confusion as to why certain users needed less access than they had. “We knew we needed better definitions for what would constitute a role or authorization conflict,” Singh says. “A clearly articulated rule matrix would allow us to communicate those conflicts in a way that all stakeholders would understand so that everyone could be on the same page.”
If the Shoe Fits
Having investigated the different aspects of SAP user management, Relaxo decided it was time to move forward with an integrated solution to monitor licensing, streamline provisioning for its SAP environment, and mitigate SoD conflicts. Relaxo’s aim was to produce the same sense of delight for its employees through its SAP environment as the company has done for its customers through its products.
When Relaxo began exploring solutions, there were several requirements that were of prime importance. For example, the solution not only needed to identify potential compliance risks associated with SAP access and role definitions, but it also needed to enable real-time remediation of those risks. Another requirement included tight integration between automated user provisioning and SoD checks so that — at each step of the request and provisioning process — everyone would immediately know if there was a material risk associated with the request, what additional approvals might be required, and what mitigations should be assigned if the request were ultimately approved. This would reduce audit complexity while also significantly diminishing manual interventions. Relaxo also understood the value of a modular solution that seamlessly integrated with its SAP system, and so it required the target solution to have an architecture that supported easy deployment and allowed the Relaxo team control over when to go live with each set of user management capabilities.
After an extensive vendor evaluation phase, where Relaxo reviewed in detail several different solutions, the business selected Security Weaver and opted to implement License Management, Separations Enforcer, and Secure Provisioning. (Refer to the sidebar at the end of the article for more information on Security Weaver’s solution suite.)
Taking Steps to Delight Users
The company was gratified to discover that, like Relaxo’s footwear, Security Weaver’s modules could be mapped to the “ABCD” model of affordable, beautiful, comfortable, and durable products.
Affordable: The application suite’s fast implementation and competitive acquisition costs made it very affordable. Singh says that Relaxo implemented Security Weaver on a shoestring budget. According to Singh, one of the main reasons his team chose the solution suite was the cost savings that resulted from its modular delivery and rapid installation. Basic installation and initial configuration took roughly one or two business days per application. Within two business weeks, the company was up and running with all three applications. Singh estimates that within 90 days the company had already achieved a 25% return on investment (ROI) in the Security Weaver applications.
Beautiful: The applications were also beautiful in their design, familiar in their user interface, and offered robust reports. “Security Weaver offers an amazing number of reports,” says Singh. “I have yet to find a report that I want but they don’t offer.” A beautiful design means that all the parts work together and make a complete whole. Relaxo integrated the Security Weaver applications into its existing SAP system seamlessly.
Comfortable: Because of the familiar user interface, the solution was immediately comfortable, like an old pair of favorite shoes. The Relaxo team could leverage its existing knowledge of ABAP and SAP systems and become productive using Security Weaver products almost immediately.
Durable: And finally, because the suite is an ABAP add-on to Relaxo’s SAP environment, it inherits all the investments Relaxo had already made to its SAP environment for performance, security, availability, and business continuity. Security Weaver’s ABAP architecture offers an assuring sense of durability for companies running SAP software.

Giving Manual Processes the Boot
The three user management processes Relaxo addressed were user licensing and reconciliation, access risk assessment and mitigation, and user provisioning. While there was a positive ROI early and for each Security Weaver application, cumulatively the return was significant. The project team estimates that it saved over 40% beyond what was invested, and the ROI would be even more significant when it included audit costs, avoided license purchases, and avoided compliance penalties.
Because of the urgent need to control licenses, Relaxo rolled out the License Management application first. It was quick, easy, and provided immediate benefits. The configuration of License Management entailed little more than entering how many SAP licenses the company had for each category. “That’s a one-time effort,” Singh says. “Once the upper limit has been defined in the system for each category, then every time we create or request licensing for a new user, the system automatically clears it.”
Singh says the application also returned an unexpected benefit by providing a baseline that enabled Relaxo to investigate how many Full Professional licenses were actively being used. When License Management detected that the company had reached its limit of Full Professional licenses, it automatically triggered an alert that allowed the team to revoke all licenses assigned to users who had not been active in the past six months. “Revoking the authorization of those inactive users allowed us to maintain license compliance and was a significant cost savings,” he says.
To find and remediate SoD violations, Relaxo implemented Separations Enforcer next. Using Separations Enforcer, Relaxo was also able to reduce the time and complexity involved in role design and role provisioning, yielding further savings for the company and reducing the work and complexity required of IT administrators to support end users.
Singh recognizes that Security Weaver has allowed Relaxo to improve operations without becoming rigid. “Certain conflicts will exist that are acceptable to the organization,” says Singh. “But now, whatever risks we have, instead of hiding in the darkness, they are known. We are not blind, but can take calculated risks. This awareness allows us to streamline operations without worrying about IT security becoming overly rigid.”
The third application that was rolled out, Secure Provisioning, automated the provisioning of new users in the SAP system and the provisioning of new authorizations to existing users. Coupled with Separations Enforcer, this application provided Relaxo with an automated workflow that was scalable and offered real-time analysis of SoD conflicts and sensitive access.
Previously, the approval process for access requests involved a cumbersome back-and-forth email-based process that was dependent on manual checks to find potential SoD violations. Now, when a user initiates an access request, the function-based rule matrix provided by Security Weaver enables the company to automatically alert the appropriate stakeholders to any potential violations. This analysis allows requestors, approvers, and auditors to see at a glance the implications of each user access request, and enables them to make an immediate, informed decision.
The integrated deployment of the Separations Enforcer and Secure Provisioning applications has enabled Relaxo to simplify onboarding and to focus time and attention only on exceptions. Relaxo was also able to provide its users with an easy-to-use self-service model that didn’t jeopardize security. The result: fewer escalations, fewer time-consuming status requests, fewer interruptions, and greatly increased end-user satisfaction.
“Now, the system automatically determines whether there will be conflicts,” says Singh. “If there is a conflict, an immediate prompt appears right in the system. With this process, the time it took to allocate a role-based ID was reduced from three or four days to a few hours.”
The World at Their Feet
The transition for Relaxo has been comfortable and seamless. The company is still finalizing transaction metrics for what constitutes acceptable risk and ironing out exceptions, such as allowing store managers to create purchase orders only for certain items or parts, but in large measure, it has accomplished its goals and more. Perhaps equal to the hard ROI of improved user management is the ability of IT, business, procurement, and audit functions to communicate better with each other.
According to Singh, because IT and the business can now arrive at a consensus, have shared definitions of risks, and are able to apply a single ruleset for assessing risks and exceptions, the company’s confidence about its ability to manage risk has increased tenfold. “Overall, with the Security Weaver applications, we have eliminated what were impossible tasks as we tried to manually identify and mitigate conflicts,” he says. “From the license optimization, compliance, segregation, and automation points of view, we achieved what we set out to do — and then some.”