When scoping out large-scale SAP implementations, organizations across industries and geographies have increasingly added Organizational Change Management (OCM) components to their projects.

OCM ensures everybody gets adequately trained, stakeholders are engaged, business readiness is addressed, and a strong communication plan is implemented, right?


Training, Communications, and Change Enablement are the three pillars OCM practitioners employ on any project.

But how often do you consider the successful provisioning of SAP security roles as an activity requiring heavy OCM involvement?

Support Ticket Nightmare

Picture this: After a years-long journey, your SAP project is finally ready to go live. UAT testing passed with flying colors, you’ve checked off all the business requirements, and you’ve secured a “Go” decision from leadership. Cutover goes smoothly, and launch day finally arrives.

Then you start to notice negative chatter from the business. Suddenly, you’re swamped with hypercare tickets:

“I can’t login! Now that I think about it, I never received any initial login information.”

“I was able to create a purchase order during training, but I don’t see the tile in my Fiori launchpad.”

“My Direct report says they have an Approval tile on their launchpad. They shouldn’t be able to approve invoices!”

These questions are not symptoms of a poorly built system but rather of poorly managed Role-to-Position Mapping. The frustrations of many end users now cloud the success of your implementation.

One of the first questions you should ask is: how involved was our OCM team in mapping Security Roles to end users?

Role to Position Mapping

Though often overlooked, Security Role-to-Position Mapping (R2PM) can make or break the success of an entire project. It’s one of the most important activity that OCM engages in during SAP implementations.

There are four foundational reasons why OCM should participate in and drive the R2PM process. Employing OCM-driven Role Mapping ensures that end users:

1) Receive the Correct Access

On Day 1 of Go Live, the last thing you want is a large swath of end users who received incorrect access or were entirely missed during provisioning.

It may be tempting to blanket provision access to members of your organization who have the same or similar job titles. However, in OCM we know that a person’s role title in Workday doesn’t always neatly match their actual day-to-day work.

Susan Smith may be a logistics associate who backs up the team lead when they are out of the office. John in accounting started in BP&A and has since moved into inventory accounting and happened to carry some responsibilities from his previous role with him.

Without OCM involvement, these nuances are likely to be missed. You could have users like Susan or John receiving either too much or not enough access when the project goes live.

2) Are Enrolled in the Correct Training Course

Also critical to the success of your project is making sure your end users attend proper training. Nobody wants to hear that a bunch of people showed up for a class only to find out that it had nothing to do with their day-to-day work.

To avoid this, most SAP implementations employ role-based training that leverages role mapping as an input to understand what courses are relevant for each end user based upon their mapped security role.

That’s why accurate and timely role mapping is vital for training enrollment.

3) Comply with Segregation of Duty Requirements

OCM-driven role mapping is also an essential avenue for early identification of Segregation of Duty (SOD) compliance issues.

SOD conflicts occur when a particular end user has so much access within the SAP environment that fraudulent activity may be committed. You want to minimize these conflicts as much as possible or you leave your organization open to unnecessary risks.

You don’t want to find out two years after go-live that Mary in accounting was provisioned so much access in SAP that she set up fake vendors, created phony purchase orders & invoices, and illegally siphoned money from the organization.

Early identification of these conflicts is vital for facilitating the required conversation between Business and Security on solutions to any potential SOD conflicts.

4) Feel supported and informed throughout the R2PM process

Lastly, a large part of the role of OCM in the role-mapping process is as the liaison between Security and Business.

Security and Business speak in different languages, and OCM often operates as the “translator” between these two groups. We help avoid unnecessary frustration by relating what your business team members are saying to what Security is proposing as a solution.

This helps everyone feel heard and minimizes frustration.

OCM to the Rescue

So, how can OCM accomplish the above four objectives?

1. Direct engagement
Leverage OCM to meet and work with the managers of impacted teams via role-mapping workshops.

Engaging these managers directly goes straight to the source to uncover the hidden nuances surrounding their team members’ day-to-day work. These workshops will also give you an excellent opportunity to expose front-line managers to the benefits and changes coming to them because of your project.

2. Cross-functional Partnerships
Role mapping workshops should involve a presentation of material by Security, OCM, and representatives from the project team initially involved in Security during role design & discovery.

The content ideally covers the basics of SAP security, why role mapping is essential, and an overview of the security roles in scope for the participating managers.

Providing this information will equip managers to conduct role mapping independently or live during the workshop.

You’ll be confident that managers understand how their access will work in SAP and that they can accurately map their teams.

Setting the Stage for Success

Accomplishing these four objectives via direct manager engagement will allow you to establish buy-in from project leadership and form a strong partnership with Security, allowing you to develop a highly successful role mapping program.

Instead of dealing with an avalanche of access-related hypercare tickets, business end users will immediately experience the benefits of the solution you spent years designing and building.

Logging in will be seamless, all the capabilities highlighted in training will be there, and your focus can remain on celebrating the successful launch of your company’s SAP instance!