SAP Security – Back to Basics
SAP Security. How far should we take it? Should we go back to basics and explore revisiting the tools already available in the SAP NetWeaver environment?
In a previous Thinking Out Loud article, “The Art of SAP Security”, we reviewed some of the products available to manage your governance, risk and compliance reporting and management. Having since spoken to a number of customers about this, the consensus is “the tools look great, but how can I justify them in my environment?” Perhaps there is a cut-off point: maybe it's the number of users, legislative compliance requirements such as Sarbanes-Oxley, or simply budget limits.
Let’s consider access control: you need to identify users with excessive system access and users with segregation of duties violations. As far as possible you want to remove these violations and reduce the risk of fraud and improper use of your system processes and data. Where it’s not possible to remove the conflict, due to staffing issues for example, you need to know who has the access and ensure proper internal controls are in place to reduce the risk. Auditors will require this information, and you can save time during audits if you have the data readily available and internal controls documented. In standard SAP we have a reporting tool available, SUIM, with a number of reporting options, including identifying and reporting segregation of duties conflicts. The reports can be scheduled and sent directly to risk managers, internal auditors, process owners and so on.
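To make the analysis concrete, the following is an added example (not code from the original article or from SAP) of the check SUIM-style reporting performs: resolve each user's transactions through their roles, test them against a segregation-of-duties rule set, flag critical administrative transactions, and separate conflicts that have a documented mitigating control from those still open. The role, user, transaction-code and control identifiers are constructed sample data shaped like role-to-user and role-to-transaction exports; they are not taken from any real system.

```python
"""Segregation-of-duties and critical-access review over role/transaction data.

Added example, not from the original article. All users, roles, rule ids and
control references below are constructed for illustration.
"""

# Constructed: which transaction codes each role grants (shaped like a
# role-to-transaction export).
ROLE_TCODES = {
    "Z_AP_VENDOR_MASTER": {"XK01", "XK02"},      # create / change vendor
    "Z_AP_INVOICE": {"FB60", "MIRO"},            # post vendor invoices
    "Z_AP_PAYMENT": {"F110"},                    # automatic payment run
    "Z_PUR_ORDER": {"ME21N"},                    # create purchase order
    "Z_MM_GOODS_RECEIPT": {"MIGO"},              # goods receipt
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SE16", "SM59"},
}

# Constructed: which roles each user holds (shaped like a role-to-user export).
USER_ROLES = {
    "AP_CLERK1": {"Z_AP_INVOICE"},
    "AP_SUPER": {"Z_AP_VENDOR_MASTER", "Z_AP_INVOICE", "Z_AP_PAYMENT"},
    "BUYER1": {"Z_PUR_ORDER"},
    "WAREHOUSE1": {"Z_MM_GOODS_RECEIPT"},
    "SUPPORT1": {"Z_PUR_ORDER", "Z_MM_GOODS_RECEIPT", "Z_AP_INVOICE"},
    "BASIS1": {"Z_BASIS_ADMIN"},
}

# Business functions expressed as the transactions that perform them.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payments": {"F110"},
    "create_po": {"ME21N"},
    "goods_receipt": {"MIGO"},
}

# SoD rules: (rule id, function A, function B, risk if one person holds both).
SOD_RULES = [
    ("SOD-01", "maintain_vendor", "post_vendor_invoice", "fictitious vendor invoicing"),
    ("SOD-02", "post_vendor_invoice", "run_payments", "payment of self-posted invoices"),
    ("SOD-03", "create_po", "goods_receipt", "fictitious purchasing"),
]

# Administrative transactions to review on any account that holds them.
CRITICAL_TCODES = {"SU01", "PFCG", "SE16", "SM59"}

# Conflicts accepted with a documented mitigating control (constructed).
MITIGATIONS = {
    ("SUPPORT1", "SOD-03"): "CTRL-17 monthly PO/goods-receipt review by purchasing manager",
}


def user_tcodes(user):
    """All transactions a user can reach through any of their roles."""
    tcodes = set()
    for role in USER_ROLES.get(user, ()):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def roles_granting(user, tcode):
    """Roles that give the user a given transaction (tells you what to remove)."""
    return sorted(r for r in USER_ROLES.get(user, ())
                  if tcode in ROLE_TCODES.get(r, set()))


def sod_violations(user):
    """Rule ids violated by a user, with the transactions on each side."""
    tcodes = user_tcodes(user)
    findings = []
    for rule_id, fa, fb, risk in SOD_RULES:
        side_a = FUNCTIONS[fa] & tcodes
        side_b = FUNCTIONS[fb] & tcodes
        if side_a and side_b:          # both halves of the conflict are held
            findings.append({
                "rule": rule_id, "risk": risk,
                "a": sorted(side_a), "b": sorted(side_b),
                "mitigation": MITIGATIONS.get((user, rule_id)),
            })
    return findings


def critical_access(user):
    """Critical administrative transactions held by the user."""
    return sorted(user_tcodes(user) & CRITICAL_TCODES)


def open_violations():
    """(user, rule) pairs that are neither removed nor mitigated."""
    return sorted((u, f["rule"]) for u in USER_ROLES
                  for f in sod_violations(u) if f["mitigation"] is None)


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        for f in sod_violations(user):
            status = "MITIGATED: " + f["mitigation"] if f["mitigation"] else "OPEN"
            print(f"{user}: {f['rule']} ({f['risk']}) {f['a']} vs {f['b']} -> {status}")
        if critical_access(user):
            print(f"{user}: critical transactions {critical_access(user)}")
```

The output is the list an internal auditor asks for: each conflict names the rule, the transactions on both sides, and whether a control covers it, and `roles_granting` tells the role owner which assignment to remove when the conflict can be eliminated rather than mitigated.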
Access control also includes user and role provisioning. User master records and authorisation roles give access to the SAP systems, and good governance is required to ensure that only current, active employees and contractors have access to them. On-boarding and termination procedures involve a number of steps across several departments, and the processes may be manual and driven by emails. We can address most of these issues using standard SAP functionality, and one of the best ways is to implement SAP best practice position-based security. This requires maintenance of the HR-ORG structure, and can be implemented without the need for a full-blown HR implementation. You will need to use the structure to identify organisations, positions and jobs, and then relate these objects to authorisation roles designed around business processes.
Making use of the HR-ORG structure and ensuring personnel are correctly assigned will keep user access up to date. If you have a number of SAP instances, such as CRM, SRM and Enterprise Portal, then introduce central user administration to simplify role provisioning across all these systems. Used together, position-based security, composite roles and central user administration will reduce your maintenance overheads and simplify access provisioning.
One of the enduring issues we come across in organisations is the excessive access required by systems administrators, support staff and super users, and the risks involved. No denying it, this is a tough one and not an issue that can be completely resolved. However, there are steps that can be taken to substantially reduce the risk. Basis administrators require powerful transactions in order to perform their daily system checks. They have access to system settings, quite often user maintenance, and the database. But they don’t actually need to log on to the individual systems to perform their daily checks. Implementing systems monitoring using Solution Manager will reduce the need to log on to individual systems and, as a by-product, improve efficiency and reduce costs. There will be times when the basis administrator logs on to the systems; however, these can be substantially reduced and mitigating controls put in place to trace the actions performed.
Support staff and super users can pose a different set of problems! First of all you need to analyse what actions are being performed and how frequently. Quite often support staff are responsible for running critical functional transactions such as month-end processing. This may be a legacy of the implementation and due to insufficient training in the business department. These functions should be moved back to the business and removed from support staff, except for genuine support reasons. Super users are business users with excessive system access, often with segregation of duties violations built into their user profile. Again, their excessive access may be due to a lack of training and inappropriate allocation of tasks in their respective departments. A review is required to identify the business processes, retrain staff if appropriate and instigate segregation of duties where possible.
Even after all these improvements are implemented, there are times when issues arise in your production system that require intervention. There are a number of ways to address this: you can assign support staff additional access for a limited time and trace their actions while they have it; you can create “emergency” user IDs and release these for support as required, maintaining a record of who used them; or you can completely separate the support function from day-to-day business processing. In all these cases, reducing the number of times additional access is required will reduce the risk of something going wrong.
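Whichever of the three options you choose, the control only works if someone reconciles the record of who used the emergency access against what was approved. The following added example (not code from the original article or from any SAP product) does that reconciliation over constructed data: a list of approved emergency-ID releases with their validity windows, and a list of logon sessions for those IDs. Sessions with no approval at all, or falling outside the approved window, are reported for follow-up. The emergency ID names, ticket numbers and timestamps are invented for illustration.

```python
"""Reconcile emergency-ID usage against approved releases.

Added example, not from the original article. All identifiers, tickets and
timestamps are constructed.
"""
from datetime import datetime

# Constructed: each release of an emergency ID, who asked for it, the ticket
# that justifies it, and the window during which use was approved.
APPROVALS = [
    {"ffid": "FF_FI_01", "requester": "SUPPORT1", "ticket": "INC-1001",
     "valid_from": datetime(2024, 3, 4, 8, 0), "valid_to": datetime(2024, 3, 4, 12, 0)},
    {"ffid": "FF_MM_01", "requester": "SUPPORT2", "ticket": "INC-1002",
     "valid_from": datetime(2024, 3, 5, 9, 0), "valid_to": datetime(2024, 3, 5, 11, 0)},
]

# Constructed: logon sessions observed for the emergency IDs, shaped like
# records taken from the system's logon audit.
SESSIONS = [
    {"ffid": "FF_FI_01", "logon": datetime(2024, 3, 4, 8, 30),
     "logoff": datetime(2024, 3, 4, 9, 15), "tx_count": 14},
    {"ffid": "FF_FI_01", "logon": datetime(2024, 3, 4, 14, 0),   # after the window
     "logoff": datetime(2024, 3, 4, 14, 40), "tx_count": 3},
    {"ffid": "FF_MM_01", "logon": datetime(2024, 3, 5, 9, 10),
     "logoff": datetime(2024, 3, 5, 10, 0), "tx_count": 7},
    {"ffid": "FF_SD_01", "logon": datetime(2024, 3, 6, 10, 0),   # never released
     "logoff": datetime(2024, 3, 6, 10, 20), "tx_count": 2},
]


def matching_approval(session, approvals=APPROVALS):
    """Return the approval that fully covers the session, or None."""
    for a in approvals:
        if (a["ffid"] == session["ffid"]
                and a["valid_from"] <= session["logon"]
                and session["logoff"] <= a["valid_to"]):
            return a
    return None


def reconcile(sessions=SESSIONS, approvals=APPROVALS):
    """List (emergency id, logon time, reason) for every unexplained session."""
    findings = []
    for s in sessions:
        if matching_approval(s, approvals) is not None:
            continue
        released_ever = any(a["ffid"] == s["ffid"] for a in approvals)
        reason = "outside approved window" if released_ever else "no approval record"
        findings.append((s["ffid"], s["logon"].isoformat(), reason))
    return findings


def usage_by_ticket(sessions=SESSIONS, approvals=APPROVALS):
    """Ticket -> number of transactions run under its approved sessions."""
    totals = {}
    for s in sessions:
        a = matching_approval(s, approvals)
        if a is not None:
            totals[a["ticket"]] = totals.get(a["ticket"], 0) + s["tx_count"]
    return totals


if __name__ == "__main__":
    for ffid, when, reason in reconcile():
        print(f"FOLLOW UP: {ffid} logged on at {when}: {reason}")
    for ticket, count in sorted(usage_by_ticket().items()):
        print(f"{ticket}: {count} transactions under approved emergency access")
```

Running this as a scheduled job, with the output going to the same risk managers and internal auditors who receive the SUIM reports, turns the emergency-ID record from a log nobody reads into a control with an owner.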
All the options highlighted here will help you to identify risk, improve access control and reduce the need for super user system access. They rely on analysis and improvement of business processes with a view to ensuring segregation of duties. They rely on input from the management team to ensure reports are reviewed, HR is kept up to date with personnel movements and excessive access is removed from staff. In contrast, the SAP BusinessObjects GRC tools include workflows and automation, but ultimately still require management input to be truly effective. In both scenarios, the management of governance, risk and compliance requires commitment to succeed from the very top level of the organisation.
If you would like Oxygen to evaluate your security solution and identify whether any of the options discussed here can help you to manage your governance, risk management and compliance, email Julie Hodgson.
SAP Security – Back to Basics by Julie Hodgson, Oxygen Business Solutions