What are the main questions before starting a revising project of the authorizations in SAP?
1. What do we have to do?
Surely one of the most relevant aspects is how much time can it take and especially how much of this time is charged to the client.
It is essential to emphasize that the client must establish “who does what”. The support of the system integrator must be in describing how the concept of authorization will be designed.
There are basically two starting points:
- A blank sheet
- Ready-made patterns and template
Clearly the first option is the simplest.
But it involves a very high effort of all parties. If you’ve already tried to tackle the issue, you know what I’m talking about.
Usually, we divide the project into pre-defined phases. Real gates: subsequent Gates cannot be opened if previous Gates are not completed.
This methodology allows to have a precise path that will be the starting point for who has to face an authorization review, by attaching the reference template. .
Interviews and projects of months to understand who does what? Just forget it! Don't waste your time! It’s a method that doesn’t work.
At best, you’ll understand what your users do at 30%. Not even having all the additional authorizations to carry out the segregations.
2. How do we ensure business continuity?
SAP authorizations shouldn't obstruct the business.
Ensuring business continuity or limiting it as little as possible is an important aspect when switching to new ratings.
It's not easy to be sure you haven’t forgotten anything.
For this reason we use an ad hoc software, called Security Analyzer, which has a specific function of “Coverage”.
Is able to establish, directly at the analysis stage (without having built anything into the system) what a user:
- would loose “MISSING”
- would have more “EXTRA”
- would continue to have “COVERED”.
3. How could we ensure the Segregation Of Duties?
It is fundamental, during SAP rating review, to ensure that roles and users are free from conflicts of interest. This according to the matrix of incompatibilities defined by the client or the group (Segregation Of Duties Matrix).
How can we do that without having done anything in the system?
Even in this case we thought that the only way was to equip ourselves with a specific tool. The software Security Analyzer is able to carry out risk analysis on roles and users, not yet defined by system, to simulate the impacts of Segregation Of Duties.
It’s easier to fix it sooner than to do it when everything is already defined.
Please note also that the software SAP GRC Access Control, wouldn’t be able to do this activityn at the moment.
4. How would be the release in Production?
Even if you have sophisticated and precise tools it is always useful to proceed cautiously. Especially towards the business.
You can decide the ideal time to make the transition.
Advising the business naturally and deciding together the resources to migrate.
Consider also important moments in society es canvas, year-end or other...
Big bang approaches should therefore be avoided if possible.
5. Does SAP security end with roles?
SAP security certainly has an important part to play in the security of roles and authorizations.
However, we cannot consider exhaustive to deal only with this aspect.
What other factors should be taken into account?
- Guidelines and documentation
- Raising awareness through ad hoc campaigns (security awareness)
- Periodic checks of the system in order to verify compliance with defined guidelines
- The security of the developed code
It’s not always a good idea perform everything at once. Remember to make an adjustment plan that includes at least the above points.
But if you are implementing SAP today? Set immediately at least the above!
Blog post originally translated from: https://www.aglea.com/blog/le-5-domande-ricorrenti-nei-progetti-di-review-autorizzativa