Authorizations in the SAP system - BPX

Introduction

Security in real world can mean a freedom from some potential form of harm or e.g. a protection from some hostile intentions or actions. In virtual world security can be described very close to the same definition of physical security, but with small addition, sometimes in virtual world not only intentional, but sometimes unintentional actions can provide whole system to a dawn of its existence. Security in SAP is not an exception of virtual security world, it’s goals can be defined as following: protect SAP systems from the users and protect users from themselves by providing them a minimum required access level to operate properly.

From the article you will learn:

  • What is SAP Security?
  • What is an SAP security analyst responsible for?
  • Why is it so important to ensure SAP security?

SAP Security is a part of a BASIS component of SAP, the people who work in this area are usually BASIS consultants or sometimes (in bigger companies) a separate SAP Security Operations team members. SAP security is often regulated by public government acts such as e.g. Sarbanes-Oxley Act(SOX) due to sensitive nature of work with finance and other areas on SAP systems.

What is an SAP security analyst responsible for?

In general, functions of security analyst can be listed as follows:

  1. Creation and maintenance of user accounts – assignment of personal data to account, validity date and roles
  2. Creation and maintenance of SAP roles – ensuring the minimum required access is assigned to the role
  3. Ensuring Segregation of Duties principle is fulfilled
  4. Ensuring alignment of SAP security with government acts and rules
  5. General support of users with security related issues
  6. Ensuring confidentiality and certainty of data on systems

Why security is important?

In small SAP systems we usually don’t bother ourselves with security topics, due to scale of system and consequences of security risks which might appear in future – e.g. only one company code is maintained by a small number of specialists in single SAP system.

Everything changes when we don’t want to allow access to the data by certain side due to some reasons – e.g. person should not have access to the operations on data (finance data should not be maintained by the logistics specialist), data of one company code should not be viewed or edited by the person from another company code.

This is where security starts to gain its power.

Security itself or members of security and basis teams, in case of huge companies, can either prevent or allow users to do certain actions on system – this can be achieved by doing user’s account management on SAP systems and creating or maintaining so called roles, which can grant different access level to user on systems. Very common division of access level can be described as follows:

  • Low sensitivity access level – display mode in transaction, usually harmless access, which is granted to view restricted set of data.
  • Medium-High sensitivity access level – editing data in transactions, can be granted to user in his area of specialty, thoughtless actions with such access level can provide to serious business damage.
  • Critical access level – can be granted with special approval to users, who do some required production system configuration (e.g. when project goes live on production system), thoughtless actions with such access level can cause severe damage to whole SAP system.

In smaller SAP systems security team usually operates directly on user accounts through such transactions as SU01 or PFCG, thus on bigger systems operations are usually done using security operations support tools – mainly to decrease human-made error probability. The most notable of them is GRC (Governance, Risk, Compliance) tool externally integrated to SAP. GRC tool allows calculation of so called SoD risks – a problem of assigning too much access by providing users conflicting roles, also it helps to centralize operations related to security and make them easier.

How we do it

BPX consultants have tremendous experience in security field, which led to a successful completion of a number of huge projects in our history done for one of the largest food companies in the world and other Partners, who trusted us.

  • Europe, 2014 – more than 1500 roles created and more than 900 users supported with access, successful go-live in 2014.
  • USA, 2017 – full support of business and IT teams from the beginning to the end of the project, successful go-live in 2017.
  • Ukraine, 2020 – successful expertise help from BPX side to Ukrainian business, full support with communication between local business and template team and business process owners, more than 100 of new transactions added to existing roles, successful go-live in 2020 which was performed fully remote due to pandemic.
  • USA, 2020 – continuous support of business users in terms of access and roles, more than 700 tickets successfully done.
  • Ad-hoc security support on projects.

Right now, cybersecurity is more important than ever. With the right strategies, you can protect your company’s networks from potential threats. And we are only getting better at this.

Author:

Dzmitry Korsak – in BPX from 2019, SAP BASIS consultant, SAP Security Functional Expert