Many organisations have put a lot of effort into managing Segregation of Duties (SoD) conflicts in their SAP solutions. This effort is very welcome from a risk management point of view. Unfortunately, other aspects of security have not received the same kind of attention. How well protected is our master data? Is display really display? Are activity values correctly maintained? Is the *-value used in the wrong place? Are organisation restrictions working?
In solutions where, for example, several organisational changes have been implemented over the years, it appears that the checks are not always working as they should. The reasons could be that maintenance has been done inconsistently or without sufficient competence, or simply that mistakes have happened. This increases the risk and vulnerability of the system, as it can be open in areas where we are not monitoring the status.
To avoid these problems, the basics must be in place:
- the authorisation concept is documented and followed
- object values are systematically designed and built
- roles and responsibilities are clear and agreed
- best practices are followed, e.g. SU24
Solid SAP access management governance is the only way to prevent new vulnerabilities from emerging. But how do I do this efficiently? How should I analyse the current situation? Is there an efficient way to address this problem? Where do I start?
Standard SAP systems offer good basic reports and tools to start evaluating the situation. Run basic reports for some of the key security values and you will soon start to see where you are. Unfortunately, this can sometimes be a very long and troublesome road to walk, either because of the high number of values to analyse or simply because it is hard to define what to look for.
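As an added illustration (not the author's platform or code), the sketch below runs the questions raised above over role authorization values exported as CSV in the column layout of table AGR_1251. The sample rows are constructed, and both the "DISPLAY" role-naming convention and the set of organisational fields are assumptions to adapt to your own authorisation concept.

```python
import csv
import io

# Constructed sample rows in AGR_1251 column layout (not real system data).
SAMPLE = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FI_DISPLAY_1000,F_BKPF_BUK,ACTVT,03,
Z_FI_DISPLAY_1000,F_BKPF_BUK,BUKRS,1000,
Z_MM_DISPLAY_ALL,M_BEST_WRK,ACTVT,01,03
Z_MM_DISPLAY_ALL,M_BEST_WRK,WERKS,*,
Z_SD_CLERK_2000,V_VBAK_VKO,ACTVT,*,
Z_SD_CLERK_2000,V_VBAK_VKO,VKORG,2000,
"""

DISPLAY = {"03"}  # ACTVT 03 = display
ORG_FIELDS = {"BUKRS", "WERKS", "VKORG", "EKORG"}  # assumed org fields in scope


def allows_non_display(low, high):
    """True if an ACTVT value or range grants more than display."""
    if "*" in low:
        return True
    if high and high != low:  # a range spans several activities
        return True
    return low not in DISPLAY


def analyse(csv_text, display_marker="DISPLAY"):
    """Return (role, object, finding) for each questionable value.

    display_marker is an assumed naming convention for display-only roles.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        role, obj, field = row["AGR_NAME"], row["OBJECT"], row["FIELD"]
        low, high = row["LOW"].strip(), row["HIGH"].strip()
        if field == "ACTVT":
            if display_marker in role and allows_non_display(low, high):
                findings.append((role, obj, "DISPLAY_NOT_DISPLAY"))
            elif low == "*":
                findings.append((role, obj, "STAR_ACTIVITY"))
        elif field in ORG_FIELDS and low == "*":
            findings.append((role, obj, "ORG_OPEN"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(*finding, sep="\t")
```

A finding is a starting point for review against the documented authorisation concept, not proof of a defect: some roles are intentionally unrestricted on an organisational field.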
We have developed specific solutions and methods to overcome this complexity. Our SAP security analytics platform goes beyond SAP SoD, with predefined queries to analyse detailed system accesses. Kindly contact us for further discussions and demonstrations!
Matti Halonen