Speed up development of framework and application authorization concepts for SAP ERP and S/4HANA

| securityblog

SAST Blog: Speed Up Development of Framework and Application Authorization Concepts for SAP ERP and S/4HANACompanies that use SAP are required to describe controls and procedures in documents that reflect the current status of the system and the general compliance guidelines. The concepts for framework and application authorizations are essential elements of this documentation, for both internal requirements and annual reviews by external auditors. Good documentation templates can help get you where you need to go much more quickly.

 

The framework authorization concept describes the general controls for user and authorization management that are valid throughout the system, and can be thought of as a kind of legal system. Without laws, there are no defined rules that have to be followed. The result would be virtual anarchy.

To avoid this situation in your system landscape, you define the “legal system for user and authorization management” in the framework authorization concept.

Examples of crucial content in the framework authorization concept:

  • Description of the system and role architecture
  • Naming conventions for single and composite roles, user master records, and user groups for front-end and back-end systems
  • Responsibilities in user and authorization management
  • Description of persons responsible for data and roles
  • Dual-control principle in user and authorization management
  • Transport routes and testing procedures
  • Handling of critical authorizations and cross-functional roles
  • Monitoring process for SoD (separation-of-duties) risks and critical authorizations
  • System parameters for login and password protection (LOGIN / AUTH)
  • Handling of SAP standard users (such as SAP*, DDIC, EARLYWATCH, WF-BATCH, and so on)
  • Emergency user procedures
  • Approval procedures in the user and role request process

The same applies to the individual application areas. If you use SAP applications for your financial accounting and controlling (FI/CO), you have to follow specific compliance requirements. If there is no documentation, there can be no defined rules, and thus no specifications for proper authorization assignment. The inevitable consequences: proliferation of assigned authorizations and loss of control.

Particularly in financial accounting and controlling, authorizations should be assigned extremely restrictively, on a need-to-know basis. If they are not, you run the risk of manipulation in your internal reporting, which can ultimately lead to falsified balance sheets and profit and loss statements or even embezzlement, with the corresponding financial damage to your company. These are only a few examples of potential negative scenarios.

Good documentation helps you here, as well, since access controls are described precisely, enabling effective control of authorization assignment.

Important concepts and foundations of FI/CO application authorization concepts

  • Description of the processes used in FI/CO
  • Listing the relevant organizational levels, such as company codes and controlling areas, with descriptions
  • Listing of cost centers, internal orders, or profit centers
  • Workplace definitions (business roles)
  • Listing of composite roles, single roles, and special roles (role catalog)
  • Description of persons responsible for data, roles, and personnel
  • Authorization groups for tables and custom developments
  • Handling of specific critical functions (such as open/close posting period, current settings, and master data maintenance)
  • Technical users in FI/CO
  • Handling SoD risks
  • Process controls
  • Monitoring and control process for adherence to compliance standards

The creation of documents that satisfy your requirements and those of external auditors generally takes a great deal of time. The SAST documentation templates, which come prepopulated with many useful recommendations, can get you where you need to go much more quickly. In most cases, you can cut the time required by 80-90 percent compared to not using documentation templates, enabling you to dedicate your valuable time to other value-adding activities.

Benefit from the templates in our tried and tested framework authorization concept, as well as the application authorization concepts for SAP Controlling, SAP Finance, and SAP FI Asset Management for your financial accounting solutions.

We also offer the following concepts:

  • Application authorization concept for Sales & Distribution (SAP SD)
  • Application authorization concept for Materials Management (SAP MM)
  • Application authorization concept for Human Capital Management (SAP HCM)
  • Application authorization concept for Plant Management (SAP PM)
  • Application authorization concept for Production Planning and Control (SAP PP)
  • Application authorization concept for Project Systems (SAP PS)

These extensive documents, which are available completely in English, help you to document your current system state, so you always have the possibility of comparing the defined rules with the current state and then adjusting your system as needed.

Find out more on our SAST SOLUTIONS website and, if we’ve piqued your interest, send us an e-mail. The SAST Team will be happy to advise you.

Steffen Maltig (SAST SOLUTIONS)
Steffen Maltig (Head of SAP Consulting, SAST SOLUTIONS)

 

That might also interest you:

How to define the right defaults for a framework authorization structure of your SAP HANA database

SAP S/4HANA authorizations – it’s your choice: brownfield or greenfield