Hardening measures for the handling of SAP standard users are an integral part of the SAP security and audit guides. Doesn’t everyone already know that? Only at first glance. Consulting practice has shown that the implementation of these protective measures is a regular, major challenge for businesses of all types and sizes.
A survey was conducted during an ITOK expert talk on the greatest challenges for SAP security in March. It revealed that over half the participants see such challenges in the area of roles and authorizations. The integration of the authorization concept represents one of the core activities during SAP S/4HANA implementation and is a frequent reason for the failure of such projects as a whole. But how can you handle conflicts like resource bottlenecks, shifting priorities for subprojects, changes to tasks, and testing?
The SAP Fiori user interface is gaining in importance in current SAP S/4HANA projects. SAP applications become experiences, usability is enhanced, and the use of apps enables device-independent access – anytime and anywhere. Spaces and pages, the new way of visualizing apps in SAP Fiori Launchpad, deliver several key benefits. But how can you activate spaces and pages and what effects does this new approach have on authorization roles?
More and more companies are electing to use Fiori apps to call specific transactions in addition to the SAP GUI. This requires configuration of specific authorizations, however, which are composed of catalogs and groups. But how can you reduce the multitude of standard SAP Fiori catalogs and groups that are provided and adapt them to your own scenarios?
In the standard SAP system, there are many authorization fields that are not declared as organizational levels, but instead characterized by special values. But the more authorization fields without organizational levels that contain organization-specific values like location or country, the larger the proportion of special roles grows.
However, to achieve the greatest possible transparency in role administration and avoid unnecessary authorizations – not least with system security in mind – the creation of additional special roles should be avoided wherever possible.
The authorization structures at many companies have grown organically. Over the course of time, users have often been granted wider authorization privileges than they actually need for their everyday work. As a result, data availability and integrity, as well as system availability, can be critically endangered. Authorization managers see an increasing need for action to minimize the risk of SAP security incidents. After all, many more IT incidents still remain unreported compared to published cases.
Seize the opportunity to take your SAP S/4HANA migration to a new level with a cleanly designed, holistically planned security and compliance strategy. After all, having structured plans from the start will reduce the workload in the long term. That’s why you should ultimately see this challenge as an opportunity as well: to improve the security of your SAP systems, streamline your role concepts, and enable use of the new system with all its benefits.
Technical SAP users that have extensive authorizations like SAP_ALL pose a heightened security risk. Vulnerabilities can endanger interfaces and paralyze processes. As such, external auditors are intensifying their focus on authorization management. One of our customers – a company in the energy sector – recently faced the challenge of having to restrict the authorizations of its technical users (batch processing/RFC interfaces).
One of our long-standing customers, the largest forklift manufacturer in Europe, uses the SAST SUITE for its SAP authorization management alongside a variety of IT services from akquinet AG. As part of a compliance project, the SAST Consulting team was commissioned to redesign and re-engineer all SAP authorizations for nearly 900 users in Germany. In this guest commentary from Sascha Heckmann, together with external SAP consultant Bernhard Radermacher, he tells how the “Ticket Monitor” a custom-developed add-on for the tried and tested SAST Safe Go-Live Management helped the project become a full success.
A municipal utility company recently implemented a new authorization concept to optimize maintenance, transparency, and user access. The implementation process included an assessment of whether all the existing user master records were really necessary. A major project like implementing a new authorization concept often pays for itself when inactive user master records are classified and restricted, reducing license fees as a result.