SAP Security, The Art
I won’t go into the history of SAP Security; however, I will say it has always been a very important but much maligned part of any SAP project. The horror stories are now few and far between, but most people working with SAP will have heard the story about “The Company” who gave SAP_ALL to all their staff on day one of their go-live in order to do business.
Over the years the SAP landscape, indeed the IT landscape, has changed considerably; the basic premise of SAP security hasn’t. SAP understands that functions and data need to be controlled and protected, and it has continued to provide and improve tools to give the level of security demanded by today’s public and private industries and legislative bodies.
Only a few years ago SAP security consultants had only to concern themselves with the SAP R/3 ERP system. The introduction of Business Intelligence, CRM, SRM, Process Integration (PI), Enterprise Portal etc. has extended the requirement for security across multiple instances and incarnations of SAP. Each of these solutions has its own unique security attributes, and the tools have evolved over the years to match.
The Profile Generator (PFCG) is used to build authorisation roles for all ABAP systems. Access to the Enterprise Portal and Java instances is controlled with the User Management Engine (UME) and Access Control Lists (ACLs). System access over the network has been simplified by the many options available for single sign-on (SSO).
The aim of the security consultant has always been to control access to the SAP systems as securely and simply as possible, without negatively impacting the organisation’s ability to do business. In today’s disparate system landscape, maintaining user profiles on each individual system is not an option. Previously, efficiencies were achieved by introducing Central User Administration (CUA) into the landscape, which enables user profiles for all ABAP systems and clients to be managed from one central system.
CUA integrates well with position-based user access: a “job” role or composite role can be assigned to a position and include the relevant authorisations for ERP, BW, CRM, SRM etc. CUA certainly helps the security staff with ABAP roles and authorisations; unfortunately, it doesn’t address all the issues. Additional functionality, such as distributing the HR-ORG structure, is required to build Business Partners for CRM and SRM.
Using the Enterprise Portal’s flexibility it is possible to link the assignment of UME roles to ABAP roles, thereby removing that really annoying problem of “seeing” a service in the Portal but being unable to process it because of missing authorisations in the backend systems.
The Enterprise Portal and single sign-on have also given users a single point of access to the SAP systems.
Enterprise Service Oriented Architecture (eSOA) highlights the need to view business processes as a complete end-to-end process rather than a set of steps on one or many different systems. This, more than ever, requires an integrated solution for system security, and that includes SAP and non-SAP systems. SAP’s Identity Management bridges the gap and allows access control across your entire IT landscape.
In today’s world of increased legislative compliance mandates it’s not enough to put all these security processes in place. We need to provide the people responsible for the Financial Systems, the CxOs, with evidence that appropriate controls are in place and monitored and that a culture of Risk Management exists. This has led to the next stage in the evolution of SAP Security. We can now monitor roles and user access daily and identify segregation of duties violations immediately, whereas previously we may have relied on auditors to identify such issues.
We know from time to time exceptional system access is required; we can now control and audit that access. We have SAP tools that can provision roles after approval has been granted. SAP’s Business Objects (GRC) provides these tools for non-SAP systems as well as SAP, providing a single solution for all your risk management processes.
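The position-based assignment described earlier (position to composite role to single role) and the daily segregation-of-duties monitoring described here can be illustrated with a small rule check. The following is an added example written for this page; it is not code from the article, from Oxygen or from any SAP product, and every role name, transaction code, position and SoD rule in it is constructed sample data. It resolves a user’s effective transactions through the position hierarchy plus any directly assigned exception roles, maps transactions to business functions, and reports conflicting function pairs; it also shows the preventive variant of the same check, run before an additional role is provisioned.

```python
"""Segregation-of-duties (SoD) check over position-based role assignments.

Added illustration only: the roles, transaction codes, positions, users and
SoD rules below are constructed sample data, not SAP-delivered content.
"""
from dataclasses import dataclass, field

# Constructed single roles and the transactions they grant.
SINGLE_ROLES = {
    "Z_AP_INVOICE": {"FB60", "MIRO"},            # enter vendor invoices
    "Z_AP_PAYMENT": {"F110", "F-53"},            # run / post payments
    "Z_VENDOR_MAINT": {"XK01", "XK02"},          # create / change vendors
    "Z_REPORTING": {"FBL1N", "S_ALR_87012082"},  # display-only reporting
}

# Constructed composite ("job") roles built from single roles.
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": {"Z_AP_INVOICE", "Z_REPORTING"},
    "ZC_AP_SUPERVISOR": {"Z_AP_PAYMENT", "Z_REPORTING"},
    "ZC_MASTER_DATA": {"Z_VENDOR_MAINT", "Z_REPORTING"},
}

# Constructed position -> composite role mapping (the HCM/CUA link in the article).
POSITIONS = {
    "AP Clerk": {"ZC_AP_CLERK"},
    "AP Supervisor": {"ZC_AP_SUPERVISOR"},
    "Master Data Admin": {"ZC_MASTER_DATA"},
}

# Constructed ruleset: a business function is the set of transactions that
# performs it; a rule names two functions one person must not hold together.
FUNCTIONS = {
    "ENTER_INVOICE": {"FB60", "MIRO"},
    "POST_PAYMENT": {"F110", "F-53"},
    "MAINTAIN_VENDOR": {"XK01", "XK02"},
}
SOD_RULES = [
    ("ENTER_INVOICE", "POST_PAYMENT", "High"),
    ("MAINTAIN_VENDOR", "POST_PAYMENT", "High"),
]


@dataclass
class User:
    name: str
    position: str
    # Single roles assigned directly, e.g. approved exception access.
    extra_roles: set = field(default_factory=set)


def effective_transactions(user):
    """Resolve position -> composite roles -> single roles -> transactions,
    then add transactions from directly assigned single roles."""
    tcodes = set()
    for comp in POSITIONS.get(user.position, set()):
        for single in COMPOSITE_ROLES.get(comp, set()):
            tcodes |= SINGLE_ROLES.get(single, set())
    for single in user.extra_roles:
        tcodes |= SINGLE_ROLES.get(single, set())
    return tcodes


def held_functions(tcodes):
    """A function counts as held if the user can run any of its transactions."""
    return {f for f, tx in FUNCTIONS.items() if tcodes & tx}


def sod_violations(user):
    """Return the SoD rules (function A, function B, risk) the user violates."""
    funcs = held_functions(effective_transactions(user))
    return [(a, b, risk) for a, b, risk in SOD_RULES if a in funcs and b in funcs]


def daily_sod_report(users):
    """Detective control: the daily report of users with at least one violation."""
    return {u.name: sod_violations(u) for u in users if sod_violations(u)}


def would_violate(user, new_role):
    """Preventive control: the violations that would exist if new_role were
    provisioned, to be evaluated before an approver grants the request."""
    candidate = User(user.name, user.position, set(user.extra_roles) | {new_role})
    return sod_violations(candidate)


# Constructed sample users; bob and carol hold exception roles.
SAMPLE_USERS = [
    User("alice", "AP Clerk"),
    User("bob", "AP Supervisor", {"Z_AP_INVOICE"}),
    User("carol", "Master Data Admin", {"Z_AP_PAYMENT"}),
]

if __name__ == "__main__":
    for name, hits in daily_sod_report(SAMPLE_USERS).items():
        for a, b, risk in hits:
            print(f"{name}: {a} + {b} ({risk})")
    print("alice + Z_AP_PAYMENT ->", would_violate(SAMPLE_USERS[0], "Z_AP_PAYMENT"))
```

Run as a script it lists bob and carol, whose exception roles combine with their position roles into conflicting function pairs, and shows that granting alice the payment role would create a violation before the role is ever assigned. The rule works on transactions rather than role names on purpose: two differently named roles that grant the same transactions are the same risk.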
Identity Management ties all the elements of IT security together, allowing automatic provisioning (and removal) of all your IT-related user access profiles based on the employee’s position in HCM.
So why have I called this article “The Art of SAP Security”?
There are many definitions of art including ‘the product of human creativity’ and ‘a superior skill that you can learn by study and practice and observation’.
The Art of SAP Security is …
• the ability to seamlessly integrate security into your IT landscape
• to provide staff with access to the systems, functions, and data they require to perform their job
• to maintain one security solution, not many
• to react to change promptly
• to achieve the required results with the tools available
… and to do all this with the minimum of disruption to the employee, their manager or the security personnel.
The options I have discussed in this article are not mutually exclusive; for example, if you have CUA in your landscape you can continue to use it with SAP BO (GRC). The “art” is providing the best solution with the tools your organisation has.
For more information on SAP Business Objects (GRC) Access Control and SAP Security or if you would like Oxygen to evaluate your security solution and identify where efficiencies can be made, please contact us.