Do Excessive User Authorizations in SAP Pose a Threat?
It would seem that every system administrator, and at the very least every user representing top management, knows exactly which access privileges they hold in the system.
NOTHING COULD BE FURTHER FROM THE TRUTH!
Practical experience from SAP audits shows that this is not the case.
What should I pay attention to when assigning rights?
It is often the case that the authorizations granted to an SAP user are far too broad. Even where users are aware of the scope of their authorizations, they are usually unaware of the danger that comes with holding them.
Administrators, on the other hand, without the ability to monitor threats and without documentation of critical activities, have no chance of taking countermeasures.
What are the dangers of too much power?
I think the most glaring example (especially for those in management roles in the finance area, such as CFOs) is a user (say, a consultant) whose account allows them to create and modify financial documents.
Are such permissions needed for this user?
The CFO will say: impossible! And yet such situations happen very often. They are actually a trap for the person who holds the permissions, because they increase the risk of mistaken (I don't assume intentional) interference with the documents they have access to, and they create additional, unnecessary work for the finance department users who have to correct those actions.
The most common examples of threats
This time let it be the administrator of the SAP BASIS module. It is very common for users of this type to have the following permissions:
- access to business transactions,
- the ability to modify the data behind those transactions,
- user creation,
- assigning specific roles to users, or editing programs.
It is easy to guess that a user with such privileges also has access to and the ability to modify data in the General Ledger.
What does this mean?
Such a user can make changes to the chart of accounts, and consequently to every business event relevant to the company or organization.
Does the administrator need such powers? The answer is - NO.
Why?
Because such an array of permissions concentrated in one person (user) poses a real threat to system security.
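The BASIS administrator example above is a classic segregation-of-duties (SoD) conflict: no single authorization is wrong on its own, but the combination (user creation plus role assignment, or program editing plus financial posting) is. The following script is an added example, not code from the article or from Lukardi; it runs a minimal SoD check over constructed user/role data. The mapping of activities to SAP transaction codes is an assumption of this example (real checks are agreed per system and normally use authorization objects, not just transaction codes), and the users, roles and rule names are constructed sample data.

```python
"""Minimal segregation-of-duties (SoD) check over SAP-style role assignments.

Added example, not from the original article. The activity -> transaction code
mapping below is an assumption (organisation-specific); users, roles and rule
names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed mapping of abstract activities to SAP transaction codes.
ACTIVITY_TCODES: Dict[str, Set[str]] = {
    "USER_CREATE": {"SU01"},            # user maintenance
    "ROLE_ADMIN": {"PFCG"},             # role maintenance / assignment
    "PROGRAM_EDIT": {"SE38", "SE80"},   # ABAP editor / workbench
    "FI_DOC_POST": {"FB01", "FB50"},    # create / post financial documents
    "FI_DOC_CHANGE": {"FB02"},          # change financial documents
    "GL_ACCOUNT_MAINT": {"FS00"},       # G/L account master data
}

# Toxic combinations: a user holding every activity in the set is a finding.
SOD_RULES: Dict[str, Set[str]] = {
    "SOD_SELF_PROVISIONING": {"USER_CREATE", "ROLE_ADMIN"},
    "SOD_ADMIN_POSTS_FI": {"ROLE_ADMIN", "FI_DOC_POST"},
    "SOD_DEV_AND_POST": {"PROGRAM_EDIT", "FI_DOC_POST"},
    "SOD_POST_AND_GL_MASTER": {"FI_DOC_POST", "GL_ACCOUNT_MAINT"},
}

# Activities that are a finding on their own when held on a production system.
CRITICAL_IN_PRODUCTION: Dict[str, str] = {"PROGRAM_EDIT": "CRIT_PROGRAM_EDIT_PRD"}

# Constructed sample data: role -> transaction codes, user -> roles.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SE38", "SE16"},
    "Z_FI_CLERK": {"FB01", "FB50", "FB02"},
    "Z_FI_DISPLAY": {"FB03"},
    "Z_CONSULTANT_WIDE": {"FB01", "FB02", "FS00", "SE38"},
}
SAMPLE_USERS: Dict[str, Set[str]] = {
    "BASIS01": {"Z_BASIS_ADMIN", "Z_FI_CLERK"},  # admin who can also post
    "CONS01": {"Z_CONSULTANT_WIDE"},             # consultant with FI posting
    "CLERK01": {"Z_FI_CLERK"},                   # clean finance user
    "AUDIT01": {"Z_FI_DISPLAY"},                 # display-only
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    activities: tuple  # activities that triggered the rule


def effective_tcodes(user: str, users: Dict[str, Set[str]],
                     roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of transaction codes over all roles assigned to the user."""
    return set().union(*(roles.get(r, set()) for r in users.get(user, set())))


def activities_of(tcodes: Set[str]) -> Set[str]:
    """An activity is held if any of its transaction codes is held."""
    return {act for act, codes in ACTIVITY_TCODES.items() if codes & tcodes}


def check_user(user: str, users: Dict[str, Set[str]], roles: Dict[str, Set[str]],
               production: bool = True) -> List[Finding]:
    """Evaluate SoD rules and (on production) standalone critical activities."""
    acts = activities_of(effective_tcodes(user, users, roles))
    findings = [Finding(user, rule, tuple(sorted(needed)))
                for rule, needed in SOD_RULES.items() if needed <= acts]
    if production:
        findings += [Finding(user, rule, (act,))
                     for act, rule in CRITICAL_IN_PRODUCTION.items() if act in acts]
    return sorted(findings, key=lambda f: f.rule)


def run_sod_check(users: Dict[str, Set[str]] = SAMPLE_USERS,
                  roles: Dict[str, Set[str]] = SAMPLE_ROLES,
                  production: bool = True) -> Dict[str, List[str]]:
    """Rule identifiers triggered per user, in a stable order."""
    return {u: [f.rule for f in check_user(u, users, roles, production)]
            for u in sorted(users)}


if __name__ == "__main__":
    for user, rules in run_sod_check().items():
        print(f"{user}: {', '.join(rules) if rules else 'no findings'}")
```

On a real system the role-to-transaction and user-to-role data would be exported from the authorization tables rather than typed in, and the checks would be expressed against authorization objects, since a transaction code alone does not capture restrictions by company code or activity. The structure stays the same: compute each user's effective authorizations, derive the business activities they enable, and flag both toxic combinations and standalone critical activities on production.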
SUMMARY
To recap: a colleague of mine, who is absolutely the best SAP system administrator I know, used to say:
"A production user with a developer key is God."
And he definitely knows what he is talking about. A person with such a key/authorization can make any change on the production system.
Example: they can write a program that deletes or modifies data, and so on.
You might think: it's impossible for such situations to happen!
Take my word for it - situations with improperly assigned permissions happen very often!
If managing and controlling entitlements is a challenge for you, write to us!
We Manage the Digital Transformation of Your Business
Do you want to secure your business from cyberattacks? Or are you planning a digital transformation or looking for IT specialists for a project? We'd be happy to help. We are here for you. Let's talk about professional IT services for your business.
Tomasz Jurgielewicz
Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of:
- identification of authorization conflicts and reorganization of authorizations,
- SAP vulnerability identification,
- integration of SIEM solutions with SAP,
- SAP license optimization.