Do You Know What Authorizations Your Employees Have?
- Security
Business Doesn't Like Chaos and Hates Uncertainty
Roles, permissions, and authorizations in SAP are a vast topic that we've discussed several times before.
We talked about the dangers that arise from a lack of a clear permissions concept, poorly managed processes for granting them, and the associated risks for organizations. Today, in this new reality for many businesses, the topic is even more "hot."
PWC's "Global Economic Crime Survey 2020" report clearly indicates that among Polish companies, accounting fraud is growing considerably. It turns out that about 63% of frauds were committed by employees (insiders).
The scale of abuse is also increasing - over 61% of companies in which abuse was detected suffered losses greater than PLN 400k as a result (more than half of them recorded losses above 1 million EUR).
It is also worth noting that the majority of fraud detections came from routine activities (such as audits or document reviews). Only 23% of detections came from automated suspicious-activity monitoring and IT security systems.
Since most of the abuses were carried out by employees, it's worth looking into the possible reasons. In the context of SAP authorization during implementation projects, we're seeing three significant trends: neglect of authorization at the initial stage of system implementation, a weak acceptance process, and conflicts of permissions.
Neglecting Authorization at the Initial Stage of System Deployment
Implementation projects tend to have a big focus on budget and speed of execution. This makes sense, of course, because businesses need to generate revenue, and time is of the essence. However, for the later stages of the system's lifecycle and for the users involved, it is important to secure authorization management with specific guidelines.
Hence the authorization concept: a set of detailed rules for this challenge. It ranges from the naming and content of roles, to mapping roles to positions, to defining the framework and the risks associated with each access. Such access consistency should be a priority in any organization - yet the PWC study above shows that a lot of work remains to be done.
Once a system has been in operation for a couple of years (often a couple of dozen), there is a good chance that individuals who are by definition unauthorized have accumulated too much access and are in a position to commit abuses.
It is easier to add a role to a user than to take one away - our observations show that only about 10-15% of the authorizations granted to users are actually used in daily work (the rest is simply unnecessary).
Acceptance Process - Lack of Knowledge
Do you know such a scenario?
- "I'll ask for a role like Mr. Smith has."
- "Ok, I accept."
What does BASIS (or the authorization department) do in this situation?
If the approval process ends at this point - the request is implemented.
Does the approver have knowledge of all the transactions and roles involved, and of the associated and potential risks?
I dare say it is unlikely.
Requests sent by email, on paper, or through a ticket system, and verified in isolation from the system itself (with no feedback about the risks in SAP), mean that the organization does not act proactively in this regard. As a result, unsafe authorization sets regularly enter the system.
Conflicts of Authorizations - the Flow of Money out of an Organization
Over the years of working in an organization, an employee goes through various levels. They gain new permissions, change roles, and take on new responsibilities. This is also influenced by the first two points (typical oversights).
The consequences are very visible here, because the accumulated access allows such an employee to execute entire business processes on their own. Often many of them...
It is good when the organization knows the risks and can deal with them by implementing appropriate GRC processes in SAP. However, these are exceptional situations; in most cases activities are reduced to running general reports on individual conflicts.
Abuses related to Conflicts of Interest (COI) can be numerous. They pertain to almost every area of business conducted in SAP.
A simple scenario for FI:
- Authorization No. 1 - FK01 / XK01 - Supplier master data management
- Authorization No. 2 - FB60 / FB65 / FB01 / F-53 - Incoming goods invoicing
- Conflict of powers - the risk of posting an invoice for a fictitious supplier, with invoice settlement money flowing out of the organization.
SD area:
- Ex.: VA01 / VA02 / WCS0
- + Ex.: V32 / V32 / V33 / V35
- Ability to enter sales documents and reduce prices to achieve financial benefits for the user, who can edit fictional suppliers and initiate purchases from a specific supplier.
HR/PY area:
- Ex.: F-18 / F-46 / F-58_K
- + Ex.: FEBA / FF.5 / FF/4 / FF/5
- Introducing unauthorized payments and settling the bank account balance. The risk of entering an unauthorized payment and confirming the bank balance by the same person.
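The following is an added example, not code from the article or from Lukardi's tools. It shows the kind of check the acceptance process above lacks: a minimal segregation-of-duties (SoD) evaluation that resolves a user's roles to transaction codes, matches them against conflict rules built from the three scenarios listed above (FI, SD, HR/PY), and, for a pending request such as "a role like Mr. Smith has", reports only the conflicts the request would newly introduce. The rule names, role names, role contents and user assignments are constructed sample data; the transaction codes are the ones quoted in the article.

```python
"""Minimal SoD conflict check for SAP role requests (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class SodRule:
    name: str
    side_a: FrozenSet[str]  # transactions on one side of the conflict
    side_b: FrozenSet[str]  # transactions on the other side
    risk: str               # consequence described in the article


# Conflict rules built from the article's FI, SD and HR/PY scenarios.
SOD_RULES: List[SodRule] = [
    SodRule("FI: vendor master vs. invoice posting",
            frozenset({"FK01", "XK01"}),
            frozenset({"FB60", "FB65", "FB01", "F-53"}),
            "invoice for a fictitious supplier, outflow of settlement money"),
    SodRule("SD: sales document entry vs. pricing",
            frozenset({"VA01", "VA02", "WCS0"}),
            frozenset({"V32", "V33", "V35"}),
            "reduced prices for the user's own financial benefit"),
    SodRule("HR/PY: manual payment vs. bank statement",
            frozenset({"F-18", "F-46", "F-58_K"}),
            frozenset({"FEBA", "FF.5", "FF/4", "FF/5"}),
            "unauthorized payment confirmed by the same person"),
]

# Constructed sample role contents (hypothetical Z_* role names).
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_VENDOR_MAINT": {"FK01", "XK01", "XK02"},
    "Z_AP_INVOICE": {"FB60", "FB65", "F-53"},
    "Z_SD_ORDER": {"VA01", "VA02"},
    "Z_SD_PRICING": {"V32", "V33"},
    "Z_TR_BANK": {"FEBA", "FF.5"},
    "Z_DISPLAY_ONLY": {"FK03", "VA03"},
}

# Constructed sample user-to-role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "SMITH": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE", "Z_SD_ORDER"},
    "JONES": {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},
    "NOWAK": {"Z_SD_ORDER", "Z_DISPLAY_ONLY"},
}


def effective_tcodes(roles: Set[str]) -> Set[str]:
    """Union of the transactions granted by every role in the set."""
    tcodes: Set[str] = set()
    for role in roles:
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def find_conflicts(tcodes: Set[str]) -> List[str]:
    """Names of the rules where the user holds a transaction on both sides."""
    return [rule.name for rule in SOD_RULES
            if tcodes & rule.side_a and tcodes & rule.side_b]


def report_user(user: str) -> List[str]:
    """Conflicts a user already has with the roles currently assigned."""
    return find_conflicts(effective_tcodes(USER_ROLES.get(user, set())))


def check_request(user: str, requested_roles: Set[str]) -> List[str]:
    """Approval-time check: conflicts the request would newly introduce.

    An empty list means approving the request adds no SoD risk the user
    does not already carry; a non-empty list is what the approver should see.
    """
    current = USER_ROLES.get(user, set())
    before = set(find_conflicts(effective_tcodes(current)))
    after = find_conflicts(effective_tcodes(current | requested_roles))
    return [name for name in after if name not in before]


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, report_user(user))
    # "I'll ask for a role like Mr. Smith has": copy SMITH's roles to JONES.
    print("JONES + SMITH's roles ->", check_request("JONES", USER_ROLES["SMITH"]))
```

In practice the role contents would come from the system's role-to-transaction assignments rather than a hard-coded dictionary, and the rule set would be far larger, but the shape of the check is the same: compute the effective transaction set after the change, not just the requested role in isolation, and surface the resulting conflicts to the approver before the request is implemented.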
Summary
In such a powerful tool, which processes an organization's most important data, optimal access management is simply a prerequisite for the organization to control the risks and potential abuses.
And this need is not only ours to address as a developer of GRC process management tools for SAP. The Big Four and their customers are facing measurable problems precisely because of abuse by users who should not have had access, or whose access should have been closely monitored.
So what can be done?
First of all, look at the current SAP infrastructure:
1 - What is your current authorization concept? Is it taken into account in daily activities?
2 - What does your authorization request and approval process look like? Do the approvers have sufficient knowledge of the risks?
3 - Do you know the level of risks associated with access and privilege conflicts?
If you have doubts about any of the points - we are at your service.
We Manage the Digital Transformation of Your Business
Do you want to secure your business from cyberattacks? Or are you planning a digital transformation or looking for IT specialists for a project? We'd be happy to help. We are here for you. Let's talk about professional IT services for your business.
Tomasz Jurgielewicz
Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of: - identification of authorization conflicts and authorization reorganization, - identification of SAP vulnerabilities, - integration of SIEM solutions with SAP, - optimization of SAP licenses.