
How to Take Care of SAP Security in 3 Steps?


Let's dispel doubts at the outset: there is no completely secure IT system. Any system can fail, and fixing one failure may introduce another at a different level. The requirements placed on a system's functionality also differ and do not always coincide: the architect designing the system sees functionality differently from the programmer, and the programmer sees it differently from the business user of the system.

That is why security management is a continuous process; preparing a secure system is not a one-time activity.

Threats come both from the technical side of the systems (vulnerability to hacking) and from the users of the system (excessive authorizations create the opportunity for more or less deliberate abuse).

The SAP system, because of its flexibility and broad capabilities, is changed in parallel with changing needs. New custom programs that extend the standard functionality are, when done properly, a project in their own right, one that often involves the cooperation of several user groups (programmer, business user, module expert). SAP security is therefore an extremely complex topic.

Each such user has authorizations (either acquired over time or granted for specific activities). Thus, a very important question arises:

Do your users have SAP_ALL privileges?

SAP_ALL authorizations allow users to make almost unlimited changes to the system, regardless of which modules the organization uses. Such permissions are a convenience on the one hand and a threat on the other. So are you monitoring the activities of the users who hold such high privileges? Are you able to indicate which user made which changes, and whether they were related to a specific project you are running? What does SAP security look like in your organization?

What risks are associated with granting such authorizations?

1 - the risk of abuse of authorizations

2 - the risk of changes to system structures outside the control of the responsible teams

3 - the risk of unknowingly misusing one's authorizations

4 - the risk of failing an external audit

It is therefore essential to:

1 - know what authorizations your users currently have,

2 - remove those authorizations that were granted unnecessarily (beyond security, this also touches on holding user licenses that we do not in fact need),

3 - grant SAP_ALL privileges only to specific users, only for specific cases,

4 - monitor their activities as part of ongoing work.
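As an added example (not Lukardi's tool and not code from this post), the following Python script illustrates points 1 and 2: it reads a constructed CSV export shaped like the SAP user-to-profile assignment table UST04 (columns BNAME and PROFILE), lists every user holding the SAP_ALL profile, and splits them into the designated emergency accounts that may keep it and the accounts it should be revoked from. The export contents and the EMERGENCY_USERS allow-list are constructed sample data; in a real system the export would come from UST04 or the SUIM user-by-profile report.

```python
"""Inventory of SAP_ALL holders from a constructed UST04-style export.

Added example, not Lukardi's tool. Assumes a CSV export of the user-to-profile
assignment table (UST04 has columns BNAME = user, PROFILE = profile) and a
hypothetical allow-list of designated emergency users.
"""
import csv
import io

# Constructed sample export; in SAP the same data comes from table UST04
# (user master profile assignments) or the SUIM user-by-profile report.
UST04_EXPORT = """BNAME,PROFILE
DSIKORSKI,SAP_ALL
DSIKORSKI,Z_FI_DISPLAY
JKOWALSKI,Z_MM_BUYER
PL_EMERG_1,SAP_ALL
PL_EMERG_1,SAP_NEW
BATCH_ADM,SAP_ALL
ASMITH,S_A.SYSTEM
"""

# Hypothetical allow-list: the only accounts that may carry SAP_ALL are the
# dedicated emergency users handed out case by case (point 3 in the text).
EMERGENCY_USERS = {"PL_EMERG_1"}


def sap_all_holders(export_text):
    """Return the sorted list of users that have the SAP_ALL profile assigned directly."""
    holders = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["PROFILE"].strip().upper() == "SAP_ALL":
            holders.add(row["BNAME"].strip().upper())
    return sorted(holders)


def cleanup_plan(export_text, emergency_users=EMERGENCY_USERS):
    """Split SAP_ALL holders into accounts allowed to keep it and accounts to revoke it from."""
    keep, revoke = [], []
    for user in sap_all_holders(export_text):
        (keep if user in emergency_users else revoke).append(user)
    return {"keep": keep, "revoke": revoke}


if __name__ == "__main__":
    plan = cleanup_plan(UST04_EXPORT)
    print("SAP_ALL retained on:", ", ".join(plan["keep"]))
    print("SAP_ALL to revoke from:", ", ".join(plan["revoke"]))
```

The script only sees direct profile assignments, so it is a starting point for the inventory rather than a full picture: composite profiles and role-generated profiles should still be reviewed in SU01 or SUIM before the revoke list is acted on.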

So how do you organize an optimal risk reduction process in three steps?

First - clear unnecessary SAP_ALL permissions. Let's not be afraid to say that excessive user permissions are a problem, and problems need to be solved. So let's take SAP_ALL permissions away from all (!) users.

Second - let's make sure that we provide the functionality only to those users whose activities inside the organization actually require such permissions, because we cannot give up these permissions altogether.

Third - let's assign an auditor who approves the granting of authorizations and verifies the actual actions performed in the system. Every action carried out under the assigned authorizations leaves a trace, and the auditor evaluates whether the changes were really necessary.

A process carried out in this way makes it possible to significantly reduce risks. This is the essence of data security management in SAP, on which the business of many organizations, not only in Poland but all over the world, is often based entirely.

For a clearer view of the subject, screenshots of the new SAP_ALL entitlement delivery process are attached below.

The first shows the positive response to a request from user DSIKORSKI for SAP_ALL (emergency user) privileges. In the "Enter session token" popup, the user entered a unique token allowing him to access user PL_EMERG_1 with SAP_ALL privileges.

Below is the report that the auditor of the PL_EMERG_1 user receives. It shows all the detailed information regarding DSIKORSKI's actions within the authorizations received. On this basis the auditor verifies the legitimacy of the changes made.
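To make the three-step process and the screenshots concrete, here is an added Python model of the emergency-user hand-out (not Lukardi's product and not code from this post): a named user requests access, a separate approver grants it and a one-time session token is issued, the user redeems the token to act as the dedicated emergency user for a limited time, every action is recorded, and the auditor of that emergency user receives a report of who did what under it. The class names, the token validity period, the approver name and the recorded actions are all hypothetical; DSIKORSKI and PL_EMERG_1 are the names used in the screenshots.

```python
"""Model of the SAP_ALL emergency-user hand-out and audit process.

Added example, not Lukardi's product. Models the steps described in the text:
request -> approval -> one-time session token -> time-limited session under the
emergency user -> every action logged -> auditor report. All names hypothetical.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class EmergencySession:
    requester: str          # named person who asked for access, e.g. DSIKORSKI
    emergency_user: str     # dedicated high-privilege account, e.g. PL_EMERG_1
    reason: str
    approved_by: str
    token_hash: str         # only a hash of the token is stored, never the token
    expires_at: int         # unix time in seconds; the clock is passed in by the caller
    used: bool = False
    actions: list = field(default_factory=list)


class EmergencyAccess:
    def __init__(self, emergency_users, validity_seconds=4 * 3600):
        self.emergency_users = set(emergency_users)   # allow-list of SAP_ALL accounts
        self.validity = validity_seconds              # hypothetical 4-hour window
        self.sessions = {}                            # token hash -> EmergencySession

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def approve(self, requester, emergency_user, reason, approver, now):
        """Approver accepts a request; returns the one-time token for the requester."""
        if emergency_user not in self.emergency_users:
            raise ValueError(f"{emergency_user} is not a designated emergency user")
        if approver == requester:
            raise ValueError("a requester may not approve their own request")
        token = secrets.token_urlsafe(24)
        h = self._hash(token)
        self.sessions[h] = EmergencySession(
            requester, emergency_user, reason, approver, h, now + self.validity)
        return token

    def open_session(self, token, now):
        """Redeem the token (the 'Enter session token' step): single use, within validity."""
        session = self.sessions.get(self._hash(token))
        if session is None or session.used or now > session.expires_at:
            raise PermissionError("token invalid, already used or expired")
        session.used = True
        return session

    def record(self, session, tcode, changed_object, now):
        """Every action taken under the emergency user leaves a trace."""
        session.actions.append({"time": now, "tcode": tcode, "object": changed_object})

    def auditor_report(self, emergency_user):
        """Report for the auditor of an emergency user: which person did what under it."""
        return [
            {"requester": s.requester, "approved_by": s.approved_by,
             "reason": s.reason, "actions": list(s.actions)}
            for s in self.sessions.values()
            if s.emergency_user == emergency_user and s.used
        ]


if __name__ == "__main__":
    access = EmergencyAccess(["PL_EMERG_1"])
    token = access.approve("DSIKORSKI", "PL_EMERG_1", "correct a blocked posting run",
                           approver="APPROVER_1", now=1_700_000_000)
    session = access.open_session(token, now=1_700_000_600)
    access.record(session, "SE16", "table T001", now=1_700_000_700)
    for entry in access.auditor_report("PL_EMERG_1"):
        print(entry)
```

Two design points carry the weight here: the approver and the requester must be different people, and only a hash of the token is kept, so the stored record can prove who redeemed a session without itself being usable to open one.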

Want to know more about reducing risks and increasing the security of your SAP system? Contact us.


Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of: identification of authorization conflicts and reorganization of authorizations, SAP vulnerability identification, integration of SIEM solutions with SAP, and SAP license optimization.