Cyclic Verifications in the SAP Authorization Area
Today we would like to draw attention to a very important issue in the area of SAP authorization security. Alongside one-off role reorganization projects and SoD analyses, it is equally important to maintain the authorization concept and the administrative process order in the roles developed during the project. How do we prevent the post-project assumptions from being quietly switched off and avoid role clutter? One solution is the introduction of cyclic inspections. They not only give us peace of mind, but also adequate preparation before the visit of the external auditor.
Best practices with cyclic controls
Our best practices from cyclical inspections are based on three main foundations:
- Methodology - What are we verifying? Who does the verification? How much time can we devote to it? How do we verify in terms of content and organization?
- Tools - How do we verify technically (reports, SAP elements)?
- Documentation - What do we document? Where do we store reports and confirmations? Who has access to the documentation?
Benefits of cyclic checks
First of all, security awareness spreads and continuously grows in every cell of the enterprise's organizational structure. Every SAP user, whether end user, key user, ABAP developer, module consultant, Basis team member or operations director, must understand that security is not a one-time project but an ongoing process, a state of mind.
How often should such inspections be performed?
The more often, the better. However, at the beginning of our verification venture it is worthwhile to carry out periodic inspections once every six months. With the right tools, such verification will be simple and time-saving for all participants. In case it is not possible to do verification once every six months, we should do our best to do one big verification with the whole organization once a year. This is the absolute minimum.
What Else is Worth Remembering?
Any organization can verify any element of the SAP security area. Here are some standard issues that are worth putting under the microscope:
- SAP role status - role content (PFCG) checked against the authorization concept (we should have such a document and keep it updated)
- Assignment of profiles SAP_ALL, SAP_NEW
- Emergency users, the so-called FIREFIGHTERS - who is allowed to use them? Is there a designated person in the organization responsible for verifying the actions performed on the user account with extended privileges? What actions does a given FIREFIGHTER perform? (We can check this at the transaction level in SM20, or in greater detail in a tool from the GRC group, e.g. SAST SUITE.)
- Status of role assignments to employees - Managers of the departments concerned should confirm or negate the validity of assigned roles on SAP systems to specific employees.
- SoD conflicts - We should make an analysis comparing the state since the last revision with the state today. Are new mitigations needed? Have new dangerous conflicts emerged that threaten the security of the company?
- Validity of SAP accounts - Have the accounts of employees who no longer work for the company been locked (or deleted, depending on the organization's policy)?
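The checks above for SAP_ALL/SAP_NEW holders, for accounts of leavers or expired accounts that are still unlocked, and for the SoD delta since the last review can be run over an exported user list. The following Python script is an added example, not code from the original post or from any SAST product; the input records are constructed and their fields are assumptions modelled on what a user/profile extract (e.g. from SUIM or the USR02/UST04 tables) typically carries:

```python
"""Cyclic SAP authorization review checks over an exported user list (added example)."""
from dataclasses import dataclass
from datetime import date

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}   # always reviewed in every cycle
REVIEW_DATE = date(2024, 6, 30)              # constructed review date

@dataclass
class SapUser:
    user_id: str
    profiles: set          # profiles assigned to the user (assumed extract column)
    valid_to: date         # account validity end date (assumed, cf. USR02 GLTGB)
    locked: bool           # any lock flag set (assumed, cf. USR02 UFLAG)
    employed: bool         # False if HR lists the person as a leaver (constructed)

def critical_profile_holders(users):
    """Check: who still holds SAP_ALL or SAP_NEW?"""
    return sorted(u.user_id for u in users if u.profiles & CRITICAL_PROFILES)

def stale_accounts(users, today):
    """Check: leavers or expired accounts that are not locked (or deleted)."""
    return sorted(u.user_id for u in users
                  if not u.locked and (not u.employed or u.valid_to < today))

def sod_delta(previous, current):
    """Check: SoD conflicts that are new since the last review (need a mitigation
    decision) and conflicts that have been resolved. A conflict is a (user, risk) pair."""
    return {"new": sorted(current - previous), "resolved": sorted(previous - current)}

# Constructed sample extract: user ids, profile names and risk ids are illustrative only.
USERS = [
    SapUser("JKOWALSKI", {"SAP_ALL"}, date(2099, 12, 31), locked=False, employed=True),
    SapUser("ANOWAK", {"Z_FI_AP"}, date(2024, 1, 31), locked=False, employed=False),
    SapUser("FF_01", {"SAP_NEW", "Z_FF_BASIS"}, date(2099, 12, 31), locked=True, employed=True),
    SapUser("MWOJCIK", {"Z_MM_PUR"}, date(2099, 12, 31), locked=False, employed=True),
]
PREVIOUS_SOD = {("MWOJCIK", "R001_CREATE_VENDOR_AND_PAY")}
CURRENT_SOD = {("MWOJCIK", "R001_CREATE_VENDOR_AND_PAY"),
               ("JKOWALSKI", "R002_POST_AND_APPROVE_PAYMENT")}

if __name__ == "__main__":
    print("SAP_ALL/SAP_NEW holders:", critical_profile_holders(USERS))
    print("unlocked leaver/expired accounts:", stale_accounts(USERS, REVIEW_DATE))
    print("SoD delta since last review:", sod_delta(PREVIOUS_SOD, CURRENT_SOD))
```

The locked firefighter account FF_01 is still reported as a SAP_NEW holder, which is intended: the profile assignment itself is what the review should confirm or remove.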
How does the SAST tool support the cyclic inspection program?
As I mentioned before, our team uses tools from the SAST Suite GRC family. Here are some examples of how the SAST tool supports the cyclic inspection program:
- Automation - The tool has an engine that, based on standard SAP functionality, allows you to generate cyclic reports in the background and put them back on the system for easy retrieval and distribution to key area owners.
- Variety of reports - the content of roles, the assignment of roles to active and inactive users, the use of transactions per user or per role (answers the question: do we need so many transactions in a role?) are just a few of the reports available in SAST tools.
- Documentation - allows PDF documentation to be created directly from the system and mitigations to be recorded there, so the system becomes the central place where the mitigations for specific risks are kept.
Finally, a handful of small but useful organizational tips
In order to plan cyclic verifications well, it is first of all necessary to communicate openly within the organization the verification activities we are planning. We suggest doing this with eye-catching posters in the company's offices or graphics posted on the intranet, so that they reach all employees who will be involved in the verification.
It is worth setting a so-called "blocker" in the calendar for the entire period of the planned verification. Reserving time slots in advance (even six months ahead) helps us avoid pushing the topic into the background. Since the daily operational workload is often very heavy, there is a danger that the priority of our verification task is lowered in favor of ongoing support. The consequence would be perpetual postponement of the cyclic control.
We are here to help!
We will be happy to support you in conducting cyclic reviews or advising you in preparing your operations strategy and training your internal teams.
Tomasz Jurgielewicz
Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of:
- identification of authorization conflicts and authorization reorganization,
- identification of SAP vulnerabilities,
- integration of SIEM solutions with SAP,
- optimization of SAP licenses.