Do too many permissions pose a risk to the SAP user?

Reading time: 2 min.
Tomasz Jurgielewicz

Are too much permissions for the SAP user

a threat?

It would seem that - for sure - every system administrator, as well as - at least - top management users are well aware of the access rights to the system each of them has.

NOWISE!

Most of the authorizations given to users are too extensive

Practice in the scope of performing SAP system audits has shown that this is not the case.

What to pay attention to when granting permissions?

It often happens that the authorizations granted to a SAP user are too extensive. Even if they are aware of the scope of their rights, in the case of the risk that they may be associated with - this awareness is missing.

Administrators, on the other hand, are not able to monitor threats, do not have documentation of critical activities, and do not have a chance to take remedial measures.

What is the risk of having too much authority?

I think that the most striking example (especially for people holding managerial positions in the area of finance, e.g. financial directors) will be whenthe user (let it be a consultant) has an account allowing him to create and modify financial documents.

Are such permissions needed for this user?

The Finance Director will say - Impossible! But still! Such situations take place very often, and in fact they are a trap for the person who has them, because they increase the risk of erroneous interference (I do not assume deliberate action) in the documents to which they have access, and provide users from the financial department with additional - unnecessary - work related to correcting these activities.

The most common threats

This time let it be the SAP BASIS module administrator. It is very common for users to have the following permissions of this type:

  • access to business transactions,
  • the possibility of influencing this data,
  • creating users,
  • assigning them specific roles or program editing.

It is easy to guess that a user with such permissions it also has access and the possibility to modify data in the General Ledger.

What does it mean?

He can make changes to the chart of accounts, and further - all business events that are important for the company / organization.

Does the administrator need such permissions? The answer is - NO.

Why?

Because such a range of authorizations for a given person (user) poses a real threat to the security of the system.

SUMMARY

To sum up: my colleague, who is the absolute best SAP system administrator I know, says:

"The user of the production with the development key is God."

And he definitely knows what he is talking about. A person with such a key / authorization can make any changes to the production system.

Example: he can write a delete program, a modifier, etc.

Think - it is impossible for such situations to happen!

Take our word for it - situations with incorrectly assigned permissions happen very often!

If managing and controlling permissions are a challenge for you, contact us!

OTHER ARTICLES ABOUT SAP AUTHORIZATIONS WORTH READING:

If you find this article valuable, please share it.
This will allow us to reach new people. Thank you in advance!

We will take care of the digital transformation of your business

Do you want to protect your business against cyber attacks? Or maybe you are planning a digital transformation or looking for IT specialists for a project? We are happy to help. We are here for you. Let's talk about professional IT services for your company.
Contact Us
Darmowy e-book

Wszystko, co musisz wiedzieć
o migracji z SAP ERP na SAP S/4HANA

Nasz zespół ekspertów przygotował dla Ciebie
e-poradnik, dzięki któremu zrobisz to łatwo, bezboleśnie i bez szkody dla bezpieczeństwa
Twojej firmy.

To praktyczna wiedza podana w przystępnym
języku - zupełnie za darmo.
Pobierz darmowego e-booka
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Visit our Social Media:
Lukardi 2022. All Rights Reserved. 
Made with