Periodic Verifications in the Area of SAP Authorization

Reading time: 4 min.
Tomasz Jurgielewicz

Today we would like to draw your attention to a very important issue in the area of SAP authorization security. Beyond one-off projects such as role reorganization and SoD cleanup, it is equally important to maintain the authorization concept and the administrative and procedural order in the roles that such a project produced. How do we prevent our design assumptions from being "crossed" over time and avoid a mess in roles? One solution is to introduce periodic verifications. They give us not only psychological comfort, but also proper preparation before the visit of the external auditor.

Best practices for periodic verifications

Our best practices in the area of periodic verifications are based on three main foundations:

  1. Methodology - What do we verify? Who verifies? How much time can we devote to this? How do we verify content and organization?
  2. Tools - How do we verify technically (reports, SAP elements)?
  3. Documentation - What do we document? Where do we store reports and confirmations? Who has access to the documentation?

Benefits of Periodic Verifications

First of all, organization-wide awareness and continuous expansion of security knowledge in every unit of the company's organizational structure. Every SAP user - end user, key user, ABAP programmer, module consultant, Basis team or operational director - must understand that security is not a one-time project, but a continuous state (of mind).

How often should these checks be performed?

The more often, the better. However, at the beginning of our verification project it is worth carrying out Periodic Verifications once every six months. With the right tools, such verification will be simple and time-saving for all participants. Where verification is not possible on a semi-annual basis, we should do our best to have one big verification involving the whole organization once a year. This is the absolute minimum.

What else is worth remembering?

Each organization can verify any element of the SAP security area. Here are a few standard issues to consider:

  • Status of SAP roles – content of roles (PFCG) versus the Concept of Authorizations (a document we should have and keep up to date on an ongoing basis)
  • Assignment of the SAP_ALL and SAP_NEW profiles
  • Emergency users, the so-called FIREFIGHTERS - who can use them? Is there a designated person in the organization responsible for verifying the activities performed on a user account with extended privileges? What actions does a given FIREFIGHTER perform? (We can check this at the transaction level in SM20, or in more detail in a tool from the GRC group, e.g. SAST SUITE.)
  • Status of role assignments to employees – managers of the given departments should confirm or reject the validity of the roles assigned to specific employees on SAP systems.
  • SoD conflicts – we should make an analysis comparing the state at the last verification with the current state. Are new mitigations needed? Have new dangerous conflicts emerged that threaten the security of the enterprise?
  • SAP account validity – are the accounts of employees who no longer work for the company locked (or deleted, depending on the organization's policy)?
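As an added illustration (not code from this article or from the SAST tools it mentions), the script below runs three of the checks listed above over a constructed snapshot: holders of SAP_ALL/SAP_NEW, ex-employees whose accounts are still unlocked, and SoD conflicts that are new since the last verification. The snapshot layout, the SoD ruleset and the user names are assumptions made for the example.

```python
"""Periodic-verification checks over a constructed SAP authorization snapshot.

Added example, not from the article or any SAP/GRC product. The snapshot
below is constructed to resemble what an export of user profiles, lock
status and role-derived transactions would give; its shape is an assumption.
"""

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed SoD ruleset: transaction pairs that must not meet in one user.
SOD_RULES = {("FK01", "F110"): "create vendor + run payment run",
             ("ME21N", "MIGO"): "create purchase order + post goods receipt"}

# Constructed snapshot: user -> lock flag, assigned profiles, reachable transactions
CURRENT = {
    "JSMITH": {"locked": False, "profiles": {"SAP_ALL"}, "tcodes": {"SU01"}},
    "AKOWAL": {"locked": False, "profiles": set(), "tcodes": {"FK01", "F110"}},
    "MNOWAK": {"locked": True, "profiles": set(), "tcodes": {"ME21N"}},
    "BLEFT": {"locked": False, "profiles": {"SAP_NEW"}, "tcodes": {"MIGO", "ME21N"}},
}
LEAVERS = {"BLEFT", "MNOWAK"}                # constructed HR list of ex-employees
PREVIOUS_SOD = {("BLEFT", "ME21N", "MIGO")}  # conflicts recorded at the last verification


def critical_profile_holders(snapshot):
    """Users holding SAP_ALL or SAP_NEW; each needs a documented justification."""
    return sorted(u for u, d in snapshot.items() if d["profiles"] & CRITICAL_PROFILES)


def unlocked_leavers(snapshot, leavers):
    """Ex-employees whose accounts are still unlocked (should be locked or deleted)."""
    return sorted(u for u in leavers if u in snapshot and not snapshot[u]["locked"])


def sod_conflicts(snapshot):
    """(user, tcode_a, tcode_b) for every rule whose two transactions a user can run."""
    found = set()
    for user, d in snapshot.items():
        for a, b in SOD_RULES:
            if {a, b} <= d["tcodes"]:
                found.add((user, a, b))
    return found


def sod_delta(previous, current):
    """Conflicts that did not exist at the last verification: candidates for new mitigations."""
    return sorted(current - previous)


if __name__ == "__main__":
    print("critical profile holders:", critical_profile_holders(CURRENT))
    print("unlocked leavers:", unlocked_leavers(CURRENT, LEAVERS))
    print("new SoD conflicts:", sod_delta(PREVIOUS_SOD, sod_conflicts(CURRENT)))
```

The previous conflict set is what gets stored with the verification documentation, so the next run can compute the delta the same way.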

How does the SAST tool support the program of Periodic Verifications?

As I have already mentioned, our team uses solutions from the GRC SAST Suite group of tools. Here are some examples of how the SAST tool supports the program of Periodic Verifications:

  1. Automation - the tool has an engine that, based on standard SAP functionality, generates cyclical reports in the background and stores them in the system for easy download and hand-over to the key area owners.
  2. Variety of reports - role content, assigning roles to active and inactive users, using transactions per user or per role (answers the question: do we need so many transactions in a given role?) are just a few of the reports available in SAST tools.
  3. Documentation – allows you to create documentation in PDF form directly from the system and to create mitigations, thus the system becomes the main resource where mitigations for specific risks are located.

Finally, a handful of small but useful organizational tips

In order to plan periodic verifications well, firstly, you should openly communicate the planned verification activities in the organization. We propose to do this with eye-catching posters at the company's headquarters or graphics posted on the intranet, which can be accessed by all employees who will be considered for verification.

It is worth putting a so-called "blocker" in the calendar for the entire period of the planned verification. Booking the time slots in advance (even six months ahead) helps us avoid pushing the subject into the background. As day-to-day operational work is often very heavy, there is a danger that the priority of the verification task is lowered in favor of ongoing support. The consequence is an endless postponement of the Periodic Verifications.

We can help!

If you are interested in the topic of cyclical inspections and would like to talk to our SAP Security Team about it, please contact us. We will be happy to support you in carrying out periodic verifications or advising on the preparation of operating strategies and training of internal teams.

Lukardi 2022. All Rights Reserved. 