Today we would like to draw your attention to a very important issue in the area of SAP authorization security. In addition to one-off projects of role reorganization and SoD (segregation of duties), it is equally important to maintain the authorization concept and the administrative and procedural order in the roles developed during the project. How do we prevent "crossovers" of our design assumptions and avoid a mess in roles? One solution is to introduce periodic verifications. They give us not only psychological comfort, but also proper preparation before the visit of the external auditor.
Our best practices in the area of periodic verifications are based on three main foundations:
First of all, spreading awareness and continuously expanding knowledge in the field of security in every cell of the company's organizational structure. Every SAP user - end user, key user, ABAP programmer, module consultant, Basis team member or operational director - must understand that security is not a one-time project, but a continuous state (of mind).
The more often, the better. However, at the beginning of our verification project it is worth carrying out Periodic Verifications once every six months. With the right tools, such verification will be simple and time-saving for all participants. Where verification is not possible on a semi-annual basis, we should do our best to have one big verification involving the whole organization once a year. This is the absolute minimum.
Each organization can verify any element of the SAP security area. Here are a few standard issues to consider:
As I have already mentioned, our team uses solutions from the GRC SAST Suite group of tools. Here are some examples of how the SAST tool supports the program of Periodic Verifications:
In order to plan periodic verifications well, you should first openly communicate the planned verification activities within the organization. We propose doing this with eye-catching posters at the company's headquarters or graphics posted on the intranet, visible to all employees who will be included in the verification.
It is worth putting a so-called "blocker" in the calendar for the entire period of the planned verification. Booking time slots in advance (even six months ahead) helps us avoid pushing the subject into the background. As day-to-day operational work is often very heavy, there is a danger that the priority of our verification task will be reduced in favor of ongoing support. The consequence would be a perpetual postponement of the Periodic Verifications.
If you are interested in the topic of cyclical inspections and would like to talk to our SAP Security Team about it, please contact us. We will be happy to support you in carrying out periodic verifications, or to advise on the preparation of operating strategies and the training of internal teams.
We recommend reading our other articles on similar topics: