What is SoD ? - Authorization conflict #1

Reading time: 5 min.
Tomasz Jurgielewicz

SAST has defined SoD control mechanisms in its package. These principles are based on the verification standards used by leading audit firms. They therefore cover all the necessary monitoring requirements. However, each of the clients using SAST can also adapt their internal requirements and implement them into their own matrix.

In today's article, we will discuss what SoD is and how to strengthen its control in an organization using the example of a permission conflict at the BASIS level

What is SoD?

Segregation of Duties – separation of responsibilities, which means that certain tasks within a given business process should not be performed by the same person or organizational unit in accordance with:

  • Legal regulations
  • Audit recommendations
  • The need to protect data for use by the relevant departments

SAST Authorization Management andSAST Risk and Compliace Management allows us to prepare a matrix of permissions conflicts not only at the transaction level, but also we have the ability to add dependent authorization objects.

Let's use an example of a permission conflict at the BASIS level, where users can manage users and modify roles in SAP at the same time.

EXAMPLE OF A CONFLICT AT THE BASIS LEVEL

1. Defining critical authorizations for a process BC_AUTH_ADMIN

Each critical authorization has a unique ID (Authorization ID).

The authorization ID list is shown in the table.

Each critical authorization defines dependent transactions and authorizations.

  • BC_PROFILE_CHANGE - BC-USR - create/maintain/generate profiles

  • BC_ROLE_CREATE - BC-USR - Profile Generator create roles SAST BC_ROLE_CREATE
  • BC_ROLE_UPD_OR_GEN - BC-USR - Profile Generator roles change/generate

  • BC_TCD_AUTH_SWITCH_O - AUTH_SWITCH_OBJECTS: Deaktivate authorization objects

  • BC_TCD_CRM_ROLE_COPI - Role Copier (Portal Administration)

  • BC_TCD_CRM_ROLE_MAP - Admin Tools: Role Mappings Adder

  • BC_TCD_SU03 - SU03: Maintain Authorizations

  • BC_TCD_SU20 - SU20: Maintain Authorization Fields

  • BC_TCD_SU21 - SU21: Maintain Authorization Objects

  • BC_TCD_SU22 - SU22: Modify Authorization Object Check for Transactions

  • BC_TCD_SU24 - SU24: Auth. Obj. Check Under Transactions

  • BC_TCD_SU25 - SU25: Upgrade Tool for Profile Generator

  • BC_TCD_SU26 - SU26: Upgrade Tool for Profile Generator

  • BC_TCD_SUPC - SUPC: Role Profiles

2. Defining critical authorizations for a process BC_USER_ADMIN

Each critical authorization has a unique ID (Authorization ID).

The Authorization ID list is shown in the table.

konflikt uprawnień_blog_sast_polska

Each critical authorization defines dependent transactions and authorizations.

  • BC_TCD_EWZ5 - BC: User lock and unlock with EUR-tools

  • BC_TCD_EWZ6 - BC: User lock and unlock with EUR-tools

  • BC_TCD_SU01 - Administration of User master Data

  • BC_TCD_SU01_PW - BC-USR - V_T681F: RevAccDeter - Allowed Flds

  • BC_TCD_SU01_PW_SUPER - BC-USR - User Maintenance

  • BC_TCD_SU10 - SU10: User Mass Maintenance

  • BC_TCD_SU12 - SU12: Mass Changes to User Master Records

  • BC_USER_CHANGE_RFC - BC-USR - Create or change user via RFC (Group SUSK)

  • BC_USER_CHANGE_RFC_2 - BC-USR - Create or change user via RFC (Group SU_USER)

We describe the resulting conflict, which we will be able to add to the SoD Authorizations Matrix

konflikty uprawnień_3_blog_sast polska

4. We prepare a description of the risk, where it is contained, which are among others: identifier, level of criticality, title, reason for the risks

konflikty uprawnień_4 blog sast polska

SUMMARY

In order toremoval of SoD conflict in a role, we must eliminate one process.
The role must be modified enough to get rid of transactions and dependent authorization objects from one process.

The tool provided by Akquinet which is SAST helps customersstrengthen SoD control in your organization. This product allows todetect, analyze, monitor and build risks.
Automates access control for critical transactions contained in SAP roles.

Author: Marek /Sast Team Polska/

ALSO WORTH READING:

If you find this article valuable, please share it.
This will allow us to reach new people. Thank you in advance!

We will take care of the digital transformation of your business

Do you want to protect your business against cyber attacks? Or maybe you are planning a digital transformation or looking for IT specialists for a project? We are happy to help. We are here for you. Let's talk about professional IT services for your company.
Contact Us
Darmowy e-book

Wszystko, co musisz wiedzieć
o migracji z SAP ERP na SAP S/4HANA

Nasz zespół ekspertów przygotował dla Ciebie
e-poradnik, dzięki któremu zrobisz to łatwo, bezboleśnie i bez szkody dla bezpieczeństwa
Twojej firmy.

To praktyczna wiedza podana w przystępnym
języku - zupełnie za darmo.
Pobierz darmowego e-booka
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Visit our Social Media:
Lukardi 2022. All Rights Reserved. 
Made with