Are too much permissions for the SAP user

a threat?

It would seem that - for sure - every system administrator, as well as - at least - top management users are well aware of the access rights to the system each of them has.

NOWISE!

Practice in the scope of performing SAP system audits has shown that this is not the case.

What to pay attention to when granting permissions?

It often happens that the authorizations granted to a SAP user are too extensive. Even if they are aware of the scope of their rights, in the case of the risk that they may be associated with - this awareness is missing.

Administrators, on the other hand, are not able to monitor threats, do not have documentation of critical activities, and do not have a chance to take remedial measures.

What is the risk of having too much authority?

I think that the most striking example (especially for people holding managerial positions in the area of finance, e.g. financial directors) will be whenthe user (let it be a consultant) has an account allowing him to create and modify financial documents.

Are such permissions needed for this user?

The Finance Director will say - Impossible! But still! Such situations take place very often, and in fact they are a trap for the person who has them, because they increase the risk of erroneous interference (I do not assume deliberate action) in the documents to which they have access, and provide users from the financial department with additional - unnecessary - work related to correcting these activities.

The most common threats

This time let it be the SAP BASIS module administrator. It is very common for users to have the following permissions of this type:

• access to business transactions,
• the possibility of influencing this data,
• creating users,
• assigning them specific roles or program editing.

It is easy to guess that a user with such permissions it also has access and the possibility to modify data in the General Ledger.

What does it mean?

He can make changes to the chart of accounts, and further - all business events that are important for the company / organization.

Does the administrator need such permissions? The answer is - NO.

Why?

Because such a range of authorizations for a given person (user) poses a real threat to the security of the system.

SUMMARY

To sum up: my colleague, who is the absolute best SAP system administrator I know, says:

"The user of the production with the development key is God."

And he definitely knows what he is talking about. A person with such a key / authorization can make any changes to the production system.

Example: he can write a delete program, a modifier, etc.

Think - it is impossible for such situations to happen!

Take our word for it - situations with incorrectly assigned permissions happen very often!

If managing and controlling permissions are a challenge for you, contact us!

OTHER ARTICLES ABOUT SAP AUTHORIZATIONS WORTH READING:

• What Should the SAP Entitlement Concept Contain?
• Authorization Concepts in the SAP System
• SAP User Monitoring
• What Rights do Employees Have for SAP
• SAP Dictionary of Terms
• SAP Authorization Reorganization
• What is SoD?
• SAP System