Hello lovely readers!
I have some exciting news! “Beginner’s Guide to SAP Security and Authorizations” is officially available for purchase in paperback or kindle via Amazon here. Get yours today!
In other news, I’m hosting a virtual book club meeting on Friday, May 20th at 1pm EST. You can sign up here.
Looking forward to getting to know all of you even better as I embark on this new journey. #author
Excerpt from new release Beginner`s Guide to SAP Security and Authorizations.
Introduction to SAP Security and Authorizations concept
SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. This book will focus on the application of SAP authorizations and how user access can be limited by transaction codes, organizational levels, field values, etc. SAP Security and Authorizations is designed so that the system must explicitly indicate what each user can do. This is done by assigning authorization roles, which are groupings of
profiles comprised of authorizations.
The basic architecture of SAP Security and Authorizations is a 6-tiered
approach:
1. User Master Record: Accounts for users to enable access to the SAP system; primarily used for user administration purposes.
2. Role: Compilation of transactions and permissions that are assigned to one or more user master records; usually includes commonality amongst a job role or job task.
3. Profile: Assigned when a role is generated and added to its corresponding user master record.
4. Authorization Object Class: Logical grouping of authorization objects by business area.
5. Authorization Object: Groupings of 1-10 authorization fields; configuration is performed against authority check statements written in the SAP code.
6. Authorization Field: Least-granular element in which values can be maintained to secure data and information.
Authorizations can be useful in limiting access to items such as: billing and vendor information, personnel and payroll information, key financial data, and critical system areas such as basis, configuration, development, and security. Users obtain their authorizations by being assigned to roles and users cannot start a transaction or complete a transaction without the proper authorization role assignment. In order to perform an action, a user may need several authorizations. For example, in order to create a sales order, the user will need access to the transaction, the “create” authorization, general authorization for the sales org, and the authorization for the specific sales document type. Therefore, the relationships required in order to meet user access requirements can become very complex.
The SAP authorization concept was created on the basis of authorization objects. Each authorization object is comprised of multiple authorization fields. A user’s permissions always refer to authorization objects, which can contain a single value or a range of values for each field. Both report and dialog transactions in SAP have predefined “authorization checks” embedded in the program logic which protects the functions and information within them.
The basis of an organization’s role design should always be the rule of least privilege, which is the SAP Security best practice of giving users exactly what they need to perform their job responsibilities, not much more, and not much less. Access creep is the adversary of this privilege as users may retain unnecessary access after a job function change or may receive unnecessary access as a result of the application of permissions or transactions to roles which are shared between users who have similar, but not identical, responsibilities. Ultimately, security is the gateway
to the SAP system, but it can often be difficult to manage and understand. Information stored in SAP is a valued business asset, and SAP Security can aid an organization by increasing flexibility and customization at the user level and protecting critical information from unauthorized use.
This book includes SAP best practices for user and role maintenance and how to create an SAP Security design that is both low maintenance and scalable. You will learn how to use and interpret SAP authorizations and troubleshoot security and authorization issues. Lastly, you will discover some advanced topics surrounding SAP authorizations, including an overview on upgrading your SAP Security environment and reducing avoidable segregation of duties conflicts.
SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. This book will focus on the application of SAP authorizations and how user access can be limited by transaction codes, organizational levels, field values, etc. Explore the basic architecture of SAP Security and Authorizations, including user master records, roles, profiles, authorization object classes, authorization objects, and authorization fields. Dive into how to create user profiles and assign roles. Get tips on leveraging the profile generator transaction, PFCG. Obtain valuable tools and tables for identifying user master records and role and authorization information. By using practical examples, tips, and screenshots, the author brings readers new to SAP Security and Authorizations up to speed.
– Basic architecture of SAP Security and Authorizations
– GRC Access Control introduction
– User profile creation and role assignments
– Common security and authorization pain point troubleshooting
Author Tracy Juran (Levine), CPIM, is a Managing Consultant at IBM as part of the Security Services Risk and Compliance practice. She has extensive experience in SAP Security and Authorizations; SAP Governance, Risk, and Compliance (GRC); and core cross-functional business processes. Tracy is a die-hard Ohio State Buckeyes fan and loves to plan parties with friends and travel the world; her favorite destinations include Thailand, Peru, and Israel. She resides in Cincinnati, Ohio with her husband, Josh, their dog, Markley, and cat, Misha. For more information please visit Tracy-Levine.com.Excerpt from new release: Beginner`s Guide to SAP Security and Authorizations
The aim of Remediation is not to suppress all the conflicts but to have them all under control.
For each identified risk, there are 4 possible solutions for remediation/mitigation.
REMEDIATION:
MITIGATION:
Remediation: Actions taken to eliminate an identified risk. Typical SAP remediation activities include, but not limited to:
Mitigation: Actions taken to monitor risks which cannot be remediated. Mitigation is a less desirable action due the costs associated with the maintenance, execution and traceability requirements of the mitigating control.
Once we save the data and authorize a user (the Delegate) to perform task on behalf of other user (the Delegator), user (the Delegate) is eligible/authorize to see the INBOX of Delegator for that particular period.
*Before this delegation happened, user (the Delegate) was able to see only his tasks.
*If user (the Delegate) needs to see his own Tasks in Work Inbox, he needs to change the delegation back to ‘Own Behalf’ in Change Delegation window as shown below.
What is a derived role?
| Pros | Cons |
| No Updates Needed Post-Upgrade | Increased number of technical security roles |
| Eliminates Human Error | |
| Simplification of Role Administration Tasks | |
| Program to mass update values in org level window | |
| Decreases level of effort required for testing |
What is an enabler role?
| Pros | Cons |
| Reduced number of technical security roles | All Enabler Roles Updated Post- Upgrade |
| Flexibility in complex / low level data restriction designs/build | No automation to maintain authorization objects within enabler roles |
| Frequency of human error increases | |
| More complex org structure = more complex enabler role design | |
| Non-standard SAP approach |
This is a master data change and will be done in DEV.
Check out this article on “Corporate Compliance Insights” written by yours truly!
Here’s a great blog article I found that puts SAP HANA into perspective. For anyone like me who is “lost in all the marketing and technical jargon…”
Hola amigos!
Long time no hablamos (no talk). Few things to catch you up on…
I spent the last week in Peru with Josh, Allyson and Brian petting llamas, eating alpaca and guinea pig (seriously) and hiking Machu Picchu.
Machu Picchu: La Maravilla del Mundo
I recently submitted the second chapter of my book to my publisher for review. You can pre-order the “Beginner’s Guide to SAP Security and Authorizations” on Amazon here.
And the third and final bit of news… after 4 years at itelligence I decided to take a new position at a large firm. The whole transition has been bittersweet, but ultimately this was the best decision for my family (aka the dog and the cat) and my career. In my new role, I will taking on the position of managing consultant in which I will be leading SAP Security and GRC Implementations teams here in the United States and abroad. Wish me luck! I promise to keep you all satiated with lots of new tips and tricks of the trade that I pick up along the way.
Te amo mucho (I love you lots),
Tracy
A collection of musings for those who will do from those who have done.
The TED Blog shares news about TED Talks and TED Conferences.
A practical guide to IT Risk Management, Project Management and Methodologies & Life's Little Pleasures.
Timo Elliott's Blog
Tracy Juran (Levine) 