Virtual Book Club Meeting & Beginner’s Guide Now Available!

Hello lovely readers!

I have some exciting news! “Beginner’s Guide to SAP Security and Authorizations” is officially available for purchase in paperback or kindle via Amazon here. Get yours today!

In other news, I’m hosting a virtual book club meeting on Friday, May 20th at 1pm EST. You can sign up here.

Looking forward to getting to know all of you even better as I embark on this new journey. #author

Excerpt from new release: Beginner’s Guide to SAP Security and Authorizations


Introduction to SAP Security and Authorizations concept
SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. This book will focus on the application of SAP authorizations and how user access can be limited by transaction codes, organizational levels, field values, etc. SAP Security and Authorizations is designed so that the system must explicitly indicate what each user can do. This is done by assigning authorization roles, which are groupings of profiles comprised of authorizations.
The basic architecture of SAP Security and Authorizations is a 6-tiered approach:
1. User Master Record: Accounts for users to enable access to the SAP system; primarily used for user administration purposes.
2. Role: Compilation of transactions and permissions that are assigned to one or more user master records; usually includes commonality amongst a job role or job task.
3. Profile: Assigned when a role is generated and added to its corresponding user master record.
4. Authorization Object Class: Logical grouping of authorization objects by business area.
5. Authorization Object: Grouping of 1 to 10 authorization fields; the values maintained for it are evaluated by the AUTHORITY-CHECK statements written in the SAP code.
6. Authorization Field: Least-granular element in which values can be maintained to secure data and information.

Authorizations can be useful in limiting access to items such as: billing and vendor information, personnel and payroll information, key financial data, and critical system areas such as basis, configuration, development, and security. Users obtain their authorizations by being assigned to roles and users cannot start a transaction or complete a transaction without the proper authorization role assignment. In order to perform an action, a user may need several authorizations. For example, in order to create a sales order, the user will need access to the transaction, the “create” authorization, general authorization for the sales org, and the authorization for the specific sales document type. Therefore, the relationships required in order to meet user access requirements can become very complex.

The SAP authorization concept was created on the basis of authorization objects. Each authorization object is comprised of multiple authorization fields. A user’s permissions always refer to authorization objects, which can contain a single value or a range of values for each field. Both report and dialog transactions in SAP have predefined “authorization checks” embedded in the program logic which protects the functions and information within them.
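To make the "several authorizations" point above concrete, here is a small Python model of how an AUTHORITY-CHECK evaluates a user's authorizations. It is an added illustration, not code from the book or from SAP. The rule it models is real SAP behaviour: a check passes only when a single authorization (one maintained instance of the object) covers every field value checked, so values are never combined across two authorizations. S_TCODE, V_VBAK_VKO and V_VBAK_AAT are real authorization objects; the two roles, their values, the user and the sequence of checks standing in for VA01 are constructed sample data.

```python
"""Added illustration (not code from the book): a model of how SAP
evaluates AUTHORITY-CHECK statements against a user's authorizations.

Rules modelled:
  * A check names an authorization object and values for some of its
    fields.  It passes only if ONE authorization (one maintained instance
    of that object in the user's buffer) covers EVERY checked field.
  * A maintained value is a single value, a trailing-'*' pattern, or a
    (low, high) range.  '*' alone covers everything.
  * A transaction runs several checks; all of them must pass.

S_TCODE, V_VBAK_VKO and V_VBAK_AAT are real SAP objects; the roles, values
and the check sequence standing in for VA01 are constructed sample data.
"""


def value_matches(allowed, actual: str) -> bool:
    """One maintained value against one checked value."""
    if isinstance(allowed, tuple):              # (low, high) range
        low, high = allowed
        return low <= actual <= high
    if allowed == "*":
        return True
    if allowed.endswith("*"):                   # trailing wildcard
        return actual.startswith(allowed[:-1])
    return allowed == actual


def authorization_covers(fields: dict, checked: dict) -> bool:
    """Does this single authorization satisfy all checked field values?"""
    for name, actual in checked.items():
        maintained = fields.get(name)
        if not maintained:                      # field empty -> no access
            return False
        if not any(value_matches(v, actual) for v in maintained):
            return False
    return True


def authority_check(buffer: list, obj: str, **checked) -> bool:
    """AUTHORITY-CHECK OBJECT obj ID f FIELD v ...; True means sy-subrc = 0."""
    return any(authorization_covers(fields, checked)
               for o, fields in buffer if o == obj)


def user_buffer(*roles: list) -> list:
    """A user's authorizations are the union of those in all assigned roles."""
    return [auth for role in roles for auth in role]


# Constructed sample roles: (object, {field: [maintained values]}).
# Create/change/display sales orders of type OR in sales org 1000 only.
Z_SD_ORDER_1000 = [
    ("S_TCODE",    {"TCD": ["VA01", "VA02", "VA03"]}),
    ("V_VBAK_VKO", {"VKORG": ["1000"], "VTWEG": ["*"], "SPART": ["*"],
                    "ACTVT": ["01", "02", "03"]}),
    ("V_VBAK_AAT", {"AUART": ["OR"], "ACTVT": ["01", "02", "03"]}),
]
# Display-only access to all sales orders in every sales org.
Z_SD_ORDER_DISPLAY_ALL = [
    ("S_TCODE",    {"TCD": ["VA03"]}),
    ("V_VBAK_VKO", {"VKORG": ["*"], "VTWEG": ["*"], "SPART": ["*"],
                    "ACTVT": ["03"]}),
    ("V_VBAK_AAT", {"AUART": ["*"], "ACTVT": ["03"]}),
]


def create_sales_order_failures(buffer, vkorg, vtweg, spart, auart) -> list:
    """Simplified stand-in for the checks a create transaction performs.
    Returns the objects whose check fails (empty list = create allowed)."""
    checks = [
        ("S_TCODE",    dict(TCD="VA01")),
        ("V_VBAK_VKO", dict(VKORG=vkorg, VTWEG=vtweg, SPART=spart, ACTVT="01")),
        ("V_VBAK_AAT", dict(AUART=auart, ACTVT="01")),
    ]
    return [obj for obj, ids in checks if not authority_check(buffer, obj, **ids)]


if __name__ == "__main__":
    buf = user_buffer(Z_SD_ORDER_1000, Z_SD_ORDER_DISPLAY_ALL)
    print(create_sales_order_failures(buf, "1000", "10", "00", "OR"))   # []
    # Sales org 2000: the display role covers VKORG 2000 but only ACTVT 03,
    # the create role has ACTVT 01 but only VKORG 1000.  No single
    # authorization covers both, so the org-level check fails.
    print(create_sales_order_failures(buf, "2000", "10", "00", "OR"))   # ['V_VBAK_VKO']
```

The second call is the case that trips up most people new to the concept: the user "has" sales org 2000 and "has" activity 01, but in different authorizations, so the create in 2000 is refused. That is also why a transaction trace (ST01) or SU53 shows the failing object together with all its checked field values rather than a single missing value.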

The basis of an organization’s role design should always be the rule of least privilege, which is the SAP Security best practice of giving users exactly what they need to perform their job responsibilities, not much more, and not much less. Access creep is the adversary of this principle: users may retain unnecessary access after a job function change, or may receive unnecessary access when permissions or transactions are added to roles shared between users who have similar, but not identical, responsibilities. Ultimately, security is the gateway to the SAP system, but it can often be difficult to manage and understand. Information stored in SAP is a valued business asset, and SAP Security can aid an organization by increasing flexibility and customization at the user level and protecting critical information from unauthorized use.

This book includes SAP best practices for user and role maintenance and how to create an SAP Security design that is both low maintenance and scalable. You will learn how to use and interpret SAP authorizations and troubleshoot security and authorization issues. Lastly, you will discover some advanced topics surrounding SAP authorizations, including an overview on upgrading your SAP Security environment and reducing avoidable segregation of duties conflicts.

Keep reading in Beginner’s Guide to SAP Security and Authorizations.

SAP has a wide range of built-in functionality to meet various security requirements, including network protection, data protection, and SAP authorizations. This book will focus on the application of SAP authorizations and how user access can be limited by transaction codes, organizational levels, field values, etc. Explore the basic architecture of SAP Security and Authorizations, including user master records, roles, profiles, authorization object classes, authorization objects, and authorization fields. Dive into how to create user profiles and assign roles. Get tips on leveraging the profile generator transaction, PFCG. Obtain valuable tools and tables for identifying user master records and role and authorization information. By using practical examples, tips, and screenshots, the author brings readers new to SAP Security and Authorizations up to speed.

– Basic architecture of SAP Security and Authorizations
– GRC Access Control introduction
– User profile creation and role assignments
– Common security and authorization pain point troubleshooting

Author Tracy Juran (Levine), CPIM, is a Managing Consultant at IBM as part of the Security Services Risk and Compliance practice. She has extensive experience in SAP Security and Authorizations; SAP Governance, Risk, and Compliance (GRC); and core cross-functional business processes. Tracy is a die-hard Ohio State Buckeyes fan and loves to plan parties with friends and travel the world; her favorite destinations include Thailand, Peru, and Israel. She resides in Cincinnati, Ohio with her husband, Josh, their dog, Markley, and cat, Misha. For more information please visit Tracy-Levine.com.

Remediation vs. Mitigation 2.0

The aim of Remediation is not to suppress all the conflicts but to have them all under control.

For each identified risk, there are 4 possible solutions for remediation/mitigation.

REMEDIATION:

  • Modify user authorizations/roles to remove risk.
  • Change the organization’s job roles and responsibilities matrix so that the user no longer requires the access.

MITIGATION:

  • Remove the user’s conflicting authorizations/roles and instead give the user temporary, monitored access to the risky function by provisioning a firefighter ID.
  • Create and apply the appropriate mitigating or compensating control to the risk.

Remediation vs. Mitigation 1.0

Remediation: Actions taken to eliminate an identified risk. Typical SAP remediation activities include, but are not limited to:

  • Simple Security Roles Modifications
  • Functional Activity Groups Modifications
  • Updating SoD Risk
  • Creating New SoD Risks
  • Updates to Functions
  • Creation of New Functions
  • Updates to Actions
  • Restricting Users Access

Mitigation: Actions taken to monitor risks which cannot be remediated. Mitigation is the less desirable option because of the costs associated with the maintenance, execution, and traceability requirements of the mitigating control.

SAP GRC Access Control 10.x: How to Set Up & Use Approver Delegation

How To Set Approver Delegation

  1. In the My Home tab, choose Approver Delegation. The Approver Delegation screen appears.
  2. Choose the Delegate button.
  3. In the Approver ID field, identify the user to whom you wish to delegate your approver duty by entering the following:
    • Last Name
    • First Name
    • E-Mail address
  4. In the Valid From and Valid To fields, choose the Calendar icon to specify the date range during which the delegated approver has approval authority.
  5. Choose “Active” for Status.
  6. Choose Save.
  7. The Approver Delegation screen appears with a success message at the top and with the name of the approver in the delegations table.
  8. Make sure that the Status icon is activated for the current delegated approver.

Keep the Valid To date as short as the absence requires: a standing delegation hands the delegator’s approval authority to a second account for as long as it is active, so it should be reviewed and closed like any other privileged assignment.

How To Use Approver Delegation

Once the delegation is saved, the delegate is authorized to perform tasks on behalf of the delegator: for the validity period, the delegate is eligible to see the delegator’s Work Inbox.

  1. The delegate clicks ‘Change Delegation’ on the GRC home page (NWBC or Portal) and ticks the ‘All sessions closed’ check box.
  2. The delegate then chooses the delegator, the user on whose behalf the work is to be performed.
  3. Once the delegate saves this selection, the Work Inbox is replaced with the delegator’s tasks. If the delegate now opens the Work Inbox, it lists only the delegator’s tasks.

*Before the delegation took effect, the delegate could see only their own tasks.

*To see their own tasks in the Work Inbox again, the delegate must change the delegation back to ‘Own Behalf’ in the Change Delegation window, as shown below.

SAP Application Security: Derived vs. Enabler Role Concept Design

What is a derived role?

  • SAP standard approach to restricting access by organizational data while reducing role administration tasks
  • Parent (master role) and child (derived role) concept: the child role has the same transactions and authorizations as the parent, except for the organizational level values
  • The parent role carries the authorizations with the organizational levels left open (wide-open access to all organizational entities) and is normally not assigned to users
  • Each child role restricts those organizational levels to a specific unit (e.g. Company Code 1000)
  • Simplified maintenance at the derived role level, as only the organizational levels need to be maintained there
  • Minimizes human error during authorization maintenance through automation, and reduces testing effort

Pros:
  • No manual updates to derived roles needed post-upgrade (adjust the master and re-derive)
  • Reduces human error
  • Simplification of role administration tasks
  • Program available to mass update values in the org level window
  • Decreases level of effort required for testing

Cons:
  • Increased number of technical security roles

What is an enabler role?

  • Non-standard approach to organizational restriction that reduces the number of technical roles
  • A single, manually created, authorization-object-only technical role (no t-codes) that grants access to one restricted organizational unit (e.g. Company Code 1000)
  • The corresponding authorization objects in the functional roles must be “disabled” (deactivated), so that the organizational check is satisfied only through the enabler role
  • A single common authorization object may be responsible for a particular organizational security check in hundreds of transaction codes; it can be contained in one enabler role

Pros:
  • Reduced number of technical security roles
  • Flexibility in complex / low-level data restriction designs and builds

Cons:
  • All enabler roles must be updated manually post-upgrade
  • No automation to maintain authorization objects within enabler roles
  • Frequency of human error increases
  • More complex org structure = more complex enabler role design
  • Non-standard SAP approach

Because one enabler role serves every functional role that needs that organizational check, its other field values (for example the activity field) have to be wide enough for all of them; check that this does not hand a user with a display-only functional role more activity than intended.
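The following Python script builds the same sales-org restriction both ways, as derived roles and as enabler roles, and then compares what the user ends up with and how many roles an administrator has to edit by hand when the master changes. It is an added illustration, not code from the original post or from SAP: S_TCODE, V_VBAK_VKO and V_VBAK_AAT are real authorization objects, but the role contents are constructed sample data, VKORG is assumed to be the only organizational level in scope, and the “$VKORG” placeholder is this script’s convention for the unfilled org level in the master role.

```python
"""Added illustration (not code from the post): the same sales-org
restriction built first as derived roles and then as enabler roles.

  Derived:  master role = transactions + all authorizations, org-level
            fields left open; each child is a copy with only the org-level
            values filled in, so re-deriving after a master change updates
            every child.
  Enabler:  functional role = transactions + non-org authorizations with
            the org-level object removed (deactivated); one hand-built
            enabler role per org unit carries that object with a value.

Object names are real SAP objects; role contents are constructed sample
data, 'VKORG' is assumed to be the only org-level field in scope, and the
'$VKORG' placeholder stands for the unfilled org level in the master.
"""
import copy

ORG_LEVEL_FIELDS = {"VKORG"}   # assumption: the org-level fields in scope

MASTER = {
    "name": "Z_SD_ORDER",
    "tcodes": ["VA01", "VA02", "VA03"],
    "auths": [
        ("V_VBAK_VKO", {"VKORG": ["$VKORG"], "VTWEG": ["*"], "SPART": ["*"],
                        "ACTVT": ["01", "02", "03"]}),
        ("V_VBAK_AAT", {"AUART": ["OR"], "ACTVT": ["01", "02", "03"]}),
    ],
}


def has_org_level(fields: dict) -> bool:
    """Does this authorization carry an org-level field?"""
    return bool(set(fields) & ORG_LEVEL_FIELDS)


def derive(master: dict, org_values: dict) -> dict:
    """Child role: identical to the master except the org-level values."""
    child = copy.deepcopy(master)                 # master itself is untouched
    child["name"] = f"{master['name']}_{'_'.join(org_values.values())}"
    for _obj, fields in child["auths"]:
        for fld in fields:
            if fld in ORG_LEVEL_FIELDS:
                fields[fld] = [org_values[fld]]
    return child


def split_for_enabler(master: dict, org_units: list) -> tuple:
    """Functional role without the org-level objects, plus one enabler
    role per org unit carrying only those objects with a concrete value."""
    functional = {
        "name": f"{master['name']}_FUNC",
        "tcodes": list(master["tcodes"]),
        "auths": [copy.deepcopy(a) for a in master["auths"]
                  if not has_org_level(a[1])],
    }
    enablers = []
    for unit in org_units:
        auths = []
        for obj, fields in master["auths"]:
            if has_org_level(fields):
                auths.append((obj, {f: ([unit] if f in ORG_LEVEL_FIELDS else list(v))
                                    for f, v in fields.items()}))
        enablers.append({"name": f"Z_ENABLER_{unit}", "tcodes": [], "auths": auths})
    return functional, enablers


def effective_access(roles: list) -> tuple:
    """Union of transactions and authorizations from all assigned roles,
    normalised so that the two designs can be compared."""
    tcodes = sorted({t for r in roles for t in r["tcodes"]})
    auths = sorted((obj, tuple(sorted((f, tuple(v)) for f, v in fields.items())))
                   for r in roles for obj, fields in r["auths"])
    return tcodes, auths


def roles_to_edit_by_hand(design: str, changed_obj: str, org_units: list) -> int:
    """Roles an administrator edits for a change to one authorization object:
    derived = the master only (children are regenerated); enabler = every
    enabler role if the object is org-level, otherwise the one functional role."""
    if design == "derived":
        return 1
    org_objs = {obj for obj, fields in MASTER["auths"] if has_org_level(fields)}
    return len(org_units) if changed_obj in org_objs else 1


if __name__ == "__main__":
    units = ["1000", "2000", "3000"]
    derived_1000 = derive(MASTER, {"VKORG": "1000"})
    functional, enablers = split_for_enabler(MASTER, units)
    same = effective_access([derived_1000]) == effective_access([functional, enablers[0]])
    print("same effective access for sales org 1000:", same)                            # True
    print("derived, change to V_VBAK_VKO:", roles_to_edit_by_hand("derived", "V_VBAK_VKO", units))  # 1
    print("enabler, change to V_VBAK_VKO:", roles_to_edit_by_hand("enabler", "V_VBAK_VKO", units))  # 3
```

For one org unit the two designs give the user exactly the same authorizations, which is why both pass the same functional test. The difference shows up in maintenance: a change to the org-level object after an upgrade is one edit plus a re-derive in the derived design, but one edit per enabler role in the enabler design, and the count grows with the org structure.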

How to Mitigate Users in Mass in GRC Access Control 10.x

How to Upload Mitigating Control Assignments in Mass


This is a master data change and will be done in DEV.

  1. Log in to GRC DEV via the SAP GUI.
  2. Go to transaction SE38.
  3. Enter program GRAC_UPLOAD_MIT_ASSIGNMENTS and click the execute button.
  4. Select object type “user” and browse for the file you have created. You can either append to or overwrite existing assignments. Then click the execute button.
  5. The format of the file to be uploaded can be obtained by running program GRAC_DOWNLOAD_MIT_ASSIGNMENTS in transaction SE38; downloading the current assignments also gives you a template with existing data to check your file against. The format will be as follows: