
How secure is your SAP system?

“We don’t have any problems with our SAP Security, our users never complain”

Of course it’s easy to give your users broad authorizations, and they will never complain again. But is this a desirable situation, and do you know how secure your SAP system really is? My experience is that SAP Security (authorizations) is considered a necessary evil and often has a low priority within companies. Worldwide there is a trend of companies realizing that a well-implemented SAP Security concept offers a lot of advantages for the business. In the last few years SAP has focused strongly on Governance, Risk and Compliance (GRC) and has developed a strong toolset to deal with GRC issues.

In the early 21st century there were a few big fraud cases in the USA which resulted in the Sarbanes-Oxley Act (SOX)¹. Companies listed on the New York Stock Exchange have to comply with SOX. One of the most important parts of SOX is that there has to be Segregation of Duties (SOD) within a company. A lack of SOD is not the only risk a company faces. A lot of companies have enhancements besides the standard SAP functionality. Often there are no authorization checks included in these enhancements, which can be a very big risk. Besides that, there are often background job and RFC users with very broad authorization (SAP_ALL). This is a risk when the user type of these users is dialog or service. Normally an audit will fail when there are any users with SAP_ALL on the production system. Emergency users often have SAP_ALL, but it’s wiser to create separate emergency users with limited authorization for the different modules or processes. Too broad authorization can not only lead to fraud but also has another, often unknown, risk: too broad authorization can lead to loops in the business process. This can have a very negative influence on the business process and can result in huge costs. Below you can find an overview of the consequences of too narrow or too broad authorizations.

Too narrow authorization

  • Restrictions are clearly visible
  • Frustration
  • Costs
  • Wandering responsibilities

Too broad authorization

  • Extra authorization outside the business process is invisible
  • Loops in the business process
  • Processes are difficult to adjust
  • Pollution of master and transaction data
  • Fraud
  • Costs
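As an added example (not from the article, and not part of Umoe Consulting’s SAP Security Check), a small Python audit over sample user data applies the SAP_ALL criteria described above: any SAP_ALL holder on a production system is a finding, and a dialog or service user type makes it a high one. The USR02 and UST04 table and field names are SAP’s own; the rows are constructed, and the LOW rating for non-production systems is an assumption.

```python
from dataclasses import dataclass
# USR02-USTYP codes: A=Dialog, B=System, C=Communication, L=Reference, S=Service.
# Dialog and service users can log on interactively, which is what the article
# flags as risky for background job and RFC users that hold SAP_ALL.
INTERACTIVE_TYPES = {"A", "S"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
# Constructed sample rows shaped like USR02 and UST04 exports (user names made up).
USR02 = [
    {"BNAME": "BATCH_FI", "USTYP": "B"},  # background job user, system type
    {"BNAME": "RFC_MM", "USTYP": "A"},    # RFC user wrongly created as dialog
    {"BNAME": "FF_SD", "USTYP": "S"},     # emergency user, service type
    {"BNAME": "JSMITH", "USTYP": "A"},    # ordinary end user
]
UST04 = [
    {"BNAME": "BATCH_FI", "PROFILE": "SAP_ALL"},
    {"BNAME": "RFC_MM", "PROFILE": "SAP_ALL"},
    {"BNAME": "FF_SD", "PROFILE": "SAP_ALL"},
    {"BNAME": "JSMITH", "PROFILE": "Z_SD_CLERK"},
]

@dataclass(frozen=True)
class Finding:
    user: str
    user_type: str
    severity: str

def audit_sap_all(usr02, ust04, production=True):
    """List SAP_ALL holders, most severe first.
    HIGH: dialog/service holder (interactive logon possible).
    MEDIUM: non-interactive holder on production (any SAP_ALL fails an audit there).
    LOW: non-interactive holder on a non-production system (assumed rating)."""
    user_types = {row["BNAME"]: row["USTYP"] for row in usr02}
    findings = []
    for row in ust04:
        if row["PROFILE"] != "SAP_ALL":
            continue
        utype = user_types.get(row["BNAME"], "?")  # "?" = no USR02 master record
        if utype in INTERACTIVE_TYPES:
            severity = "HIGH"
        elif production:
            severity = "MEDIUM"
        else:
            severity = "LOW"
        findings.append(Finding(row["BNAME"], utype, severity))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.user))

def audit_passes(findings, production=True):
    """Production: clean only with no SAP_ALL at all. Elsewhere: no HIGH findings."""
    return not findings if production else all(f.severity != "HIGH" for f in findings)
```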

Another important question is whether it’s clear who is responsible for the authorizations, in other words, whose head is on the block when there are huge problems caused by authorizations. Managers often think that SAP security is the responsibility of the IT department, but IT only provides the technical tools. They can also help to implement the security concept. Security should be a responsibility of the entire business.

As mentioned before, SAP has had a strong focus on GRC for the last couple of years. SAP developed a toolset² that can be used to meet your GRC requirements. For the SAP security part, SAP developed the Access Control toolset. This toolset contains four tools to meet your compliance requirements. These four tools work very well together and use real-time data from the connected SAP systems. One of the quick wins of this toolset is the use of Superuser Privilege Management, a tool for emergency access. The GRC tool is state-of-the-art technology, and of course that has its price. Besides the SAP GRC tools there are other tools available which can help you to check whether your system is SOD free. One of these tools is the CSI Authorization Auditor³, which is used for example within a company like Philips. With standard SAP it’s unfortunately not possible to check SOD risks, but you can check the most important security risks in SAP. Umoe Consulting developed the SAP Security Check to check your most important security settings. The SAP Security Check consists of a list of questions and a check of the security settings in your SAP system.

¹ See SOX for more information about the Sarbanes-Oxley Act

² See SAP GRC toolset for more information about the GRC toolset

³ See CSI Authorization Auditor for more information about the CSI Authorization Auditor



Please do not hesitate to contact us if you have any concerns about your SAP Security. Send a mail to sap@umoeconsulting.no or call Vidar Kalsund, +47 93 25 86 30

About the author

Stephan Neeten (The Netherlands, 1973) has more than 12 years of experience as an SAP consultant. He is specialized in SAP security and is also a certified SCM order fulfillment consultant. Stephan has participated in several SAP security projects for multinationals (Philips, ASML) and has broad experience as a member of security teams. Since 1 October 2009 Stephan has been working as SAP Security Specialist at Umoe Consulting.

