Corporate users often have unauthorized access to critical data in SAP systems. This is often due to a historically grown authorization concept in which roles were inherited and enhanced with additional transactions. A case in point: the buyer of one plant was able to trigger extensive payment runs in other plants. This opened the door to abuse, and unfortunately it is not an isolated case. It can only be remedied by appropriate authorization management.
Minimize risks with a well thought-out authorization concept
The only solution here is a well thought-out authorization concept that ensures right from the start that no risks for the company arise from the combination of authorizations. Sensitive authorizations should therefore only be assigned when absolutely necessary. For example, SAP user companies can use the DSAG (the German SAP User Group) guidelines as a code of practice. The basic IT protection catalogue of the German Federal Office for Information Security (BSI) also demands a restrictive allocation of critical authorizations. In addition, existing role and authorization concepts should be reviewed regularly. An internal control system (ICS) is a further advantage for companies using SAP.
When the accountant comes knocking…
The visit of an accountant is a horror scenario for many companies: if he starts examining an SAP system, and thus also the authorization concept, it is important that all changes are properly documented. And this is precisely where the problems begin: various evaluations within SAP, as well as notes stored in e-mails and folders, have to be gathered and checked. This is not only time-consuming and annoying, but also expensive.
Less work, ensured compliance
Authorization management made easy: changes can be documented automatically and comprehensibly if the SAP authorization system is supplemented with functions such as those offered by setQ (based on the SIVIS tool). The Compliance Manager can be used to simulate the assignment of new authorizations and their effects prior to going live. This software solution can also be used to define different approval procedures for conflicts, which also takes the four-eyes or six-eyes principle into account. The Compliance Reference Manager, for example, offers over 500 automated test queries that can also be expanded individually. Typical conflicts are thus quickly identified and resolved. In this way, roles or authorizations of employees can also be checked periodically or as required.
Three recommendations for SAP users:
1. When assigning rights, make sure that the rights are really necessary for the job in question.
2. Coordinate the assignment of rights with the responsible department. Only the experts there can really assess whether a right is necessary.
3. Periodically question assigned rights via re-certification. This avoids, for example, conflicts that arise when employees change departments.
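As an added illustration of the conflict simulation described above and of the periodic re-certification in recommendation 3 (example code written for this page, not SIVIS or setQ software), the following sketch models roles as sets of SAP transactions, checks them against a small segregation-of-duties rule set, and reports which new conflicts a planned role assignment would introduce. The role names, user IDs and rule set are constructed sample data, and the transaction codes are assumed for illustration.

```python
# Added example, not from the article or SIVIS: a minimal segregation-of-duties
# (SoD) check that simulates a role assignment before it goes live and lists
# users whose current authorizations need re-certification.

# Constructed SoD rules: pairs of transactions one person should not hold together.
# Transaction codes are assumed for illustration (ME21N: create purchase order,
# F110: automatic payment run, FK01: create vendor master, MIGO: goods receipt).
SOD_RULES = {
    ("ME21N", "F110"): "create purchase order + run payments",
    ("FK01", "F110"): "maintain vendor + run payments",
    ("ME21N", "MIGO"): "order goods + post goods receipt",
}

ROLES = {  # constructed role -> granted transactions
    "Z_BUYER_PLANT1": {"ME21N", "ME22N", "MIGO"},
    "Z_AP_CLERK": {"FB60", "F110"},
    "Z_VENDOR_MASTER": {"FK01", "FK02"},
}

USERS = {  # constructed user -> assigned roles
    "buyer01": {"Z_BUYER_PLANT1"},
    "apclerk01": {"Z_AP_CLERK"},
}

def effective_tcodes(roles):
    """Union of all transactions granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles))

def sod_conflicts(tcodes):
    """Sorted list of (tcode_a, tcode_b, description) a single user violates."""
    return sorted((a, b, desc) for (a, b), desc in SOD_RULES.items()
                  if a in tcodes and b in tcodes)

def simulate_assignment(user, new_role):
    """Conflicts the user would newly gain if new_role were added (pre-go-live check)."""
    before = sod_conflicts(effective_tcodes(USERS[user]))
    after = sod_conflicts(effective_tcodes(USERS[user] | {new_role}))
    return [c for c in after if c not in before]

def recertification_report():
    """Every user with a current conflict, for periodic review by the department."""
    report = {}
    for user, roles in USERS.items():
        conflicts = sod_conflicts(effective_tcodes(roles))
        if conflicts:
            report[user] = conflicts
    return report
```

The report shows that buyer01 already combines ordering and goods receipt, and the simulation shows that adding the payables role would additionally let that buyer run payments, which is exactly the combination the article warns about.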
Guest article by Manuela Gruber, SIVIS.