SAP Security governs what data and processes users can access inside an SAP landscape. Typically, users are given just enough access to do their jobs. In order to understand the basics of how SAP security operates, picture a warehouse with many locked rooms. To do a task, a user needs to enter (and have access to) the correct room.
The job of SAP security services is to make sure each user only has keys to the rooms they’re supposed to be able to access — this way, employees are prevented from accidentally damaging data they shouldn’t have access to (or potentially creating a security issue should they compromise sensitive information). Want to know more? Here’s a quick guide to the SAP security basics:
SAP Security Basics — Security vs. GRC
SAP security isn’t the same thing as governance, risk and compliance (GRC). GRC audits user access to spot problems with user privileges or behavior, then it puts together a compliant provisioning program, which is implemented using SAP security tools.
SAP Security — Basics of Access Control
SAP security assigns roles to users. Each role allows users to run certain transactions (processes within the SAP system). When running a transaction, the user gets authorisations to perform specific tasks.
Under SAP security best practices, admins create a standard role for a position, which can then be assigned to anyone occupying that position. For example, a company might create a financial consultant role that permits each consultant to run a set of transactions related to credit limits and other tasks their job covers. Each consultant would receive SAP HANA security authorisation to address customer credit limits, but only for their own customers. This lets the consultants do their jobs, while minimising the security risks they pose.
Why SAP Security Basics Are Easy to Get Wrong
SAP security settings can interact in complex, unintended ways. Authorisations are shared between transactions, so sharing access to a piece of data can give inadvertent access elsewhere. For example, one of our customers had previously granted a manager access to see their employee’s performance appraisal, but configured it incorrectly. As a result, the manager was able to see their own appraisal before it was complete.
Getting SAP security basics wrong can have far more damaging effects. For example, if a customer manager who is supposed to only see customer names is accidentally granted access to their credit card information, it can lead to a PCI breach, theft or fraud. Additionally, certain types of access, like debug, allow users to bypass access controls entirely, creating major risks if they aren’t handled appropriately.
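The appraisal problem described above can be caught by a role-design check. The following is an added example, not code from this article or from any SAP tool. It assumes a simplified model in which a user's authorisations from all assigned roles are pooled and every transaction checks against that pool; all role, transaction and authorisation names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: role, transaction and authorisation names are
# hypothetical, not real SAP objects or any customer's actual configuration.
ROLES = {
    "EMPLOYEE_SELF_SERVICE": {
        "transactions": {"VIEW_OWN_APPRAISAL"},
        "auths": {("APPRAISAL", "STATUS"): {"COMPLETED"}},
    },
    "TEAM_MANAGER": {
        "transactions": {"VIEW_TEAM_APPRAISAL"},
        "auths": {("APPRAISAL", "STATUS"): {"IN_PROGRESS", "COMPLETED"}},
    },
}
# The authorisation each transaction checks before showing data (assumed).
TRANSACTION_CHECKS = {
    "VIEW_OWN_APPRAISAL": ("APPRAISAL", "STATUS"),
    "VIEW_TEAM_APPRAISAL": ("APPRAISAL", "STATUS"),
}

def effective_access(role_names):
    """Pool all roles: per transaction, each allowed value and who granted it."""
    pooled = defaultdict(dict)   # auth key -> {value: set of granting roles}
    txns = {}                    # transaction -> set of roles that contain it
    for name in role_names:
        role = ROLES[name]
        for key, values in role["auths"].items():
            for value in values:
                pooled[key].setdefault(value, set()).add(name)
        for txn in role["transactions"]:
            txns.setdefault(txn, set()).add(name)
    return {t: pooled[TRANSACTION_CHECKS[t]] for t in txns}, txns

def inherited_access(role_names):
    """List (transaction, value, granting roles) where the value is allowed
    only by roles that do not themselves contain the transaction."""
    access, txns = effective_access(role_names)
    findings = []
    for txn, values in sorted(access.items()):
        for value, sources in sorted(values.items()):
            if not (sources & txns[txn]):   # granted purely by another role
                findings.append((txn, value, sorted(sources)))
    return findings

if __name__ == "__main__":
    for finding in inherited_access(["EMPLOYEE_SELF_SERVICE", "TEAM_MANAGER"]):
        print("unintended:", finding)
```

Each role is clean when checked alone; the finding only appears when both are assigned to the same user, which is why role combinations need review as well as individual roles.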
How SAP Security Services Fail at Go Live
Many integration partners see SAP security as an obstacle; they want to get the system up and running first, and don’t want to have to deal with complicated role creation. Instead of accounting for SAP security basics in the planning stage, they try to tack on security controls once the project has been built, with potentially disastrous results.
Compounding the problem, most testing is done in the quality assurance (QA) system where the SAP project management team has unlimited access. Failing to test adequately in production can lead to major SAP security risks by giving users too much access, or paralyse the company by not providing all the permissions users need to do their jobs. These mistakes can also increase the risks posed by cyber security vulnerabilities, since hackers can gain more access by compromising an account.
SAP Security Controls are a Feature, Not a Bug
Because Symmetry handles both IT project management and long-term IT managed services, we understand the importance of careful planning and thorough testing. By incorporating strict security and compliance controls in the planning phase, we establish a strong foundation for long-term SAP security services.
We build on that foundation post-go-live, with 24-hour monitoring and incident response, along with direct access to a dedicated SAP support team. Our customers sleep better, knowing that in an emergency, they’ll never have to wait on hold or navigate a help menu.