Type: Service, Product - Service
Sub-categories: SAP Security, Governance, Identity & Access Management
CSI Tools: Access Governance of SAP environments
SAP systems contain confidential and business-critical data. This data needs to be secured, and access governance should be defined by high-level management. What we see is that SAP security projects consume enormous budgets without really improving security. This is caused by a misunderstanding of the basics of SAP security: the SAP authorizations. 90% of security administrators do not know how many transaction codes and authorization objects exist in an SAP system. Moreover, if you ask what the purpose of a transaction code and an authorization object is with regard to SAP security, the answer is usually wrong. Most people think that you can protect SAP systems by removing and assigning transaction codes to users, and that the purpose of authorization objects is to restrict certain organizational levels such as company codes, plants, sales organizations etc. The reality is completely different: only the authorization objects assigned to a user give that user permission to access the data, regardless of whether the user can execute the transaction. In an SAP system there can be more than 150,000 transaction codes, but there are only 1,200 authorization objects. Focusing on the authorization objects is more effective and efficient, and gives greater agility.
This misunderstanding of how SAP security really works also has consequences for the way the ruleset for access governance is defined. Instead of defining SAP access governance at high-management level, most companies tackle SAP access governance at a very detailed technical level: they try to define all access paths to the data and translate these access paths into a ruleset. SAP security is very complex, and nobody can define the real access path to the data.
Besides this, nobody can guarantee that the user will stay on this access path and won't push a menu item or another button, because there are more than 150,000 transaction codes and all these programs and transaction codes are nested and can be bypassed. Furthermore, the authority checks are done sequentially, and nobody can really predict which authorizations are really needed to get access to the data. The result is an incorrect ruleset that is neither defined nor understood by high management, and a ruleset that is incomplete, leading to incorrect risk reporting.
Solution (Value Proposition)
The challenge of SAP security is first to really understand how it works. CSI tools gives its customers guidance to simplify the complexity by splitting it into two layers: • a governance layer and • a technical layer. The main advantage is that access governance becomes transparent: management can focus on the governance aspects, and the technical people can focus on the technical layer and receive their instructions through the governance layer. CSI tools simplifies SAP security and makes it understandable for all layers of the organization. CSI tools has a unique approach and structures the (difficult to understand) technical security data into 300 data elements that are easy to understand and interpret within all layers of the organization. These data elements cover all control objectives for the confidentiality, integrity and availability of the SAP data and are used to define the security requirements in an understandable and correct way. Because of this approach, the security requirements are correct and complete, and CSI tools reports the real risks in a form the organization can understand.
CSI tools can operate in different modes. With other applications you need to understand the underlying system so that you can correctly configure the audit / monitoring application to ensure correct results. At CSI tools we give full flexibility; there is no longer any need to use text editors and spreadsheets. Since we are the number one in the audit & consultancy world, we need to ensure that reports can be produced in less than 24 hours, even if the auditor does not know all the insights of the audited system. We accomplish this by auditing on 5 different layers, and this is CSI tools' unique approach for correct GRC reporting and analysis: SAP has a multi-layered security approach. All other applications check both layers simultaneously to ensure that there are no false positives. CSI tools does 5 analyses separately: transaction codes and / or authorization objects and / or authorization object field values and / or menu access and / or transaction code usage. By analyzing all the different layers separately, only CSI tools can identify conceptual weaknesses in the roles AND / OR weaknesses in the rules. Since applications like SAP GRC need to be used as a monitoring instrument, false positives are avoided at all costs. As a consequence, since SAP security can never be an exact science, you only have a risk of false negatives. Identifying these false negatives is real risk management. The nice thing is that the analysis of false negatives also needs to be performed on a regular basis to ensure that the ruleset is still OK after changes to the SAP system (upgrades, roll-outs, new modules, own developments, new document types, new movement types, changed configuration, new insights). CSI tools can do the analysis on every level: single profile, composite profile, single master role, single derived role and composite role.
By identifying on each layer what access rights are granted, and by extrapolating these results, we are able to:
• give insight into the accumulation-of-access-rights problem
• highlight differences between master and derived roles
• identify whether the content of single roles is still in sync with the content of the corresponding single profiles (this is important, since the user buffer is loaded only with the authorizations granted through profiles).
So we do not only analyze every level separately; we also have engines available to identify where inconsistencies exist. This makes it possible to identify, based purely on data, where there are issues with the access governance processes.
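As an added illustration of the layered analysis described above (example code written for this page, not CSI tools' software): a toy model of an SAP-style user buffer and AUTHORITY-CHECK, with the same "change vendor master data" rule expressed once on the transaction-code layer and once on the authorization-object layer, plus a role-versus-profile consistency check. All role, profile and user names and the drifted profile are constructed; S_TCODE, F_LFA1_APP, ACTVT/APPL and the tcodes FK02/FK03 are used as illustrative vendor-master identifiers.

```python
# Constructed sample data: profiles carry the authorizations that end up in
# the user buffer; roles describe what they are *supposed* to grant.
PROFILES = {
    "P_FI_DISPLAY": [("S_TCODE", {"TCD": "FK03"}),
                     ("F_LFA1_APP", {"ACTVT": "03", "APPL": "F"})],
    "P_FI_CHANGE":  [("S_TCODE", {"TCD": "FK02"}),
                     ("F_LFA1_APP", {"ACTVT": "02", "APPL": "F"})],
    # Drifted profile (constructed): the role menu still lists FK02, but the
    # profile grants only the change object, not the transaction code.
    "P_FI_DRIFT":   [("F_LFA1_APP", {"ACTVT": "02", "APPL": "F"})],
}
ROLES = {
    "Z_FI_DISPLAY": {"profile": "P_FI_DISPLAY", "tcodes": {"FK03"}},
    "Z_FI_DRIFT":   {"profile": "P_FI_DRIFT",   "tcodes": {"FK02"}},
}
USERS = {"alice": ["Z_FI_DISPLAY"], "bob": ["Z_FI_DISPLAY", "Z_FI_DRIFT"]}


def user_buffer(user):
    """Authorizations loaded for a user: only what the profiles grant."""
    buf = []
    for role in USERS[user]:
        buf.extend(PROFILES[ROLES[role]["profile"]])
    return buf


def authority_check(user, obj, **fields):
    """Mimic AUTHORITY-CHECK: some authorization for obj matches all fields."""
    return any(o == obj and all(v.get(k) == val for k, val in fields.items())
               for o, v in user_buffer(user))


# The critical data element "change vendor master data", expressed per layer.
def tcode_layer_hit(user):
    """Rule written against the transaction-code layer only."""
    return authority_check(user, "S_TCODE", TCD="FK02")


def object_layer_hit(user):
    """Rule written against the authorization-object layer."""
    return authority_check(user, "F_LFA1_APP", ACTVT="02", APPL="F")


def role_profile_inconsistencies(role):
    """Tcodes in the role definition that its profile does not grant."""
    prof = PROFILES[ROLES[role]["profile"]]
    granted = {v["TCD"] for o, v in prof if o == "S_TCODE"}
    return sorted(ROLES[role]["tcodes"] - granted)
```

For "bob" the tcode-layer rule reports no risk while the object-layer rule does, which is the false negative a tcode-only ruleset produces; the consistency check flags Z_FI_DRIFT as out of sync with its profile.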
Supporting Technology (the 'magic')
CSI tools works with queries that represent data elements in an SAP system. There are only approximately 250 data elements in an SAP system (PO, sales order, A/P posting, payments, ...) and only approximately 15 organizational levels (company code, plant, sales organization, ...). By using these items we are no longer bound to specific SAP releases or specific SAP systems. This ensures that non-technical people can define the governance / risk aspects for each data element and organizational level. More technical people can, completely separately, start documenting the different company codes, plants etc. CSI tools will then automatically collect all transaction codes used. The engine will then develop a role design for you and will ensure extreme consistency between the different SAP systems. What we see today is that a security project is developed for each SAP system. With CSI tools we first define the requirements for the organization. If, for instance, "vendor master data" is defined as critical, this information can and even should be used not only in SAP ECC but also in SAP BI, SAP SRM, SAP APO etc. Simplification is efficient and effective since it ensures consistency and makes projects transparent. Last but not least, it ensures extreme responsiveness to a changing world. Too many security products are so complex that when the business changes, nobody changes the settings, and thus the reporting is wrong.
Johan Hermans, CEO | CSI tools | SAP Security | Access Governance
Johan Hermans and Meta Hoetjes both have years of field experience with SAP security. This experience, together with the input we receive from our implementation partner axl & trax, makes it possible to harvest SAP security issues and translate them into solutions by our development team, led by our chief developer Christophe Vandekerkhove.
Contacts for clients, press and partners:
CSI tools bvba
Tel: +32 16 308 000