How can you monitor critical authorization assignments in SAP Systems?

Controls for preventing, detecting and mitigating misconduct are required in order to comply with legislation such as the Sarbanes-Oxley Act (SOX). Organizations are largely free to implement these controls as they see fit, but they are audited for compliance and can incur significant penalties if the controls are found inadequate.

In the last decade, organizations have come to pay more attention to internal control and risk management in ERP systems such as SAP. This increased attention is partly, but not solely, the result of stricter legislation. Daily practice has shown that authorization-related controls, as a part of internal control, are still not functionally sound. Users have been assigned undesirable combinations of authorizations, and a relatively high number of users are authorized to execute critical transactions or access critical system functionality. In the past, management frequently initiated efforts to reconfigure their authorization processes and procedures. Unfortunately, it often turned out that problems with the assigned authorizations resurfaced after a few years, allowing undesirable segregation-of-duties conflicts to reappear while the cost of control remained high.

The authorization management process in SAP systems can be divided into the following sub-processes:

  • User management: all activities, including controls, related to assigning and withdrawing authorizations, as well as their registration in the system. In practice, the term “provisioning” is commonly used. User registration takes place on the basis of source data, for example as recorded in an HR system. One part of user management is issuing passwords and managing special users, such as system and emergency users. (System users are users that another system uses to establish an interface between systems, or that are required for batch processing. An emergency user is a user that is used in case of disaster, and often has more access rights.) Recurring assessments and checks of the assigned authorizations also form a major part of user management.

  • Role management: all activities, including controls, required for the definition and maintenance of authorizations within the system. There is a strong relationship between the role-management process and the change-management process. Here too, recurring checks of the authorization roles are essential.

Authorizing access to a person or object in any SAP system is usually based on arrangements made beforehand: for example, a policy is established for granting access. These arrangements are, as a rule, made by management, and in virtually all cases they aim to keep the risks or threats to the organization at an acceptable level.

Authorizations are an integral part of an organization's internal control system. “Segregation of duties” is based on the principle of avoiding conflicting interests within an organization. The aim is to ensure that, within a business process, one person cannot carry out several successive (critical) tasks that could result in irregularities, accidental or deliberate, that are not discovered in time or during the normal course of the process.

Assigning the right roles to the right people is one part of the problem. The second part is monitoring in real time whether users in the system are actually using their assigned roles as intended. At LogPoint, we have created a solution which monitors access in SAP systems and reports problems.

You can see users with critical authorizations, such as:

  • Users authorized to lock or delete users

  • Users authorized to change super user accounts

  • Users authorized to change user groups

  • Roles for changing super user groups

  • Roles for changing super user accounts

  • …
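As an added example (not code from the article, LogPoint or SAGESSE TECH), the check below applies rules for the critical authorizations listed above to a constructed extract of user authorizations. The S_USER_GRP object, its activity codes and the SUPER group name are assumed values, and a rule only matches field values that belong to the same authorization instance, so a user whose activity and group values come from two different authorizations is not flagged by mistake.

```python
from collections import defaultdict

# Constructed sample extract (assumed layout, not from the page): one row per field value of
# an authorization instance: (user, object, authorization name, field, value).
SAMPLE_ROWS = [
    ("ADMIN2", "S_USER_GRP", "Z_LOCK", "ACTVT", "05"),
    ("ADMIN2", "S_USER_GRP", "Z_LOCK", "ACTVT", "06"),
    ("ADMIN2", "S_USER_GRP", "Z_LOCK", "CLASS", "*"),
    ("SVC_IF", "S_USER_GRP", "Z_IF", "ACTVT", "02"),
    ("SVC_IF", "S_USER_GRP", "Z_IF", "CLASS", "SUPER"),
    ("BASIS1", "S_USER_GRP", "Z_ALL", "ACTVT", "*"),
    ("BASIS1", "S_USER_GRP", "Z_ALL", "CLASS", "*"),
    # MIXED holds 02 and SUPER, but in two separate authorizations, so they never combine.
    ("MIXED", "S_USER_GRP", "Z_A", "ACTVT", "02"),
    ("MIXED", "S_USER_GRP", "Z_A", "CLASS", "HR"),
    ("MIXED", "S_USER_GRP", "Z_B", "ACTVT", "03"),
    ("MIXED", "S_USER_GRP", "Z_B", "CLASS", "SUPER"),
]

# Rules for the critical authorizations the article lists. The activity codes and the SUPER
# group name are assumed values for S_USER_GRP; adapt them to your own authorization concept.
CRITICAL_RULES = {
    "lock_or_delete_users": ("S_USER_GRP", {"ACTVT": {"05", "06"}}),
    "change_super_user_accounts": ("S_USER_GRP", {"ACTVT": {"02"}, "CLASS": {"SUPER"}}),
    "change_users_in_any_group": ("S_USER_GRP", {"ACTVT": {"02"}, "CLASS": {"*"}}),
}

def index_rows(rows):
    """user -> (object, auth name) -> field -> set of values; instances stay separate."""
    idx = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for user, obj, auth, field, value in rows:
        idx[user][(obj, auth)][field].add(value)
    return idx

def instance_matches(fields, wanted):
    """Every wanted field must be satisfied within one authorization instance;
    a stored '*' is a full wildcard and satisfies any requirement."""
    return all("*" in fields.get(f, set()) or fields.get(f, set()) & vals
               for f, vals in wanted.items())

def find_critical_users(rows, rules=CRITICAL_RULES):
    """Return {user: [matched rule names]} for users holding a critical authorization."""
    findings = {}
    for user, instances in index_rows(rows).items():
        hits = [name for name, (obj, wanted) in rules.items()
                if any(o == obj and instance_matches(fields, wanted)
                       for (o, _), fields in instances.items())]
        if hits:
            findings[user] = hits
    return findings
```

Running `find_critical_users(SAMPLE_ROWS)` flags ADMIN2, SVC_IF and BASIS1 and leaves MIXED out; the same function can be fed a periodic export of productive user authorizations to produce the recurring check the user-management sub-process calls for.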

SAGESSE TECH, a global SAP Security / Oracle Security / ERP Security technology company, provides SAP Threat Detection Products integrated with SIEM solutions, an SAP PenTest Framework and an SAP Audit Service, which check these kinds of configurations, vulnerabilities and much more in your SAP systems. You can contact SAGESSE TECH (e-mail: [email protected] or [email protected]) if you would like a vulnerability scan, SAP audit or SAP penetration test of your SAP systems.


More articles by Sükrü Ilker BIRAKOĞLU