
No more historically grown authorization concepts!

A risk rule set helps to manage complex authorizations and maintain compliance. With the right strategy, it can also help prevent cyberattacks and save costs.
Christopher Niekamp, IBS Schreiber
August 29, 2024
This text has been automatically translated from German to English.

Anyone who has ever cleaned out their basement will be familiar with this: over the years, things accumulate, some useful, others superfluous or even dangerous. The situation is similar in the IT landscape of many companies, especially when it comes to SAP authorization concepts: historically grown structures, the result of years of adaptations, extensions and "emergency solutions".
SAP authorization concepts are complex. They must ensure that every employee has exactly the access rights they need for their work. Authorizations that are too restrictive hinder the workflow, while authorizations that are too generous create security risks, for example the segregation-of-duties (SoD) conflict "Maintain vendor master data AND post vendor invoice or credit memo", a combination that lets one person both create a vendor and pay it.

How such a process is actually authorized in the system is complex and difficult to check, as SAP security audits and even current S/4 projects show time and again. Added to this is the need to comply with legal requirements and internal compliance guidelines and to agree on them with the department heads.

Rules for risk

This is exactly where a risk rule set comes into play. Like an experienced tidying expert, it helps to bring clarity to the chaos. But be careful: not every risk rule set is helpful. Some overlook risks, others are too rigorous and remove useful authorizations. It is crucial to rely on a rule set built on the broad expertise and experience of SAP auditors.

A precise rule set detects even subtle deviations and determines which authorizations are problematic. Keeping unnecessary access warnings and false positives to a minimum increases efficiency and saves resources. A good rule set creates common standards and improves communication between departments. Clean role design ensures efficient and precise assignment of authorizations that meet the company's requirements. Risk and process descriptions should be included so that, in addition to the technical component, a shared understanding is created on this basis. A rule set should be updated continuously to reflect the dynamic nature of the technical content.
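To make concrete what "detects subtle deviations" and "minimizes false positives" mean in practice, here is an added example in Python (not code from IBS Schreiber, E3 magazine or the article): a small rule engine that evaluates the SoD rule quoted above, "Maintain vendor master data AND post vendor invoice or credit memo", against constructed roles and users. The transaction codes, the authorization objects used (S_TCODE, F_LFA1_APP, F_BKPF_BUK), the activity values and the role and user names are assumptions chosen for the illustration; a production rule set models many more functions, objects, fields and value ranges.

```python
"""SoD risk-rule check over SAP-style authorization data.

Added example, not IBS Schreiber or E3 magazine code. Roles, users and the
function-to-authorization mapping below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AuthCheck:        # required authorization-object field; any listed value suffices
    obj: str
    field: str
    values: frozenset[str]


@dataclass(frozen=True)
class Function:         # business function = start transaction + the object checks it runs
    tcodes: frozenset[str]
    checks: tuple[AuthCheck, ...]


@dataclass(frozen=True)
class RiskRule:         # conflict when one user can perform both functions
    rule_id: str
    description: str
    functions: tuple[str, str]


# Functions from the article's SoD example. The object/activity mapping is an
# assumption for this example: F_LFA1_APP = vendor master application
# authorization, F_BKPF_BUK = accounting document per company code,
# ACTVT 01/02 = create/change, 03 = display.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": Function(frozenset({"XK01", "XK02", "FK01", "FK02"}),
                                       (AuthCheck("F_LFA1_APP", "ACTVT", frozenset({"01", "02"})),)),
    "VENDOR_INVOICE_POST": Function(frozenset({"FB60", "FB65", "MIRO"}),
                                    (AuthCheck("F_BKPF_BUK", "ACTVT", frozenset({"01"})),)),
}
RULES = {"AP01": RiskRule("AP01", "Maintain vendor master data AND post vendor invoice or credit memo",
                          ("VENDOR_MASTER_MAINTAIN", "VENDOR_INVOICE_POST"))}

# Constructed role contents as (object, field, value) triples; '*' is the SAP
# wildcard. Value ranges such as BUKRS 1000-2000 are not modelled here.
ROLES = {
    "Z_AP_VENDOR_MASTER": [("S_TCODE", "TCD", "XK01"), ("S_TCODE", "TCD", "XK02"),
                           ("F_LFA1_APP", "ACTVT", "01"), ("F_LFA1_APP", "ACTVT", "02")],
    "Z_AP_INVOICE_POST": [("S_TCODE", "TCD", "FB60"), ("S_TCODE", "TCD", "FB65"),
                          ("F_BKPF_BUK", "ACTVT", "01"), ("F_BKPF_BUK", "BUKRS", "1000")],
    # transaction granted but display activity only: a classic false positive
    "Z_AP_INVOICE_DISPLAY": [("S_TCODE", "TCD", "FB60"), ("F_BKPF_BUK", "ACTVT", "03"),
                             ("F_BKPF_BUK", "BUKRS", "1000")],
    # historically grown "emergency" role with wildcards everywhere
    "Z_BASIS_ALL": [("S_TCODE", "TCD", "*"), ("F_LFA1_APP", "ACTVT", "*"),
                    ("F_BKPF_BUK", "ACTVT", "*"), ("F_BKPF_BUK", "BUKRS", "*")],
}
USERS = {"ANNA": ["Z_AP_VENDOR_MASTER"],
         "BEN": ["Z_AP_VENDOR_MASTER", "Z_AP_INVOICE_POST"],
         "CARA": ["Z_AP_VENDOR_MASTER", "Z_AP_INVOICE_DISPLAY"],
         "DAN": ["Z_BASIS_ALL"]}


def user_auths(user: str) -> list[tuple[str, str, str]]:
    """All (object, field, value) triples from the user's roles."""
    return [auth for role in USERS[user] for auth in ROLES[role]]


def granted(auths: list[tuple[str, str, str]], obj: str, field: str) -> list[str]:
    """Value patterns the user holds for one object field."""
    return [v for o, f, v in auths if o == obj and f == field]


def any_match(patterns: list[str], required) -> bool:
    """True if some granted pattern ('*' wildcard) covers some required value."""
    return any(fnmatchcase(req, pat) for pat in patterns for req in required)


def can_perform(user: str, func: Function, tcode_only: bool = False) -> bool:
    """Transaction start (S_TCODE) plus every object check of the function.

    tcode_only=True skips the object checks, which is what a naive
    transaction-based rule does and where the false positives come from."""
    auths = user_auths(user)
    if not any_match(granted(auths, "S_TCODE", "TCD"), func.tcodes):
        return False
    return tcode_only or all(any_match(granted(auths, c.obj, c.field), c.values)
                             for c in func.checks)


def evaluate(rule: RiskRule, tcode_only: bool = False) -> list[str]:
    """Users who can perform both functions of the rule."""
    f1, f2 = (FUNCTIONS[n] for n in rule.functions)
    return sorted(u for u in USERS
                  if can_perform(u, f1, tcode_only) and can_perform(u, f2, tcode_only))


if __name__ == "__main__":
    rule = RULES["AP01"]
    print(rule.rule_id, rule.description)
    print("transaction-only hits:", evaluate(rule, tcode_only=True))  # ['BEN', 'CARA', 'DAN']
    print("object-level hits:", evaluate(rule))                       # ['BEN', 'DAN']
```

The two runs show the point of the paragraph: a rule that only looks at transaction codes flags CARA, who can start FB60 but holds display activity only, while a rule that also checks the authorization object and its activity values does not. DAN, whose wildcard "emergency" role grants everything, is flagged either way, which is exactly the historically grown structure the article describes.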

S/4 restart option

The switch to S/4 Hana offers the opportunity to start with an empty basement. But there are pitfalls lurking here too. The new architecture, the separation of front end and back end and the introduction of SAP Fiori apps bring new challenges. A risk rule set helps to maintain an overview and ensure that authorizations in the new system are kept much cleaner and more efficient than before. The new basement is then structured and free of legacy issues, which also has a positive effect on the SAP security audit.

Historically evolved SAP authorization concepts are a challenge, especially in the face of new requirements (technical, legal and content-related). However, with the right strategy, the right tools and an experienced team, they can be efficiently optimized. Anyone who sets themselves the goal of operating a secure and efficient SAP system that meets compliance requirements and reduces costs is preparing for the future.

However, those who do not use an up-to-date risk rule set risk incurring additional costs for SAP authorizations in the future and jeopardizing corporate security. Such gaps also open the door to cyberattacks that can cause lasting damage to companies. At the end of the day, a tidy basement is a great feeling, isn't it?

ibs-schreiber.de

Christopher Niekamp, IBS Schreiber

Christopher Niekamp is Managing Director for Sales, Marketing and the Academy business at IBS Schreiber.

