The global and independent platform for the SAP community.

SAP authorizations - security needs an overview

German companies have been increasing their spending on IT security for years. But many companies do not notice attacks on their SAP system. Cases of embezzlement and data theft are becoming more frequent. Only the tip of the iceberg reaches the public. One key to greater SAP security is the clean assignment and permanent checking of user authorizations.
E-3 Magazine
June 22, 2015
2015
avatar
This text has been automatically translated from German to English.

The trainee passes through all departments in the company, receives ever new SAP authorizations and ultimately has far-reaching rights. This exaggerated example is not so far removed from reality in some companies.

This is often due to SAP structures that have grown historically and become increasingly complex. Security risks that arise usually remain undetected for years. Nordwest Handel, a trading company in the production connection trade with 950 affiliated medium-sized trading companies, wanted to prevent such a situation.

In addition to goods procurement and warehousing/logistics, Nordwest Handel also offers services for finance, logistics, IT and sales. The SAP system, which was introduced in the mid-1990s and has been steadily expanded, contains business-critical data for accounting, controlling, and customer and supplier master data.

Nordwest Handel decided to modernize its SAP authorization management from the ground up. The administrative effort for management was to be reduced. Transparency across processes was to be increased through improved documentation.

Stefan Lendzian, division manager of information technology/systems support at Nordwest Handel, says:

"SAP offers only very limited options in the standard for conveniently managing and documenting roles and risks."

In his view, there are basically three ways for a company to modernize:

1. make the best possible use of the SAP standard, bringing in an external specialist if necessary, 2. use a solution developed outside SAP, or 3. use a solution fully integrated in SAP.

Nordwest Handel opted for the third way to be sure that the selected application is always up to date with the latest SAP system status. After three months of market research, those responsible selected the Sast GRC Suite from Hamburg-based Akquinet.

The abbreviation Sast stands for "System Audit and Security Toolkit". Steffen Maltig, project manager and senior consultant at Akquinet, explains:

"At the beginning, we usually find that the SAP authorizations are too generously designed and therefore hard to keep track of. Our goal is to permanently assign them as precisely as possible without restricting the company's ability to act."

The company's wishes were ascertained by means of questionnaires. Key questions were: Which data is particularly worth protecting? Who is given access? By evaluating this data and the usage statistics, new roles were determined for each workstation with the help of a "role construction kit" consisting of 700 templates.

The goal was an overarching workstation authorization model that was applicable in all organizational units and took data ownership into account.

With the help of Sast, the work roles were directly subjected to a risk check. The system checks whether all external guidelines are adhered to when assigning authorizations and whether functions are separated properly.

Different purchasing and sales organizations of Nordwest Handel should also be completely separated from each other in terms of their data accesses, so that overlapping read and write accesses are no longer possible.

During the remodeling process, workstation-specific composite roles were also introduced. After a final test phase with pilot users, in which the last authorization gaps were closed, Nordwest Handel introduced the new authorization concept company-wide according to time and budget planning.

Ongoing SAP operation is safeguarded by an automated risk management process within authorization management. Potential threats in real time can be detected and reported. Following the project, an external auditor confirmed to Nordwest Handel that the security of SAP authorization management meets the requirements without restriction.

"We offer our customers, suppliers and employees maximum data protection and confidentiality in the long term. In everyday life, we nevertheless have a low maintenance and documentation effort".

says Lendzian.

avatar
E-3 Magazine

Information and educational outreach by and for the SAP community.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.