SAP authorizations - security needs an overview
The trainee passes through all departments in the company, receives ever new SAP authorizations and ultimately has far-reaching rights. This exaggerated example is not so far removed from reality in some companies.
This is often due to SAP structures that have grown historically and become increasingly complex. Security risks that arise usually remain undetected for years. Nordwest Handel, a trading company in the production connection trade with 950 affiliated medium-sized trading companies, wanted to prevent such a situation.
In addition to goods procurement and warehousing/logistics, Nordwest Handel also offers services for finance, logistics, IT and sales. The SAP system, which was introduced in the mid-1990s and has been steadily expanded, contains business-critical data for accounting, controlling, and customer and supplier master data.
Nordwest Handel decided to modernize its SAP authorization management from the ground up. The administrative effort for management was to be reduced. Transparency across processes was to be increased through improved documentation.
Stefan Lendzian, division manager of information technology/systems support at Nordwest Handel, says:
"SAP offers only very limited options in the standard for conveniently managing and documenting roles and risks."
In his view, there are basically three ways for a company to modernize:
1. make the best possible use of the SAP standard, bringing in an external specialist if necessary,
2. use a solution developed outside SAP, or
3. use a solution fully integrated in SAP.
Nordwest Handel opted for the third way to be sure that the selected application is always up to date with the latest SAP system status. After three months of market research, those responsible selected the Sast GRC Suite from Hamburg-based Akquinet.
The abbreviation Sast stands for "System Audit and Security Toolkit". Steffen Maltig, project manager and senior consultant at Akquinet, explains:
"At the beginning, we usually find that the SAP authorizations are too generously designed and therefore hard to keep track of. Our goal is to permanently assign them as precisely as possible without restricting the company's ability to act."
The company's wishes were ascertained by means of questionnaires. Key questions were: Which data is particularly worth protecting? Who is given access? By evaluating this data and the usage statistics, new roles were determined for each workstation with the help of a "role construction kit" consisting of 700 templates.
The goal was an overarching workstation authorization model that was applicable in all organizational units and took data ownership into account.
With the help of Sast, the new work roles were subjected directly to a risk check. The system verifies that all external guidelines are adhered to when authorizations are assigned and that segregation of duties is maintained, i.e. that no single role combines functions that must be kept apart.
The different purchasing and sales organizations of Nordwest Handel were also to be separated completely from each other in terms of data access, so that overlapping read and write access across organizations is no longer possible.
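The two checks described above, segregation of duties across the transactions a composite role grants and separation of organizational units, as an added example that is not code from the article, from Akquinet or from the Sast suite. EKORG (purchasing organization) and VKORG (sales organization) are real SAP organizational levels; the role names, the transaction-to-role mapping and the conflict rule are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: single roles with the transactions they grant and
# the organizational level values they are restricted to.
SINGLE_ROLES = {
    "Z_PUR_ORDER_1000":   {"tcodes": {"ME21N"},         "orgs": {"EKORG": {"1000"}}},
    "Z_PUR_ORDER_1100":   {"tcodes": {"ME21N"},         "orgs": {"EKORG": {"1100"}}},
    "Z_PUR_VENDOR_1000":  {"tcodes": {"XK01", "XK02"},  "orgs": {"EKORG": {"1000"}}},
    "Z_SALES_ORDER_2000": {"tcodes": {"VA01"},          "orgs": {"VKORG": {"2000"}}},
}

# Constructed segregation-of-duties rule: whoever maintains vendor master data
# must not also be able to create purchase orders.
SOD_RULES = [
    ("vendor master vs. purchase order", {"XK01", "XK02"}, {"ME21N"}),
]

def check_composite(single_role_names):
    """Return findings for a composite role built from the given single roles.

    Check 1: SoD conflicts over the union of all transactions the composite grants.
    Check 2: org separation: one composite must not span several values of the
    same organizational level (e.g. two purchasing organizations)."""
    tcodes, orgs = set(), defaultdict(set)
    for name in single_role_names:
        role = SINGLE_ROLES[name]
        tcodes |= role["tcodes"]
        for field, values in role["orgs"].items():
            orgs[field] |= values
    findings = []
    for label, left, right in SOD_RULES:
        if tcodes & left and tcodes & right:
            findings.append(f"SoD conflict: {label}")
    for field, values in orgs.items():
        if len(values) > 1:
            findings.append(f"org separation: {field} spans {sorted(values)}")
    return findings

# Constructed workstation composite roles: one clean, one with an SoD conflict,
# one that crosses two purchasing organizations.
COMPOSITE_ROLES = {
    "WS_BUYER_1000": ["Z_PUR_ORDER_1000"],
    "WS_BUYER_WITH_VENDOR_1000": ["Z_PUR_ORDER_1000", "Z_PUR_VENDOR_1000"],
    "WS_BUYER_TWO_ORGS": ["Z_PUR_ORDER_1000", "Z_PUR_ORDER_1100"],
}

def run_risk_check():
    """Map each composite role to its findings; an empty list means the role is clean."""
    return {name: check_composite(roles) for name, roles in COMPOSITE_ROLES.items()}

if __name__ == "__main__":
    for name, findings in run_risk_check().items():
        print(name, "->", findings or "OK")
```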
During the remodeling process, workstation-specific composite roles were also introduced. After a final test phase with pilot users, in which the last authorization gaps were closed, Nordwest Handel introduced the new authorization concept company-wide according to time and budget planning.
Ongoing SAP operation is safeguarded by an automated risk management process within authorization management, so that potential threats can be detected and reported in real time. Following the project, an external auditor confirmed to Nordwest Handel that the security of its SAP authorization management meets the requirements without restriction.
"We offer our customers, suppliers and employees maximum data protection and confidentiality in the long term. In everyday life, we nevertheless have a low maintenance and documentation effort," says Lendzian.