Wouldn't your organization and auditors love it if your SAP users were restricted to only having access to the transaction codes and roles that they actually use and which are essential to their job function?

We call this the Principle of Least Privilege or POLP.

The benefits are, of course, well known, especially in terms of reducing risks and vulnerabilities, simplifying segregation of duties management and easing general user maintenance.

So why is it so difficult to achieve? Unfortunately, the two main barriers are:

  1. It's extremely time consuming to manually analyse SAP logs to see exactly what every user uses out of their authorization set and ...
  2. If you were instead to ask each user what they use then they will usually say 'I use them all so you can't take away any of my roles or transactions'.

The truth of the matter is that your users are, most probably, not entirely sure what authorizations they use and don't use, so they certainly don't want to have any access removed that could pose a risk to the business.

System and RFC accounts are also commonly left 'open' with a huge scope of access because nobody really understands what their real access requirements are, and everyone is then too frightened to remove any of it in case it causes a business interruption. We are therefore leaving our SAP systems and business processes open to serious compromises of security.


Phase 1 Cleanup - Quick and with no role re-engineering required

One of the first things that our ProfileTailor™ Dynamics customers want to do when they initially implement the system is to resolve their Segregation of Duties issues. However, the one thing that we encourage our customers to do prior to this is to use the ProfileTailor built-in cleansing tools to:

(a) Remove any roles that are not assigned to any users

(b) Remove any roles that are assigned to users but are not used by those users

(c) Remove any transactions from roles that are not used by any users assigned to the role

These reports and processes prove time and time again to be very quick wins and are of zero risk to the business - if people are not using certain roles and authorizations then there is of course no risk by removing their access to them.

Not only will running these built-in tools get you well on the way to providing access down to the level of Least Privilege but, in running them, you will consequently vastly reduce the number of static SoD violations within your organization.


Phase 2 Cleanup - Role re-engineering to provision access on a Least Privilege basis

After the Phase 1 clean-up you will still not be quite down to provisioning access on a Least Privilege basis. For this, we can use a couple of other reports in ProfileTailor and also use its built-in role builder to automate building and assigning the new roles in your DEV/QA environment.

Firstly, we can run a report to show actual t-code usage over a given time period. For the example below I asked ProfileTailor to show me all t-code usage in the Financial Accounting group during the previous two months.


Figure 1. A ProfileTailor Dynamics Matrix Report showing real usage of SAP transaction codes

These types of ProfileTailor reports are fantastic for seeing exactly the SAP transactions that certain departments or groups of users are actually using in SAP.
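To make the logic behind the Phase 1 cleansing steps (a) to (c) and the Phase 2 usage report concrete, here is an added worked example in Python. It is not ProfileTailor code and does not use any ProfileTailor or SAP API; it assumes you have already extracted three things from your SAP system into plain Python structures: which transaction codes each role contains, which roles each user holds, and a log of which user executed which transaction code on which date (the usage-log source, for example the STAD statistics or the security audit log, is an assumption of the example). All role names, user names and log entries are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# --- Constructed sample data (not from any real SAP system) ---

# Role -> transaction codes contained in that role.
ROLE_TCODES = {
    "Z_FI_AP_CLERK": {"FB60", "FB65", "F-53", "MIRO"},
    "Z_FI_GL_POST": {"FB50", "F-02", "FB03"},
    "Z_MM_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_LEGACY_REPORTS": {"ZREP_OLD"},  # constructed: assigned to nobody
}

# User -> roles assigned to that user.
USER_ROLES = {
    "ALICE": {"Z_FI_AP_CLERK", "Z_FI_GL_POST"},
    "BOB": {"Z_FI_AP_CLERK", "Z_MM_BUYER"},
    "RFC_BATCH": {"Z_FI_GL_POST", "Z_MM_BUYER"},  # a technical account
}

# User -> department / reporting group.
USER_GROUP = {
    "ALICE": "Financial Accounting",
    "BOB": "Financial Accounting",
    "RFC_BATCH": "System",
}

# Usage log: (user, tcode, date executed). Assumed to be extracted from the
# system's usage statistics; these rows are constructed for the example.
USAGE_LOG = [
    ("ALICE", "FB60", date(2024, 5, 3)),
    ("ALICE", "FB65", date(2024, 5, 10)),
    ("ALICE", "FB50", date(2024, 6, 1)),
    ("BOB", "FB60", date(2024, 5, 20)),
    ("BOB", "F-53", date(2024, 6, 14)),
    ("RFC_BATCH", "FB50", date(2024, 6, 30)),
    ("BOB", "ME21N", date(2024, 1, 15)),  # outside the review window
]

# The "previous two months" review window used in the text.
WINDOW_START = date(2024, 5, 1)
WINDOW_END = date(2024, 6, 30)


def usage_in_window(log, start, end):
    """Return user -> set of tcodes executed within [start, end]."""
    used = defaultdict(set)
    for user, tcode, when in log:
        if start <= when <= end:
            used[user].add(tcode)
    return used


def unassigned_roles(role_tcodes, user_roles):
    """Step (a): roles that exist but are assigned to no user."""
    assigned = set().union(*user_roles.values()) if user_roles else set()
    return sorted(set(role_tcodes) - assigned)


def unused_role_assignments(role_tcodes, user_roles, used):
    """Step (b): (user, role) pairs where the user ran none of the role's tcodes.

    Caveat: a tcode contained in several roles counts as 'used' for every one
    of those roles; authorization objects are not considered here.
    """
    findings = []
    for user, roles in sorted(user_roles.items()):
        for role in sorted(roles):
            if not (role_tcodes[role] & used.get(user, set())):
                findings.append((user, role))
    return findings


def unused_tcodes_in_roles(role_tcodes, user_roles, used):
    """Step (c): role -> tcodes that no user assigned to the role executed."""
    result = {}
    for role, tcodes in role_tcodes.items():
        members = [u for u, rs in user_roles.items() if role in rs]
        if not members:
            continue  # already reported by unassigned_roles()
        used_by_members = set().union(*(used.get(u, set()) for u in members))
        unused = tcodes - used_by_members
        if unused:
            result[role] = sorted(unused)
    return result


def usage_matrix(used, user_group, group):
    """Phase 2 style report: tcode -> users in `group` who executed it."""
    matrix = defaultdict(set)
    for user, tcodes in used.items():
        if user_group.get(user) == group:
            for tcode in tcodes:
                matrix[tcode].add(user)
    return {t: sorted(users) for t, users in sorted(matrix.items())}


if __name__ == "__main__":
    used = usage_in_window(USAGE_LOG, WINDOW_START, WINDOW_END)
    print("(a) unassigned roles:", unassigned_roles(ROLE_TCODES, USER_ROLES))
    print("(b) unused assignments:", unused_role_assignments(ROLE_TCODES, USER_ROLES, used))
    print("(c) unused tcodes per role:", unused_tcodes_in_roles(ROLE_TCODES, USER_ROLES, used))
    print("usage matrix:", usage_matrix(used, USER_GROUP, "Financial Accounting"))
```

In this sample the legacy role surfaces under (a), the buyer role assigned to BOB and to the RFC_BATCH account surfaces under (b) because neither executed any purchasing transaction inside the window, and (c) lists the individual transactions in the remaining roles that nobody used. The review window matters: BOB's ME21N usage in January falls outside it, so the length of the window should be chosen to cover infrequent but legitimate activity such as period-end or year-end tasks before any removal is actioned.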

We can use this data as a starting point for re-engineering existing roles or building new roles. The ProfileTailor role-builder tool can also automatically check any simulated changes against Segregation of Duties rules and allow you to check and include any necessary authorization objects. The automation engine can even make the final changes to your roles ready for transportation into Production without having to manually change and generate them in your SAP DEV/QA environments.


We can additionally add a 'belt and braces' approach to further reduce your risk in going live with your re-engineered roles by providing some automated SU53 interception so that, if your users do find that they are missing an important authorization, it will be automatically detected and will kick off a 'request for new authorization' workflow.


Phase 3 Keeping Clean - Periodical recertification and automated starter, mover, leaver processes

We are of course massive advocates of continuous monitoring, continuous controls and continuous cleansing. This means using ProfileTailor's event detection and automation to trigger authorization reviews (recertification) and automated role provisioning and de-provisioning based upon an employee's job function. More details of these aspects of ProfileTailor can be found in our other web pages or in the article Automating and securing your starter, mover, leaver processes.


Next Steps...

As you can see, ProfileTailor's out-of-the-box reports, analysis and automation tools provide some extremely rapid and low risk methods to help you attain the Principle of Least Privilege within your SAP environments.

If you would like to find out more about how Grey Monarch and ProfileTailor™ Dynamics can help in this area then please do contact us or have a look at our dedicated page here.
