Copyright © 2003 Americas’ SAP Users’ Group Segregation of Duties (SOD) Strategies, Techniques, and Tools Christopher Lane Manager – PricewaterhouseCoopers Jeremy Stokeld Sr Associate - PricewaterhouseCoopers Monday, May 19,2003


Page 1:

Segregation of Duties (SOD)

Strategies, Techniques, and Tools

Christopher Lane, Manager – PricewaterhouseCoopers

Jeremy Stokeld, Sr Associate – PricewaterhouseCoopers

Monday, May 19, 2003

Page 2: Agenda

Security Overview

Elements of a Good Role Design

Maintaining the Standard

Q&A

Page 3: Security Overview

Page 4: Overview – The Security Key Concept

[Diagram: the SAP security check compares the User Master Record against the Profile, its Authorizations, and their Field Values.]

Page 5: Definition of Terms

User

Role (Activity Group) – container for authorization data

Transaction Code – a task within SAP (~52,000+)

Field – element of data within a transaction, control point

Object – template containing up to 10 fields (“uncut key”)

Authorization – a completed object, all field values are filled in (“cut key”)

Profile – container of authorizations (ring of “cut keys”)

Profile Generator – tool to construct/generate profiles, tied to the USOBT_C and USOBX_C tables

Page 6: Overview – The Authorization Concept

[Diagram: User Master Record → User → Role/Activity Group/Profile → Authorization Object Field Values]

Level 1: User ID Access

Level 2: Transaction Code Access. Examples: SU01, MM01, SPRO

Level 3: Authorization Access. Examples: M_MATE_NEU, S_TABU_DIS

Page 7: Security Check Example

Tcode: F-43 Enter an Invoice

Authority Check 1:

Object: S_TCODE

Field: TCD = “F-43”

Authority Check 2:

Object: F_BKPF_BUK – Authorization for Accounting Documents

Fields: ACTVT = “01” – Create

BUKRS = “1000” – Company Code
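To make the key-and-lock model concrete, the Python below is an added example (not code from the presentation or from PwC) that models objects, authorizations, profiles and the user master record, and then runs the two checks the slides list for F-43. S_TCODE, F_BKPF_BUK, TCD, ACTVT and BUKRS are the real SAP names from the slides; the profile names, user IDs, the FB03 tcode and all field values are assumptions made up for the example, and the value matching (exact value, "*", trailing-asterisk generic value, low/high range) is a simplification of what the kernel does.

```python
from dataclasses import dataclass

# Authorization object templates ("uncut keys"): object name -> its fields.
# S_TCODE and F_BKPF_BUK are the real objects from the slides, with their
# standard fields. ACTVT codes: 01 create, 02 change, 03 display.
AUTH_OBJECTS = {
    "S_TCODE": ("TCD",),
    "F_BKPF_BUK": ("ACTVT", "BUKRS"),
}


@dataclass
class Authorization:
    """A 'cut key': one object with every field filled in.

    values maps field -> tuple of value specs: an exact value ("1000"),
    the full wildcard ("*"), a generic value with trailing asterisk ("10*"),
    or a (low, high) range tuple. Simplified string comparison, not SAP's
    fixed-length field semantics.
    """
    obj: str
    values: dict

    def __post_init__(self):
        missing = [f for f in AUTH_OBJECTS[self.obj] if not self.values.get(f)]
        if missing:
            raise ValueError(f"{self.obj}: field(s) {missing} not filled in; "
                             "an authorization must complete the object")


def spec_matches(spec, value):
    """Does one value spec of an authorization field cover the requested value?"""
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    if spec == "*":
        return True
    if spec.endswith("*"):
        return value.startswith(spec[:-1])
    return spec == value


def authority_check(auths, obj, **required):
    """Mimic ABAP AUTHORITY-CHECK: succeeds only if ONE authorization for obj
    satisfies every requested field at once. Values from different
    authorizations are never combined, so ACTVT=01 in one authorization and
    BUKRS=2000 in another do not add up to 'create in company code 2000'."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(spec_matches(s, v) for s in auth.values.get(f, ()))
               for f, v in required.items()):
            return True
    return False


@dataclass
class Profile:
    """Container of authorizations: the 'ring of cut keys'."""
    name: str
    auths: list


@dataclass
class User:
    """User master record: the profiles assigned to a user ID."""
    uid: str
    profiles: list

    def auths(self):
        return [a for p in self.profiles for a in p.auths]


def enter_invoice(user, company_code):
    """Simulate the two checks the slide lists for tcode F-43 (Enter an Invoice)."""
    auths = user.auths()
    if not authority_check(auths, "S_TCODE", TCD="F-43"):  # check 1
        return "rejected: no authorization for transaction F-43"
    if not authority_check(auths, "F_BKPF_BUK", ACTVT="01", BUKRS=company_code):  # check 2
        return f"rejected: cannot create accounting documents in company code {company_code}"
    return "ok"


# Constructed sample profiles and users (names and values are made up).
AP_CLERK_1000 = Profile("Z_AP_CLERK_1000", [
    Authorization("S_TCODE", {"TCD": ("F-43", "FB03")}),
    Authorization("F_BKPF_BUK", {"ACTVT": ("01", "03"), "BUKRS": ("1000",)}),
])
FI_DISPLAY_ALL = Profile("Z_FI_DISPLAY_ALL", [
    Authorization("S_TCODE", {"TCD": ("FB03",)}),
    Authorization("F_BKPF_BUK", {"ACTVT": ("03",), "BUKRS": ("*",)}),
])
FI_ALL = Profile("Z_FI_ALL", [  # asterisks and ranges: what slide 9 warns against
    Authorization("S_TCODE", {"TCD": ("F*",)}),
    Authorization("F_BKPF_BUK", {"ACTVT": ("*",), "BUKRS": (("0001", "9999"),)}),
])

CLERK = User("CLERK1", [AP_CLERK_1000, FI_DISPLAY_ALL])
FI_ADMIN = User("FIADMIN", [FI_ALL])
VIEWER = User("VIEWER", [FI_DISPLAY_ALL])

if __name__ == "__main__":
    for user, bukrs in [(CLERK, "1000"), (CLERK, "2000"), (FI_ADMIN, "2000"), (VIEWER, "1000")]:
        print(f"{user.uid} F-43 in {bukrs}: {enter_invoice(user, bukrs)}")
```

The case worth noticing is CLERK in company code 2000: the user holds BUKRS "*" (from the display profile) and ACTVT "01" (from the clerk profile), but in different authorizations, so the check fails. Any analysis tool that merges field values across a user's authorizations before comparing them will overstate what the user can do.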

Page 8: Elements of a Good Role Design

Page 9: Elements of a Good Role Design

Role-based vs. Manual Profiles

• User menus, tcode controlled

Tcode-based

• Not using asterisks or ranges

Task-based vs. Job-based

• What is the logical grouping of tcodes with minimal duplication and no segregation of duty conflicts?

Standardizing Control Points

• Which field-level security control points are we going to implement?

• What are the risks of not standardizing the control points?

Page 10: Maintaining the Standard

Page 11: Visibility

What can they really do?

• Sensitive Objects

• Sensitive Transactions

• Segregation of Duties

Tcode is only half the story!

Where did it come from?

• Role (Activity Group) or Manual Profile

• Cross-Pollination

Ex: F_BKPF_BUK is referenced in over 250 Transactions

Tool Focus:

• Authorization Field-Level Analysis

• What-if Analysis

• Query (User Driven) vs Detect (Automatic)
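The "tcode is only half the story" point, and the what-if analysis listed under Tool Focus, can be shown with a small SOD checker. The Python below is an added example, not a tool from the presentation or from PwC: it defines each business function both as a tcode list and as the object/field values those tcodes check, runs the same rule once at tcode level and once at field level, and simulates the preventive what-if check an approver would want before a role is assigned. The vendor-master/invoice rule, the tcodes other than F-43, the F_LFA1_APP object and all role names and values are assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass
class Role:
    """A role as an SOD tool sees it: its tcodes plus the authorization field
    values it grants (object -> field -> set of values; "*" = all values).
    Exact values only, to keep the example short."""
    name: str
    tcodes: set
    auths: dict


# Business functions defined at both levels: the tcodes that perform them AND
# the object/field values those tcodes check. The rule and the F_LFA1_APP
# mapping are an assumed illustration, not content from the slides.
FUNCTIONS = {
    "maintain vendor master": {
        "tcodes": {"XK01", "XK02", "FK01", "FK02"},
        "needs": ("F_LFA1_APP", "ACTVT", {"01", "02"}),
    },
    "post vendor invoice": {
        "tcodes": {"F-43", "FB60"},
        "needs": ("F_BKPF_BUK", "ACTVT", {"01"}),
    },
}
SOD_RULES = [
    ("maintain vendor master", "post vendor invoice",
     "can create a fictitious vendor and post invoices to it"),
]


def effective_values(roles, obj, fld):
    """All values of one field of one object across a user's roles."""
    vals = set()
    for r in roles:
        vals |= r.auths.get(obj, {}).get(fld, set())
    return vals


def can_perform(roles, func, field_level=True):
    """Tcode-only analysis stops at the tcode; field-level analysis also asks
    whether the values behind the tcode allow the activity."""
    spec = FUNCTIONS[func]
    tcodes = set().union(*(r.tcodes for r in roles))
    if not tcodes & spec["tcodes"]:
        return False
    if not field_level:
        return True
    obj, fld, wanted = spec["needs"]
    have = effective_values(roles, obj, fld)
    return "*" in have or bool(have & wanted)


def sod_conflicts(roles, field_level=True):
    """Descriptions of every rule a user with these roles violates."""
    return [desc for a, b, desc in SOD_RULES
            if can_perform(roles, a, field_level) and can_perform(roles, b, field_level)]


def what_if(current_roles, new_role):
    """Preventive check before a request is approved: the conflicts this
    assignment would add to the user's existing access."""
    before = set(sod_conflicts(current_roles))
    after = set(sod_conflicts(current_roles + [new_role]))
    return sorted(after - before)


# Constructed roles (made-up names and values).
AP_CLERK = Role("Z_AP_CLERK", {"F-43", "FB60", "FB03"},
                {"F_BKPF_BUK": {"ACTVT": {"01", "03"}, "BUKRS": {"1000"}}})
# Has the F-43 tcode but display-only values: a tcode report flags it,
# a field-level report does not.
AP_DISPLAY = Role("Z_AP_DISPLAY", {"F-43", "FB03"},
                  {"F_BKPF_BUK": {"ACTVT": {"03"}, "BUKRS": {"*"}}})
VENDOR_MAINT = Role("Z_VENDOR_MAINT", {"XK01", "XK02", "XK03"},
                    {"F_LFA1_APP": {"ACTVT": {"01", "02", "03"}, "APPKZ": {"*"}}})

if __name__ == "__main__":
    print("tcode-only :", sod_conflicts([AP_DISPLAY, VENDOR_MAINT], field_level=False))
    print("field-level:", sod_conflicts([AP_DISPLAY, VENDOR_MAINT]))
    print("real clerk :", sod_conflicts([AP_CLERK, VENDOR_MAINT]))
    print("what-if    :", what_if([AP_CLERK], VENDOR_MAINT))
```

Two caveats for anyone turning this into a real report. First, `effective_values` unions one field across roles; that is fine when a function is defined by a single field, but the SAP check evaluates all fields of one authorization together, so organisational fields such as BUKRS must be evaluated per authorization, and a conflict only matters where the two functions overlap on the same company code. Second, because an object like F_BKPF_BUK is checked by hundreds of transactions, a function defined by a short tcode list under-counts; the object/field side of the definition is what catches access that arrived through another role's tcodes.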

Page 12: Ownership

Business Involvement?

• Why – It’s their data

• How – Visibility & Workflow Approvals

What is Security’s Role?

• Role Design, Maintenance, Control Optimization

Where is the Administrator’s True Value?

• System Watchdog

• Demand for Better Controls vs Resource Allocation

Tool Focus:

• Automatic Request Routing

• Preventative Check – Forced vs. Optional

• Approver Presentation – Data vs Information

Page 13: Documentation

Change History

• Record of Action: What, Where, When, By Whom, Why

• Searchable Data: saved e-mails rarely tell the whole story!

Meeting Audit Standards

• Identification of Controls

• Documentation of Testing

Tool Focus:

• Change History / Approval Record

• Mitigating Controls

Page 14: Summary

Where is the control? It’s in the process!

• Visibility – current issues & change impact

• Ownership – approval, risk presentation

• Documentation – audit requirements

Tool Focus: What belongs in a tool?

Reality – when resources are strained, manual processes are the first to go.

Page 15: Contact Info

Christopher Lane, PwC Security, Manager

Phone: 713-870-6449

Email: [email protected]

Jeremy Stokeld, PwC Security, Sr. Associate

Phone: 713-501-5957

Email: [email protected]

Page 16: Questions

Page 17:

Thank you for attending!

Please remember to complete and return your evaluation form following this session.

Session Code: 505