S 4.260 Rights management for SAP systems

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The security of the business data processed in an SAP system depends greatly on the authorisation settings configured for the users and administrators. These settings specify which functions (also referred to as transactions in SAP terminology) a certain user may call and therefore which data this user may read or change. For this reason, the authorisations configured and their administration is a very important component of system security, especially when considering the possibility of internal employees committing fraudulent acts.

The SAP authorisation system is very flexible, but its configuration is also very complex. In contrast to operating systems, where authorisations are assigned directly to objects (e.g. files), SAP systems operate according to the identification principle: when a user accesses a function, the system checks if the user possesses a certain type of authorisation. If this is the case, the system checks if the values entered meet the requirements the user needs to meet to execute the function called. The authorisation types and values checked are specified by the programmer of the function, and the programmer can also implement functionality to check the data passed to the function in the current call. In addition, the programmer can decide at the end of a function if a required authorisation check will actually be performed.

The following recommendations should be taken into account for the management of authorisations. The list must be adapted to the local needs and requirements and must be expanded, if necessary.

Training

Administrators who are responsible for the administration of user IDs, roles, profiles, or authorisations absolutely must receive training on the SAP authorisation concept and on authorisation management (procedures, tools, and correct use) or be able to provide verification that they possess the corresponding knowledge. This is the only way to ensure that authorisation management will be performed correctly.

Separating responsibilities (two-man principle)

The administration concept must be designed in such a way that the responsibilities are separated wherever possible. The following should be taken into consideration in this case:

• A user administrator should be created. This administrator should be allowed to create and change user IDs and assign roles. This administrator must not be allowed to create or change roles or profiles. SAP provides the SAP_ADM_US template for this purpose.
• A role administrator should be created who is allowed to create and change roles, but not allowed to create or change users or profiles. SAP provides the SAP_ADM_AU template for this purpose.
• A profile administrator should be created. This administrator must be allowed to generate profiles for existing roles which do not contain any critical system authorisations (for example S_USER*), since such roles permit user and role administration. SAP provides the SAP_ADM_PR template for this purpose.
• These administrators must be assigned to the SUPER group.
• An administrator-administrator should be defined. This administrator administrates the user, roles, and profile administrators. The administrator-administrator should be assigned the S_A.SYSTEM profile, which is needed to administrate the users in the SUPER group. The administrator-administrator should only be used according to the two-man principle. It can be locked by the user administrator, for example, and then unlocked for the time it is needed.

Separating the responsibilities (provided that this separation is implemented correctly from a technical point of view) prevents the administrators from assigning authorisations to themselves and ensures they can only perform the tasks assigned to them.

In small companies or government agencies, it may be impossible to separate the responsibilities due to a lack of available personnel, and all tasks are then performed by a single person. All of the data in the SAP system can be read and changed by the administrator without anyone noticing in this case. In general, this must be considered critical to security, and additional controls are necessary to prevent this. The same also generally applies to important financial and balance sheet processes, as well as to cases in which personal data is processed, in which case it is necessary to separate the functions accordingly, for example. If these functions cannot be separated, suitable controls must be defined at the organisational level, and the execution of these controls must be ensured. Corresponding checks for the presence of such controls are performed, for example, during audits conducted in the context of the Sarbanes Oxley Act.

The roles defined and supplied by SAP must be checked carefully for conformance to internal requirements and modified accordingly when necessary.

References to SAP documentation relating to the design of an authorisation management system and the relevant authorisations can be found in S 2.346 Use of the SAP documentation.

Tools for authorisation management

Authorisations, profiles, and roles may also be administrated manually. However, we urgently recommend avoiding manual administration of these items for security reasons, since authorisation problems always arise when they are administrated manually due to the large number of objects. It is therefore urgently recommended to use the Profile Generator (transaction PFCG). In particular, when the Profile Generator is used, manual changes to the profiles must be prohibited.

Administrators must familiarise themselves with the mechanisms and procedures for using the Profile Generator so that the authorisations are assigned correctly. For example, the Profile Generator needs to be initialised first using transaction SU25. In particular, they must be familiar with the use and maintenance of check indicators (transaction SU24). Test runs should be conducted to detect missing authorisations (which can be found using transaction SU53 or by conducting authorisation traces using transaction ST01, for example).

In addition to the internal system tools for authorisation management, there are also external tools offered by third party manufacturers for user and authorisation management. These tools are generally equipped with an easy-to-use user interface, since they run at the operating system level. Whether or not such tools can be used as an alternative to the internal system tools must be decided on a case-by-case basis and depending on a cost/benefit analysis.

References to SAP documentation for authorisation management using the Profile Generator can be found in S 2.346 Use of the SAP documentation.

Application-specific authorisation management

Some products and applications use their own authorisation concepts and authorisation management tools (for example the SAP Customer Relationship Management, mySAP CRM, or Human Capital Management (HCM) module) in addition to the standard SAP authorisation concept. This must be taken into account during administration, since additional administration steps and tasks are necessary in this case. In particular, it must be taken into consideration that the product or application can only be operated securely when the application-specific authorisations are configured securely using the application-specific management tools. In general, it must be ensured that only minimal authorisations are granted, the roles are separated, and the tasks are separated from the responsibilities. For example, it must not be possible in a CRM system for the person who placed the goods in a shopping cart to place the order for the goods in the shopping cart.

In general, the subject of business risk management plays an important role at the application level. For example, when assigning authorisations, some of the criteria defined for assigning the authorisations are defined by risk management.

Review questions:

• Is there a role concept for administrating the SAP system?
• Have the roles specified and delivered by SAP been compared to the organisation's own requirements and adapted?
• Are the SAP administrators familiar with the mechanisms and procedures when using the SAP Profile Generator?