Copyright © 2003 Americas’ SAP Users’ Group
Segregation of Duties (SOD)
Strategies, Techniques, and Tools
Christopher Lane, Manager – PricewaterhouseCoopers
Jeremy Stokeld, Sr. Associate – PricewaterhouseCoopers
Monday, May 19, 2003
Agenda
Security Overview
Elements of a Good Role Design
Maintaining the Standard
Q&A
Security Overview

Overview – The Security Key Concept
(Figure: SAP Security Check – User Master Record → Profile → Authorizations and Field Values)
Definition of Terms
User – the user master record to which roles/profiles are assigned
Role (Activity Group) – container for authorization data
Transaction Code – a task within SAP (~52,000+)
Field – element of data within a transaction, control point
Object – template containing up to 10 fields (“uncut key”)
Authorization – a completed object, all field values are filled in (“cut key”)
Profile – container of authorizations (ring of “cut keys”)
Profile Generator – tool to construct/generate profiles, tied to the USOBT_C and USOBX_C tables
Overview – The Authorization Concept
(Figure: User Master Record / User → Role/Activity Group/Profile → Authorization Object Field Values)
Level 1: User ID Access
Level 2: Transaction Code Access (examples: SU01, MM01, SPRO)
Level 3: Authorization Access (examples: M_MATE_NEU, S_TABU_DIS)
Security Check Example
Tcode: F-43 – Enter Vendor Invoice
Authority Check 1:
Object: S_TCODE
Field: TCD = “F-43”
Authority Check 2:
Object: F_BKPF_BUK – Authorization for Accounting Documents (by Company Code)
Fields: ACTVT = “01” – Create
BUKRS = “1000” – Company Code
A check passes only when a single authorization for the object satisfies every field; field values are never combined across two authorizations. A user holding ACTVT 01 for company code 2000 and ACTVT 03 for company code 1000 fails check 2 for this transaction.
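The two checks above, worked through as an added example that is not from the original deck and not SAP code: a small Python model of how an authority check consumes a user's authorizations, and of why holding the tcode is only half the story. S_TCODE and F_BKPF_BUK (fields ACTVT, BUKRS) are the objects from the slide; the role names, the sample users and the rule that a range is written as a (low, high) tuple compared as strings are assumptions made for this example.

```python
"""Model of the two-level SAP authority check from the F-43 example.

Added example: this is not SAP code and not the presenters' tool. It models
the documented matching rules for authorization field values: an exact
value, a trailing '*' wildcard, a lone '*' (everything), or a range given
here as a (low, high) tuple compared as strings. Role names and users are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One 'cut key': an authorization object with every field value filled in."""
    obj: str
    fields: dict   # field name -> list of allowed values (str or (low, high) tuple)
    source: str    # role or manual profile it came from ("where did it come from?")


def value_matches(allowed, actual: str) -> bool:
    """Does one allowed value cover the actual field value being checked?"""
    if isinstance(allowed, tuple):            # range, inclusive, string comparison
        low, high = allowed
        return low <= actual <= high
    if allowed == "*":                        # full wildcard
        return True
    if allowed.endswith("*"):                 # generic value, e.g. "F*"
        return actual.startswith(allowed[:-1])
    return allowed == actual


def authority_check(auths, obj: str, required: dict):
    """Passes only if ONE authorization for `obj` satisfies EVERY required
    field; values are never combined across two authorizations.
    Returns (passed, source_role_or_profile)."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(value_matches(a, v) for a in auth.fields.get(f, []))
               for f, v in required.items()):
            return True, auth.source
    return False, None


def can_run(auths, tcode: str, object_checks):
    """Level 2 then level 3: S_TCODE first, then each object the transaction
    checks. Reports which object failed, or which role/profile granted each
    passed check."""
    result = {"ok": True, "failed": None, "sources": []}
    checks = [("S_TCODE", {"TCD": tcode})] + list(object_checks)
    for obj, required in checks:
        ok, source = authority_check(auths, obj, required)
        if not ok:
            result["ok"], result["failed"] = False, obj
            return result
        result["sources"].append((obj, source))
    return result


# The slide's transaction and its second check.
F43_CHECKS = [("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"})]

# Constructed sample users (not from the slide).
AP_CLERK = [   # task-based role: create/display invoices in company code 1000
    Authorization("S_TCODE", {"TCD": ["F-43", "FB03"]}, "Z_AP_INVOICE_1000"),
    Authorization("F_BKPF_BUK", {"ACTVT": ["01", "03"], "BUKRS": ["1000"]}, "Z_AP_INVOICE_1000"),
]
OTHER_CC = [   # has the tcode, but the object authorization is for company code 2000
    Authorization("S_TCODE", {"TCD": ["F-43"]}, "Z_AP_INVOICE_2000"),
    Authorization("F_BKPF_BUK", {"ACTVT": ["01"], "BUKRS": ["2000"]}, "Z_AP_INVOICE_2000"),
]
SPLIT = OTHER_CC + [   # display in 1000 plus create in 2000 does not add up to create in 1000
    Authorization("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["1000"]}, "Z_FI_DISPLAY_1000"),
]
MANUAL = [   # manual profile built with an asterisk and a range: passes far more than intended
    Authorization("S_TCODE", {"TCD": ["F*"]}, "Z_MANUAL_FI_ALL"),
    Authorization("F_BKPF_BUK", {"ACTVT": ["*"], "BUKRS": [("1000", "1999")]}, "Z_MANUAL_FI_ALL"),
]

if __name__ == "__main__":
    for name, auths in [("AP_CLERK", AP_CLERK), ("OTHER_CC", OTHER_CC),
                        ("SPLIT", SPLIT), ("MANUAL", MANUAL)]:
        print(name, can_run(auths, "F-43", F43_CHECKS))
```

The `source` field carries the "where did it come from" answer from the Visibility slide: for the MANUAL user the grant traces back to a manual profile rather than a role, and the asterisk in ACTVT lets that same profile pass a change (ACTVT 02) in any company code from 1000 to 1999, which is the reason the role-design slide says no asterisks or ranges.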
Elements of a Good Role Design

Role-based vs. Manual Profiles
• User menus, tcode controlled
Tcode-based
• Not using asterisks or ranges
Task-based vs. Job-based
• What is the logical grouping of tcodes with minimal duplication and no segregation of duty conflicts?
Standardizing Control Points
• Which field-level security control points are we going to implement?
• What are the risks of not standardizing the control points?
Maintaining the Standard

Visibility
What can they really do?
• Sensitive Objects
• Sensitive Transactions
• Segregation of Duties
Tcode is only half the story!
Where did it come from?
• Role (Activity Group) or Manual Profile
• Cross-Pollination – ex: F_BKPF_BUK is referenced in over 250 transactions
Tool Focus:
• Authorization Field-Level Analysis
• What-if Analysis
• Query (User Driven) vs. Detect (Automatic)
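The segregation-of-duties question from the role-design slide (a grouping of tcodes with no SoD conflicts) and the Query vs. Detect and what-if analysis listed under Tool Focus above, as one added Python example that is not the presenters' tool and not SAP code. It works at tcode level, which is the "half the story" the slide warns about; a field-level analysis would additionally resolve which authorization objects each tcode reaches. The SoD rules, role names, tcode sets and users are constructed for the example and are not a recommended ruleset.

```python
"""Segregation-of-duties analysis over role assignments, in the two modes
the slide names: Detect (scan all users automatically) and Query / what-if
(check one proposed change before it is approved).

Added example: not the presenters' tool and not SAP code. Roles are reduced
to the transaction codes they grant (tcode-level view only). The rules,
roles and users below are constructed for the example.
"""

# Each rule: (id, capability A, tcodes for A, capability B, tcodes for B).
# A user who can do A AND B violates the rule.
RULES = [
    ("AP01", "Maintain vendor master", {"FK01", "FK02", "XK01", "XK02"},
             "Enter vendor invoice",   {"F-43", "FB60", "MIRO"}),
    ("AP02", "Enter vendor invoice",   {"F-43", "FB60", "MIRO"},
             "Post vendor payment",    {"F-53", "F110"}),
]

# Task-based roles: each grants one logical task, none conflicts with itself.
ROLES = {
    "Z_AP_INVOICE_ENTRY": {"F-43", "FB60", "FB03"},
    "Z_VENDOR_MASTER":    {"FK01", "FK02", "FK03"},
    "Z_AP_PAYMENTS":      {"F-53", "F110"},
    "Z_DISPLAY_ONLY":     {"FB03", "FK03"},
}

USERS = {
    "CLERK1": ["Z_AP_INVOICE_ENTRY", "Z_DISPLAY_ONLY"],
    "CLERK2": ["Z_AP_INVOICE_ENTRY", "Z_VENDOR_MASTER"],   # conflicting combination
    "TREAS1": ["Z_AP_PAYMENTS"],
}


def effective_tcodes(roles, assigned):
    """Union of everything the user's roles grant: conflicts arise across roles."""
    tcodes = set()
    for role in assigned:
        tcodes |= roles[role]
    return tcodes


def conflicts_for(tcodes):
    """Rules violated by a set of tcodes, with the tcodes that trigger each side."""
    hits = []
    for rule_id, _name_a, side_a, _name_b, side_b in RULES:
        got_a, got_b = tcodes & side_a, tcodes & side_b
        if got_a and got_b:
            hits.append((rule_id, sorted(got_a), sorted(got_b)))
    return hits


def detect(users, roles):
    """Detect mode: every user with at least one SoD conflict today."""
    report = {}
    for user, assigned in users.items():
        hits = conflicts_for(effective_tcodes(roles, assigned))
        if hits:
            report[user] = hits
    return report


def what_if(users, roles, user, new_role):
    """Preventive check on an access request: conflicts the new role would ADD
    for this user (conflicts that already exist are detect()'s job)."""
    before = conflicts_for(effective_tcodes(roles, users[user]))
    after = conflicts_for(effective_tcodes(roles, users[user] + [new_role]))
    return [hit for hit in after if hit not in before]


def role_conflicts(roles):
    """Design-time check: a role that violates a rule on its own is job-based,
    not task-based, and no assignment review can fix it."""
    return {role: conflicts_for(tcodes) for role, tcodes in roles.items()
            if conflicts_for(tcodes)}


if __name__ == "__main__":
    print("detect:", detect(USERS, ROLES))
    print("what-if CLERK1 + Z_AP_PAYMENTS:", what_if(USERS, ROLES, "CLERK1", "Z_AP_PAYMENTS"))
    print("self-conflicting roles:", role_conflicts({**ROLES, "Z_AP_ALL": {"F-43", "F-53"}}))
```

`what_if` is the forced preventive check from the Ownership slide: run before a request is routed to the approver, it presents the approver with the specific rule and tcodes the change would introduce rather than a raw list of roles. `role_conflicts` answers the task-based vs. job-based question at design time, where a conflict is far cheaper to remove than after the role is assigned.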
Ownership
Business Involvement?
• Why – It’s their data
• How – Visibility & Workflow Approvals
What is Security’s Role?
• Role Design, Maintenance, Control Optimization
Where is the Administrator’s True Value?
• System Watchdog
• Demand for Better Controls vs. Resource Allocation
Tool Focus:
• Automatic Request Routing
• Preventative Check – Forced vs. Optional
• Approver Presentation – Data vs. Information
Documentation
Change History
• Record of Action: what, where, when, by whom, why
• Searchable Data – saved e-mails rarely tell the whole story!
Meeting Audit Standards
• Identification of Controls
• Documentation of Testing
Tool Focus:
• Change History / Approval Record
• Mitigating Controls
Summary
Where is the control? It’s in the process!
• Visibility – current issues & change impact
• Ownership – approval, risk presentation
• Documentation – audit requirements
Tool Focus: what belongs in a tool?
Reality: when resources are strained, manual processes are the first to go.
Contact Info:
Christopher Lane
PwC Security, Manager
Phone: 713-870-6449
Email: [email protected]
Jeremy Stokeld
PwC Security, Sr. Associate
Phone: 713-501-5957
Email: [email protected]
Questions
Thank you for attending!
Please remember to complete and return your evaluation form following this session.
Session Code: 505