8/6/2019 securitystrategiesforhcmimplementationspowerpoint-100617081239-phpapp02
1/34
Security Strategies for HCM Implementations
Scott Goolik, Director of Security and Controls - Symmetry
June 16, 2010
Kellie Fitzpatrick, COO, Symphony Consulting
Download the presentation recording with audio from the
Symmetry Knowledge Center
www.sym-corp.com/knowledge-center
Introducing
Scott Goolik
Director of Security & Controls, Symmetry Corporation
14 years experience in SAP security
Lead architect for ControlPanelGRC compliance automation tools
21st Century ERP Model
Quality: proactive support delivered by US-based experts
Accessibility: 24x7 direct access to your support team
Affordability: highly competitive, fixed price contracts
Symmetry Corporation
Established 1996
Based in Milwaukee, WI
100% SAP focus
All SAP applications
All platforms
Symphony Management Consulting
One of the leading providers of SAP HCM consulting services
Established in 2002 and led by experienced SAP HCM consultants
We strive to not only assist you in your current need, but to become a trusted advisor to your organization
SAP Services Partner since 2007
Industry focus includes Chemicals, Healthcare & Biotech, Manufacturing &
Distribution, Pharmaceuticals and State & Local Government
Need help from an expert? Symphony's experts provide complimentary answers to some of your most difficult questions!
Visit us at http://www.symphonyhcmexperts.com
What We Will Learn
Determine when you should consider a separate landscape and when you should consider a combined landscape.
Understand the limitations of implementing on a separate instance and the level of maintenance required.
See real-life examples of companies that have implemented on separate landscapes, those that have implemented on the same landscape, and why that decision was right for them.
Single vs. Separate SAP Instances When Implementing HCM
What does it mean?
Single Instance
One instance of SAP across all business functions
One transport path across all systems
When SAP is currently installed on a single landscape it is Dev > QA > Prod only
Separate Instance
There are two different SAP instances running
Potentially one for FI, MM, SD, PM, CRM
Another for HCM
Transports run across one landscape
Data is interfaced between multiple systems via ALE
Data is configured twice (once on each system)**
There are usually 2 of each box
** This typically means multiple maintenance and can result in inaccurate data or data integrity issues
Single Instance Advantages
Real-time data for all business functions in one system
No need to transfer data across multiple instances via an interface (ALE) or configuration
Support packs can be implemented for only HCM
Configuration is tested, transported and configured to meet total business requirements one time and in one system
Master data is accessed through a single point of entry
Global headcount reporting
Compliance reporting
Budget preparation
One system to maintain with reduced costs
Security administration should be monitored on an ongoing basis
ControlPanelGRC can help and will be discussed later in this presentation
Single System Disadvantages
HCM requires support packs and updates multiple times a year
Usually four times a year, but definitely at year-end
Typically requires the entire organization to shut down the system over a weekend for a few hours
Requires Unicode compliance if implementing in multiple countries
Language and currency issues are addressed
HCM Talent Management functionality recommends at least ECC 5.0
Encourage ECC 6.0 due to functionality enhancements
Enhancement Pack 4 or above should also be installed
Benefits of a Separate System for HCM
One system which is dedicated to only HCM data requirements
Organization is running multiple large payrolls across multiple countries
Can cause the system to run slower if running during the workday
Either way we would recommend you run after hours in a batch session
Time is evaluated for a large employee population at the same time
Can cause the system to run slower if running during the workday
Either way we would recommend you run after hours in a batch session
Safe Harbor laws prevent employee data from being housed in a different country
If this is a concern, other entities have procured waivers from their employees to allow this to be done ~ P&G, Coke, PolyOne
Separate System Advantages
Ability to upgrade and apply support packs whenever necessary
System downtime for the rest of the organization is decreased
Ability to implement SAP HCM with the latest and greatest functionality if the rest of the organization is on a lower SAP version
Ability to run payroll/time across multiple countries with minimal impact to departments outside HR
Localization issues arising from Safe Harbor restrictions are minimized or eliminated
Separate System Disadvantages
ALE needs to be created and run for HR-required data related to:
Cost Centers
G/L Accounts
Work Orders
Activity Types
The inability to have data in one system available in real time; reporting may be delayed by 24 hours
Ability to set up specific items which relate to FI: Positions, Departments, Jobs (Cost Center integration)
Users may need to sign into multiple systems to complete their position responsibilities
Separate System Disadvantages
Additional costs may be incurred by:
Multiple upgrades
Multiple support streams
Multiple configuration tasks
Multiple system maintenance
Requirement to understand two landscapes with multiple types of configuration with very different data
When the other system upgrades data we need to test on both systems to ensure the data flow is not compromised
Common Misconceptions of Why a Separate Instance is Needed
HR support packs require us to apply support packs for every other module
There is too much HR data to allow us to incorporate it on one instance
Reporting is much more labor intensive
Security issues are major
HR data is not secure if it is on the same system
Employees have access to items they shouldn't
A portal will open us up to data integrity and liability issues
Large Organization, Same System
System Requirements
21,000 users
Over 75,000 employees, all on ESS
35 countries, 22 languages
Modules implemented: Finance, HR, Materials, Production Planning, CRM
Specific HCM: PA, OM, PY, Time, ESS, MSS
Globally, payroll runs in batch at night
Time Eval runs in batch at night
Security is assigned primarily to positions (structural) in order to ensure the system is locked down
Mid-size Organization, Same System
System Requirements
500 users
Over 3,000 employees, all on ESS
US only, 2 languages
Modules implemented: Finance, HR, Materials, Production Planning, CRM
Specific HCM: PA, OM, BN, PY, Time, ESS, MSS, Talent Management
Payroll runs in batch at night
Time Eval runs in batch at night
Security is set up by person and is monitored frequently
Large Organization, Separate System
Standardized on a common IT backbone
15,000 users
Over 100,000 employees
45 countries
175 legal entities
18 languages
Modules implemented: Finance, HR and Supply Chain
Due to the size and requirements of payroll processing, HCM is on a separate instance
ALE is run at night and new positions are created the next day
Mid-size Company Example, Separate System
System Background
1,000 users
Over 5,000 employees
12 countries
8 languages
SAP Environment 4.6c
Finance does not have a need to upgrade
Finance did not want to apply support packs to all modules at the same time**
There was no compelling reason to upgrade
HR ECC 6.0
Required Talent Management functionality
Security team did not want to continuously update employees
This was not necessary; however, they were never told the system has structural authorization capability
The rest of the organization was on 4.7; prior to ECC 5.0 all modules had to apply support packs together
Data is being configured in two systems
Sometimes it isn't completed for weeks, a workload issue
Security & HCM
Security is not a reason for a separate landscape
Authorization flexibility in SAP is a key component of its value proposition
All critical data can be restricted!
Can require a culture change
Remediation project is generally required for live customers during HCM implementation
Step 1: Review of HCM Authorizations in existing Roles
Review of P Authorization Objects in existing Roles, or any Object in the HR Class!
Needs to be reviewed and likely removed or restricted further
If not required, update SU24 so you don't accidentally provide access in the future!
Step 1: Review of P_ORGIN in existing Roles
P_ORGIN is commonly in existing Roles
Authorization controls access to HCM Master Data, which is very sensitive
Can be automatically proposed when Production Planning Transactions are added to Roles
Not likely required if there was no HCM data available in the system!
Consider activating P_ORGINCON in the HCM system instead of P_ORGIN to increase future flexibility!
Step 1: Review of PLOG in existing Roles
PLOG is commonly in existing Roles
Authorization controls access to the HCM Organizational Structure
Can be automatically proposed when Production Planning, Controlling, or other Transactions are added to Roles
These might be required going forward as the structures are used for more than just HCM
Need to restrict the OTYPE field accordingly
Exclude any used HCM Object Types: definitely O, S, P, but check with your HCM team for others!
Step 1: Review of P_ABAP in existing or new HCM Roles
P_ABAP could be in existing Roles, but will be in HCM Roles
Provides the ability to bypass HCM Master Data Authorization checks during report execution
Useful to provide someone with the ability to run a telephone list without giving them access to underlying HCM data
Watch for this Authorization in Roles with the REPID field set to wildcard or report SAPDBPNP!
Recommend updating SU24 so that you don't accidentally provide this access
Step 2: Sensitive Authorizations in existing and new Roles
Sensitive Authorizations can accidentally compromise data privacy
Display of Spool Output belonging to the Payroll Manager
Displaying HCM Infotype data via SE16 or ABAP Query
We'll provide some examples of what to look out for
Not a complete list, just getting you pointed in the right direction!
Step 2: Remove S_DEVELOP from end-user Roles
S_DEVELOP enables maintenance of ABAP Workbench Objects...
Which is bad in non-Development Systems
Debug Replace (Activity 02 for Object Type DEBUG)
Enables Users to step around Authority-Checks
Debug Display (Activity 03 for Object Type DEBUG)
Enables Users to view data in Internal Tables before Authority-Checks determine access is not allowed
In general, no end-user should have any S_DEVELOP Authorization!
Step 2: Restrict S_TABU_DIS in end-user Roles
S_TABU_DIS enables Users to display tables via SE16 or ABAP Query
Use of SE16 and ABAP Query (i.e., SQ01-03) really should be limited to your IT folks (at a minimum)
ABAP Queries can be assigned to Transactions for end-users
Displaying tables via these methods bypasses all HCM Authorizations
HCM data is generally stored in tables assigned to P Authorization Groups
Some HCM tables are unclassified, causing risk for the &NC& Authorization Group
Need to restrict S_TABU_DIS from having access to Authorization Groups that start with P and &NC&
Existing unclassified Tables need to be assigned to an Authorization Group!
Step 2: Remove S_SPO_ACT from end-user Roles
S_SPO_ACT enables Users to access Spool Requests belonging to other Users
Would allow a User to view reports printed by my Payroll Manager
In general, this Authorization should be removed from all Users
In some cases, it may be reasonable to provide groups of Users with the ability to display spools generated by a specific background user
Verify that SPOAUTH is not set to wildcard in Roles!
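The Step 1 and Step 2 review points above can be run as one mechanical pass over a role-authorization export. The script below is an added example, not code from the deck or from Symmetry or Symphony; it assumes an extract shaped like SAP's AGR_1251 table (AGR_NAME, OBJECT, FIELD, LOW, HIGH), and the role names and values in SAMPLE_EXTRACT are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like an AGR_1251 extract (role, object, field, low, high);
# the role names and values are made up for this example.
SAMPLE_EXTRACT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_END_USER,S_DEVELOP,OBJTYPE,DEBUG,
Z_END_USER,S_DEVELOP,ACTVT,02,
Z_END_USER,S_TABU_DIS,DICBERCLS,*,
Z_END_USER,S_SPO_ACT,SPOAUTH,*,
Z_PHONE_LIST,P_ABAP,REPID,SAPDBPNP,
Z_PP_PLANNER,PLOG,OTYPE,*,
Z_PP_PLANNER,P_ORGIN,INFTY,0002,
Z_CLEAN,S_TABU_DIS,DICBERCLS,SS,
"""

HCM_OTYPES = ("O", "S", "P")   # PLOG object types the deck says to exclude


def covers(values, target):
    """True if any LOW/HIGH pair is a wildcard, equals target, or is a range over it."""
    return any(low == "*" or low == target or (high and low <= target <= high)
               for low, high in values)


def review_roles(extract_csv):
    """Return (role, object, finding) for each Step 1 / Step 2 red flag in the extract."""
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for row in csv.DictReader(io.StringIO(extract_csv)):
        roles[row["AGR_NAME"]][row["OBJECT"]][row["FIELD"]].append((row["LOW"], row["HIGH"]))
    findings = []
    for role, objects in roles.items():
        for obj, f in objects.items():
            if obj == "S_DEVELOP":   # deck: no end user should hold S_DEVELOP at all
                debug = covers(f["OBJTYPE"], "DEBUG") and (
                    covers(f["ACTVT"], "02") or covers(f["ACTVT"], "03"))
                findings.append((role, obj, "DEBUG replace/display bypasses authority checks"
                                 if debug else "ABAP Workbench access in an end-user role"))
            elif obj == "S_TABU_DIS" and any(
                    g == "*" or g == "&NC&" or g.startswith("P") for g, _ in f["DICBERCLS"]):
                findings.append((role, obj, "table display reaches P* or &NC& authorization groups"))
            elif obj == "S_SPO_ACT" and any(g == "*" for g, _ in f["SPOAUTH"]):
                findings.append((role, obj, "SPOAUTH wildcard exposes other users' spool output"))
            elif obj == "P_ABAP" and (covers(f["REPID"], "*") or covers(f["REPID"], "SAPDBPNP")):
                findings.append((role, obj, "REPID wildcard/SAPDBPNP skips HCM master data checks"))
            elif obj == "PLOG" and any(covers(f["OTYPE"], t) for t in HCM_OTYPES):
                findings.append((role, obj, "OTYPE covers HCM object types O/S/P"))
            elif obj == "P_ORGIN":
                findings.append((role, obj, "HCM master data object present; review, prefer P_ORGINCON"))
    return findings
```

Running `review_roles(SAMPLE_EXTRACT)` flags all six risky entries and leaves the clean role alone; the same function can be pointed at a full AGR_1251 download to drive the remediation list.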
Data in Non-Productive Systems
Authorization restrictions are required in any system that contains live Production data
This could impact more than just the end-user community in Development and Q/A environments!
Consider data scrambling to free up User Authorizations in the environment
Scramble Names, SSN, Birthday, Addresses, Pay/Additional Pay, Benefits Information, EH&S data, etc.
Symmetry has tools and/or services to assist!
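One way to scramble the fields listed above while keeping the copied data usable for development and testing is keyed, deterministic pseudonymization: the same real value always maps to the same fake value, so records still join across infotype tables, and each fake value keeps the shape of the original. This is an added example, not a Symmetry tool or SAP function; the PA0002/PA0008-style rows, field names and key are constructed for the example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed infotype-style rows keyed by personnel number (PERNR); values are made up.
PA0002 = [  # personal data
    {"PERNR": "00001001", "NACHN": "Doe", "VORNA": "Jane", "GBDAT": "1980-03-15", "PERID": "123456789"},
    {"PERNR": "00001002", "NACHN": "Roe", "VORNA": "Rick", "GBDAT": "1975-11-02", "PERID": "987654321"},
]
PA0008 = [  # basic pay; joins to PA0002 on PERNR, which must stay intact
    {"PERNR": "00001001", "BET01": "5200.00"},
    {"PERNR": "00001002", "BET01": "6100.00"},
]
KEY = b"placeholder-scramble-key"  # assumption: one secret per non-productive landscape


def _digest(field, value):
    return hmac.new(KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def scramble_name(field, value):
    """Deterministic pseudonym: same input gives same output, so lookups still match."""
    return field[0] + _digest(field, value).hex()[:8].upper()


def scramble_digits(field, value):
    """Keep the length and digit-only shape of identifiers such as SSN."""
    return "".join(str(b % 10) for b in _digest(field, value)[:len(value)])


def scramble_date(field, value, max_days=365):
    """Shift by a key-derived offset within +/- max_days so age bands stay realistic."""
    offset = int.from_bytes(_digest(field, value)[:2], "big") % (2 * max_days + 1) - max_days
    return (date.fromisoformat(value) + timedelta(days=offset)).isoformat()


def scramble_amount(field, value):
    """Scale pay by a key-derived factor in [0.8, 1.2] so totals stay plausible but untrue."""
    factor = 0.8 + (int.from_bytes(_digest(field, value)[:2], "big") % 4001) / 10000
    return f"{float(value) * factor:.2f}"


RULES = {"NACHN": scramble_name, "VORNA": scramble_name, "GBDAT": scramble_date,
         "PERID": scramble_digits, "BET01": scramble_amount}


def scramble_table(rows):
    """Apply the field rules to every row; keys such as PERNR pass through unchanged."""
    return [{k: RULES[k](k, v) if k in RULES else v for k, v in row.items()} for row in rows]
```

Once both tables are scrambled this way, display access in the copy no longer exposes real employee data, which is what lets the tighter production authorizations be relaxed there.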
7 Key Points to Take Home
Implementations of HCM do not require separate instances
Real-time data is essential to the daily operations of business
Symphony is an SAP HCM-only firm with extensive experience in global and local implementations
Security should never be the reason to have a separate HCM landscape
Security can be adapted to protect sensitive HCM data
Tools like ControlPanelGRC can be used to provide assurance that sensitive data is restricted to appropriate Users
Symmetry can assist with security architecture design and implementation, or risk assessment and remediation specifically for HCM
Heather Mickelson 414-732-2738
Kellie Fitzpatrick 704-556-2288
Scott Goolik 414-732-2740