
ISACA JOURNAL Volume 6, 2014. ©2014 ISACA. All rights reserved. www.isaca.org

There are many things to know about authorizations in SAP. Ask SAP security administrators or auditors, and they will say that they discover new things all the time. The reason is that SAP is a continually evolving product that frequently rolls out new components and has become so complex that working with it is a constant journey of learning.

That said, the fundamentals of SAP security remain stable in each silo supporting the functional components, such as modules, applications, portal and application server. Considering this stability and the fact that many new consultants and auditors want or need to learn SAP security, 100 Things You Should Know About Authorizations in SAP provides a strong foundation for anyone interested in becoming familiar with SAP.

To outsiders, security is often seen as merely the tool that grants a user access to the system and its functionality. But security is much more than that. Understanding, knowing and applying the SAP security/authorization concept is an important prerequisite for successful SAP implementation, sustainment, ongoing administration and business controls. Knowledge of the SAP security/authorization concept can also be valuable when conducting a financial, business controls/IT or quarterly Sarbanes-Oxley audit. SAP security provides the means to grant users access to the functionality they need for their daily business tasks in the SAP system. At the same time, it also allows organizations to follow the principle of least privilege, control the workflow and segregate duties for user access. This book helps the reader understand the basics of SAP authorizations and security.

This 364-page book is well structured and contains many useful screenshots explaining concepts, tasks and maintenance steps, and the 100 tips are delivered as stand-alone topics. The book's focus is R/3, ABAP, the profile generator, and transaction and role security. These are the core concepts that everyone who wants to dig deeper into SAP security must understand. The chapters cover user master records, development security, segregation of duties, upgrades, auditing, security templates, and continuous compliance and governance.

This book is recommended as a study guide and reference book. It also touches on more specific topics, such as single sign-on, creating a transaction variant, structural authorizations, ABAP code security inspection, use of parameter transactions, master and derived roles, change logs, and analyzing security or risk analysis with SAP GRC 10.

EDITOR'S NOTE: 100 Things You Should Know About Authorizations in SAP is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, email [email protected] or telephone +1.847.660.5650.

100 Things You Should Know About Authorizations in SAP

By Andrea Cavalleri and Massimo Manara

Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, president of DELTA Information Security Consulting Inc. He has been working in SAP/IT security and risk management for 16 years. He served as chair of the ISACA Publications Committee for three years and is coauthor of SAP Security and Risk Management.
