Steps for SAP Security Assessment of Roles in SAP ECC System


Simple Steps for SAP Security Assessment of Roles in SAP ECC System

This SAP Security Assessment reviews the SAP role-based security landscape to assess the current SAP security posture in five key areas:

SAP Security Assessment Role Design: How are the roles designed in the System? 

The first area is the naming convention followed for the SAP roles. Best practices include clearly differentiating roles between Development, Quality and Production, and identifying the SAP system, module, sub-module, single or composite role type, and location information in the role name.

Internal Auditor Steps: Use transaction SUIM to identify all the roles, assigned and unassigned.

SAP Security Tables Controlling SU24 Changes

Here we look at the SU24 configuration changes made to the USOBT_C and USOBX_C tables. The internal auditor should review the number of changes and who made them, and make sure a good process is in place for documenting the changes and that approval is documented whenever changes are made.

Internal Auditor Steps: Use transaction SE16N to review all the change entries in the USOBT_C and USOBX_C tables.

SAP User Administration Process: 

This is where things can go very wrong. If the process is very manual, there is a chance that roles are assigned without proper approval. If the company uses an automated SAP user provisioning tool, the process can be more controlled. The key things to look for are approvals, user creations, risk analysis and changes.

Internal Auditor Steps: Use transaction SUIM to review the change logs.

Organization Restrictions:

Here we look at how the roles are secured for organizational values. Mainly, check that role restrictions are consistent across all the roles.

Internal Auditor Steps:  Use Transaction SE16N to review all the entries in AGR_DEFINE table

Transaction Usage: 

In this step you can download the ST03N data for the past three months. This gives an idea of which transactions are being used and which are unused. If data is available for a longer period, it will be more helpful.

Internal Auditor Steps:  Use transaction SE37 and Function module SWNC_GET_WORKLOAD_STATISTIC
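
The following added example, which is not part of the original article, compares a three-month transaction profile against the transactions assigned through roles to list what each role grants but nobody ran. The CSV layouts, sample rows and role names are constructed, and the role-to-transaction list is assumed to be exported separately.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a three-month transaction profile (month, tcode, steps).
# The column layout is an assumption; map it to the fields of your own download.
USAGE_CSV = """month,tcode,steps
2024-01,VA01,412
2024-01,ME21N,88
2024-02,VA01,390
2024-02,FB60,15
2024-03,VA01,401
2024-03,ME21N,0
"""

# Constructed role-to-transaction list; role names are hypothetical.
ROLE_TCODES_CSV = """role,tcode
ZP_SD_ORDER_ENTRY,VA01
ZP_SD_ORDER_ENTRY,VA02
ZP_MM_BUYER,ME21N
ZP_MM_BUYER,ME22N
ZP_FI_AP_CLERK,FB60
ZP_FI_AP_CLERK,F110
ZP_BASIS_LEGACY,SM30
"""

def usage_summary(usage_text):
    """Return {tcode: (total steps, number of months with activity)}."""
    steps, months = defaultdict(int), defaultdict(set)
    for row in csv.DictReader(io.StringIO(usage_text)):
        tcode, count = row["tcode"].strip().upper(), int(row["steps"])
        steps[tcode] += count
        if count > 0:
            months[tcode].add(row["month"].strip())
    return {t: (steps[t], len(months[t])) for t in steps}

def unused_by_role(usage_text, role_text):
    """Return {role: (sorted unused tcodes, fraction of assigned tcodes unused)}."""
    used = {t for t, (total, _) in usage_summary(usage_text).items() if total > 0}
    assigned = defaultdict(set)
    for row in csv.DictReader(io.StringIO(role_text)):
        assigned[row["role"].strip()].add(row["tcode"].strip().upper())
    return {role: (sorted(tcodes - used), len(tcodes - used) / len(tcodes))
            for role, tcodes in assigned.items()}

if __name__ == "__main__":
    for role, (unused, share) in sorted(unused_by_role(USAGE_CSV, ROLE_TCODES_CSV).items()):
        print(f"{role}: {share:.0%} of assigned transactions unused: {', '.join(unused) or 'none'}")
```

Roles where every assigned transaction is unused, and transactions active in only one of the months, are the first candidates to raise with the role owner.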