Professional Documents
Culture Documents
Segregation of Duties,
Sensitive Access &
Mitigating Controls
Jonathan Levitt
March 2015
Agenda
1. Introduction
2. SAP Security Design Overview
3. The SAP Authorization Concept
4. Approaches to SAP Security
5. Segregation of Duties & Sensitive Access
6. Mitigating Controls
7. Questions
March 2015
PwC 2
Objectives
March 2015
PwC 3
SAP Security Design Overview
March 2015
PwC 4
SAP Security Design Overview
Introduction
March 2015
PwC 5
SAP Security Design Overview
Introduction
Org
Structure &
Security & Governance
Provisioning
Processes
SAP Security
Architecture
Monitoring
Effective SAP
M Security Design
Management
March 2015
PwC 6
SAP Security Design Overview
SAP Security Design Challenges
Misalignment of IT vs Business
Objectives
User provisioning process with Lack of Strategic Security Design
insufficient automation & Org Decisions
information Structure & No Role or Security Design
Security & Governance Ownership
Role Change Mgmt lacks risk and
quality controls Provisioning
Processes
Inefficient emergency support process
Overly Complex Security Design
SAP Security Lacks flexibility to respond to
Architecture ongoing changes
Management KPIs for Security Design Lacks scalability to grow with
are not established organization
Lack of automation for ongoing Inefficient Role Build Approach
monitoring & recertification No Documentation of Security
Monitoring
procedures Control Points
Insufficient SoD and/or Mitigating Inherent Segregation of Duties
control frameworks Risk
Effective SAP
M Security Design
Management
March 2015
PwC 7
SAP Security Design Overview
Audit Issues & Complexity
Poor security can lead to audit issues
When access controls are not in place, it impact the amount of reliance audit can
place on reports coming from SAP
Segregation of Duties is a key underlying principle of internal controls, and is the
concept of having more than one person required to complete a task. Security can
have a detrimental impact on this control (to be discussed in greater detail later in
presentation).
It is sometimes difficult for auditors to dig deep into SAP because security is complex:
In SAP ERP 6.0
o 108,000 transaction codes
o 2,600 authorization objects
Several transaction codes can perform similar tasks
March 2015
PwC 8
The SAP Authorization Concept
March 2015
PwC 9
The SAP Authorization Concept
Introduction
Org
Structure &
Security & Governance
Provisioning
Processes
SAP Security
Architecture
Monitoring
Effective SAP
M Security Design
Management
March 2015
PwC 10
The SAP Authorization Concept
Introduction (continued)
SAP Security Security within the SAP application is achieved through the
Architecture authorization concept.
The authorization concept is to help establish maximum security, sufficient privileges for
end users to fulfil their job duties, and easy user maintenance.
March 2015
PwC 11
The SAP Authorization Concept
Three levels of security in SAP
User master
record
User requires valid
user-ID and password 1
T-code check
User requires an
authorization for 2
transactions
Authority check
User requires an
authorization for
underlying 3
authorization objects
and field values
March 2015
PwC 12
The SAP Authorization Concept
The Components
Roles
SAP User Master Record Contains transaction codes, authorizations
Master data for SAP users
(mapped to one profile) and user assignments
Authority Check
Profiles Performed by SAP to help establish that a user
Container of authorizations has the correct authorization to execute a
particular task.
Authorization Object:
Template for security that contains fields with
blank values
March 2015
PwC 13
The SAP Authorization Concept
Bringing it together
To open the lock, the proper key must be cut specifically for
a certain lock
March 2015
PwC 14
The SAP Authorization Concept
User Types
SAP Authorization
Structure
User Type
User
Dialog A
System B
Communication C
Service S Role
Reference L
Profile
Authorization
March 2015
PwC 15
The SAP Authorization Concept
Authorization Structure
SAP Authorization
Structure
User
Role
Authorization
March 2015
PwC 16
The SAP Authorization Concept
Authorization Structure (continued)
SAP Authorization SAP Program Access
Structure Elements
Profile
Authorization
Authorization
Object
Authorization Authorization
Field Values Object Fields
March 2015
PwC 17
The SAP Authorization Concept
Authorization Structure (continued)
SAP Authorization SAP Authorization SAP Program Access
Structure Structure Elements
User
Role
USOBT_C
Authorization
USOBX_C Authorization
Object
(SU24)
March 2015
PwC 18
The SAP Authorization Concept
Why are authorization objects required?
In SAP, you can perform the same function with different transactions:
Transaction Code
MK01 FK01 XK01
Conventional approach
protection via menu/function
March 2015
PwC 19
The SAP Authorization Concept
The Authority Check
Transaction Code check:
Object S_TCODE Start T Code
Field 1 TCD Start T Code FB03
Authorization check:
Object F_BKPF_BUK Display posting
Field 1 ACTVT Display 03
Field 2 BUKRS Company Code 1000
March 2015
PwC 20
Approaches to SAP Security
March 2015
PwC 21
SAP Security Approaches
Task Based vs. Job Based Security Design
Job Based: Task Based:
Security is built based on positions/jobs within Security is built based on small, definable tasks,
the organization, such as AR credit associate. executed by the user, such as process cash
receipts.
Provisioning access is based on job
responsibilities. Larger number of roles per user decreased risk
of duplicate access.
Smaller number of roles per user increased risk
for granting functionality more than once. Transaction codes in one roles with minimal
exceptions
Transaction codes and authorizations typically
duplicated in many roles. User assignment flexibility simple to grant
additional access to only the tasks necessary.
Users may be granted more access than necessary
as a result of additional job or backup Supports future growth and sustainability role
responsibilities. modification decreased as a result of
functionality improvements and rollouts.
Appropriate for static organizations.
Appropriate for dynamic organizations.
March 2015
PwC 22
SAP Security Approaches
Job Based Security Design
Security roles are built based on positions/jobs for a group of users (e.g. Accounts
Payable Clerk).
A single role contains the access to perform a job.
Transaction codes and authorizations typically duplicated in many roles.
AP AP
Supervisor Clerk
AP Manager
March 2015
PwC 23
SAP Security Approaches
Task Based Security Design
A task-based design begins by bucketing transactions into one of 4 access tiers: General, Display,
Functional and Control Point. Task-based roles contain access to only one of these tiers.
March 2015
PwC 24
SAP Security Approaches
Task Based Security Design (continued)
Security roles are built based on positions/jobs for a group of users (e.g. Accounts
Payable Clerk).
User assigned to the tasks needed to perform his/her job (not a job-based role)
User receives multiple single roles
Flexibility to each individual users role assignments
AP Clerk
Organizational
User General AP Common Display Process Billing
Grouping - A
March 2015
PwC 25
Segregation of Duties & Sensitive
Access
March 2015
PwC 26
Segregation of Duties & Sensitive Access
Introduction
March 2015
PwC 27
Segregation of Duties & Sensitive Access
Introduction (continued)
March 2015
PwC 28
Segregation of Duties & Sensitive Access
Examples
Finance: Maintenance of accounting periods should be segregated from the posting of
financial transactions in the wrong period.
Inventory: The receipt/maintenance of inventory should be segregated from order
and invoicing activities.
Accounts Payable: Reconciling and releasing blocked vendor invoices should be
segregated from daily processing and posting activities.
Procurement: Maintenance of contracts and terms should be segregated from
payment and billing document changes.
March 2015
PwC 29
Segregation of Duties Walkthrough
March 2015
PwC 30
Segregation of Duties Walkthrough
March 2015
PwC 31
Segregation of Duties & Sensitive Access
How to monitor?
Companies have many different ways to monitor segregation of duties and sensitive
access:
SAP GRC Access Control
Other access control systems (Approva, ControlPannel, SecurityWeaver, ACL,
etc.) or homegrown monitoring tools
Reporting transaction code SUIM.
March 2015
PwC 32
Mitigating Controls
March 2015
PwC 33
Mitigating Controls
Introduction
March 2015
PwC 34
Mitigating Controls
Considerations
No Deactivate or
Is the risk truly a risk for
Switch to Low
compliance requirement?
Risk
Determine the
controls in place
Yes that mitigate
Preventive Detective
Mitigation
Process
March 2015
PwC 35
Questions?
This publication has been prepared for general guidance on matters of interest only, and does
not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty
(express or implied) is given as to the accuracy or completeness of the information contained
in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its
members, employees and agents do not accept or assume any liability, responsibility or duty of
care for any consequences of you or anyone else acting, or refraining to act, in reliance on the
information contained in this publication or for any decision based on it.
2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to
PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity.