
Security Strategies for HCM Implementations

June 16, 2010

Scott Goolik
Director of Security and Controls - Symmetry

Kellie Fitzpatrick
COO Symphony Consulting

Download the presentation recording with audio from the Symmetry Knowledge Center www.sym-corp.com/knowledge-center

Introducing
Scott Goolik
Director of Security & Controls, Symmetry Corporation
14 years of experience in SAP security
Lead architect for the ControlPanelGRC compliance automation tools

Symmetry Corporation
Established 1996, based in Milwaukee, WI
100% SAP focus: all SAP applications, all platforms

21st Century ERP Model
Quality: proactive support delivered by US-based experts
Accessibility: 24x7 direct access to your support team
Affordability: highly competitive, fixed-price contracts

Symphony Management Consulting
One of the leading providers of SAP HCM consulting services
Established in 2002 and led by experienced SAP HCM consultants
We strive not only to assist you with your current need, but to become a trusted advisor to your organization
SAP Services Partner since 2007
Industry focus includes Chemicals, Healthcare & Biotech, Manufacturing & Distribution, Pharmaceuticals, and State & Local Government
Need help from an expert? Symphony's experts provide complimentary answers to some of your most difficult questions! Visit us at http://www.symphonyhcmexperts.com

Introducing
Kellie Fitzpatrick
Chief Operating Officer and co-owner, Symphony Consulting
Over 15 years of experience in scoping, planning, implementing and upgrading SAP Human Resources

What We Will Learn
Determine when you should consider a separate landscape and when you should consider a combined landscape
Understand the limitations of implementing on a separate instance and the level of maintenance required
See real-life examples of companies that have implemented on separate landscapes, those that have implemented on the same landscape, and why that decision was right for them

Single vs. Separate SAP Instances When Implementing HCM: What does it mean?
Single Instance
One instance of SAP across all business functions
One transport path across all systems
When SAP is installed on a single landscape there is one Dev, one QA and one Prod system

Separate Instance
Two different SAP instances are running: potentially one for FI, MM, SD, PM, CRM and another for HCM
Each instance has its own transport path, so there are usually two of each system (Dev, QA, Prod)
Data is interfaced between the systems via ALE
Data is configured twice (once on each system)**

** This typically means duplicated maintenance and can result in inaccurate data or data integrity issues

Single Instance Advantages
Real-time data for all business functions in one system
No need to transfer data between instances via an interface (ALE) or to duplicate configuration
Support packs can be applied for HCM only (on ECC 5.0 and later)
Configuration is tested, transported and built to meet the total business requirement once, in one system
Master data is accessed through a single point of entry: global headcount reporting, compliance reporting, budget preparation
One system to maintain, with reduced costs
Security administration should be monitored on an ongoing basis; ControlPanelGRC can help and will be discussed later in this presentation

Single System Disadvantages
HCM requires support packs and updates multiple times a year: usually four times a year, and always at year-end
Applying them typically requires the entire organization to shut down the system for a few hours over a weekend
Requires Unicode compliance if implementing in multiple countries, so that language and currency issues are addressed
HCM Talent Management functionality calls for at least ECC 5.0; ECC 6.0 is encouraged due to functionality enhancements, and Enhancement Package 4 or above should also be installed

Benefits of a Separate System for HCM
One system dedicated only to HCM data requirements
The organization runs multiple large payrolls across multiple countries, or time is evaluated for a large employee population at the same time
Either can cause the system to run slower if run during the workday; in either case we recommend running after hours in a batch session
Data-privacy law (the deck refers to the EU-US Safe Harbor framework) can prevent employee data from being housed in a different country
If this is a concern, other entities have procured waivers from their employees to allow this to be done (e.g. P&G, Coke, PolyOne)

Separate System Advantages
Ability to upgrade and apply support packs whenever necessary
System downtime for the rest of the organization is decreased
Ability to implement SAP HCM with the latest functionality even if the rest of the organization is on a lower SAP version
Ability to run payroll/time across multiple countries with minimal impact on departments outside HR
Localization issues arising from Safe Harbor restrictions are minimized or eliminated

Separate System Disadvantages
An ALE interface needs to be created and run for the HR-required data: cost centers, G/L accounts, work orders, activity types
Loss of having all data available in real time in one system: reporting may lag by up to 24 hours
Items that relate to FI (positions, departments, jobs with cost center integration) must be set up and kept in sync across both systems
Users may need to sign into multiple systems to complete their position responsibilities

Separate System Disadvantages (continued)
Additional costs may be incurred by multiple upgrades, multiple support streams, multiple configuration tasks and multiple system maintenance
Requirement to understand two landscapes with different types of configuration and very different data
When either system is upgraded, both systems need to be tested to ensure the data flow is not compromised

Common Misconceptions of Why a Separate Instance is Needed
HR support packs require us to apply support packs for every other module
There is too much HR data to allow us to incorporate it on one instance
Reporting is much more labor intensive
Security issues are major: HR data is not secure if it is on the same system, employees have access to items they shouldn't, a portal will open us up to data integrity and liability issues

Large Organization, Same System
System requirements: 21,000 users, over 75,000 employees all on ESS, 35 countries, 22 languages
Modules implemented: Finance, HR, Materials, Production Planning, CRM
Specific HCM: PA, OM, PY, Time, ESS, MSS globally; payroll runs in batch at night; time evaluation runs in batch at night
Authorizations are assigned primarily to positions (structural authorizations) in order to ensure the system is locked down

Mid-size Organization, Same System
System requirements: 500 users, over 3,000 employees all on ESS, US only, 2 languages
Modules implemented: Finance, HR, Materials, Production Planning, CRM
Specific HCM: PA, OM, BN, PY, Time, ESS, MSS, Talent Management; payroll runs in batch at night; time evaluation runs in batch at night
Authorizations are set up per person (user-based) and are monitored frequently

Large Organization, Separate System
Standardized on a common IT backbone: 15,000 users, over 100,000 employees, 45 countries, 175 legal entities, 18 languages
Modules implemented: Finance, HR and Supply Chain
Due to the size and requirements of payroll processing, HCM is on a separate instance; ALE runs at night and new positions are created the next day

Mid-size Company Example, Separate System
System background: 1,000 users, over 5,000 employees, 12 countries, 8 languages
SAP environment for the rest of the organization: 4.6c
Finance did not have a need to upgrade and did not want to apply support packs to all modules at the same time**; there was no compelling reason to upgrade
HR: ECC 6.0
Required Talent Management functionality
The security team did not want to continuously update employee assignments; this was not necessary, however they were never told the system has structural authorization capability
** The rest of the organization was on 4.7; prior to ECC 5.0 all modules had to apply support packs together
Data is being configured in two systems; sometimes the second configuration isn't completed for weeks (workload issue)

Security & HCM
Security is not a reason for a separate landscape
Authorization flexibility in SAP is a key component of its value proposition: all critical data can be restricted! It can require a culture change
A remediation project is generally required for live customers during an HCM implementation

Step 1: Review of HCM Authorizations in existing Roles
Review P_* authorization objects, or any object in the HR object class, in existing roles
These need to be reviewed and are likely to be removed or restricted further
If not required, update SU24 so you don't accidentally provide the access again in the future!

Step 1: Review of P_ORGIN in existing Roles
P_ORGIN is commonly found in existing roles
This authorization controls access to HCM master data, which is very sensitive
It can be automatically proposed when Production Planning transactions are added to roles
It is not likely required if there was no HCM data in the system!
Consider activating P_ORGINCON in the HCM system instead of P_ORGIN to increase future flexibility!

Step 1: Review of PLOG in existing Roles
PLOG is commonly found in existing roles
This authorization controls access to the HCM organizational structure
It can be automatically proposed when Production Planning, Controlling, or other transactions are added to roles
It might be required going forward, as the structures are used for more than just HCM
Restrict the OTYPE field accordingly: exclude any HCM object types in use (definitely O, S and P, but check with your HCM team for others!)

Step 1: Review of P_ABAP in existing or new HCM Roles
P_ABAP could be in existing roles, and will be in HCM roles
It provides the ability to bypass HCM master data authorization checks during report execution
Useful for giving someone the ability to run a telephone list without giving them access to the underlying HCM data
Watch for this authorization in roles with the REPID field set to a wildcard or to report SAPDBPNP!
Recommend updating SU24 so that you don't accidentally provide this access

Step 2: Sensitive Authorizations in existing and new Roles
Sensitive authorizations can accidentally compromise data privacy, for example display of spool output belonging to the Payroll Manager, or display of HCM infotype data via SE16 or ABAP Query
We'll provide some examples of what to look out for
Not a complete list, just getting you pointed in the right direction!

Step 2: Remove S_DEVELOP from end-user Roles
S_DEVELOP enables maintenance of ABAP Workbench objects, which is bad in non-development systems
Debug Replace (activity 02 for object type DEBUG) enables users to step around authority checks by changing variables at runtime
Debug Display (activity 03 for object type DEBUG) enables users to view data in internal tables before the authority checks determine that access is not allowed
In general, no end-user should have any S_DEVELOP authorization!

Step 2: Remove S_BTCH_NAM from end-user Roles
S_BTCH_NAM enables users to submit a batch job as someone else
If I'm not authorized to run an HCM report, I can schedule it to run as our Payroll Manager
End-users rarely need S_BTCH_NAM authorizations
Occasionally, payroll administrators might need this authorization for the background user that runs payroll
End-users should not have S_BTCH_NAM with a wildcard!

Step 2: Restrict S_TABU_DIS in end-user Roles
S_TABU_DIS enables users to display tables via SE16 or ABAP Query
Use of SE16 and ABAP Query (SQ01, SQ02, SQ03) really should be limited to your IT folks, at a minimum
ABAP Queries can be assigned to transactions for end-users
Displaying tables via these methods bypasses all HCM authorizations
HCM data is generally stored in tables assigned to authorization groups that start with P
Some HCM tables are unclassified, which creates risk through the &NC& authorization group
S_TABU_DIS must be restricted from granting access to authorization groups that start with P, and to &NC&
Existing unclassified tables need to be assigned to an authorization group!

Step 2: Remove S_SPO_ACT from end-user Roles
S_SPO_ACT enables users to access spool requests belonging to other users
It would allow a user to view reports printed by my Payroll Manager
In general, this authorization should be removed from all users
In some cases, it may be reasonable to provide groups of users with the ability to display spools generated by a specific background user
Verify that SPOAUTH is not set to a wildcard in roles!

Step 3: Continuous Monitoring
Once security is restricted, we need to make sure that it stays restricted
You don't want to find out about a breach after it's too late!
Establish procedures for periodic review of sensitive authorizations
Other companies have used automated tools like ControlPanelGRC Risk Analyzer, which enables periodic or real-time review of risks!
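The Step 1 and Step 2 checks above, and the periodic review in Step 3, can be run as a script over a role authorization export. The following is an added example, not code from the presentation and not a ControlPanelGRC component: it reads rows in the shape of SAP table AGR_1251 (role, object, authorization name, field, value) and flags the combinations the deck calls out (P_* objects outside HCM roles, PLOG OTYPE covering O/S/P, P_ABAP with REPID wildcard or SAPDBPNP, S_DEVELOP DEBUG with activity 02/03, S_BTCH_NAM and S_SPO_ACT wildcards, S_TABU_DIS reaching P* or &NC& groups). The sample rows, role names, the HCM_ROLES set and the SENSITIVE_TABLE_GROUPS list are constructed assumptions to be replaced with your own export, role design and TDDAT table classes.

```python
"""Scan a role authorization export for the sensitive HCM authorizations
covered in Steps 1-3 (added example; not part of the original presentation)."""
import fnmatch
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class AuthRow(NamedTuple):
    """One row in the shape of SAP table AGR_1251 (role authorization data)."""
    role: str    # AGR_NAME
    obj: str     # OBJECT, e.g. P_ORGIN
    auth: str    # AUTH, groups the fields of one authorization instance
    field: str   # FIELD, e.g. ACTVT
    low: str     # LOW value; '*' is the SAP wildcard


class Finding(NamedTuple):
    role: str
    obj: str
    severity: str   # critical / high / review
    reason: str


# Constructed sample export; the role and authorization names are invented.
SAMPLE_AUTHS = [
    AuthRow("Z_HR_ADMIN", "P_ORGIN", "T-HR01", "INFTY", "0002"),
    AuthRow("Z_PP_PLANNER", "P_ORGIN", "T-PP01", "INFTY", "*"),
    AuthRow("Z_PP_PLANNER", "PLOG", "T-PP02", "OTYPE", "*"),
    AuthRow("Z_FI_USER", "PLOG", "T-FI01", "OTYPE", "K"),
    AuthRow("Z_HR_PHONELIST", "P_ABAP", "T-HR02", "REPID", "*"),
    AuthRow("Z_HR_PHONELIST", "P_ABAP", "T-HR02", "COARS", "2"),
    AuthRow("Z_HR_ADMIN", "S_DEVELOP", "T-HR03", "OBJTYPE", "DEBUG"),
    AuthRow("Z_HR_ADMIN", "S_DEVELOP", "T-HR03", "ACTVT", "02"),
    AuthRow("Z_PY_CLERK", "S_BTCH_NAM", "T-PY01", "BTCUNAME", "*"),
    AuthRow("Z_PY_CLERK", "S_TABU_DIS", "T-PY02", "DICBERCLS", "P*"),
    AuthRow("Z_PY_CLERK", "S_TABU_DIS", "T-PY02", "DICBERCLS", "&NC&"),
    AuthRow("Z_FI_USER", "S_TABU_DIS", "T-FI02", "DICBERCLS", "FC"),
    AuthRow("Z_HR_ADMIN", "S_SPO_ACT", "T-HR04", "SPOAUTH", "*"),
    AuthRow("Z_FI_USER", "S_SPO_ACT", "T-FI03", "SPOAUTH", "FI_BATCH"),
]

# Assumption: roles that legitimately hold HCM data access, taken from your
# role design; P_* objects in any other role are flagged for review.
HCM_ROLES = {"Z_HR_ADMIN", "Z_HR_PHONELIST", "Z_PY_CLERK"}

HCM_OTYPES = ["O", "S", "P"]   # org unit, position, person
# Representative table authorization groups to protect: PA is the group of
# the PAnnnn infotype tables, &NC& is "not classified". Assumption: extend
# this list from your own TDDAT export (groups starting with P).
SENSITIVE_TABLE_GROUPS = ["PA", "PC", "&NC&"]


def sap_match(pattern: str, value: str) -> bool:
    """SAP authorization values use '*' (any string) and '?' (one char)."""
    return fnmatch.fnmatchcase(value, pattern)


def covers_any(patterns: Iterable[str], candidates: Iterable[str]) -> bool:
    return any(sap_match(p, c) for p in patterns for c in candidates)


def scan(rows: Iterable[AuthRow], hcm_roles: Set[str] = HCM_ROLES) -> List[Finding]:
    """Apply the Step 1 / Step 2 rules to every authorization instance."""
    # Field values are evaluated per instance (role, object, auth name):
    # OBJTYPE=DEBUG is only critical together with ACTVT 02/03 in the same instance.
    instances: Dict[Tuple[str, str, str], Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for r in rows:
        instances[(r.role, r.obj, r.auth)][r.field].append(r.low)

    findings: List[Finding] = []
    for (role, obj, _auth), fields in instances.items():
        if obj == "P_ABAP":
            if covers_any(fields.get("REPID", []), ["SAPDBPNP"]) or "2" in fields.get("COARS", []):
                findings.append(Finding(role, obj, "high",
                                        "bypasses HCM master data checks (REPID wildcard/SAPDBPNP or COARS 2)"))
        elif obj == "PLOG":
            if covers_any(fields.get("OTYPE", []), HCM_OTYPES):
                findings.append(Finding(role, obj, "high", "OTYPE covers HCM object types O/S/P"))
        elif obj.startswith("P_") and role not in hcm_roles:
            findings.append(Finding(role, obj, "review", "HCM object in a non-HCM role; remove or restrict, then fix SU24"))
        elif obj == "S_DEVELOP":
            debug = (covers_any(fields.get("OBJTYPE", []), ["DEBUG"])
                     and covers_any(fields.get("ACTVT", []), ["02", "03"]))
            findings.append(Finding(role, obj, "critical" if debug else "high",
                                    "debug replace/display defeats authority checks" if debug
                                    else "workbench access in an end-user role"))
        elif obj == "S_BTCH_NAM" and "*" in fields.get("BTCUNAME", []):
            findings.append(Finding(role, obj, "high", "can schedule jobs as any user"))
        elif obj == "S_TABU_DIS" and covers_any(fields.get("DICBERCLS", []), SENSITIVE_TABLE_GROUPS):
            findings.append(Finding(role, obj, "high", "table display reaches HCM (P*) or unclassified (&NC&) tables"))
        elif obj == "S_SPO_ACT" and "*" in fields.get("SPOAUTH", []):
            findings.append(Finding(role, obj, "high", "can read other users' spool requests"))
    return findings


if __name__ == "__main__":
    for f in sorted(scan(SAMPLE_AUTHS)):
        print(f"{f.severity:8} {f.role:15} {f.obj:11} {f.reason}")
```

On the sample rows the script reports seven findings and correctly leaves Z_FI_USER alone: its PLOG is limited to cost centers (OTYPE K), its S_TABU_DIS covers only the FC group and its S_SPO_ACT names a specific background user, which is exactly the shape the deck recommends. Run it after every transport import or on a schedule against a fresh AGR_1251 extract so that a role change that re-introduces a wildcard shows up before an audit does.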

Data in Non-Productive Systems
Authorization restrictions are required in any system that contains live Production data
This could impact more than just the end-user community in Development and Q/A environments!
Consider data scrambling to free up user authorizations in those environments
Scramble names, SSN, birthday, addresses, pay/additional pay, benefits information, EH&S data, etc.
Symmetry has tools and/or services to assist!
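The scrambling the slide recommends has two properties a practitioner needs: the replacement must be consistent across tables (the same personnel number gets the same fake name in every infotype, so joins and payroll test cases still work) and it must not be reversible by anyone who has access to the scrambled copy. The following is an added example, not one of Symmetry's tools and not code from the presentation: it derives every replacement from an HMAC of the personnel number under a secret kept outside the system copy. The sample records, the replacement pools and the key are constructed; the field names are loosely modeled on infotypes 0002, 0006 and 0008, with the birth date held as a date object rather than the YYYYMMDD string the tables use.

```python
"""Deterministic scrambling of HCM master data for a non-production copy
(added example; not one of Symmetry's tools or part of the presentation)."""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Dict, List

# Assumption: the key lives outside the system copy and is rotated per refresh,
# so nobody with access to the scrambled system can reverse the mapping.
SCRAMBLE_KEY = b"replace-with-a-per-refresh-secret"

# Replacement pools (invented values).
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Taylor", "Morgan", "Casey", "Riley", "Jamie"]
LAST_NAMES = ["Smith", "Jones", "Brown", "Miller", "Davis", "Wilson", "Moore", "Clark"]
STREETS = ["1 Main St", "22 Oak Ave", "300 Pine Rd", "45 Lake Dr", "7 Elm Ct"]

# Constructed rows, loosely modeled on the fields of infotypes 0002 (VORNA,
# NACHN, GBDAT, PERID), 0006 (STRAS) and 0008 (BET01).
SAMPLE_EMPLOYEES: List[Dict] = [
    {"PERNR": "00001234", "VORNA": "Maria", "NACHN": "Gonzalez", "GBDAT": date(1975, 3, 14),
     "PERID": "123-45-6789", "STRAS": "88 Harbor View", "BET01": 5250.00},
    {"PERNR": "00005678", "VORNA": "Wei", "NACHN": "Zhang", "GBDAT": date(1988, 11, 2),
     "PERID": "987-65-4321", "STRAS": "10 Summit Pl", "BET01": 7900.00},
]


def _h(key: bytes, pernr: str, field: str) -> int:
    """Keyed, per-field hash of the personnel number: the same PERNR gets the
    same replacement in every table, so joins between scrambled tables hold."""
    digest = hmac.new(key, f"{pernr}:{field}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def fake_ssn(key: bytes, pernr: str) -> str:
    """Format-preserving SSN that can never collide with a real one: area
    numbers 900-999 are not issued by the SSA."""
    h = _h(key, pernr, "PERID")
    area = 900 + h % 100
    group = 1 + (h >> 8) % 99
    serial = 1 + (h >> 16) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def shift_date(key: bytes, pernr: str, d: date, window_days: int = 180) -> date:
    """Move a date by up to +/- window_days so age-based logic still behaves."""
    offset = _h(key, pernr, "GBDAT") % (2 * window_days + 1) - window_days
    return d + timedelta(days=offset)


def scramble_employee(rec: Dict, key: bytes = SCRAMBLE_KEY) -> Dict:
    pernr = rec["PERNR"]
    out = dict(rec)   # PERNR and any field not listed below are kept as-is
    out["VORNA"] = FIRST_NAMES[_h(key, pernr, "VORNA") % len(FIRST_NAMES)]
    out["NACHN"] = LAST_NAMES[_h(key, pernr, "NACHN") % len(LAST_NAMES)]
    out["PERID"] = fake_ssn(key, pernr)
    out["GBDAT"] = shift_date(key, pernr, rec["GBDAT"])
    out["STRAS"] = STREETS[_h(key, pernr, "STRAS") % len(STREETS)]
    # Pay: keep the order of magnitude (so payroll tests stay realistic) but
    # not the real figure; the factor is deterministic in the range 0.85 to 1.15.
    factor = 0.85 + (_h(key, pernr, "BET01") % 3001) / 10000
    out["BET01"] = round(rec["BET01"] * factor, 2)
    return out


def scramble_all(records: List[Dict], key: bytes = SCRAMBLE_KEY) -> List[Dict]:
    return [scramble_employee(r, key) for r in records]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EMPLOYEES, scramble_all(SAMPLE_EMPLOYEES)):
        print(before["PERNR"], before["NACHN"], before["PERID"], "->",
              after["NACHN"], after["PERID"], after["GBDAT"], after["BET01"])
```

Because every value is a function of (key, PERNR, field), the script can be run table by table and still produce one consistent fake identity per employee; discarding the key after the refresh is what makes the copy safe to open up to wider authorizations. Free-text fields (comments, attachments) are not covered by this approach and need their own treatment.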

7 Key Points to Take Home
1. Implementations of HCM do not require separate instances
2. Real-time data is essential to the daily operations of the business
3. Symphony is an SAP HCM-only firm with extensive experience in global and local implementations
4. Security should never be the reason to have a separate HCM landscape
5. Security can be adapted to protect sensitive HCM data
6. Tools like ControlPanelGRC can be used to provide assurance that sensitive data is restricted to appropriate users
7. Symmetry can assist with security architecture design and implementation, or risk assessment and remediation, specifically for HCM



Heather Mickelson
414-732-2738 hmickelson@sym-corp.com

Kellie Fitzpatrick
704-556-2288 Kfitzpatrick@symphony-consulting.com

Scott Goolik
414-732-2740 scott.goolik@sym-corp.com
