CSItools MetaBlogHeader2018 20180518 v03

Details

Is the organization secure with the current set up of the roles in SAP? Are your users happy with the assigned authorizations? If they are, the auditor probably is not happy with the assigned authorizations to the roles and users.

Maybe there are already plans to redesign the current authorization concept? How easy would it be if you can redesign the authorization concept with reverse business engineering? Instead of thinking and designing which authorization should be included in which role from scratch, just have a look at the authorization the users have and analyze the functionality the users have been using (or wanted to use) based on the executed transactions and assign these needed authorizations to the roles.

How content is the organization with the current set up of the roles in SAP? Are your users happy with the assigned authorizations? If they are, the auditor probably is not happy with the assigned authorizations to the roles and users.

Maybe there are already plans to redesign the current authorization concept? How easy would it be if you can redesign the authorization concept with reverse business engineering? Instead of thinking and designing which authorization should be included in which role from scratch, just have a look at the authorization the users have and analyze the functionality the users have been using (or wanted to use) based on the executed transactions and assign these needed authorizations to the roles.

Example:

User John Smits is assigned to the composite role for system administrator S99-XXXX_SYSTADM. This system administrator role has 13 single roles assigned. In this overview the assigned roles are showed whether or not the user is using transactions from these roles. If transactions are used via the role, the executed colomn has a checkmark and the role is executed by the user (Figure 1).

 Figure 1 Role details of user John Smits

If you double click on the role, you get the role details like the transactions, authorizations, executed transactions, if the transaction is locked in the SAP system et cetera (figure 2).

 Figure 2 Transaction details of role

 

Let’s go back to the user John Smiths. John wants to have broader access rights and was temporary assigned to a broad access role to solve an issue. This temp role was removed from the user after he solved the issue. Now let us have a look at the transactions of the user (figure 3).

 Figure 3 Total transaction of user John Smits with executed and missing information

The transactions in red are no longer assigned to the user (also checkmark in column Missing (3)). The transactions in black are still assigned to the user. The checkmark column executed (1) means the user has executed the transaction. The column Frequency (2) shows the number of times the user has executed the transaction.

With this information you can search the single roles that have the missing transactions and analyze if the user should be assigned to this single role(s). If you double click on the transaction, a new screen shows the information about the transaction and the roles that have the transaction assigned. For this example we want to add transaction MB03 so we double clicked on the transaction MB03. The transaction is assigned to 2 single roles Display Material Documents Inv – S99MXXXXMADID and Display Material Documents Purchasing – S99MXXXXMADPD (figure 4).

 Figure 4 Detail information about transaction including roles that have transaction included

SOD simulation

For this example we want to add the single role S99MXXXXMADID to the composite role S99-XXXX_SYSTADM of the user. To keep a compliant security concept we use the SOD simulation functionality of the CSI Role Build & Manage (RBM) tool (figure 5).

 Figure 5 SOD simulation for role requests


Running the SOD simulation gives the overview “before” and “after” adding the single role to the composite role. In this case, no new SOD conflicts will be created by adding the role (Figure 6)

 Figure 6 Results of SOD simulation for role request

And the request can be send automatically via workflow and email to the approver. After the request is approved by (all) the approver(s), it is even possible to have the change implemented in SAP directly, no longer manual role changes need to be done in the SAP system

Use reverse Business engineering to redesign of the complete role concept

The above example is just one way to use reverse Business engineering to redesign the security concept for just one user. Off course this is also possible for a complete redesign process. Instead of looking at one user, you look at the total usage of transactions of all the users and assign these used transactions with the correct authorizations to roles. (Figure 7).

 Figure 7 User vs (executed) transaction overview

And the functionality for reverse engineering goes even further. The used organizational levels can be read from the existing roles and documented in the central codification functionality of CSI RBM. Usaging of the deriving functionality of CSI RBM you can automatically derive all the roles, both single and composite for the new role concept for both organizational (like company codes) and non organizational (like movement types)values.

 

(C) Meta Hoetjes 2014
CSI Authorization Auditor and CSI Role Build and Manage are registered trademarks by CSI tools bvba
www.csi-tools.com