To maintain compliance in SAP systems, well-established authorization management and a well-founded analysis of the separation of functions (SoD) are necessary. This becomes more complex the more non-SAP solutions are part of your SAP ERP or S/4HANA landscape, because such systems usually have their own authorization structures.
It is therefore necessary to think about a reliable, cross-system authorization management in good time so that roles and authorizations are synchronized across all your SAP and non-SAP applications.
In this webinar, we will show you how to master comprehensive SoD analyses, business process analyses and the identification of authorization conflicts in the future – tool-supported and with a feasible administrative effort.
Topics of Focus:
• SoD analysis for SAP and non-SAP systems
• Cross-system authorization management with a central identity
• Evaluation of assigned roles and rights
• Advantages of the SAST User Access Management
• Best practice tips
For information in German, please contact us: sast@akquinet.de
2. WELCOME!
Introducing your host today:
AXEL DALDORF
Senior PreSales Consultant SAST SUITE
Phone: +49 40 88173-4438
Email: axel.daldorf@akquinet.de
Web: www.sast-solutions.com
3. With the SAST SOLUTIONS portfolio of akquinet AG, we are your world-class provider for the holistic protection
of SAP ERP as well as S/4HANA systems - with real-time monitoring. In addition to our proprietary software suite,
we offer SAP security and compliance consulting and managed services from a single source.
Worldwide, more than 200 customers with 3.5 million SAP users currently rely on our vast expertise in protecting
their SAP systems from cyberattacks, manipulation, espionage and data theft.
Facts and figures
[Chart: SAST SOLUTIONS customers worldwide; akquinet AG employees and turnover (million €), 2002 to 2020]
5. SAST gives you the choice!
SAP Security & Compliance – make or buy?!
• SOFTWARE SUITE: Identity and User Access Management, Platform Security, Security Intelligence
• CONSULTING: Security Consulting, Security Advisory, Authorization Consulting, Software Implementation & Workshops
• MANAGED SERVICES: User Access Management, Platform Security
6. Migration of your SoD analyses into the SAP Cloud Apps.
• SAP extension using external systems / cloud applications
• Systematics / Differences in authorizations and users
• SAST Central Identity Module
• Authorization analyses for ARIBA as an example
• Q & A
7. The SAP Identity and Account Problem in Practice
Where does an Identity Account have authorizations? And which?
ID: P261165 (Max Müller)
SAP P11/100: MMUELER
SAP P21/200: P261165
Max.Mueller@Kunde.de
SAP P31/300: P261165
DB User: MUELLER
Max.Mueller@4711.kunden.sap.de
8. SAP extension using external systems / cloud applications
SoD conflict using SAP ERP and Ariba integration as examples
Account: Max.Mueller@Kunde.de
Group: SUBMIT_PO
Account: P261165
Role: MAINTAIN_VENDOR
SoD
SAP Ariba Cloud Integration Gateway
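The cross-system check described on slides 7 and 8, as an added example that is not part of the webinar or of SAST SUITE: accounts are resolved to a central identity before the SoD matrix is applied. The system labels `ARIBA` and `P21/200` for the two conflicting accounts, the second identity, the unmapped account and the risk text are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# (system, account) -> central identity. Max Müller's IDs come from the slides;
# which system holds which conflicting account is an assumption.
ACCOUNT_TO_IDENTITY = {
    ("P11/100", "MMUELER"): "P261165",
    ("P21/200", "P261165"): "P261165",
    ("ARIBA", "Max.Mueller@Kunde.de"): "P261165",
    ("P21/200", "P300001"): "P300001",            # constructed second identity
}

# (system, account, role or group) as account/role adapters might deliver them.
ASSIGNMENTS = [
    ("ARIBA", "Max.Mueller@Kunde.de", "SUBMIT_PO"),
    ("P21/200", "P261165", "MAINTAIN_VENDOR"),
    ("P21/200", "P300001", "MAINTAIN_VENDOR"),    # constructed: harmless alone
    ("ARIBA", "ext.buyer@Kunde.de", "SUBMIT_PO"), # constructed: no identity mapping
]

# SoD matrix: permission pairs one person must not hold (risk text constructed).
SOD_RULES = [(frozenset({"SUBMIT_PO", "MAINTAIN_VENDOR"}),
              "maintain vendor master data and submit purchase orders")]

def find_sod_conflicts(assignments, account_map, rules):
    """Return (conflicts, unmapped accounts) evaluated per central identity."""
    held = defaultdict(set)   # identity -> {(system, account, permission)}
    unmapped = []             # accounts that cannot be evaluated across systems
    for system, account, perm in assignments:
        identity = account_map.get((system, account))
        if identity is None:
            unmapped.append((system, account))
            continue
        held[identity].add((system, account, perm))
    conflicts = []
    for identity, grants in sorted(held.items()):
        for a, b in combinations(sorted(grants), 2):
            for pair, risk in rules:
                if {a[2], b[2]} == pair:
                    scope = "cross-system" if a[0] != b[0] else "single-system"
                    conflicts.append((identity, risk, scope, a, b))
    return conflicts, unmapped

if __name__ == "__main__":
    found, orphans = find_sod_conflicts(ASSIGNMENTS, ACCOUNT_TO_IDENTITY, SOD_RULES)
    for identity, risk, scope, a, b in found:
        print(f"{identity}: {scope} SoD conflict ({risk}): {a} + {b}")
    print("accounts without central identity:", orphans)
```

Accounts reported as unmapped are outside the cross-system evaluation until they are assigned to an identity, so that list is worth reviewing alongside the conflicts.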
9. SAP extension using external systems / cloud applications
Requirements from Practical User and Authorization Administration
• Cross-system account and permission list.
• Checking permissions:
  • Single critical / sensitive.
  • Separation of functions (SoD) in one system.
  • Function separation (SoD) across system boundaries.
• Possibility of mitigation of risks at all levels.
• Central evaluation without double IT systems.
• Integration into existing SAST scenarios.
10. Systematics / Difference in user and authorization management
Terminology
• Identity: Describes a unique characteristic of a natural/technical person.
• Account: Describes a user account in a defined IT system.
• Role:
  • In SAP context, a set of users and their permissions (object, field, value).
  • In non-SAP context, a grouping of permissions (characteristics such as CREATE_PO).
• Group: A set of users in a non-SAP context.
11. SAST Central Identity Function
Overview
The Central Identity function provides the following functions:
• Import of identities from LDAP, HR, SAP, IDM
• Import of accounts from systems
• Import of roles and role assignments
• Available for customers with release 5.20
• Connection of external systems using adapters based on RFC, HTTP (SOAP/REST, XML), File.
• Support of SAP NetWeaver and Ariba from SAST SUITE 5.20, then S/4HANA Cloud, HANA DB and others planned.
12. SAST Central Identity Function
"Sync on Premise" as basis for Cross System evaluations
[Diagram labels: Identity Source Adapter, Account Adapter, Role / Group Adapter; SAP on Premise with SAST SUITE (Identities, Accounts, Roles, Systems, ID-Sources); Info System and SoD Engine and Rules; Cross System Identity/Account Info System; Cross System Role Info System; Authorization and SoD Scan Results]
16. Example: Audit-proof SoD analyses at Takeda.
Initial situation
• Japan's largest pharmaceutical company has SAP landscapes with around 4,000 users in 50 countries worldwide.
• User requests and authorization assignments were handled via Winword forms.
• The SAP cloud application "Ariba" is used to optimize the procurement process, but master data maintenance takes place in SAP ERP.
• Standard software solutions on the market usually cover SoD risks only on a single system.
Project goals
1. Simplification and speed-up of the authorization assignment process.
2. Regular reports on potential risks/conflicts should optimize the control process additionally.
3. Protection of research projects and product innovations is of highest priority for Takeda.
17. Example: Audit-proof SoD analyses at Takeda.
Project implementation
• Before the implementation of SAST SUITE, the authorization process was optimized.
• Development of a cross SoD matrix with check content for SAP ERP and S/4HANA systems in combination with Ariba and integration into the SAST SUITE.
• Identification of various user IDs of a person and assignment to a central identity.
• Synchronization of the SAP Cloud Application via SAP Cloud Connector daily or on demand.
• Permanent check for SoD conflicts including recommendations for action via SAST SUITE.
Advantages for Takeda
• Establishment of a transparent and secure SAP user management in only two months.
• Automated reporting of role conflicts and risks.
• Reduction of high and medium critical SoD conflicts by about 70%.
18. “The SAST SUITE has given us the perfect solution for our global SAP authorization management. At the same time our systems are permanently monitored for vulnerabilities.”
- Manfred Meier -
19. Take Home Messages for cross-system SoD analyses:
• Uniform "central identity" necessary (organisation and standards).
• Define your S/4HANA SoD matrix before creating the first role!
• The introduction of a "mixed" architecture must be planned and tightly controlled.
• SoD analysis Hybrid-On-Premise / Cloud / Non-SAP possible.
• Implement a sandbox system for "test drive" for IT and users.
21. Keep the ball rolling with us…
• SAST BLOG: sast-blog.akquinet.com. New expert articles, practical tips, case studies, etc. every week.
• SAST NEWS: Registration on the website or by mail: sast@akquinet.de. Current information every 6-8 weeks.
• SAST WEBINARS ON DEMAND: Were you unable to attend a live webinar? The webinar archive allows you to individually schedule when you want to take advantage of our recommendations.
• SAST WEBINARS: Further topics for 2020 are available on our event page on the web.