Conflicts between employers and works councils often arise in particular due to divergent views regarding the implementation and use of technical facilities, including the ability to monitor IT workplaces.
The benefits of constructive cooperation between works council, IT department, and HR are apparent. In this light, we have designed a webinar that demonstrates how you can use the SAST SUITE for the fair monitoring of the IT workplaces at your company – while at the same time complying with the German Works Constitution Act.
In addition to describing the relevant points of intersection, we will show you the options you have for planning and managing SAP users directly in the system, and indicate the limits set by the relevant laws. We will also present a tried and tested procedure model with a focus on an optimized authorization concept in SAP systems, enabling you to avoid conflicts from the start.
Topics of focus:
• Legal basis of the German Works Constitution Act in combination with the SAST SUITE
• Transaction statistics in the standard SAP system
• Privacy and data protection despite data loss prevention
• Procedure model for proactive conflict avoidance
• Model works agreement
-------------------------------------------------------------------------------------------------------------
For information in German, feel free to contact us: sast@akquinet.de
2. WELCOME!
Introduction of your hosts today:
AXEL DALDORF, Senior PreSales Consultant SAST SUITE
UWE KETTERN, Senior PreSales Consultant SAST SUITE
4. Key points of the Works Constitution Act
§ 87 – Co-determination rights
(1) The works council shall have a right of co-determination in […] the introduction and use of technical devices designed to monitor the behaviour or performance of the employees […]
§ 90 – Information and consultation rights
(1) The employer shall inform the works council in due time of any plans concerning […] technical plants
(2) The employer shall consult the works council in good time on the action envisaged and its effects on the employees, taking particular account of its impact on the nature of their work and the resultant demands on the employees so that suggestions and objections on the part of the works council can be taken into account in the plans. […]
5. Key points of the right of co-determination
• Right of co-determination of the works council in the planning, introduction and operation of technical equipment for the potential monitoring of behavior or performance
• Includes protection from the special dangers of technical surveillance, not protection from surveillance as such: employees are not to be the object of surveillance technology
• Protection of personality
• No right to prohibit
6.–9. Trade-offs in the introduction of technical aids: Keep different interests in balance.
• Legal and regulatory requirements
• Protection of critical data
• Least privileges: A user should not have more permissions than he needs to perform his work.
• Segregation of Duties: A user may not have authorizations that violate the 4-eyes principle.
• Data responsibility: The board of directors (management) is responsible for compliance with the security guidelines. IT is responsible for physical data security (virus protection, firewall, backup, ...). The departments are responsible for logical data security (who is allowed to record, change, delete, evaluate, ...?).
• Right of information and consultation
• Right of co-determination
• Personal rights
11. Authorization management in SAP environment: the challenge
• Complex role and authorization concepts lead to confusion.
• SAP ERP consists of over 150,000 transactions ➔ with the 4 standard functions, this results in 600,000 possibilities.
• Time and effort for authorization management is usually high.
• Surveying all key users regarding the transactions they use is time-consuming.
• Transaction accesses of users must be determined while maintaining separation of functions.
• Manual collection of data is time-consuming and error-prone.
! Role and authorization projects are among the most complex and expensive in the SAP environment.
12. Far-reaching authorizations favor errors and fraudulent actions
FUNCTION | RISK | AUTHORIZATION
Maintenance of supplier master data | Creation of non-existent vendors | FK01 / XK01
+ Posting documents / invoicing (incoming goods) | Posting of fictitious invoices | FB60 / FB65 / FB01 / F-53
= Maintenance of master data AND transactional data | Risk of posting incoming invoices to fictitious accounts; cash outflow due to invoice settlement | (FK01 / XK01) + (FB60 / FB65 / FB01 / F-53)
13. The Segregation of Duties Principle (SoD)
Step 1 (Level-1-SoD): It must be ensured that there is no violation of the dual control (4-eyes) principle regarding transactions within the single roles.
Step 2 (Level-2-SoD): It must be ensured (when assigning several single roles) that there is no violation of the 4-eyes principle regarding transactions in the composite roles.
Step 3 (Level-3-SoD): It must be ensured that there is no violation of the dual control principle regarding transactions in the user master. If segregation of duties conflicts cannot be avoided at the user level, appropriate compensating controls must be introduced.
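A worked implementation of the three-level check described above, added here as an example; it is not code from the SAST SUITE or from AKQUINET. It uses the one SoD rule the slides illustrate, vendor master maintenance (FK01 / XK01) against invoice posting (FB60 / FB65 / FB01 / F-53); the role names, user IDs and the compensating-control entry are constructed sample data:

```python
"""Three-level segregation-of-duties (SoD) check over SAP-style role data.

Added example, not code from the SAST SUITE. The single rule below encodes the
conflict shown on the slides: maintaining vendor master data (FK01 / XK01)
combined with posting vendor invoices (FB60 / FB65 / FB01 / F-53). Role
names, user IDs and the compensating-control entry are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Business functions as sets of transaction codes (building blocks of the SoD matrix).
FUNCTIONS: dict[str, frozenset[str]] = {
    "VENDOR_MASTER": frozenset({"FK01", "XK01"}),
    "INVOICE_POSTING": frozenset({"FB60", "FB65", "FB01", "F-53"}),
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    risk: str


RULES = [
    SodRule("SOD-001", "VENDOR_MASTER", "INVOICE_POSTING",
            "Posting incoming invoices to fictitious vendor accounts"),
]

# Constructed role model: single roles grant transactions, composite roles
# bundle single roles, users hold either kind.
SINGLE_ROLES: dict[str, frozenset[str]] = {
    "Z_AP_CLERK": frozenset({"FB60", "FB65", "F-53"}),
    "Z_VENDOR_MAINT": frozenset({"FK01", "XK01", "FK02"}),
    "Z_AP_ALL_IN_ONE": frozenset({"FK01", "FB60"}),  # conflict inside one role
    "Z_DISPLAY": frozenset({"FK03", "FB03"}),
}
COMPOSITE_ROLES: dict[str, frozenset[str]] = {
    "ZC_AP_FULL": frozenset({"Z_AP_CLERK", "Z_VENDOR_MAINT"}),  # conflict by bundling
    "ZC_AP_READ": frozenset({"Z_DISPLAY"}),
}
USER_ROLES: dict[str, frozenset[str]] = {
    "MUELLER": frozenset({"Z_AP_CLERK"}),
    "SCHMIDT": frozenset({"Z_AP_CLERK", "Z_VENDOR_MAINT"}),
    "ADMIN1": frozenset({"ZC_AP_FULL"}),
}
# Step 3: a conflict accepted at user level needs a documented compensating control.
COMPENSATING_CONTROLS: dict[tuple[str, str], str] = {
    ("SCHMIDT", "SOD-001"): "Monthly vendor master change report reviewed by AP manager",
}


@dataclass(frozen=True)
class Finding:
    level: int            # 1 = single role, 2 = composite role, 3 = user master
    subject: str          # role or user name
    rule_id: str
    tcodes_a: tuple[str, ...]
    tcodes_b: tuple[str, ...]
    mitigated: bool = False


def conflicts_in(tcodes: frozenset[str]) -> list[tuple[SodRule, tuple[str, ...], tuple[str, ...]]]:
    """Rules for which the transaction set touches both conflicting functions."""
    hits = []
    for rule in RULES:
        a = tuple(sorted(tcodes & FUNCTIONS[rule.function_a]))
        b = tuple(sorted(tcodes & FUNCTIONS[rule.function_b]))
        if a and b:
            hits.append((rule, a, b))
    return hits


def expand_role(role: str) -> frozenset[str]:
    """Transactions granted by a single or a composite role."""
    if role in SINGLE_ROLES:
        return SINGLE_ROLES[role]
    return frozenset().union(*(SINGLE_ROLES[s] for s in COMPOSITE_ROLES[role]))


def check_level(level: int, subjects: dict[str, frozenset[str]]) -> list[Finding]:
    findings = []
    for name, tcodes in subjects.items():
        for rule, a, b in conflicts_in(tcodes):
            mitigated = level == 3 and (name, rule.rule_id) in COMPENSATING_CONTROLS
            findings.append(Finding(level, name, rule.rule_id, a, b, mitigated))
    return findings


def check_single_roles() -> list[Finding]:
    """Step 1: every single role on its own."""
    return check_level(1, SINGLE_ROLES)


def check_composite_roles() -> list[Finding]:
    """Step 2: the union of the single roles bundled in each composite role."""
    return check_level(2, {c: expand_role(c) for c in COMPOSITE_ROLES})


def check_users() -> list[Finding]:
    """Step 3: everything a user holds through all assigned roles."""
    return check_level(3, {u: frozenset().union(*(expand_role(r) for r in roles))
                           for u, roles in USER_ROLES.items()})


if __name__ == "__main__":
    for f in check_single_roles() + check_composite_roles() + check_users():
        status = "mitigated" if f.mitigated else "OPEN"
        print(f"level {f.level} {f.subject:<16} {f.rule_id} {f.tcodes_a} x {f.tcodes_b} [{status}]")
```

Run stand-alone it lists one finding per level: the single role that bundles FK01 with FB60, the composite role that combines the clerk and vendor-maintenance roles, and the two users who end up with both functions, of which only SCHMIDT has a compensating control on record. Checking all three levels matters because a role model that is clean at level 1 can still produce conflicts at level 2 or 3 purely through assignment.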
17. Comprehensive protection in real-time: Overview of our software suite.
SAST SUITE for SAP ERP or S/4HANA
Areas: Platform Security; Identity and User Access Management; Security Intelligence
Modules: Interface Management, System Security Validation, Authorization Management, Role Management, User Access Management, Password Self-Service, Risk and Compliance Management, Management Dashboard, Safe Go-Live Management, Code Vulnerability Analysis, Self-Adjusting Authorizations, Superuser Management, Security Radar, Download Management
18. SAST Authorization Management: Governance, risk & compliance conformity for your SAP systems.
The challenge
• Extensive authorizations in SAP favor errors and fraudulent actions.
• Segregation of Duties (SoD) conflicts violate compliance rules and represent a high security risk.
• Cross-system analyses and hardening of roles are time-consuming.
• Detecting and resolving SoD conflicts with standard tools is almost impossible.
• Experienced authorization experts are difficult to find and cost-intensive.
! Complex authorizations often represent a serious security and compliance risk.
✓ Using the SAST SUITE enables you to monitor and evaluate your SAP authorizations, combinations, processes and SoD ruleset.
19. SAST Authorization Management: Proactive validation of SoD conflicts.
• Request for new user ID and authorization
• Approval by supervisor ✓
• Real-time scan for SoD risks against the SoD matrix and rules
• User admin assigns roles ✓
• Supervisor notification: ok / not ok
20. Actual usage analysis and actual SoD analysis
Evaluation of the actual usage allows precise conclusions to be drawn about the applications used. Transactions that...
… a user never used can be revoked.
… are not used by any user can be removed from the roles.
Evaluations are based on SAP's ST03N statistics records and are updated monthly.
21. SAST transaction usage per role/user
Create roles as needed based on the transactions used.
Revoke unnecessarily assigned permissions.
23. Intelligent risk management with real-time monitoring
24. Data loss prevention for your SAP systems
The challenge
• Prevent your critical corporate data from misuse, industrial espionage, or theft.
• Traceability of the critical download content from SAP systems.
• Missing emergency workflows in the event of critical downloads.
! The export of data from SAP systems is almost impossible to trace.
✓ With the SAST SUITE you log all your downloads including content analysis!
25. Protection against data leakage with SAST SUITE
DATA LOSS PREVENTION (consulting, SAST SUITE, monitoring, evaluation)
Phase 1: Creating awareness – classification of data, access and download authorization worthy of protection, as well as possibilities of access protection and continuous securing of downloads in the SAP standard (data classification, data access authorization, data download authorization).
Phase 2: Identify and log critical and unusual downloads.
Phase 3: Warning for critical and unusual downloads (monitoring strategy / risk treatment).
27. Recommendation of AKQUINET for a successful introduction
01 Inform early (in the planning phase)
02 Define software deployment goals clearly and unambiguously
03 Describe the functional scope of the software in simple terms
04 Announce the contact person in case of questions
28. Proposal for the content of an agreement with the works council
• Evaluation of transaction statistics is only done in SAP role assignment projects.
• Behavioral and performance data are neither collected nor considered.
• There is no quantitative analysis of transaction calls, only an ABC analysis:
  • Transaction is used.
  • Transaction is used occasionally or only at a specific time.
  • Transaction is not used.
• The transaction evaluation can only be executed by specially authorized SAP administrators.
• Transaction evaluation is only available during direct analysis in the SAP system.
! In general, the SAP standard enables behavior and performance monitoring, and its use is therefore subject to co-determination.
✓ The SAST SUITE allows you to technically implement the organizational restrictions you have defined.
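An added example, not SAST SUITE code, of the ABC usage analysis that slides 20 and 28 describe: monthly user/transaction records of the kind ST03N delivers are reduced to the three classes, assigned but never used transactions become revocation candidates per user, and transactions that no user of a role ran become removal candidates per role. Users, roles, the observation window and the records are constructed, and treating a transaction as regularly used when it appears in at least half of the months is an assumption of this example:

```python
"""ABC usage analysis of SAP transactions per user and per role.

Added example, not code from the SAST SUITE. It follows the approach the
slides describe: monthly statistics records (of the kind ST03N provides) are
reduced to "used / used occasionally / not used" per user and transaction, and
no call counts are kept or reported. Users, roles, the observation window and
the records are constructed sample data; treating a transaction as regularly
used when it appears in at least half of the months is an assumption of this
example, not a SAST SUITE setting.
"""
from __future__ import annotations

from collections import defaultdict

WINDOW_MONTHS = ["2024-01", "2024-02", "2024-03", "2024-04", "2024-05", "2024-06"]
REGULAR_FRACTION = 0.5  # assumption: used in >= half of the months -> class A

ROLE_TCODES: dict[str, frozenset[str]] = {
    "Z_AP_CLERK": frozenset({"FB60", "FB65", "F-53", "FB03"}),
}
USER_ROLES: dict[str, frozenset[str]] = {
    "MUELLER": frozenset({"Z_AP_CLERK"}),
    "SCHMIDT": frozenset({"Z_AP_CLERK"}),
}

# Constructed monthly records: (month, user, tcode, dialog steps). The step
# count is dropped immediately so nothing quantitative survives the analysis.
USAGE_RECORDS = [
    ("2024-01", "MUELLER", "FB60", 412), ("2024-02", "MUELLER", "FB60", 388),
    ("2024-03", "MUELLER", "FB60", 401), ("2024-04", "MUELLER", "FB60", 395),
    ("2024-05", "MUELLER", "FB60", 420), ("2024-06", "MUELLER", "FB60", 377),
    ("2024-06", "MUELLER", "F-53", 3),            # only at period end
    ("2024-01", "SCHMIDT", "FB60", 150), ("2024-02", "SCHMIDT", "FB60", 160),
    ("2024-04", "SCHMIDT", "FB60", 155), ("2024-05", "SCHMIDT", "FB60", 149),
    ("2024-03", "SCHMIDT", "FB65", 12),
    ("2024-02", "SCHMIDT", "SU01", 1),            # not in an assigned role: ignored
    ("2023-12", "MUELLER", "FB65", 40),           # outside the window: ignored
]

CLASS_LABELS = {"A": "used", "B": "used occasionally / at a specific time", "C": "not used"}


def months_used() -> dict[tuple[str, str], set[str]]:
    """Collapse the records to the months in which a user ran a transaction at all."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for month, user, tcode, _steps in USAGE_RECORDS:
        if month in WINDOW_MONTHS:
            seen[(user, tcode)].add(month)
    return seen


def assigned_tcodes(user: str) -> frozenset[str]:
    """Transactions a user holds through the roles assigned to them."""
    return frozenset().union(*(ROLE_TCODES[r] for r in USER_ROLES[user]))


def classify(user: str, tcode: str) -> str:
    """ABC class for one user/transaction pair over the observation window."""
    n = len(months_used().get((user, tcode), set()))
    if n == 0:
        return "C"
    if n >= REGULAR_FRACTION * len(WINDOW_MONTHS):
        return "A"
    return "B"


def usage_report() -> dict[tuple[str, str], str]:
    """Class of every transaction each user is assigned (not only those they ran)."""
    return {(u, t): classify(u, t)
            for u in sorted(USER_ROLES) for t in sorted(assigned_tcodes(u))}


def revocation_candidates() -> list[tuple[str, str]]:
    """Assigned transactions a user never used: candidates for revocation."""
    return [pair for pair, cls in usage_report().items() if cls == "C"]


def removal_candidates() -> dict[str, list[str]]:
    """Transactions in a role that none of its users ran: candidates for removal."""
    out: dict[str, list[str]] = {}
    for role, tcodes in ROLE_TCODES.items():
        holders = [u for u, roles in USER_ROLES.items() if role in roles]
        unused = sorted(t for t in tcodes if all(classify(u, t) == "C" for u in holders))
        if unused:
            out[role] = unused
    return out


if __name__ == "__main__":
    for (user, tcode), cls in usage_report().items():
        print(f"{user:<8} {tcode:<5} {cls} ({CLASS_LABELS[cls]})")
    print("revoke from users:", revocation_candidates())
    print("remove from roles:", removal_candidates())
```

The report is keyed by what a user is assigned, not by what appears in the statistics, so an assigned transaction with no record at all shows up as class C instead of silently disappearing; records for transactions outside the assigned roles, and records outside the window, are ignored. Dropping the step counts before classification is what keeps the result at the level the proposed agreement allows: a usage class per transaction, not a performance figure per employee.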
29. Take Home Messages
✓ Always keep legal requirements in mind.
✓ Don't avoid discussion - open communication promotes acceptance.
✓ Describe the goals and expectations of the software deployment as simply and comprehensibly as possible.
✓ Know about the range of services offered by the planned software - this is the only way to honestly address employees' concerns.
✓ SAST uses the SAP standard and does not generate its own data for performance monitoring - so you remain transparent.