SAP Security Workshop

Best practice security model
1. Security Mapping Overview

2. What Are The Objectives of the Security Role Mapping Workshop?
   - Familiarize Management and Super-users with Security Concepts
   - Review Global One Template Security Design
   - Discuss Expectations of Mapping sessions
     - Review Role to SAP Position Mapping
     - Determine SAP Role to User Mapping
   - Discuss Data Owners, Who Will Be Responsible for Local User Access and Issue Resolution
   - Discuss Segregation of Duties as it Relates to Security
   - Next Steps

3. Control Techniques (diagram): a Business Process Controls umbrella spans non-SAP business processes and SAP controls; the SAP controls are SAP standard, SAP configured, Authorization, Monitoring and Manual, each addressing its own risks.
5. Why Have Security?
   - Helps Users Perform Their Daily Responsibilities
   - Provides Accountability of User Actions
   - Limits Access to Certain Update Activities
   - Restricts Ability to View Sensitive Information
   - Supports Audit Trails of Activities
   - Protects Systems from Misuse
   - Helps to Provide Data Integrity

6. What defines a Security Role?
   - Matches what a user does with where they are in the organization
   - Access to Perform Tasks Based on Responsibilities
     - The Customer Service Representative has access to certain tasks
     - These tasks are known as transaction codes, e.g. VA01 (create sales order)
   - Access to Data Based on Organizational Responsibilities
     - The Customer Service Representative has the access to create, change or view data related only to their organizational responsibilities
     - Example of organizational restriction: the Customer Service Representative has the access to create or change a sales order (VA01 & VA02) only for the Argentina Company Code (AR1), but may be able to display more data (VA03).

7. Security Design Approach (Observation 3, diagram)
   - SAP transaction(s) are assigned to roles, but a transaction should only be assigned to one role.
   - Roles are mapped to SAP positions, which are then mapped to users.
   - Chain shown: SAP Transaction VA01 -> Role "Change Sales Order" -> SAP Position "Customer Service"
9. Global One Security Template (diagram, Wave One through Wave Four)
   - North America security design as the baseline (North American security foundation: 80%)
   - Design security for Global One (20% change from North America)
   - Final Global Template, then Localize Global Template
   - Minor changes to Global Template Security can be accommodated within reason (e.g. new transaction codes and new SAP Positions)

10. Security Design Approach (Observation 3, diagram)
   - SAP transaction(s) are assigned to roles.
   - Roles are mapped to SAP positions, which are then mapped to users.
   - Chain shown: SAP Transaction VA01 -> Role "Change Sales Order" -> SAP Position "Customer Service"

11. The Enterprise Structure (Hierarchy) Drives...
   - How data is defined in the system
   - How SAP functionality can be designed to meet Global business requirements
   - How transactional data is registered and recorded in the system
   - The ability to use standard delivered reports/inquiries
   - How cross-company processing takes place
   - The complexity of data input
   - How roles and users operate within the system, both from a security access perspective as well as from a location and organizational model perspective

12. Organizational Structure Options and Localization (each SAP organizational unit, with the options for what it can represent)
   - Instance: Worldwide SAP System; Country-Specific SAP System
   - Client: Global Company; Business Unit
   - Company: Legal Entity; Country; Business Unit; Business Unit Segment
   - Profit Center: Business Unit; Country; Market Segment; Product Line; Product Category
   - Operating Concern: Global Company; Sales Organizations; Market Segments
   - Controlling Area: Global Company; Country
   - Cost Center: Department (Budget Center); Plant; Work Station
   - Credit Control Area: Global Company; Country
   - Sales Organization: Business Unit; Country; Company Code; Market Segment
   - Division: Product Line; Business Unit
   - Distribution Channel: Sales Channel
   - Plant: Manufacturing Site; Warehouse; Distribution Center; Cost Center; Physical Building; Stockroom
   - Storage Location: Stock Room; Warehouse; Plant-Defined
   - Purchasing Organization: Company worldwide; Company
   - Purchasing Group: Entire Purchasing Org; Buyer
   - Warehouse: Storage Type; Storage Bin

13. Scope of Organizational Hierarchy for Global One
   - Finance: Company Code, Chart of Accounts, Controlling Area, Profit Center, Cost Center
   - Order to Cash: Sales Area, Sales Organization, Distribution Channel, Division, Sales Office, Sales Group, Sales Employee
   - Forecast to Stock: Plant, Purchasing Organization, Purchasing Group, Storage Location, Warehouse
15. Role Example (diagram: Transaction -> Role -> SAP Position -> User)
   - Transactions, grouped under the role whose name matches them:
     - Display Purchase Req (ME53) -> Display Purchasing, GM_XXX_FTS_DIS_PURCHASNG
     - Create Purchase Req (ME51), Change Purchase Req (ME52) -> Create/Change Purch Req, GM_XXX_FTS_CHG_PUR_REQ
     - Display Materials (MM03) -> Display Master Data, GM_XXX_MDT_GEN_DISPLAY
     - Create Purchase Order (ME21N), Change Purchase Order (ME22N) -> Create/Change Purchase Order, GM_XXX_FTS_CHG_PO
   - SAP Positions: Strategic Purchasing, Plant Buyer
   - Users: Jian Min, Carlos, Jorge, Françoise

16. Transactions by roles

17. Master and Derived roles

18. List of SAP Positions
20. Who Are The Data Owners?
   - There should be a defined “Data Owner” for all areas of the business (FTS, FIN, OTC).
   - These should be the people consulted to determine if users from another business area or region should be allowed access.
   - We recommend that Senior Management identify the names of these data owners for each area of the business.
   - The Data Owner for a business area or region may choose to delegate this responsibility to other staff:
     - Financial data requests, to person X
     - Forecast to Stock data requests, to person Y
     - Order to Cash data requests, to person Z
   - Once approved, the local security administrators can then grant the requested access.

21. Security Access Approvers – Data Owners (diagram: Global; Southern Cluster with AR, UY, CL, PY; North America with CA, US)
   - EXAMPLE 1: A Finance User works in Argentina and has access to view or modify Argentina data in SAP.
   - The Finance User wants access to view and update US information. The User needs to request approval from the US Data Owner; this should be the US Finance Data Owner.
   - The request should also be approved by the Finance Data Owner of the country the person works for, prior to being issued access, i.e. two approvals, one from Argentina and one from the US.

22. Security Access Approvers – Data Owners (diagram: Global; Southern Cluster with AR, UY, CL, PY)
   - EXAMPLE 2: A Plant User works in Argentina plant 4100 and has access to view or modify plant 4100 data in SAP.
   - The User wants access to view and modify data in the Paraguay Plant and should request approval from the Paraguay Plant Data Owner.
   - The request should also be approved by the Argentina Plant Data Owner prior to being issued access.
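The two-approval rule from Examples 1 and 2 above, as an added Python example that is not part of the original deck: the data-owner directory, the delegation to "person X", the approver and user ids are constructed, and treating a request inside the requester's own country as needing a single approval is an assumption the slides do not state.

```python
"""Routing of access requests to data owners: the data owner of the area and
country being requested and the data owner of the requester's home country
must both approve before local security administration grants access.
Added example; directory, delegations and ids below are constructed."""
from dataclasses import dataclass, field

# Constructed directory: (business area, country) -> data owner.
# FIN and FTS are the business-area codes used on the "Data Owners" slide.
DATA_OWNERS = {
    ("FIN", "AR"): "fin.owner.ar",
    ("FIN", "US"): "fin.owner.us",
    ("FTS", "AR"): "plant.owner.ar",   # Argentina plant 4100
    ("FTS", "PY"): "plant.owner.py",   # Paraguay plant
}

# Constructed delegations: a data owner hands one area's requests to a
# named person (the slides' "Financial data requests, to person X").
DELEGATIONS = {("fin.owner.us", "FIN"): "person.x"}


def approver_for(area, country):
    """Data owner for an area and country, after following any delegation."""
    owner = DATA_OWNERS[(area, country)]
    return DELEGATIONS.get((owner, area), owner)


def required_approvers(area, home_country, target_country):
    """Target-country owner plus home-country owner. For a request inside
    the requester's own country the two coincide, so one approval remains
    (assumption: the deck only shows the cross-country case)."""
    return {approver_for(area, target_country), approver_for(area, home_country)}


@dataclass
class AccessRequest:
    user: str
    area: str
    home_country: str
    target_country: str
    approvals: set = field(default_factory=set)

    def required(self):
        return required_approvers(self.area, self.home_country, self.target_country)

    def approve(self, approver):
        """Record an approval; anyone outside the required set is rejected."""
        if approver not in self.required():
            raise PermissionError(f"{approver} is not an approver for this request")
        self.approvals.add(approver)

    def outstanding(self):
        return self.required() - self.approvals

    def can_grant(self):
        """Local security administrators grant only once every approval is in."""
        return not self.outstanding()


if __name__ == "__main__":
    req = AccessRequest("finance.user.ar", "FIN", "AR", "US")   # Example 1
    print("required:", sorted(req.required()))
    req.approve("person.x")            # delegate of the US Finance data owner
    print("grant after one approval:", req.can_grant())
    req.approve("fin.owner.ar")
    print("grant after both approvals:", req.can_grant())
```

Keeping the approver set derived from the directory rather than typed into the request means a later change of data owner or delegation is picked up by every open request, and the `approve` check refuses approvals from people who are not the designated owners for that area.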
24. Segregation of Duties – Security Team Approach
   - Tailor the specific Segregation of Duties table (SAAT) for the functionality being implemented.
     - Segregation of duties should be considered as roles are designed.
   - Ensure all roles are reviewed with segregation of duties and sensitive transactions taken into account.
     - Review the role definitions to ensure that any segregation of duties conflicts at the transaction level are properly resolved (no conflict should exist in a single role).
   - Ensure all positions are reviewed with segregation of duties and sensitive transactions taken into account.
     - Review the positions to ensure all segregation of duties and sensitive access have been identified and the appropriate authorization given if any conflicts are to remain in place.
   - Ensure all mapped users are reviewed with segregation of duties and sensitive transactions taken into account.
     - Review any conflicts with the relevant manager and ensure a risk acceptance decision has been taken before go live.
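The transaction-to-role-to-position-to-user model of the Security Design Approach and Role Example slides, the company-code restriction from the "What defines a Security Role?" slide, and the three-level segregation-of-duties review described just above, as one added Python example that is not part of the original deck. The purchasing role names and transaction codes are taken from the Role Example slide; the two sales-order role names, the position and user assignments, the company code US1 and the conflict table are constructed assumptions and do not reproduce the workshop's SAAT.

```python
"""Toy model of the deck's role design: transactions with activity and
company-code restrictions sit in roles, roles in SAP positions, positions
on users; SoD is reviewed at role, position and user level.
Added example; names not on the slides are constructed."""
from dataclasses import dataclass

# SAP activity (ACTVT) values: create, change, display.
CREATE, CHANGE, DISPLAY = "01", "02", "03"


@dataclass(frozen=True)
class Authorization:
    """One transaction with its permitted activities and company-code restriction."""
    tcode: str
    activities: frozenset
    company_codes: frozenset  # {"*"} means no organizational restriction


def auth(tcode, activities, company_codes=("*",)):
    return Authorization(tcode, frozenset(activities), frozenset(company_codes))


# Purchasing roles follow the Role Example slide; the two sales-order roles are
# constructed around the AR1 example (VA01/VA02 limited to company code AR1,
# VA03 allowed everywhere). Each transaction appears in exactly one role.
ROLES = {
    "GM_AR1_OTC_CHG_SALES_ORD": [auth("VA01", {CREATE}, {"AR1"}), auth("VA02", {CHANGE}, {"AR1"})],
    "GM_XXX_OTC_DIS_SALES_ORD": [auth("VA03", {DISPLAY})],
    "GM_XXX_FTS_DIS_PURCHASNG": [auth("ME53", {DISPLAY})],
    "GM_XXX_FTS_CHG_PUR_REQ": [auth("ME51", {CREATE}), auth("ME52", {CHANGE})],
    "GM_XXX_MDT_GEN_DISPLAY": [auth("MM03", {DISPLAY})],
    "GM_XXX_FTS_CHG_PO": [auth("ME21N", {CREATE}), auth("ME22N", {CHANGE})],
}

# Constructed assignments using the positions and user names on the slide.
POSITIONS = {
    "Customer Service": ["GM_AR1_OTC_CHG_SALES_ORD", "GM_XXX_OTC_DIS_SALES_ORD"],
    "Strategic Purchasing": ["GM_XXX_FTS_DIS_PURCHASNG", "GM_XXX_FTS_CHG_PUR_REQ", "GM_XXX_MDT_GEN_DISPLAY"],
    "Plant Buyer": ["GM_XXX_FTS_CHG_PO", "GM_XXX_MDT_GEN_DISPLAY"],
}
USERS = {
    "Françoise": ["Customer Service"],
    "Carlos": ["Strategic Purchasing"],
    "Jorge": ["Plant Buyer"],
    "Jian Min": ["Strategic Purchasing", "Plant Buyer"],  # constructed: holds two positions
}

# Constructed transaction-level SoD table: whoever raises or changes a purchase
# requisition must not also create or change the purchase order that fulfils it.
SOD_CONFLICTS = {frozenset({"ME51", "ME21N"}), frozenset({"ME52", "ME22N"})}


def role_tcodes(role):
    return {a.tcode for a in ROLES[role]}


def position_tcodes(position):
    return set().union(*(role_tcodes(r) for r in POSITIONS[position]))


def user_tcodes(user):
    return set().union(*(position_tcodes(p) for p in USERS[user]))


def sod_conflicts(tcodes):
    """Conflicting transaction pairs that are both present in `tcodes`."""
    return {pair for pair in SOD_CONFLICTS if pair <= set(tcodes)}


def multiply_assigned():
    """Transactions that appear in more than one role (the deck says none should)."""
    holders = {}
    for role, auths in ROLES.items():
        for a in auths:
            holders.setdefault(a.tcode, []).append(role)
    return {t: r for t, r in holders.items() if len(r) > 1}


def is_authorized(user, tcode, activity, company_code):
    """Check in the spirit of an ABAP AUTHORITY-CHECK: some role reached through
    the user's positions must grant the transaction, activity and company code."""
    return any(
        a.tcode == tcode and activity in a.activities
        and ("*" in a.company_codes or company_code in a.company_codes)
        for position in USERS[user]
        for role in POSITIONS[position]
        for a in ROLES[role]
    )


def sod_review():
    """Three-level review: a conflict inside one role is a design error; a
    conflict at position or user level needs a documented risk decision."""
    levels = (("roles", ROLES, role_tcodes), ("positions", POSITIONS, position_tcodes),
              ("users", USERS, user_tcodes))
    return {level: {name: sod_conflicts(fn(name)) for name in table if sod_conflicts(fn(name))}
            for level, table, fn in levels}


if __name__ == "__main__":
    print("multiply assigned:", multiply_assigned())
    print("AR1 create order:", is_authorized("Françoise", "VA01", CREATE, "AR1"))
    print("US1 create order:", is_authorized("Françoise", "VA01", CREATE, "US1"))
    for level, findings in sod_review().items():
        print(level, {k: [sorted(p) for p in v] for k, v in findings.items()})
```

Run as written, the review reports no conflict in any single role or position, and one user-level finding: the constructed user who holds both purchasing positions combines requisition and purchase-order transactions, which is exactly the case the slide says must go to the relevant manager for a risk acceptance decision before go live. The `multiply_assigned` check enforces the one-role-per-transaction rule, and the `is_authorized` calls show the company-code restriction: creating a sales order is allowed for AR1 but refused for US1, while display (VA03) is unrestricted.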
26. Next Steps
   - Data Owners will approve and sign-off on the following:
     - Role to SAP Position Mapping
     - SAP Position to User Mapping
     - SOD Conflicts and Compensating Controls

27. Questions?
