The Original Sin

By this name, I mean when managers, executives, and security officers try to explain issues from SAP when implementing a project  (and many of these issues have also been inherited). Problems in terms of security quality in the user accounts, roles, profiles, and privileges that have been given to them.

By this name, I mean when managers, executives, and security officers try to explain issues from SAP when implementing a project  (and many of these issues have also been inherited). Problems in terms of security quality in the user accounts, roles, profiles, and privileges that have been given to them.

In general, when implementing a SAP ERP project, the definition of security – in terms of the privileges that are given to each user account – is addressed by the client, who is not assuming this is a priority, due to the unfamiliarity and misinformation of the consulting companies that are responsible for the implementation process.

SAP ERP System security is complex in both definition and administration. This is because SAP regulates security at the most granular level. Therefore, the effect of high integration of the processes is not seen as a disadvantage. Below I describe the problem:

1. The Problem

As a result, companies can take up to one or two years to find out they have a severe and unresolved problem: user accounts have a significant number of privileges that are not necessary. Generally, the information comes from the external auditor. The problem starts at the end of the project due to the dynamism of companies that assign and reassign functions to their collaborators, being IT responsible for authorising those privileges. Some undesirable effects are:

– Excessive access and attributes to users

– Exponential generation of vulnerabilities and associated risks

– Permanent exposure to external auditors

– Potential negative effect on the assets and risk classification, driven by the economic agents

2. The solution

The solution to this problem is to maintain the SAP ERP System’s security environment in governance, order, standardisation, and controlled risks. Although it seems a complex solution, a specific software is needed to solve this problem (because of the diversity of information and volume). Some companies – including large organisations with global operations – have requested the solution by applying SAP GRC Access Control software.

We know that the software is the key element to solve the problem, and although many companies have acquired it, just a few have adopted the methodology and the structure required. SAP Access Control demands human, physical and monetary resources that need to be sustainable over time. 

What about the rest? Most of them have shown no preference – until they find a specific fact of fraud – and others are aware of the problem, however, they don’t take any action until there is an urgency.

WOULD YOU LIKE TO SEE OUR SOFTWARE LIVE AND IN REAL TIME?