No more historically grown authorization concepts!
Anyone who has ever cleaned out their basement will be familiar with this: over the years, things have accumulated, some useful, others superfluous or even dangerous. The situation is similar in the IT landscape of many companies, especially when it comes to SAP authorization concepts. What remains are historically grown structures, the result of years of adaptations, extensions and "emergency solutions".
SAP authorization concepts are complex. They must ensure that every employee has exactly the access rights they need for their work. Authorizations that are too restrictive can hinder the workflow, while authorizations that are too generous can pose security risks, such as the segregation of duties conflict "Maintain vendor master data AND post vendor invoice or credit memo".
The ways in which this process is carried out in the system are complex and difficult to check, as can be seen time and again in SAP security audits and even in current S/4 projects. Added to this is the need to adhere to legal requirements and internal compliance guidelines and to discuss these with the department heads.
Rules for risk
This is exactly where risk rule sets come into play. Like an experienced tidying expert, they help to bring clarity to the chaos. But be careful: not every set of risk rules is helpful. Some overlook risks, others are too rigorous and remove useful authorizations. It is crucial to rely on a set of risk rules built on the broad expertise and experience of SAP auditors.
A precise set of risk rules detects even subtle deviations and determines which authorizations are problematic. Minimizing unnecessary access warnings and false positives increases efficiency and saves resources. A good risk rule set creates common standards and improves communication between departments. Clean role design ensures efficient and precise assignment of authorizations that meet the company's requirements. Risk and process descriptions should be included so that, in addition to the technical component, an understanding is created on this basis. A risk rule set should be updated continuously to reflect the dynamic nature of the technical content.
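To make the idea of a risk rule set concrete, here is an added example (not code from the original article or from any SAP product) of a minimal segregation-of-duties check. It models the conflict named above, "Maintain vendor master data AND post vendor invoice or credit memo", as a rule over two business functions, each defined by the transactions that grant it, and evaluates user-to-role assignments against it. The transaction codes, role names and user assignments are assumptions constructed for the example; a real rule set would carry the full list of transactions and authorization objects per function. Two design points from the text are visible in the code: display-only transactions are deliberately not part of the "maintain" function, which keeps false positives down, and each finding reports which roles grant each side of the conflict, which is what a role designer needs for remediation.

```python
"""Minimal segregation-of-duties (SoD) rule engine.

Added illustration, not the article's or SAP's own code. Transaction codes,
roles and users below are assumed sample data, not taken from any system.
"""
from dataclasses import dataclass

# A business function is a named set of transactions that grant it.
# Display transactions (FK03/XK03) are intentionally kept in a separate
# function so that read-only access does not trigger a "maintain" finding.
FUNCTIONS = {
    "MAINTAIN_VENDOR_MASTER": {"FK01", "FK02", "XK01", "XK02"},  # assumed t-codes
    "POST_VENDOR_INVOICE":    {"FB60", "FB65", "MIRO"},          # assumed t-codes
    "DISPLAY_VENDOR_MASTER":  {"FK03", "XK03"},                  # assumed, display only
}


@dataclass(frozen=True)
class RiskRule:
    """Two functions that must not be held by the same user."""
    rule_id: str
    function_a: str
    function_b: str
    description: str


RULE_SET = [
    RiskRule("P2P-001", "MAINTAIN_VENDOR_MASTER", "POST_VENDOR_INVOICE",
             "Maintain vendor master data AND post vendor invoice or credit memo"),
]

# Roles and the transactions they grant (constructed sample data).
ROLES = {
    "Z_AP_CLERK":      {"FB60", "FB65", "FK03"},
    "Z_VENDOR_MASTER": {"FK01", "FK02"},
    "Z_AP_DISPLAY":    {"FK03", "XK03"},
    "Z_SUPER_AP":      {"FK01", "FK02", "FB60", "MIRO"},  # conflict inside one role
}

# User-to-role assignments (constructed sample data).
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},  # conflict across two roles
    "BOB":   {"Z_AP_CLERK", "Z_AP_DISPLAY"},     # display only on the master side
    "CAROL": {"Z_VENDOR_MASTER"},                # one side only
    "DAVE":  {"Z_SUPER_AP"},                     # conflict from a single role
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    user: str
    roles_a: tuple  # roles granting function_a
    roles_b: tuple  # roles granting function_b


def roles_granting(user, function, user_roles=USER_ROLES, roles=ROLES, functions=FUNCTIONS):
    """Roles assigned to `user` that grant at least one transaction of `function`."""
    wanted = functions[function]
    return tuple(sorted(r for r in user_roles.get(user, ()) if roles.get(r, set()) & wanted))


def evaluate_user(user, rule_set=RULE_SET, user_roles=USER_ROLES, roles=ROLES, functions=FUNCTIONS):
    """Return one Finding per risk rule whose both sides the user can execute."""
    findings = []
    for rule in rule_set:
        ra = roles_granting(user, rule.function_a, user_roles, roles, functions)
        rb = roles_granting(user, rule.function_b, user_roles, roles, functions)
        if ra and rb:
            findings.append(Finding(rule.rule_id, user, ra, rb))
    return findings


def evaluate_all(rule_set=RULE_SET, user_roles=USER_ROLES, roles=ROLES, functions=FUNCTIONS):
    """Evaluate every user; a finding whose roles_a == roles_b points at a badly cut role."""
    return [f for u in sorted(user_roles)
            for f in evaluate_user(u, rule_set, user_roles, roles, functions)]


if __name__ == "__main__":
    for f in evaluate_all():
        cause = "single role" if f.roles_a == f.roles_b else "role combination"
        print(f"{f.rule_id} {f.user}: {cause} {f.roles_a} + {f.roles_b}")
```

Running the block reports ALICE (conflict created by combining two individually clean roles) and DAVE (conflict built into one role), while BOB, who only has display access to vendor master data, produces no warning.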
S/4 restart option
The switch to S/4HANA offers the opportunity to start with an empty basement. But there are pitfalls lurking here too. The new architecture, the separation of front end and back end and the introduction of SAP Fiori apps bring new challenges. Risk rules can help to maintain an overview and ensure that authorizations in the new system are kept much cleaner and more efficient than before. This means that the new basement is structured and free of legacy issues - which has a positive effect on the SAP security check.
Historically evolved SAP authorization concepts are a challenge, especially in the face of new requirements (technical, legal and content-related). However, with the right strategy, the right tools and an experienced team, they can be efficiently optimized. Anyone who sets themselves the goal of operating a secure and efficient SAP system that meets compliance requirements and reduces costs is preparing for the future.
However, those who do not use an up-to-date set of risk rules risk incurring additional costs for SAP authorizations in the future and jeopardizing corporate security. These gaps also lead to an increase in cyberattacks that can cause lasting damage to companies. At the end of the day, a tidy basement is a great feeling, isn't it?