This blog provides an overview of the concept of security and its supporting SAP applications.

Security in SAP is one of the top priorities for ensuring that the organization remains stable in terms of availability of systems, security of its information and adherence to financial regulations.

Recent financial irregularities at a major energy corporation led to its bankruptcy. It brought into place the Sarbanes-Oxley (SOX) regulation. Section IT-404 of the SOX policy relates to segregation of duties (SoD), which simply means that no user should have conflicting or violating transactions assigned. This ensures that the landscape remains free of risk.

In SAP, SoD is achieved through a concept called authorization, which has two main elements: 'user' and 'access'. SAP applications such as ECC have built-in controls to restrict access to users. We will also look briefly at other powerful SAP applications for security: GRC and IDM.

User management: The lifecycle of all types of users consists of three phases: creation, modification, and termination.

Access management: Access in SAP is controlled through roles, which in turn consist of objects, such as transaction codes. So, a user can only execute those transactions that have been assigned to him or her via a role.

GRC (governance, risk, and compliance) ensures that the systems remain risk-free throughout. This is achieved through controls such as Risk Library and Mitigation controls.

The Risk Library is a collection of risks that is used to detect whether risks exist for users. Mitigation controls are used to denote that the risk is accepted by the organization.
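The following added example (not SAP or GRC code, and not from the original post) sketches how a risk library can be checked against role assignments: each user's roles are expanded to transaction codes, and a risk is reported when the user can execute both sides of a conflicting pair. Role names, user IDs, risk IDs and the mitigation control ID are constructed, and the check is simplified to transaction-code level.

```python
# Constructed sample data: roles map to the transaction codes they grant.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},   # create / change vendor
    "Z_AP_PAYMENTS": {"F-53", "F110"},       # post payment / payment run
    "Z_MM_BUYER": {"ME21N", "ME22N"},        # create / change purchase order
    "Z_MM_RECEIVING": {"MIGO"},              # goods movement
}
USER_ROLES = {
    "ALICE": ["Z_AP_VENDOR_MAINT"],
    "BOB": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "CARLA": ["Z_MM_BUYER", "Z_MM_RECEIVING"],
}
# Risk library: risk ID -> (description, side A tcodes, side B tcodes).
RISK_LIBRARY = {
    "R001": ("Maintain vendor and pay vendor", {"FK01", "FK02"}, {"F-53", "F110"}),
    "R002": ("Create PO and post goods receipt", {"ME21N", "ME22N"}, {"MIGO"}),
}
# Mitigation controls: (user, risk) pairs the organization has accepted.
MITIGATIONS = {("CARLA", "R002"): "MC01"}

def effective_tcodes(user):
    """Map each transaction the user can run to the roles that grant it."""
    granted = {}
    for role in USER_ROLES.get(user, []):
        for tcode in ROLES[role]:
            granted.setdefault(tcode, set()).add(role)
    return granted

def analyze(user):
    """Return one finding per risk whose two sides the user can both execute."""
    granted = effective_tcodes(user)
    findings = []
    for risk_id, (desc, side_a, side_b) in sorted(RISK_LIBRARY.items()):
        hit_a, hit_b = side_a & set(granted), side_b & set(granted)
        if hit_a and hit_b:  # conflict only when both sides are reachable
            hits = hit_a | hit_b
            roles = set().union(*(granted[t] for t in hits))
            findings.append({"risk": risk_id, "description": desc,
                             "tcodes": sorted(hits), "roles": sorted(roles),
                             "mitigation": MITIGATIONS.get((user, risk_id))})
    return findings

def unmitigated():
    """Users with at least one risk that has no mitigation control."""
    result = {}
    for user in USER_ROLES:
        open_risks = [f["risk"] for f in analyze(user) if f["mitigation"] is None]
        if open_risks:
            result[user] = open_risks
    return result
```

The `roles` field in each finding shows which role assignments would have to change to remove the conflict.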

There are additional modules of GRC such as Process Control and Risk Management, which are used for advanced security functionalities, such as automated monitoring and policy management.

IDM (Identity Management) is a much more powerful application than GRC, where even non-SAP applications can be provided access. It can have HR systems, for instance SuccessFactors, as a data source, or it can behave as a source itself.

IDM has workflows for approvals from business owners and can call GRC for risk analysis.

So, these are a few of the major components of SAP that help an organization stay secure.

Global reach and wider accessibility, such as through mobile devices, have made organizations more susceptible to threats, making high-level security a must-have.

Please reach out to me if you would like more information on SAP security.

Disclaimer

Capgemini SE published this content on 15 October 2019 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 15 October 2019 19:02:08 UTC