SAP Authorization Concept

As loose as possible but as restrictive as necessary


Page 1: SAP - Authorization Concept

SAP Authorization Concept

As loose as possible but as restrictive as necessary

Page 2: SAP - Authorization Concept

Enterprise goals without complicating your staff's day-to-day activities.

Diagram: the SAP authorization concept sits between the critical and non-critical transactions on one side and critical and non-critical data on the other.

Page 3: SAP - Authorization Concept

Background and approach to the authorization concept

• By no means a strictly technical job

• It is not just the responsibility of Basis support

• Much of the work has to be performed by project team members and enterprise staff members

• Because the SAP system currently features over 61,000 transactions, do not underestimate the "effort required" to develop an authorization concept

Page 4: SAP - Authorization Concept

Authorization level approach

• At larger companies, especially global corporations, a more detailed approach is required.

• An authorization concept should always be tailored to a specific company.

• Company requirements are expressed as the relationship between transactions and authorization objects.

Page 5: SAP - Authorization Concept

Transactions and Authorization Objects

• Transactions: each corresponds to a function call that executes an SAP program. ~61,000 transactions.

• Authorization objects: protect access to a functional area or data area in the SAP system. ~900 authorization objects.

Page 6: SAP - Authorization Concept

Transactions between Authorization Objects

Page 7: SAP - Authorization Concept

Defining enterprise structure (1st step)

Diagram of an example enterprise structure with its organizational values:

• Client

• Controlling Area 1000

• Company Code 1000

• Credit Control Area 1000

• Operating Concern 1041

• Personnel Area 1100, with Personnel Subareas 1110 and 1120

• Personnel Area 1000, with Personnel Subareas 1010 and 1020

Page 8: SAP - Authorization Concept

Enterprise-relevant structure (what units are to be protected?)

Diagram of the organizational units that can carry authorization values:

• Client

• Controlling Area

• Company Code

• Purchasing Organization

• Purchasing Groups

• Sales Organization

• Division

• Production Plant

• Distribution Plant

• Distribution Channel

• Storage Location

Page 9: SAP - Authorization Concept

Authorization concept (2nd step: determining the risk environment)

As loose as possible, as restrictive as necessary

Page 10: SAP - Authorization Concept

Factors for determining the risk environment

• Enterprise: risks that threaten your existence, wealth, finances, or profit situation, by business unit/area, business process, or project

• Statutory regulations -> Corporate governance: countries have recently passed risk management laws to reduce the risk of corporate collapse; these regulations aim to implement risk-monitoring systems.

• Corporate governance -> Internal guidelines: internal auditing, external auditing, implementation of new systems/processes/guidelines (continuous improvement to prevent risks).

Page 11: SAP - Authorization Concept

The risk sources (processes, areas, and so on)

• Enterprise processes that are not adequately secured can mean a potential loss of data, inventories, and assets. Examples:

• Postings without a document

• Inventory differences that are posted in an uncoordinated way

• Uncoordinated changes to bills of materials

• Deliveries without accounting documents

• etc.

Page 12: SAP - Authorization Concept

The risk categories

• Regulatory risk: possible violation of underlying laws that may result in fines, contractual penalties, or legal proceedings

• Financial risk: mistakes that can result in a financial loss

• Operational risk: incorrectly or insufficiently performed business processes can result in delays in delivery, production, or similar processes, resulting in fines, contractual penalties, or unsatisfied customers

Page 13: SAP - Authorization Concept

The risk levels

• High risk: tasks requiring extremely high protection. Controls are conducted prior to execution of the business processes, not only after their results are known.

• Medium risk: tasks requiring medium protection. The expected damage amount is noticeable for the enterprise.

• Low risk: tasks requiring low protection. Posed by all business processes that do not entail critical workflows or results for the enterprise.

Page 14: SAP - Authorization Concept

The risk valuation

• Identify all major risks, prioritize their examination, and assign appropriate controls.

• Risks are assigned to a business process and reviewed with enterprise staff members against specific criteria. A risk is classified by risk category and risk level: risk categories define the type of underlying risk and the amount of loss, while risk levels describe the degree of criticality.

• Determining the likelihood of occurrence of a risk enables you to define the specification of the control.

• Risk index: occurrence likelihood x amount of loss

Page 15: SAP - Authorization Concept

The risk valuation matrix

Risk | Business process | Risk category | Risk level | Annual likelihood of occurrence | Amount of loss | Annual amount (occurrences x amount of loss)

A | Purchasing | Operational | Medium | Occurrences | $ | $

C | Purchasing | Financial | High | Occurrences | $ | $

B | Purchasing | Regulatory risk | High | Occurrences | $ | $

… | … | … | … | … | … | …

N | Sales | Operational | Low | Occurrences | $+ | $$+

… | … | … | … | … | … | …

Page 16: SAP - Authorization Concept

Control categories (3rd step)

• Automatic controls

• Configurable controls

• Functional separation – application security

• Access protection – application security

• Reporting controls

• Guidelines

• Instructions

Page 17: SAP - Authorization Concept

Control types (3rd step)

• Preventive controls: prevent or avoid faults from occurring, before the process has started.

• Detective controls: discover existing errors within a review process.

Page 18: SAP - Authorization Concept

The IBM phased model

1. Definition of global authorization guidelines

2. Definition of functions (roles)

3. Design of the high-level concept: task/function matrix

4. Design of the detailed concept: organization value matrix

5. Creation of user master records

6. Test: documentation and review

7. Realization: build of single roles and profiles (derivation) and composite roles

8. Definition of composite roles and realization of template roles

9. Definition of the support concept

10. Preparations for go-live: know-how transfer and training

11. Go-live support

12. Monitoring and review

Lanes in the diagram: Project Setup (internal and external guidelines), Authorization Administration, User Administration

Page 19: SAP - Authorization Concept

Recommended authorization model structure

Diagram: a Template Single Role carries the transactions (TA) and authorization objects; combined with Organizational Value Sets it yields Derived Single Roles (A), (B), (C), one per organizational unit, and Composite Roles bundle the derived single roles for assignment to users.
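The template/derived/composite structure in the diagram above, together with the organizational values from the enterprise-structure slides, as an added example (not code from the slides or from SAP): a template single role leaves organizational levels open, each derived role fills them from one organizational value set, and a composite role is checked the way an AUTHORITY-CHECK would. S_TCODE/TCD and M_BEST_WRK/ACTVT/WERKS are real SAP object and field names; the role names, plant values and transaction lists are constructed sample data.

```python
# Added example, not from the slides or SAP: the recommended structure, template
# single role -> derived single roles (one per organizational value set) ->
# composite role, plus an AUTHORITY-CHECK-style lookup. S_TCODE/TCD and
# M_BEST_WRK/ACTVT/WERKS are real SAP names; roles, plants and values are constructed.
from dataclasses import dataclass

ORG_LEVEL_FIELDS = {"BUKRS", "WERKS"}  # organizational levels left open in a template

@dataclass
class Authorization:
    obj: str      # authorization object, e.g. "S_TCODE"
    fields: dict  # field name -> set of permitted values ("*" = full authorization)

@dataclass
class SingleRole:
    name: str
    auths: list   # list of Authorization

def missing_org_values(template, org_values):
    """Org-level fields the template leaves open that the value set does not fill."""
    needed = {f for a in template.auths for f in a.fields if f in ORG_LEVEL_FIELDS}
    return needed - set(org_values)

def derive(template, suffix, org_values):
    """Derived single role: same transactions and objects, org levels filled from the
    unit's value set. A gap is an error: the alternative would be widening it to '*'."""
    gap = missing_org_values(template, org_values)
    if gap:
        raise ValueError(f"no organizational value set for {sorted(gap)}")
    auths = [Authorization(a.obj, {f: set(org_values[f]) if f in ORG_LEVEL_FIELDS else v
                                   for f, v in a.fields.items()})
             for a in template.auths]
    return SingleRole(f"{template.name}_{suffix}", auths)

def is_authorized(composite_role, obj, **required):
    """Like ABAP AUTHORITY-CHECK over a composite role (a list of single roles): one
    authorization for the object must cover every requested field value."""
    for role in composite_role:
        for a in role.auths:
            if a.obj == obj and all(f in a.fields and ("*" in a.fields[f] or v in a.fields[f])
                                    for f, v in required.items()):
                return True
    return False

# Constructed template: purchase-order transactions with the plant (WERKS) left open
TEMPLATE = SingleRole("Z_MM_BUYER", [
    Authorization("S_TCODE", {"TCD": {"ME21N", "ME22N"}}),
    Authorization("M_BEST_WRK", {"ACTVT": {"01", "02"}, "WERKS": {"$WERKS"}}),
])
```

Deriving with `derive(TEMPLATE, "A", {"WERKS": {"1000"}})` gives plant 1000 its own single role, and the check refuses plant 2000 for that role; assigning the template itself grants nothing at plant level, which is the point of keeping the organizational level open rather than setting it to `*`.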