SAP Authorization Concept
As loose as possible but as restrictive as necessary
Meet enterprise goals without complicating your staff's day-to-day activities.
(Diagram: critical and non-critical transactions plotted against critical and non-critical data.)
SAP Authorization Concept
Background and approach to the authorization concept
• By no means a strictly technical job
• It is not just the responsibility of Basis support
• Much of the work has to be performed by project team members and enterprise staff members
• Because the SAP system currently features over 61,000 transactions, do not underestimate the effort required to develop an authorization concept
Authorization level approach
• At larger companies, especially global corporations, a more detailed approach is required.
• An authorization concept should always be tailored to a specific company.
• Company requirements are expressed as the relationship between transactions and authorization objects.
Transactions and Authorization Objects
• Transactions: a transaction corresponds to a function call that executes an SAP program. ~61,000 transactions.
• Authorization objects: protect access to a functional area or data area in the SAP system. ~900 authorization objects.
Transactions between Authorization Objects
Defining the enterprise structure (1st step)
(Diagram, example enterprise structure: Client; Controlling Area 1000; Company Code 1000; Credit Control Area 1000; Operating Concern 1041; Personnel Areas 1000 and 1100 with Personnel Subareas 1010, 1020, 1110 and 1120.)
Enterprise-relevant structure (What units are to be protected?)
(Diagram, organizational units that can be protected: Client; Controlling Area; Company Code; Purchasing Organization; Purchasing Groups; Sales Organization; Division; Production Plant; Distribution Plant; Distribution Channel; Storage Location.)
Authorization concept (2nd step: determining the risk environment)
As loose as possible, as restrictive as necessary
Factors for determining the risk environment
• Enterprise: risks that threaten your existence, wealth, finances or profit situation, by business unit/area, business process, or project
• Statutory regulations -> Corporate governance: countries have recently passed risk management laws to reduce the risk of corporate collapse; these regulations aim to implement risk-monitoring systems.
• Corporate governance -> Internal guidelines: internal auditing, external auditing, implementation of new systems/processes/guidelines (continuous improvement to prevent risks).
The risk sources (processes, areas, and so on)
• Enterprise processes that are not adequately secured can mean a potential loss of data, inventories, and assets. Examples:
  • Postings without a document
  • Inventory differences that are posted in an uncoordinated way
  • Uncoordinated changes to bills of materials
  • Deliveries without accounting documents
  • etc.
The risk categories
• Regulatory risk: possible violation of underlying laws that may result in fines, contractual penalties or legal proceedings
• Financial risk: mistakes that can result in a financial loss
• Operational risk: incorrectly or insufficiently performed business processes can result in delays in delivery, production, or similar processes, resulting in fines, contractual penalties or unsatisfied customers
The risk levels
• High risk: tasks requiring extremely high protection. Controls are applied before the business processes are executed, not only after their results are known.
• Medium risk: tasks requiring medium protection. The expected damage amount is noticeable for the enterprise.
• Low risk: tasks requiring low protection. Posed by all business processes that do not entail critical workflows or results for the enterprise.
The risk valuation
• The aim is to identify all major risks, prioritize their examination and assign appropriate controls.
• Risks are assigned to a business process and reviewed with enterprise staff members against specific criteria. Risks can be classified by risk category and risk level: risk categories define the type of underlying risk and the amount of loss, while risk levels describe their degree of criticality.
• Determining the likelihood of occurrence of a risk enables you to define the specification of the control.
• Risk index: occurrence likelihood x amount of loss
The risk valuation matrix

Risk | Business process | Risk category   | Risk level | Annual likelihood of occurrence | Amount of loss | Annual amount (occurrences x amount of loss)
A    | Purchasing       | Operational     | Medium     | Occurrences                     | $              | $
C    | Purchasing       | Financial       | High       | Occurrences                     | $              | $
B    | Purchasing       | Regulatory risk | High       | Occurrences                     | $              | $
...  | ...              | ...             | ...        | ...                             | ...            | ...
N    | Sales            | Operational     | Low        | Occurrences                     | $+             | $$+
...  | ...              | ...             | ...        | ...                             | ...            | ...
Control categories (3rd step)
• Automatic controls
• Configurable controls
• Functional separation – application security
• Access protection – application security
• Reporting controls
• Guidelines
• Instructions
Control types (3rd step)
• Preventive controls: prevent or avoid faults from occurring before the process has started.
• Detective controls: discover existing errors within a review process.
The IBM phased model
1. Definition of global authorization guidelines
2. Definition of functions (roles)
3. Design of the high-level concept: task/function matrix
4. Design of the detailed concept: organization value matrix
5. Creation of user master records
6. Test: documentation and review
7. Realization: build of single roles and profiles (derivation) and composite roles
8. Definition of composite roles and realization of template roles
9. Definition of the support concept
10. Preparations for go-live: know-how transfer and training
11. Go-live support
12. Monitoring and review
(Diagram: the phases run inside a project setup governed by internal and external guidelines.)
Authorization model structure recommended
(Diagram, labelled "Authorization Administration" and "User Administration": one template single role with its transactions (TA) and organizational value sets; from it, derived single roles (A), (B), (C), ... are generated, and the derived single roles are bundled into composite roles.)
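The template/derived/composite structure above, as an added example that is not part of the slides: a template single role leaves its organizational-level field open, each organizational value set produces a derived single role, and a composite role bundles derived roles; an SAP-style authorization check then runs against the composite. S_TCODE and F_BKPF_BUK are real SAP authorization objects, but the role names, company codes and value sets are constructed for illustration.

```python
# Added example, not from the slides: the recommended structure of a template
# single role, organizational value sets, derived single roles and a composite
# role. S_TCODE and F_BKPF_BUK are real SAP authorization objects; role names
# and organizational values are constructed for illustration.
from dataclasses import dataclass

ORG = "$ORG"  # template placeholder for an organizational-level field

@dataclass
class Authorization:
    obj: str      # authorization object, e.g. F_BKPF_BUK
    fields: dict  # field name -> frozenset of allowed values
# A single role is a list of authorizations; a composite role is a list of single roles.

def derive(template: list, org_values: dict) -> list:
    """Derive a single role: fill every $ORG field from one organizational
    value set; all other field values are copied unchanged from the template,
    so derived roles differ from the template only in organizational values."""
    derived = []
    for a in template:
        filled = {}
        for fname, values in a.fields.items():
            if values == frozenset({ORG}):
                if fname not in org_values:
                    raise ValueError(f"org field {fname} missing from value set")
                filled[fname] = frozenset(org_values[fname])
            else:
                filled[fname] = values
        derived.append(Authorization(a.obj, filled))
    return derived

def authorized(composite: list, obj: str, **check) -> bool:
    """SAP-style check: one authorization must cover every requested field
    value; a '*' value in a field matches anything."""
    return any(
        a.obj == obj and all(v in a.fields.get(f, ()) or "*" in a.fields.get(f, ())
                             for f, v in check.items())
        for single in composite for a in single
    )

# Template: post and display FI documents (FB01/FB03) in a company code left open.
TEMPLATE_FI_POST = [
    Authorization("S_TCODE", {"TCD": frozenset({"FB01", "FB03"})}),
    Authorization("F_BKPF_BUK", {"ACTVT": frozenset({"01", "02", "03"}),
                                 "BUKRS": frozenset({ORG})}),
]
ORG_SETS = {"A": {"BUKRS": ["1000"]}, "B": {"BUKRS": ["2000"]}}  # constructed
DERIVED = {k: derive(TEMPLATE_FI_POST, v) for k, v in ORG_SETS.items()}
COMPOSITE_FI_CLERK_1000 = [DERIVED["A"]]  # bundles derived single roles only
```

The derived role for value set A grants posting only in company code 1000, so a check for company code 2000 against that composite fails while the same check against a composite containing derived role B succeeds.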