What is SAP Security?
SAP Security is one of the most important components of SAP. Although SAP Security is considered a specialist's job, it is important that an organization's IT department knows about its basic implementation and does not have to depend on an expert for all the essentials. Organizations can take the maintenance of SAP Security in-house, and following our simple 10-step guideline for implementing SAP Security will help.
1. Align your SAP configuration settings with the policies of your organization
Your company should have an IT security policy that is in line with the mandatory software requirements, which could include things like minimum password length, password strength, the number of failed password attempts allowed, and so on. These parameters can be viewed in SAP using RSPFPAR.
2. Secure the generic accounts
SAP comes with plenty of generic user accounts that need to be taken in hand by the SAP Security team, and this should be done during the installation process itself. These user IDs must already be locked down by the time the installation is complete and the system has been set up.
3. Allocate wide-access profiles
An organization needs generic IDs for accessing SAP, in addition to a few generic profiles that provide complete access to the entire SAP system. However, the SAP Security team should allocate these only in the initial stages of installing and setting up the SAP system, and in emergency situations.
4. Provide support and access for the entire team
The SAP Security team has to build special profiles and user roles for each member of the support staff and for each team member working on a project. Project team members are given the SAP_ALL profile or a wide-access profile similar to SAP_ALL.
5. Segregation of duties and responsibilities in the organization
SAP is an integrated system in which sales, CRM, manufacturing, financials, accounting, inventory – every module – is integrated with the others. This presents great problems from the SAP Security point of view, as it is critical that crucial data does not fall into the hands of people with inadequate access or insufficient privileges. The management and monitoring of segregation of duties (SoD) is an incredibly important part of the SAP Security team's work. The probable SoD risks in how an organization does its business are determined, and compliance with the organization's rules is then embedded in the approval and provisioning of the access granted.
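As an added illustration (not part of the original article), the following Python script shows the kind of SoD conflict check described above, run over a constructed extract of role-to-transaction and user-to-role assignments. The user and role names are hypothetical; the transaction codes are standard SAP codes used only to make the rules concrete.

```python
"""Detect segregation-of-duties conflicts in SAP role assignments (added example)."""

# Constructed sample data: hypothetical roles mapped to the transaction codes
# they grant, and hypothetical users mapped to their assigned roles.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},   # create / change vendor master
    "Z_AP_INVOICE":      {"FB60", "MIRO"},   # post vendor invoices
    "Z_AP_PAYMENT":      {"F110"},           # run the automatic payment program
    "Z_DISPLAY_ONLY":    {"FK03", "FBL1N"},  # display vendor / vendor line items
}
USER_ROLES = {
    "JSMITH":       {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE"},
    "ACLERK":       {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},
    "SAP_ALL_TEMP": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE", "Z_AP_PAYMENT"},
}

# SoD rule set: two business functions that one person must not hold together,
# each expressed as the set of transaction codes that realise that function.
SOD_RULES = [
    ("maintain vendor master", {"FK01", "FK02"}, "post vendor invoice", {"FB60", "MIRO"}),
    ("post vendor invoice", {"FB60", "MIRO"}, "run payments", {"F110"}),
    ("maintain vendor master", {"FK01", "FK02"}, "run payments", {"F110"}),
]


def effective_tcodes(user):
    """Map every transaction the user can run to the roles that grant it."""
    grants = {}
    for role in USER_ROLES.get(user, set()):
        for tcode in ROLE_TCODES.get(role, set()):
            grants.setdefault(tcode, set()).add(role)
    return grants


def sod_conflicts(user):
    """Return one record per violated rule, naming the offending tcodes and roles."""
    grants = effective_tcodes(user)
    held = set(grants)
    conflicts = []
    for name_a, set_a, name_b, set_b in SOD_RULES:
        have_a, have_b = set_a & held, set_b & held
        if have_a and have_b:  # both sides of the rule are reachable
            roles = set().union(*(grants[t] for t in have_a | have_b))
            conflicts.append({"conflict": f"{name_a} vs {name_b}",
                              "tcodes": sorted(have_a | have_b),
                              "roles": sorted(roles)})
    return conflicts


def sod_report(users=USER_ROLES):
    """Users with at least one conflict, for the access-review meeting."""
    return {u: c for u in users if (c := sod_conflicts(u))}
```

The role list on each finding tells the reviewer which assignment to remove or which mitigating control to document; an SAP_ALL-style profile will trip every rule at once.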
6. Providing for emergency procedures and highly privileged account access
Determining organizational roles and responsibilities on a day-to-day basis is another important part of an SAP Security team’s work. Each of the access controls mandated for a member of the organization must be approved beforehand by the head of an SAP application support team or a similarly important authority. The emergency access procedures and processes involve tools like SAP GRC Super User Privilege Management (SPM).
7. Enable user access and housekeeping reviews
The SAP Security team must enable regular reviews of generic accounts, duplicate user IDs and password parameters, and conduct periodic reviews to check that the access granted is still appropriate.
8. Put change management procedures in place
The SAP Security team must put in place change management practices such as documentation and testing of all modifications, as well as thorough maintenance of audit trails of the business approvals required for every change.
9. Control access to functions that are considered sensitive
The SAP Security team must provide, only to those who need it, the access to maintain and create users and roles, to execute operating system commands, to transport objects and transactions, to create and change programs, to open or close systems during configuration and, lastly, the access required to debug programs, which allows a user to bypass authorization checks if required.
10. Allow for business ownership of the security processes
Lastly, the business must be able to exercise enough control over SAP Security in the organization. The business must determine the SAP Security levels and understand the implications of implementing them. The business must decide which employees are allowed access to a particular SAP module or function and which are not.