Chief Marketing Officer at ERP Maestro
5 Warning Signs that You Need an SAP Access Role Redesign
Everything seems to be running smoothly on the business end: invoices are paid on time, customers receive their goods as ordered. But beneath the surface, your organization is at risk. SAP access roles have bloated over time. What was once authority to create new vendors became a way to pay invoices, or a generic administration account sprung up and became a regular entry point for users who wanted to expedite customer orders or vendor payments.
Most users are not malicious, but bloated roles can pose a security threat nonetheless. Users with too many privileges can accidentally perform transactions or share sensitive data. Other users may share passwords just to get the job done quickly. The small percentage of malicious insiders, however, may have much more access than they need and are willing to exploit their privileges for their own personal gain – or to strike back at the company. No matter what type of insider is accessing the system, it might be time to take a serious look at your existing SAP access roles. Here are five warning signs that you need a role redesign.
User Responsibilities Have Changed Significantly, With Little Oversight
The first warning sign that you need an SAP access role redesign is what the users are accessing. As job responsibilities change, so do user privileges. However, employees that once primarily entered information like invoices or customer orders into the system may now be in charge of approving payments or shipments. While most users may harmlessly use this to expedite invoices, there is always the small percentage that may create phantom vendors and pay them, or change customer information without oversight.
Take the time to evaluate all user access to the system. Focus on the Principle of Least Privilege (PoLP), providing only the necessary level of access for users to do their jobs. Understand the jobs, tasks, and business functions that users perform, and limit roles to the transactions in business process procedures. Do not define roles by jobs, as this leads to access creep that will eventually expose the company to unnecessary risk.
Access Roles Do Not Have Appropriate Segregation of Duties
As part of poor role design, some users can perform a process from beginning to end. This is similar to user responsibilities bloating over time; once again, users can misuse the privileges they have. For example, one person might be able to order and receive goods – and then take those goods home. Very few, if any, users need that kind of end-to-end access. Ensure that user roles are designed so that users are able to perform only what is needed, which will provide a solid foundation for future role design.
There Is an SAP_ALL Account or Equivalent
There will be times when high-level employees need emergency access to the SAP system. However, a generic account assigned SAP_ALL, or something similar, is not the answer. These generic accounts provide too much access with no real accountability and must be removed from the system. There is no visibility into who is using the account and under what circumstances – a headache not only for SAP administrators but for internal auditors. Often, companies will set up these accounts to allow for manual emergency access, but with powerful “variant” transactions and little oversight, it can open up the organization to unnecessary risk. Instead of using these accounts, grant temporary access for users who need emergency access. Ensure that, after a specified period of time, the access is revoked to prevent unauthorized activity.
Role Structures Are Too Complex
Complex role structures come into play when risks are not considered as part of the design phase, as well as when users gain more access than necessary, whether through what was meant to be temporary or as their responsibilities changed. Roles were not maintained, or they were assigned by user rather than function. Users may have multiple role assignments, with additional unnecessary capabilities, rather than just the specific duties required added to their accounts. Changing these roles is often a slow, painful, manual process and requires extensive maintenance. As with bloated user accounts and roles with SoD issues, complex role structures require streamlining to ensure the roles only allow users to access necessary functions within the SAP system. Utilization data – that is, what users are actually doing in the system versus what they have permission to do – can help when simplifying and redesigning roles.
No Documented Processes Exist for Assigning or Removing Users
Most of the time, role design focuses heavily on the technical side but includes very little in the way of documenting the processes for assigning new user roles, changing user access privileges, or removing users from the system. In some companies, role design itself is not documented. Approval tracking may not be consistent; terminated users may still have access; and provisioning may be a slow, manual process.
Manual processes often are too slow to keep up with changes in employee turnover and job roles, and they can open up the organization to security risks. Documenting the process for provisioning and terminating users can open the door to automating the workflow, thereby speeding up the process, as well as helping to identify new risks and predict how the change to a role would impact the organization. Additionally, the overall design principles should be documented along with the appropriate processes for modifying the roles or creating new roles that will comply with the stated design.
An SAP access role redesign may seem daunting, but if any of these warning signs crop up in your organization, it’s absolutely necessary. Every organization sees user roles change, privileges added that can cause conflicts, complex role design, a lack of documented processes, and even the dreaded generic administrator accounts. Don’t wait until your organization’s vulnerabilities have already been exploited to thoroughly examine user roles and redesign them to shore up internal security.