All of the mentioned authorization issues can be easily remediated by conducting regular security reviews. Ignoring these issues or not attending to them on a regular basis can result in serious vulnerabilities.
Before SAP’s launch of their GRC tools, SAP Security Administrators used only a couple of transaction codes (T-codes) to audit and control security and [...]
SAP ERP systems are the core of many medium and large businesses these days. These systems administer Finance, Payroll, Customer Relationship Management, Human Resources and so on. Control of these systems is handled by a concept called SAP Authorizations (also referred to as authorizations or authorization objects). These authorizations establish what are referred to as [...]
What exactly is Enterprise Role Management? It is a conceptual extension of the original RBAC model beyond a single system to a cross-system, enterprise-level RBAC approach. Unfortunately, because of vendor marketing, everybody understands something different by Enterprise Role Management. For the sake of simplicity we will assume in this article that ERM is the practice [...]
Segregation of Duties, also called Separation of Duties (SoD), has been in the spotlight of public accounting firms since the beginning of the Sarbanes-Oxley regulations, specifically Section 404. Wikipedia describes it as: “the concept of having more than one person required to complete a task. It is alternatively called segregation of duties or, in [...]
An important policy issue with strong corporate governance implications in SAP-enabled enterprises is whether to permit the design of security roles containing embedded Segregation of Duties (SOD) violations. SAP best practice clearly recommends against it, and most companies prohibit the practice, believing it signals a lack of control. This paper agrees that SAP best practice [...]