Transparency Gone Too Far: Remediate Authorization Issues

Posted by admin on Mar 2nd, 2010 and filed under Authorizations & Access Control, Expert's Contribution.


All of the mentioned authorization issues can be easily remediated by conducting regular security reviews. Ignoring these issues or not attending to them on a regular basis can result in serious vulnerabilities.

Before SAP launched its GRC tools, SAP Security Administrators used only a couple of transaction codes (T-codes) to audit and control security and authorizations. These were among the first Security Objects created to manage SAP security. For example:

  • T-code SU01 to create users and also to check what roles and profiles a specific user has assigned to them.
  • The T-code PFCG (SAP Profile Generator) is used to check the authorization data for every role at a very granular level, thereby enabling you to spot any stray authorization object/field that shouldn’t be assigned to a role.
  • Using T-code SUIM gives you immediate access to a host of reports that will help you analyze and detect any security oddities; e.g. ‘Users with Unsuccessful Logons’.
  • All of these reports can be directly accessed using T-code SA38 (which should be readily available to an Administrator), and the report’s technical name, e.g.
  1. ‘Users by complex selection criteria – RSUSR002’, which is probably one of the most frequently used reports;
  2. ‘Display Profile Parameter – RSPARAM’ is another critical report used to check the current system parameters for an SAP system.

These are only a small subset of the manual checks and reports that need to be performed on a regular basis to ensure a secure SAP environment. These transaction codes offer a great deal of transparency into the inner workings of SAP, but at a cost: as mentioned previously, users with access to these codes have considerable power over the system and the organization it is connected with.

To help organize and maintain the transparency provided through these Objects, SAP created early tools like AIS (Audit Information System) to give auditors comprehensive control within a complex SAP environment. Using the pre-configured Business and System Audit roles, one can easily access a bevy of SAP application- and system-specific reports directly from the SAP user menu. All reports are categorized by business process and technical setting.

Companies should look for an integrated set of applications that work across the enterprise in real-time to automate processes around risk management, access management, compliance management and a host of controls for testing, monitoring and reporting. SAP GRC tools primarily address:

  • Risk management – use key risk indicator monitoring across the enterprise to help boost efficiency and optimize processes.
  • Process Control – enables you to monitor key controls for business processes to help ensure enterprise wide compliance as well as increase efficiency across the board.
  • Access Control – provides you with tools like Compliance Calibrator, used for easily detecting Segregation of Duties violations across the enterprise, along with Firefighter, which allows for easy management and logging of "super users" during crisis or emergency situations.
  • Global Trade Services – is a comprehensive platform to ensure compliance and effectively manage risk and cost when dealing with international trade.
  • Environment, health and safety management – integrated management of risks related to environment, health and safety; these tools help effectively ensure regulatory compliance.
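The manual review described above (checking which roles and transactions each user holds via SU01, PFCG and the SUIM/RSUSR002 reports) and the Segregation of Duties detection that Access Control automates can be illustrated with a small script. The following is an added example written for this article, not SAP's code or any GRC product's logic; the user/role/transaction export, the conflict rule and the list of sensitive transactions are all constructed assumptions for illustration.

```python
"""Constructed example: flag Segregation of Duties (SoD) conflicts and
sensitive transaction access in a user/role/transaction assignment export.
All data and rules below are constructed for this example."""
from collections import defaultdict

# Constructed export in the spirit of what SU01/PFCG/RSUSR002 show:
# (user, role, transaction code granted through that role)
ASSIGNMENTS = [
    ("ALICE", "Z_USER_ADMIN", "SU01"),
    ("ALICE", "Z_ROLE_ADMIN", "PFCG"),
    ("BOB",   "Z_AUDIT_RO",   "SUIM"),
    ("CAROL", "Z_BASIS_ALL",  "SA38"),
    ("CAROL", "Z_BASIS_ALL",  "SU01"),
    ("DAVE",  "Z_USER_ADMIN", "SU01"),
]

# Assumed SoD policy for this example: pairs of transactions one person
# should not hold together, with the reason an auditor would record.
SOD_RULES = {
    ("SU01", "PFCG"): "user administration combined with role maintenance",
}

# Assumed list of transactions that warrant justification and logging
# even without a conflicting pair (SA38 runs reports such as RSUSR002).
SENSITIVE_TCODES = {"SA38": "direct execution of reports via SA38"}


def roles_by_user_tcode(assignments):
    """Map user -> transaction -> set of roles that grant it."""
    index = defaultdict(lambda: defaultdict(set))
    for user, role, tcode in assignments:
        index[user][tcode].add(role)
    return index


def find_sod_conflicts(assignments, rules=SOD_RULES):
    """Return (user, tcode_a, roles_a, tcode_b, roles_b, reason) per hit,
    naming the roles so the conflict can be remediated in PFCG."""
    findings = []
    for user, tcodes in sorted(roles_by_user_tcode(assignments).items()):
        for (a, b), reason in rules.items():
            if a in tcodes and b in tcodes:
                findings.append((user, a, sorted(tcodes[a]),
                                 b, sorted(tcodes[b]), reason))
    return findings


def find_sensitive_access(assignments, sensitive=SENSITIVE_TCODES):
    """Return (user, tcode, roles, reason) for every sensitive transaction."""
    findings = []
    for user, tcodes in sorted(roles_by_user_tcode(assignments).items()):
        for tcode in sorted(set(tcodes) & set(sensitive)):
            findings.append((user, tcode, sorted(tcodes[tcode]), sensitive[tcode]))
    return findings
```

Running `find_sod_conflicts(ASSIGNMENTS)` flags ALICE, because Z_USER_ADMIN gives her SU01 while Z_ROLE_ADMIN gives her PFCG; `find_sensitive_access(ASSIGNMENTS)` flags CAROL's SA38 access through Z_BASIS_ALL.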

ERP security is a wide-ranging effort that requires a host of different tools to properly manage Roles, Authorizations and Passwords. Not managing these various security objects properly can result in data loss, financial loss and legal exposure.

However, the management tools that we have discussed are only one part of a truly comprehensive ERP security plan. Such a plan requires three main components:

  • Password Management
  • Identity Management
  • Roles and Authorizations Management
