Copyright © 2003 Americas’ SAP Users’ Group
Segregation of Duties (SOD)
Strategies, Techniques, and Tools
Christopher Lane, Manager – PricewaterhouseCoopers
Jeremy Stokeld, Sr. Associate – PricewaterhouseCoopers
Monday, May 19, 2003
Agenda
Security Overview
Elements of a Good Role Design
Maintaining the Standard
Q&A
Security Overview
Overview – The Security Key Concept
SAP Security Check → User Master Record → Profile → Authorizations and Field Values
Definition of Terms
User
Role (Activity Group) – container for authorization data
Transaction Code (tcode) – a task within SAP (~52,000+)
Field – element of data within a transaction; the control point
Object – template containing up to 10 fields (“uncut key”)
Authorization – a completed object, all field values filled in (“cut key”)
Profile – container of authorizations (ring of “cut keys”)
Profile Generator – tool to construct/generate profiles, tied to the USOBT_C and USOBX_C tables
Overview – The Authorization Concept
User Master Record (User)
Level 1: User ID Access
Level 2: Transaction Code Access (Role / Activity Group / Profile) – examples: SU01, MM01, SPRO
Level 3: Authorization Access (Authorization Object Field Values) – examples: M_MATE_NEU, S_TABU_DIS
Security Check Example
Tcode: F-43 – Enter Vendor Invoice
Authority Check 1:
  Object: S_TCODE
  Field: TCD = “F-43”
Authority Check 2:
  Object: F_BKPF_BUK – Authorization for Accounting Documents (by company code)
  Fields: ACTVT = “01” – Create
          BUKRS = “1000” – Company Code
Elements of a Good Role Design
Elements of a Good Role Design
Role-based vs. Manual Profiles
• User menus, tcode-controlled access
Tcode-based
• Not using asterisks or ranges
Task-based vs. Job-based
• What is the logical grouping of tcodes with minimal duplication and no segregation of duty conflicts?
Standardizing Control Points
• Which field-level security control points are we going to implement?
• What are the risks of not standardizing the control points?
Maintaining the Standard
Visibility
What can they really do?
• Sensitive Objects
• Sensitive Transactions
• Segregation of Duties
Tcode is only half the story!
Where did it come from?
• Role (Activity Group) or Manual Profile
• Cross-Pollination – e.g. F_BKPF_BUK is referenced in over 250 transactions
Tool Focus:
• Authorization Field-Level Analysis
• What-if Analysis
• Query (User Driven) vs. Detect (Automatic)
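The following is an added example, not code from the ASUG deck, from PwC or from any SAP tool. It puts the two slides above into running code: the two authority checks of the F-43 "Security Check Example" (S_TCODE, then F_BKPF_BUK with ACTVT and BUKRS), and the "Visibility" points that a tcode is only half the story, that an authorization may come from a role built for a different transaction (cross-pollination of F_BKPF_BUK), and that a what-if analysis should run before a role is assigned. The matching rules (an inclusive from/to range, a trailing asterisk as prefix wildcard) model standard SAP value handling in simplified form; the vendor-master side of the SOD rule (FK01, F_LFA1_APP), the role names, the users and the rule itself are constructed test data and are assumptions, not something the deck states.

```python
# Added example (not from the ASUG deck, PwC or SAP): a field-level model of the
# SAP authority check with an SOD test on top. S_TCODE, F_BKPF_BUK and the F-43
# checks follow the deck; FK01/F_LFA1_APP, the roles, users and rule are constructed.
from dataclasses import dataclass

@dataclass
class Authorization:
    """A 'cut key': one object with every field filled in, tagged with its origin."""
    obj: str
    fields: dict   # field -> tuple of values: exact, 'PREFIX*', '*' or (low, high)
    source: str    # role or manual profile it came from ("Where did it come from?")

def value_matches(allowed, wanted: str) -> bool:
    """SAP value semantics: (low, high) is an inclusive BT range, '*' matches all,
    a trailing '*' is a prefix wildcard, anything else is an exact match."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= wanted <= high
    if allowed.endswith("*"):
        return wanted.startswith(allowed[:-1])   # "*" -> prefix "" matches all
    return allowed == wanted

def authority_check(auths, obj, **required):
    """AUTHORITY-CHECK: pass if ONE authorization for obj satisfies every required
    field (fields are never combined across authorizations). Returns it, or None."""
    for a in auths:
        if a.obj == obj and all(any(value_matches(v, want) for v in a.fields.get(f, ()))
                                for f, want in required.items()):
            return a
    return None

# Constructed role catalogue: role -> [(object, {field: allowed values})].
ROLES = {
    "Z_AP_POST_1000": [("S_TCODE", {"TCD": ("F-43",)}),
                       ("F_BKPF_BUK", {"ACTVT": ("01", "03"), "BUKRS": ("1000",)})],
    "Z_AP_DISPLAY":   [("S_TCODE", {"TCD": ("F-43",)}),      # meant for display only
                       ("F_BKPF_BUK", {"ACTVT": ("03",), "BUKRS": ("*",)})],
    "Z_GL_POST_ALL":  [("S_TCODE", {"TCD": ("FB01",)}),      # same object, other tcode
                       ("F_BKPF_BUK", {"ACTVT": ("01",), "BUKRS": (("1000", "1999"),)})],
    "Z_VENDOR_MAINT": [("S_TCODE", {"TCD": ("FK01", "FK02")}),
                       ("F_LFA1_APP", {"APPKZ": ("F",), "ACTVT": ("01", "02")})],
}
USERS = {"ALICE": ["Z_AP_POST_1000", "Z_VENDOR_MAINT"],
         "BOB":   ["Z_AP_DISPLAY", "Z_VENDOR_MAINT"],
         "CAROL": ["Z_AP_DISPLAY", "Z_GL_POST_ALL", "Z_VENDOR_MAINT"],
         "DAVE":  ["Z_VENDOR_MAINT"]}

def user_auths(user, extra_roles=()):
    """Flatten a user master record (plus what-if roles) into tagged authorizations."""
    return [Authorization(obj, fields, role)
            for role in list(USERS[user]) + list(extra_roles) for obj, fields in ROLES[role]]

def can_run_f43(auths, bukrs):
    """The deck's two checks in order: S_TCODE, then F_BKPF_BUK 01 in the company
    code. Returns the authorizations that satisfied them, or None at first failure."""
    c1 = authority_check(auths, "S_TCODE", TCD="F-43")
    c2 = c1 and authority_check(auths, "F_BKPF_BUK", ACTVT="01", BUKRS=bukrs)
    return (c1, c2) if c2 else None

# Constructed SOD rule: each side lists alternative paths; a path is every object/
# field check that must pass. A real ruleset would iterate company codes; 1000 is fixed.
SOD_RULE = {
    "post_document": [[("S_TCODE", {"TCD": t}),
                       ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"})] for t in ("F-43", "FB01")],
    "maintain_vendor": [[("S_TCODE", {"TCD": "FK01"}),
                         ("F_LFA1_APP", {"APPKZ": "F", "ACTVT": "01"})]],
}

def can_perform(auths, paths):
    """Sorted source roles that together satisfy one path, or None."""
    for path in paths:
        hits = [authority_check(auths, obj, **req) for obj, req in path]
        if all(hits):
            return sorted({h.source for h in hits})
    return None

def tcode_only_conflict(user):
    """'Level 2' analysis: both tcodes present. This is only half the story."""
    a = user_auths(user)
    return bool(authority_check(a, "S_TCODE", TCD="F-43") and
                authority_check(a, "S_TCODE", TCD="FK01"))

def field_level_conflict(user, extra_roles=()):
    """'Level 3' analysis; extra_roles = what-if for a pending access request.
    Returns {side: source roles} when every side is satisfied, else None."""
    auths = user_auths(user, extra_roles)
    sides = {side: can_perform(auths, paths) for side, paths in SOD_RULE.items()}
    return sides if all(sides.values()) else None

def wildcard_findings(role):
    """Role-design check from the deck: flag asterisks and ranges in a role."""
    return [(obj, f, v) for obj, fields in ROLES[role] for f, vals in fields.items()
            for v in vals if isinstance(v, tuple) or v.endswith("*")]

if __name__ == "__main__":
    for u in USERS:
        print(u, tcode_only_conflict(u), field_level_conflict(u))
    print("what-if DAVE:", field_level_conflict("DAVE", ["Z_AP_POST_1000"]))
```

Three things the constructed data is arranged to show. BOB has the F-43 transaction code but only display (ACTVT 03) on F_BKPF_BUK, so the tcode-only check reports a conflict that the field-level check correctly rejects. CAROL's display role looks harmless on its own, yet the authority check for F-43 in company code 1000 succeeds using the F_BKPF_BUK authorization from Z_GL_POST_ALL, a role built for FB01; the check returns that authorization, so the report can name the role the access actually came from, and the same check for company code 2000 fails because the range stops at 1999. DAVE has no conflict today, and the what-if call shows the conflict that approving Z_AP_POST_1000 would create. The model deliberately leaves out SU24 check indicators, org-level fields beyond a single fixed company code, and manually built profiles; a production tool has to cover all of those.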
Ownership
Business Involvement?
• Why – It’s their data
• How – Visibility & Workflow Approvals
What is Security’s Role?
• Role Design, Maintenance, Control Optimization
Where is the Administrator’s True Value?
• System Watchdog
• Demand for Better Controls vs. Resource Allocation
Tool Focus:
• Automatic Request Routing
• Preventative Check – Forced vs. Optional
• Approver Presentation – Data vs. Information
Documentation
Change History
• Record of Action – What, Where, When, By Whom, Why
• Searchable Data – Saved e-mails rarely tell the whole story!
Meeting Audit Standards
• Identification of Controls
• Documentation of Testing
Tool Focus:
• Change History / Approval Record
• Mitigating Controls
Summary
Where is the control? It’s in the process!
• Visibility – current issues & change impact
• Ownership – approval, risk presentation
• Documentation – audit requirements
Tool Focus: What belongs in a tool?
Reality – When resources are strained, manual processes are the first to go.
Contact Info:
Christopher Lane, PwC Security, Manager
Phone: 713-870-6449
Email: [email protected]
Jeremy Stokeld, PwC Security, Sr. Associate
Phone: 713-501-5957
Email: [email protected]
Questions
Thank you for attending!
Please remember to complete and return your evaluation form following this session.
Session Code: 505