Beruflich Dokumente
Kultur Dokumente
Segregation of Duties,
Sensitive Access &
Mitigating Controls
Jonathan Levitt
March 2015
Agenda
1. Introduction
2. SAP Security Design Overview
3. The SAP Authorization Concept
4. Approaches to SAP Security
5. Segregation of Duties & Sensitive Access
6. Mitigating Controls
7. Questions
PwC
March 2015
2
Objectives
At the end of the session, the participant will:
Gain an understanding of the SAP security environment and why security is important
to the audit;
Define and understand what a segregation of duties conflict in SAP is, and how to
monitor/address it; and
Define and understand mitigating controls.
PwC
March 2015
3
PwC
March 2015
4
2.
3.
PwC
March 2015
5
Security &
Provisioning
Processes
Org
Structure &
Governance
SAP Security
Architecture
Monitoring
Effective SAP
Security Design
Management
PwC
March 2015
6
Security &
Provisioning
Processes
Org
Structure &
Governance
SAP Security
Architecture
Management KPIs for Security Design
are not established
Lack of automation for ongoing
monitoring & recertification
procedures
Insufficient SoD and/or Mitigating
control frameworks
Misalignment of IT vs Business
Objectives
Lack of Strategic Security Design
Decisions
No Role or Security Design
Ownership
Effective SAP
Security Design
Management
PwC
March 2015
7
It is sometimes difficult for auditors to dig deep into SAP because security is complex:
In SAP ERP 6.0
o 108,000 transaction codes
o 2,600 authorization objects
Several transaction codes can perform similar tasks
PwC
March 2015
8
PwC
March 2015
9
Security &
Provisioning
Processes
Org
Structure &
Governance
SAP Security
Architecture
Monitoring
Effective SAP
Security Design
Management
PwC
March 2015
10
SAP Security
Architecture
The authorization concept is to help establish maximum security, sufficient privileges for
end users to fulfil their job duties, and easy user maintenance.
PwC
March 2015
11
User master
record
User requires valid
T-code check
User requires an
authorization for
transactions
Authority check
User requires an
authorization for
underlying
authorization objects
and field values
PwC
March 2015
12
Profiles
Container of authorizations
Roles
Authority Check
Authorization Object:
PwC
March 2015
13
To open the lock, the proper key must be cut specifically for
a certain lock
PwC
March 2015
14
System
Communication
Service
Reference
User
Role
Profile
Authorization
PwC
March 2015
15
Role
Profile
Authorization
PwC
March 2015
16
Role
Profile
PwC
Authorization
Authorization
Object
Authorization
Field Values
Authorization
Object Fields
March 2015
17
SAP Authorization
Structure
User
Role
Menu Items
USOBT_C
USOBX_C
(SU24)
Authorization
Data
PwC
Profile
Authorization
Authorization
Object
Authorization
Field Values
Authorization
Object Fields
March 2015
18
FK01
XK01
Conventional approach
protection via menu/function
Create Vendor
PwC
March 2015
19
S_TCODE
Start T Code
Field 1
TCD
Start T Code
FB03
Authorization check:
PwC
Object
F_BKPF_BUK
Display posting
Field 1
ACTVT
Display
Field 2
BUKRS
Company Code
03
1000
March 2015
20
PwC
March 2015
21
PwC
Task Based:
March 2015
22
AP
Supervisor
AP
Clerk
AP Manager
PwC
March 2015
23
What
User General
AR Common Display
Display
AP
Contract Maintenance
Where
PwC
FI Common Display
Process Billing
Organizational
Grouping - A
Vendor Master
Maintenance
Organizational
Grouping - B
User General
PwC
AP Common Display
Process Billing
Organizational
Grouping - A
March 2015
25
PwC
March 2015
26
PwC
March 2015
27
Example risk:
Example risk:
PwC
March 2015
28
PwC
March 2015
29
PwC
March 2015
30
PwC
March 2015
31
PwC
March 2015
32
Mitigating Controls
PwC
March 2015
33
Mitigating Controls
Introduction
Defining and applying Mitigating Controls
If violating access cannot be remediated as there is a legitimate business purpose for
access then mitigation is going to be required. Mitigating controls are designed to cover
the residual risk of a user having that access.
For example, if a business unit is too small to segregate duties in the purchasing
department and users must have the ability to create and approve purchase orders for the
business to function, the business may choose to establish a mitigating control to analyze
transactions by users with access to both sides of the SOD conflict to mitigate the risk:
Risk: A user can create and approve a fictitious PO.
Key Control: The ability to release (approve) and create purchase orders is
segregated.
Mitigating Control: Location supervisor analyze purchase orders entered into SAP
by the two Purchasing Clerks from the business unit
PwC
March 2015
34
Mitigating Controls
Considerations
Is the risk truly a risk for
compliance requirement?
Yes
No
Deactivate or
Switch to Low
Risk
Determine the
controls in place
that mitigate
Preventive
Detective
Scenario 1:
No intent to grant access.
Scenario 2:
Some Users Require
Access
Scenario 3:
Remediation of Access
Occurring
Scenario 4:
Detective Controls
Management intends to
enforce the SOD however
most users currently have
access as the business
processes require redesign
and/or the access
remediation.
March 2015
35
Questions?
This publication has been prepared for general guidance on matters of interest only, and does
not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty
(express or implied) is given as to the accuracy or completeness of the information contained
in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its
members, employees and agents do not accept or assume any liability, responsibility or duty of
care for any consequences of you or anyone else acting, or refraining to act, in reliance on the
information contained in this publication or for any decision based on it.
2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to
PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity.