For a long time, access to SAP applications has been governed by creating and modifying user roles. These are largely static, role-based controls and take a direct approach to granting access. Roles enable access and allow the execution of a certain set of transactions. Any user who needs access to specific data and transactions is assigned the respective roles.
However, the increasing number of security breaches and mounting compliance regulations have necessitated the enforcement of highly granular controls. But implementing these controls by creating new and unique roles will only increase complexity and make compliance much more difficult.
While roles are important to segregate user responsibilities and ensure users don’t have conflicting entitlements that could enable fraud, they fall short when it comes to implementing layered controls within the scope of the role’s entitlements.
SoD Enforcement: Though conflicts can be minimized when designing roles, users can still abuse privileges within their transaction limits. For example, a user authorized to issue Purchase Orders under $10,000 can still commit fraud as long as the POs are under the capped amount.
Data Change/Theft: Users who have access to data by virtue of their roles will always have access to that data regardless of the access scenario. For example, sales reps with access to annual sales figures can access them even when they are at client locations, which is not appropriate. The ability to modify such critical data or download it can pose a serious security concern.
Adjusting Entitlements Based on Regulations: With new regulations coming into effect frequently, manually modifying hundreds of roles can be tedious and error-prone. Making any regulatory change at the access level with role adjustments is a slow and time-consuming process. Any role misconfigurations could also result in heavy compliance fines.
Policy and Business Strategy Alignment: Enforcing policy decisions through roles is often challenging for security and compliance teams. Even a simple policy, like preventing payments after business hours, can be difficult. The only option is to completely cut off access after hours, which may not be feasible when attempting to maintain business continuity across various time zones.
The limitations of role-based access controls can be overcome by adding a layer of controls that work atop existing role entitlements. These controls, also known as attribute-based access controls (ABAC), can regulate access based on various contextual parameters. In theory, users will still have access to all data and transactions afforded by their roles, but the ability to view the data and execute the transactions will be tied to contextual attributes. The enforcement of these controls is driven directly by business, security, and compliance policies. The attributes can include:
ABAC uses contextual data to help drive policies at the data, field, and transaction levels. For example, access to HR master data can be granted only if the user is connected via a secure network. If the user is accessing the data remotely, the access can be denied, or all sensitive employee data can be masked.
Similarly, granular controls can be enforced based on the type of device, time, IP address, etc. This allows businesses to orchestrate fine-grained policies that enhance data security and implement compliance mandates across all SAP applications.
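The two-layer model described above (roles decide which transactions a user can reach at all; contextual attributes then decide whether a given call is permitted, denied, or returned with sensitive fields masked) can be shown as a small policy evaluator. The following is an added example written for this article, not Pathlock's or SAP's own code; the role names, transaction labels, field names, and the "corporate network", "managed device" and business-hours conditions are constructed assumptions chosen to mirror the HR master data and after-hours payment scenarios in the text.

```python
from dataclasses import dataclass, field
from datetime import time
from enum import Enum
from typing import Callable

# Layer 1: static role entitlements (constructed; hypothetical role and transaction names).
ROLE_ENTITLEMENTS = {
    "HR_ADMIN": {"DISPLAY_HR_MASTER"},
    "AP_CLERK": {"POST_PAYMENT"},
}


class Decision(Enum):
    DENY = "deny"
    PERMIT = "permit"
    MASK = "mask"      # permit, but with sensitive fields redacted


@dataclass
class Request:
    user: str
    roles: set
    transaction: str
    network: str             # "corporate" or "remote" (assumed attribute)
    device: str              # "managed" or "unmanaged" (assumed attribute)
    local_time: time         # caller's local time of day
    record: dict = field(default_factory=dict)   # data the transaction would return


@dataclass
class Policy:
    transaction: str
    applies: Callable[[Request], bool]   # contextual condition that triggers this policy
    effect: Decision
    masked_fields: tuple = ()            # only used when effect is MASK


# Layer 2: attribute-based policies layered on top of the role entitlements.
POLICIES = [
    # HR master data viewed off the corporate network: show the record, but mask PII.
    Policy("DISPLAY_HR_MASTER", lambda r: r.network != "corporate",
           Decision.MASK, ("salary", "bank_account", "national_id")),
    # HR master data from an unmanaged device: deny outright.
    Policy("DISPLAY_HR_MASTER", lambda r: r.device != "managed", Decision.DENY),
    # Payments only between 08:00 and 18:00 local time; access outside that window is denied
    # without having to remove the AP_CLERK role itself.
    Policy("POST_PAYMENT", lambda r: not (time(8) <= r.local_time < time(18)), Decision.DENY),
]


def evaluate(req: Request):
    """Return (decision, data). Roles gate reachability; attributes refine the outcome.
    Precedence among matching policies: DENY beats MASK, MASK beats PERMIT."""
    entitled = set().union(*(ROLE_ENTITLEMENTS.get(role, set()) for role in req.roles))
    if req.transaction not in entitled:
        return Decision.DENY, {}

    outcome = Decision.PERMIT
    masked = set()
    for policy in POLICIES:
        if policy.transaction != req.transaction or not policy.applies(req):
            continue
        if policy.effect is Decision.DENY:
            return Decision.DENY, {}
        if policy.effect is Decision.MASK:
            outcome = Decision.MASK
            masked.update(policy.masked_fields)

    data = {k: ("***" if k in masked else v) for k, v in req.record.items()}
    return outcome, data


# Constructed sample record used by the scenarios below.
SAMPLE_EMPLOYEE = {"name": "A. Example", "salary": 82000, "bank_account": "DE00 0000", "national_id": "X1"}


def hr_lookup(network: str, device: str, at: time = time(10, 0)):
    return evaluate(Request("hr01", {"HR_ADMIN"}, "DISPLAY_HR_MASTER", network, device, at,
                            dict(SAMPLE_EMPLOYEE)))


def post_payment(at: time, roles=frozenset({"AP_CLERK"})):
    return evaluate(Request("ap01", set(roles), "POST_PAYMENT", "corporate", "managed", at))


if __name__ == "__main__":
    for label, result in [("HR on-site", hr_lookup("corporate", "managed")),
                          ("HR remote", hr_lookup("remote", "managed")),
                          ("HR unmanaged", hr_lookup("remote", "unmanaged")),
                          ("Payment 20:00", post_payment(time(20, 0)))]:
        print(f"{label}: {result[0].value} {result[1]}")
```

The role check runs first so the ABAC layer can only narrow, never widen, what a role already grants; that ordering is what keeps the existing SoD design intact while the attribute policies add the contextual restrictions.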
Get in touch with our SAP security and compliance experts to learn how policy-driven access controls can enhance your SAP security and compliance.