
SAP Authorizations and

GRC

By:
Ravi B Hemanth

1 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Objectives

• Learn how a role is built up in SAP, what role-based access is and why it is important.
• Understand why security and Segregation of Duties (SoD) is important in SAP.
• Understand the business value and usage of the applications in the SAP GRC Access Control Suite.

Why is security important in SAP?

• Data theft and espionage is a growing crime; there are several examples where millions have been lost in damages.
• Intruders target user profiles with extended authorizations.
• Long-term damages include financial damages, image loss, declined stock, lawsuits and compliance violations.

Figures

• U.S. fraud costs were $52.6 billion in 2005.
• Intellectual property theft costs U.S. companies between $200 billion and $250 billion a year in sales.

Famous scandals

• Worldcom
  - Lost $127 billion in market value.
  - 24 000 people lost their jobs.
  - Share value fell from $62 to $0.20 in less than 3 years.
• Enron
  - Lost $19 billion in market value.
  - 5500 people lost their jobs.

Who are they?

[Photos: Paul Sarbanes and Michael Oxley]

Sarbanes-Oxley (SOX)

• In 2001/2002 large US companies like Enron or WorldCom went bankrupt.
• Their management had hidden and changed financial data and betrayed investors.
• In 2002 the Sarbanes-Oxley Act was made law to establish better controlling and accounting transparency.
• The strongest focus is on Internal Controls.

Why SOX?

• All companies that are registered on the NYSE/NASDAQ stock market must be compliant with SOX.
• Massive impact for large enterprises, which had to take measures to ensure internal control.
• SOX has generated thousands and thousands of hours of consultant work!
• There will be a similar law within the EU: "Euro SOX".

Segregation of Duties

• Definition:
  “Key duties and responsibilities in authorizing, processing, recording and reviewing official business transactions must be separated among individuals to reduce the risk of error or fraud”.
• Applied on our client:
  “One person should not control all stages of a process, a situation in which error or irregularities could occur without detection”.

SAP Security Concept for Roles and Authorizations

SAP example

[Diagram: Mr. Smith surrounded by the SAP modules Materials Management, Finance and Controlling, Production Planning, Sales and Distribution and Human Resources]

As a Financial Accountant, Mr. Smith probably has job duties that involve accessing components of the Finance and Controlling module (FI/CO).

Transactions

• A user performs tasks in SAP by entering transaction codes.
• A transaction code is a command that takes the user to a certain program in the SAP system.
• The term ”transaction” is usually used to refer to the program that is run when the corresponding transaction code has been entered.
• For example, the user enters the transaction code FB02 to run the transaction/program that is used to change documents in the general ledger.

Example: FB02

SAP Security model overview

User Master Record
  -> Authorization Profiles (Composite Profile or Simple Profile)
    -> Authorization
      -> Authorization Object
        -> Authorization field

User Master Record

Example of a User Master Record (columns):

User Name | Initial Password | User Group | User Type | Valid Dates | Authorization Profiles

Profiles

Composite Profile
  - Simple Profile A: Allow Display access to documents
  - Simple Profile B: Allow Change access to documents

Authorization Object

[Diagram: structure of an Authorization Object]

Authorization field

Data Dictionary: Data Element -> Authorization field -> Authorization Object

An authorization field refers to a data element in the Data Dictionary; authorization fields are grouped into an authorization object.

Authorizations

An authorization is one set of values for the fields of an authorization object:

Object name | Field | Value
S_TCODE     | TCD   | FB02    (authorization 1)
S_TCODE     | TCD   | FB03    (authorization 2)

Example authorization object: S_TCODE. Example authorization field: TCD. Example values: FB02, FB03.

Auth. Object check under transactions

[Table columns: Transaction | Object | Activity (Maintain / Display) | Company Code value]

FB02

Authorization check

ABAP/4 Code

    " Check whether the user may change (ACTVT '02') documents in the
    " company code entered on the selection screen (s_bukrs).
    " F_BKPF_BUK is the authorization object being checked.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'BUKRS' FIELD s_bukrs
             ID 'ACTVT' FIELD '02'.
    " sy-subrc is 0 only if one of the user's authorizations for the
    " object covers both fields; otherwise stop with an error message.
    IF sy-subrc <> 0.
      MESSAGE E002(ZI) WITH text-200 s_bukrs.
    ENDIF.

ST01: Trace Display

SAP Access Role concept

• Historically, users were given SAP access by direct assignment of Profiles, but to facilitate a more business-oriented access management, the role layer was added.
• Roles were added as an additional abstraction level, in order to facilitate authorization design.
• Compare to object-oriented programming instead of programming in machine language.

Access Hierarchy

Legend: U = User, C = Composite role, S = Single role, P = Profile, A = Authorization object, F = Field, V = Value

User (U): MR. SMITH
  -> Composite role (C): FINANCIAL ACCOUNTANT
    -> Single roles (S), e.g. GENERAL LEDGER JOURNALS MAINTAIN (a composite role holds several single roles)
      -> Profile (P), one per single role
        -> Authorization objects (A), e.g. S_TCODE
          -> Field (F): TCD
            -> Values (V): FB02, FB03
        -> further authorization objects ($.........) with their own fields ($........) and values (……)
Profiles

• Single roles hold a 1:1 mapping towards Profiles.

[Diagram] User MR. SMITH -> Composite role FINANCIAL ACCOUNTANT -> Single roles, e.g. GENERAL LEDGER JOURNALS MAINTAIN -> one Profile per single role

Single roles

• A Single Role corresponds to a Job task in the system, for example General Ledger Journals Maintain.

[Diagram] User MR. SMITH -> Composite role FINANCIAL ACCOUNTANT -> Single roles, e.g. GENERAL LEDGER JOURNALS MAINTAIN

Composite roles

• A Composite Role corresponds to a Job role in reality, for example Financial Accountant.
• All users in the SAP systems have at least one and usually several Composite Roles assigned to them.
• A Composite Role is a predefined collection of Single Roles that have a relation to each other, and that together give the necessary access for the user to fulfill a certain job role.

[Diagram] User MR. SMITH -> Composite role FINANCIAL ACCOUNTANT (technical name: RMUS_01_CCC01_FIN:0013)

PFCG: Role Maintenance

[Screenshot: the technical name for Financial Accountant in PFCG]

Single roles

Display Authorization Data

Display Authorization objects and values

Summary

• User master records, profiles, transactions, objects etc.: generic technical design in all SAP systems.
• Composite role/Single role concept: built-in possibilities in SAP that are used as best practice.

• How can the role concept be used to perform Segregation of Duties?
• … to be SOX compliant?

Sarbanes-Oxley (SOX) compliance and Segregation of Duties (SoD)

Sarbanes-Oxley and Segregation of Duties

• The Sarbanes-Oxley act (SOX) is intended to ensure the correctness of US companies’ accounting.
• One effect of SOX is referred to as the Segregation of Duties (SoD) directive.
• The SoD directive stipulates that no person must control several key steps in a connected process.

[Diagram: a connected process, one step per duty type]

Authorization          | Custody       | Record              | Control
Approve Purchase Order | Receive Goods | Enter Goods Receipt | Clear Vendor

What is the impact of SOX and SoD on Roles and Authorizations in SAP?

Access Control Systems

Mandatory Access Control (MAC)
• Access objects and users classified on a linear security scale (e.g. Level 1, Level 2, ...)
• If the user’s security permission ”level” exceeds that of the object’s, the user is granted access to that object
• Low maintenance

Discretionary Access Control (DAC)
• Each user is able to pass on the permissions he or she has to other users
• A user is given access to an object if he or she has been given access to it by another user
• There is commonly one user with irrevocable access to all access objects (e.g. root, administrator, ...)

Role Based Access Control (RBAC)
• Access is granted by assigning each user one or more access roles
• Each user is given access to the objects that his or her roles specify
• A user may be given access either by new roles or by changing a role that the user already has
• High versatility
Role Based Access

Role Architecture
• A library of roles must be built and maintained
• Principles must be established and followed for the role library to remain consistent

Role Provisioning
• Provisioning is the process by which users are given new roles
• Slow provisioning costs money in lost productivity

Both are governed by the SOX directives.

Role Architecture

Role Architecture

• No role must contain internal SoD risks
  - Control over several steps in a process would mean that no user could have this role

[Diagram: an Access Role that bundles the permissions "Enter Goods Receipt" and "Clear Vendor", i.e. two steps of the same process, and therefore carries an internal SoD risk]

Role Architecture

Role Based Access: Design Principles

• Each access role mapped to a job role
• Global template roles define action level security: ”what”
• Locally derived roles define data level security: ”where”

Access Roles vs. Job Roles

Role Architecture

• An access role is a role defined in the system; a job role is a real-world role
  - An access role contains all permissions needed to perform the tasks needed to complete the job role
  - Permissions = Actions + Data Access
• Benefit: Access roles are free from internal SoD risks (as long as job roles are)

User                          | Access role          | Permissions
(e.g. a financial accountant) | Financial Accountant | e.g. change G/L document, post G/L document
(e.g. a sales assistant)      | Sales Assistant      | e.g. create sales orders, change sales orders

Role Architecture

Action level security?

Data level security?

Role Architecture

• Action level security defines access to activities
  - In SAP, action level security can be thought of as access to transactions
• Action level security is specified on a global level
  - A financial accountant has the same access irrespective of the country in which he or she works

Access role template | Permissions
Financial Accountant | TCODE: FB01

Role Architecture

Data level security

Role Architecture

• Data level security defines access to data
  - Access to display/maintain certain company codes, sales organizations, plants, etc.
• Locally derived roles define data access

Global Template Role, e.g. Financial Accountant_Template:
  TCODE: FB01
  ACTVT: -
  BUKRS: -

Local Role, e.g. Financial Accountant_Sweden:
  TCODE: FB01
  ACTVT: 01
  BUKRS: 4200

Local Role, e.g. Financial Accountant_China:
  TCODE: FB01
  ACTVT: 01
  BUKRS: 6200
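As an added example (not from the slides): a small Python model of the template/derived-role split above and of the AUTHORITY-CHECK semantics from the ABAP slide, showing that the locally filled fields decide where an action may be performed, and that a check succeeds only when a single authorization covers every requested field. The role and user names, authorization objects and company codes are the slides' own; the Python structures, the `derive_role` rule that every open field must be filled, and the constructed second authorization are assumptions of this model.

```python
from typing import Dict, List, Set, Tuple

# One authorization = (authorization object, allowed values per field).
# SAP's '*' entry ("all values") is honoured by the check below.
Authorization = Tuple[str, Dict[str, Set[str]]]

# Global template role (slide: TCODE FB01, ACTVT -, BUKRS -): the action
# level is fixed, the organizational fields are left open for derivation.
FIN_ACCOUNTANT_TEMPLATE: Dict[str, Dict[str, Set[str]]] = {
    "S_TCODE":    {"TCD": {"FB01"}},
    "F_BKPF_BUK": {"ACTVT": set(), "BUKRS": set()},
}

def derive_role(template: Dict[str, Dict[str, Set[str]]],
                local_values: Dict[str, Set[str]]) -> List[Authorization]:
    """Build a locally derived role: keep the template's action-level values
    ("what") and fill every open field with local data-level values ("where").
    An open field without a local value is an error, so no derived role can
    be shipped with an unintentionally empty organizational level (assumed rule)."""
    auths: List[Authorization] = []
    for obj, flds in template.items():
        filled: Dict[str, Set[str]] = {}
        for fld, vals in flds.items():
            if vals:
                filled[fld] = set(vals)
            elif fld in local_values:
                filled[fld] = set(local_values[fld])
            else:
                raise ValueError(f"{obj}-{fld} left open in derived role")
        auths.append((obj, filled))
    return auths

def authority_check(user_auths: List[Authorization], obj: str, **required: str) -> int:
    """Mimic AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2:
    returns 0 (sy-subrc = 0) if ONE authorization for the object covers
    EVERY requested field, otherwise 4. Fields are never satisfied by
    combining values from different authorizations."""
    for auth_obj, flds in user_auths:
        if auth_obj != obj:
            continue
        if all(fld in flds and (val in flds[fld] or "*" in flds[fld])
               for fld, val in required.items()):
            return 0
    return 4

# Derived roles from the slide: same template, different company codes.
FIN_ACCOUNTANT_SWEDEN = derive_role(FIN_ACCOUNTANT_TEMPLATE, {"ACTVT": {"01"}, "BUKRS": {"4200"}})
FIN_ACCOUNTANT_CHINA = derive_role(FIN_ACCOUNTANT_TEMPLATE, {"ACTVT": {"01"}, "BUKRS": {"6200"}})

def mr_smith() -> List[Authorization]:
    """Constructed user: Mr. Smith holds only the Swedish derived role."""
    return list(FIN_ACCOUNTANT_SWEDEN)

def program_fb02_check(user_auths: List[Authorization], bukrs: str) -> int:
    """The ABAP snippet from the slides in this model: FB02 checks
    F_BKPF_BUK with ACTVT '02' (change) for the selected company code."""
    return authority_check(user_auths, "F_BKPF_BUK", BUKRS=bukrs, ACTVT="02")

if __name__ == "__main__":
    smith = mr_smith()
    print(authority_check(smith, "S_TCODE", TCD="FB01"))                   # 0: may start FB01
    print(authority_check(smith, "F_BKPF_BUK", BUKRS="4200", ACTVT="01"))  # 0: post in 4200
    print(authority_check(smith, "F_BKPF_BUK", BUKRS="6200", ACTVT="01"))  # 4: wrong company code
    print(program_fb02_check(smith, "4200"))                               # 4: no change activity
    # Constructed: a second authorization (6200, display only) does not merge
    # with the first one into "post in 6200".
    two = smith + [("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"6200"}})]
    print(authority_check(two, "F_BKPF_BUK", BUKRS="6200", ACTVT="01"))    # 4
```

The last check is the one reviewers most often get wrong when reading a role by hand: two authorizations for the same object are evaluated separately, so their values do not combine.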

Role Provisioning

Role Provisioning

• No person must be given roles that give access to several steps in a connected process

Segregation is possible by process or by geography.

[Diagram] Mr. Smith holds the access role Financial Accountant Sweden. Adding a further access role:
• Security Advisor Sweden: OK (process separation)
• Billing Administrator Sweden: SoD risk
• Billing Administrator Norway: OK (geographic separation)

Role Provisioning

Traditional
• User admin team grants access based on line manager demands
• Access applied for on an as-needed basis
• User admin team responsible for security while business is trying to operate

Role Based Access
• Role provisioning flow controlled entirely by business
• Access applied for on a job role basis
• Business is responsible for maintaining security and operational effectiveness

Role Provisioning

Role provisioning process

Role Provisioning

• Role provisioning flow controlled entirely by business
• Business is responsible for maintaining both security and operational effectiveness
• Access applied for on a job role basis

Process: Application -> Business approval -> Security approval -> Assignment

Role Provisioning

Why is a business approval needed?

Role Provisioning

• SOX requires that a valid business reason for the order must exist
  - Verify that the requested role matches the actual personal identity and job role
  - Verify that the end-user has a need to know the information that will be available via the role

Business approval

Role Provisioning

Security approval

Role Provisioning

• The security approval checks that no SoD risks appear for the user and that no unnecessary critical access is granted:
  - Verify that no SoD risks appear for the user
  - Verify that the user is not given access to unnecessary critical actions (create users, change roles, etc.)
  - Verify that the user is not given access to display sensitive data (financial statements etc.)

Security approval

SOX audits

SOX Audits

• What SoD risks do you have?
• Do you have proof that all access is properly authorized?
• How do you ensure the consistency of your roles?
• How are sensitive activities monitored?

SAP GRC Suite

VIRSA systems

• In April 2006, SAP bought VIRSA systems and started transforming the VIRSA suite into SAP GRC
• VIRSA stands for “Versatile Innovative Risk and Security Administration”
• US company, founded in 1996
• Today more than one million end users are subject to compliance at more than 170 customers worldwide
• Major references (Vodafone, IBM, Unilever, Panasonic, BASF, Boeing, Burger King, Sony, Nortel, Siemens, Gillette)
• Virsa provides the only solutions that monitor and enforce business controls in real time across enterprise systems
• Virsa is the global leader in cross-enterprise compliance solutions
• The company is privately funded with venture investment from SAP Ventures, Kleiner Perkins Caufield & Byers, and Lightspeed Venture Partners.

GRC Suite

SAP GRC Suite overview

[Diagram] The suite components and how they relate to access in SAP:
• Access Enforcer (the online ordering tool)
• Role Expert
• FireFighter (writes the FireFighter logs)
• Compliance Calibrator
A connection between the components is possible.

GRC Suite

[Diagram: suite layers, top to bottom]

Cross Enterprise Risk Management: Enterprise Portals, Risk Manager

Provisioning: Access Enforcer | Superuser access control: Firefighter | Fail-safe risk prevention: Risk Terminator | Role management: Role Expert

SoD analysis, critical transaction monitoring and preventive simulation: SAP Compliance Calibrator by Virsa Systems

Compliance Calibrator

Compliance Calibrator

/VIRSA/ZVRAT

Compliance Calibrator

• Part of the SAP GRC Suite
• Core application of the suite
• Uses the ERP Risk Framework (within the ”Rule Architect”) for SoD risk analysis of users
• SAPgui based (4.0, current version)
• Web based NetWeaver (5.2, release Q3 2007)

Compliance Calibrator

• Source of the ERP risk framework used for all SoD analysis
• Is used to monitor users, roles, risks and mitigation controls
• Compliance Calibrator increases visibility regarding SoD and assists in managing risks and users

Compliance Calibrator

Risk Definition

Compliance Calibrator
Rule Architect

Compliance Calibrator

Selection Screen (Cockpit)

Compliance Calibrator

User Analysis

Diagram: each risk definition (Risk definition 1, Risk definition 2) is a combination of conflicting functions (Function A, Function B, Function C), and each function is a set of transactions. A user whose assigned transactions cover every function of a risk definition is flagged (User X: Risk); a user who holds transactions from only some of the functions is not (User Y: No risk).

Compliance Calibrator
Risk Report

Access Enforcer

Access Enforcer:

Purpose
 Used primarily to perform segregation of duties (SoD) analysis before roles are approved and assigned to users.
 Shorter lead times for role assignment lead to significant business improvements; the user administration steps themselves can be fully automated.
 The tool enforces the role approval process and ensures that SoD checks are performed and that identified risks are mitigated, all before the role is assigned.

Access Enforcer:

Business value
 Facilitates SOX compliance from an SAP security perspective.
 Increases the accuracy of SAP user authorizations and adheres to the GAC principles.
 Reduces maintenance costs for SAP user administration.
 Reduces lead times for role assignment, which leads to significant business improvements.
 Reduces security audit costs for SAP environments.

Access Enforcer:

User administration process

 The purpose of a User Administration Process is to assign roles to, and remove roles from, SAP user accounts.
 An online ordering tool and Access Enforcer ensure that the proper approval for every request is obtained and that all assigned roles comply with the security policy.

Access Enforcer:

Order process

All orders for access to IT applications are managed via an online ordering tool.

Access Enforcer:
Requests for approval
 The first approver in the workflow receives the request that was placed in the online ordering tool.

Access Enforcer:
Roles included in the order

Access Enforcer:
Risk Analysis

 When the approver clicks Risk Analysis, Access Enforcer runs an analysis on the user's current roles in combination with the new roles that were ordered.
 In fact, Access Enforcer makes a call to Compliance Calibrator, where the SoD risk framework is stored.
 Compliance Calibrator runs the analysis and returns the result.

Access Enforcer:
Risk Analysis result

The risks are listed with a Risk ID, Risk Description and Status.
SoD risk: FB01 and ME21

Access Enforcer:

Risk simulation

 Now we can uncheck Financial Accountant and simulate the risks without that role.
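The user analysis shown earlier under Compliance Calibrator (risk definition, function, transaction, User X / User Y) and the Access Enforcer risk analysis and simulation described on these slides reduce to a small set-based check: a function is held when the user can execute one of its transactions, and a risk fires when every function of the risk definition is held. The following Python is an added example, not code from the slides or from SAP/Virsa. FB01 and ME21 are the two transactions named on the slide "SoD risk: FB01 and ME21" and "Financial Accountant" is the role unchecked in the simulation; the function IDs, risk IDs, role contents, user IDs and the transactions F-53 and ME23 are assumptions made for the example.

```python
"""SoD user analysis and preventive simulation over a constructed rule set.

Model (simplified from Compliance Calibrator): a function is a set of
transaction codes, a risk definition is a set of conflicting functions, a
role is a set of transactions, and a user's effective transactions are the
union over the user's roles. The real tool also evaluates the authorization
objects behind each transaction; this example checks S_TCODE level only.
"""

# Constructed rule set (example data, not SAP's delivered rule set).
FUNCTIONS = {
    "PR01": {"ME21"},   # create purchase order (ME21 is on the slide)
    "FI01": {"FB01"},   # post FI document (FB01 is on the slide)
    "AP01": {"F-53"},   # post vendor payment (assumed transaction)
}

# risk id -> (description, functions that must not be held together)
RISKS = {
    "P001": ("Create purchase order and post FI document", {"PR01", "FI01"}),
    "P002": ("Create purchase order and pay vendor", {"PR01", "AP01"}),
}

# Constructed roles; ME23 (display PO) is an assumed harmless transaction.
ROLES = {
    "Purchaser": {"ME21", "ME23"},
    "Financial Accountant": {"FB01", "F-53"},
}

# Constructed users: USERX holds both roles, USERY only one.
USERS = {
    "USERX": {"Purchaser", "Financial Accountant"},
    "USERY": {"Purchaser"},
}


def effective_tcodes(role_names):
    """Union of the transactions granted by the given roles."""
    tcodes = set()
    for name in role_names:
        tcodes |= ROLES[name]
    return tcodes


def functions_held(tcodes):
    """Map each function the user can execute to the transactions that triggered it."""
    return {fid: fn & tcodes for fid, fn in FUNCTIONS.items() if fn & tcodes}


def analyse(role_names):
    """Risk report for a role combination.

    Returns {risk_id: {function_id: {matching transactions}}} for every
    risk whose functions are all held; an empty dict means 'No risk'.
    """
    held = functions_held(effective_tcodes(role_names))
    report = {}
    for rid, (_desc, fids) in RISKS.items():
        if fids <= set(held):
            report[rid] = {fid: held[fid] for fid in sorted(fids)}
    return report


def analyse_user(user_id):
    """User analysis: run the risk check against the user's current roles."""
    return analyse(USERS[user_id])


def simulate(role_names, add=(), remove=()):
    """Preventive simulation: risks after a proposed role change, without applying it."""
    proposed = (set(role_names) | set(add)) - set(remove)
    return analyse(proposed)


if __name__ == "__main__":
    for uid in USERS:
        report = analyse_user(uid)
        print(uid, "Risk" if report else "No risk", sorted(report))
    print("USERX without Financial Accountant:",
          simulate(USERS["USERX"], remove={"Financial Accountant"}))
```

Running the block reports USERX with risks P001 and P002 and USERY with no risk; the simulation that drops Financial Accountant from USERX returns an empty report, which is the outcome the approver is looking for on the next slide.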

Access Enforcer:
Risk Analysis result

Role Expert:
First approval step finished

What is Role Expert?

 Tool for documenting roles and authorizations.
 Web based application.
 Automates creation and management of role definitions.
 Role Expert enforces best practice to ensure that role definition, development, testing and maintenance are consistent throughout the implementation.

Role Expert functionality

 Track progress during role implementation.
 Monitor the overall quality of the implementation.
 Perform risk analysis at role design time.
 Set up a workflow for role approval.
 Provide an audit trail for all role modifications.
 Maintain roles after they are generated to keep role information current.

Role Expert:
Search screen

Enter TMUS*. (TMUS is the technical name prefix of the single roles in the system called MUS.)

Role Expert:
Search results

Role Expert:
Role definition

Role Expert:
Add transactions

Role Expert:
Company mapping

FireFighter

FireFighter

Summary

SAP uses a complex structure to manage authorizations:
 Fields
 Objects
 Profiles
 Roles

Role Based Access (RBAC) is required to fulfil the roles and authorization requirements of large organizations:
 Globally governed role architecture
 Business controlled role provisioning

The Sarbanes-Oxley act (SOX) imposes requirements on companies' management of roles and authorizations:
 Segregation of Duties (SoD)
 Business approvals
 Audit trails

To manage compliance SAP offers the GRC Suite:
 Compliance Calibrator (SoD)
 Access Enforcer (Role provisioning)
 FireFighter (Critical access)
 Role Expert (Role architecture)