10 SAP Implementation Steps
Look for the following, which should all be set to follow the organisation’s
predefined rules:
The most critical setup ID is the SAP* ID. Its status, along with that of other
generic IDs, can be checked using the SAP report RSUSR003.
The passwords of these generic IDs should be reset, and the high-privileged
profiles (SAP_ALL and SAP_NEW) should be removed. It is important to note
that the SAP* account can recreate itself with a default and commonly known
password when deleted. Accordingly, the SAP* account should be secured but
not deleted, and the system parameter login/no_automatic_user_sapstar should
be set to 1.
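As an added example, not part of the original document, the following Python helper checks the two points above against constructed sample data: whether login/no_automatic_user_sapstar is set to 1 in a profile fragment, and whether generic IDs still hold SAP_ALL or SAP_NEW in an RSUSR003-style user listing. The profile text, the user rows and the list of generic IDs (SAP*, DDIC) are assumptions made for the example.

```python
import re

# Constructed sample of an SAP instance/default profile ("parameter = value",
# '#' comments). The auto-recreation protection is deliberately left at 0.
SAMPLE_PROFILE = """\
# DEFAULT.PFL (constructed example)
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
login/no_automatic_user_sapstar = 0
"""

# Constructed (client, user, assigned profiles) rows, the kind of data an
# RSUSR003 review of the generic IDs produces.
SAMPLE_USERS = [
    ("000", "SAP*", {"SAP_ALL", "SAP_NEW"}),
    ("100", "SAP*", set()),
    ("100", "DDIC", {"SAP_ALL"}),
    ("100", "JSMITH", {"Z_FI_DISPLAY"}),
]

GENERIC_IDS = {"SAP*", "DDIC"}       # standard SAP accounts (assumed list)
HIGH_PRIV = {"SAP_ALL", "SAP_NEW"}   # profiles the text says to remove


def parse_profile(text):
    """Parse 'param = value' lines into a dict, ignoring comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w/]+)\s*=\s*(.*)", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def audit(profile_text, users):
    """Return findings for the SAP* hardening points; empty means all passed."""
    findings = []
    params = parse_profile(profile_text)
    if params.get("login/no_automatic_user_sapstar") != "1":
        findings.append("login/no_automatic_user_sapstar is not 1: a deleted "
                        "SAP* would reappear with the well-known password")
    for client, user, profiles in users:
        held = sorted(profiles & HIGH_PRIV)
        if user in GENERIC_IDS and held:
            findings.append(f"{user} in client {client} still holds {held}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_USERS):
        print("FINDING:", finding)
```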
To ensure support and project team users have been adequately restricted,
look for role specifications outlining the access requirements of these users
and a set of roles defined for each group. Broadly speaking, at a minimum,
roles defined for the following groups should be found:
Developers
BASIS Administrators
Functional / Configuration
A process should also be in place that confirms the roles are correctly
defined for the organisation’s needs.
Emergency access procedures, together with tools such as SAP GRC Super User
Privilege Management (SPM), can control and monitor the allocation and use
of high-privilege access.
The auditor may be able to provide a list of those functions that should be
more carefully restricted, such as the following:
Conclusion
The advice above covers only the rudiments of security in an SAP
deployment. However, exploring these elements is intended to demonstrate
that these SAP security basics are similar to those that should be found in
any well-controlled application security environment. Ultimately, SAP is just
another business application and, whilst the use of specialist SAP skills is
essential to getting things right the first time, it is also important that an
organisation’s IT security department embrace its responsibilities in the
SAP deployment and not defer all responsibility to SAP specialists.
The key is to remember that the CIO is accountable for the overall security
and compliance of the enterprise. At this level, there is little room for
distinction between general IT security, such as email, firewalls and Web
servers, and SAP security, which includes the control of how people access
the system, the data they process, and the functionality they execute.
Effective IT departments adopt a similar philosophy by viewing the IT
security picture in its entirety across the whole organisation, thereby
reducing the risk of breaches of any kind.