We have been asked by a prominent utilities firm to thoroughly investigate their SAP environment to analyze access right risks down to the deepest access right objects.
Starting positions at the client:
- Hundreds of SAP users
- SAP ERP and IS-U modules
- Lots of internal development in the SAP environment
- Risks of custom transactions were never assessed
- SAP role contents were never reviewed at object level (data owners checked only the role level)
- IDM (Identity Management System) SOD matrix could not handle the access rights at object level
- This task required lots of manual work, involving critical internal experts and external consultants
The assignment was to pinpoint the riskiest areas, users, and roles, essentially creating an access risk map or heatmap. This would enable the firm to prioritize necessary changes to address the most significant risks cost-effectively. Minimizing the number of interviews was also a priority due to the client’s project workloads.
Initially, we provided a special software to collect the data, which selects the user and access right object data from their production system to check if there is no malicious code in the data collector, we provided that in source code. After the malicious code check, internal approvals, and tests by the client, they ran the code and gave the collected data for analysis (as there is an anonymization function, there were no privacy related issues).
Special software was provided in the initial phase to gather data, extracting user and access right object information from their production system. To ensure the absence of malicious code in the data collector, its source code was offered for analysis. Once internal approvals and tests had been conducted, the client executed the code and supplied the accumulated data for examination, with an anonymization function preventing any privacy concerns.
Subsequent to this, an analysis software, equipped with a special set of patterns, carried out a risk-based evaluation. These patterns were expanded with the client’s assessed custom transactions before any evaluation.
Based on the risk scoring outcomes, a single meeting was held at the client’s premises to discuss preliminary results and findings. Comprehensive final reports, encompassing graphs, detailed analysis, and recommended actions, were then produced, showcasing the most significant access right risks in terms of users and roles
The provided solution rendered highly accurate results with minimal errors, answering pivotal questions about risky users, roles, and access object elements. The client gained invaluable understanding regarding access right issues within their previously SAP environment.
Despite limited resources, they were able to efficiently address primary access risk issues. As per the client’s specifications, significant IT and business resources were spared, and extensive interviews were avoided. The entire project spanned roughly one month post-data collection, though this duration could vary based on the complexity of the initial risk scoring for custom transactions.
If you want to get an insight about the status of access rights in your SAP landscape in a very short timeframe, contact us here to get a free demo assessment.