We were asked by a prominent utilities firm to thoroughly investigate their SAP environment and analyze access right risks down to the deepest access right objects.

Starting position at the client:
- Hundreds of SAP users
- SAP ERP and IS-U modules
- Lots of internal development in the SAP environment
- Risks of custom transactions were never assessed
- SAP role contents were never reviewed at object level (data owners checked only the role level)
- IDM (Identity Management System) SOD matrix could not handle the access rights at object level
- This task required lots of manual work, involving critical internal experts and external consultants
We were asked to identify the riskiest areas, users, and roles as a kind of access risk map or heatmap. This was meant to ensure that their staff would make only the most necessary changes first, so that the biggest risks could be handled cost-effectively. Minimizing the number of interviews was also important due to their project workloads.
In the first part of our work, we provided special data collection software that selects the user and access right object data from their production system. So that the client could check that the data collector contained no malicious code, we provided it as source code. After the check, internal approvals, and tests by the client, they ran the code and gave us the collected data (as there is an anonymization function, there were no GDPR-related issues).
After that, we ran analysis software that performs a risk-based evaluation using a special set of patterns. Before the evaluation, this set of patterns was extended with the client's assessed custom transactions.
Based on the risk scoring results, we held only one meeting at the client to present and discuss our initial results and findings. After that, we created the final reports (containing graphs, lists with analysis, and proposed actions) that presented the highest access right risks for the organization in terms of users and roles.
The whole solution we gave them provided very reliable results with a low error rate. The results answer questions such as who the riskiest users are (in terms of technical users, IT admins, or business users), which roles include the riskiest access object elements, and so on.
Based on our results, the client gained valuable insights into the access right issues in their SAP environment (the previous “black box” became a “white box” for them!). With their limited resources, they could effectively address the biggest issues regarding access risks. As requested by the client, we did not use significant IT and business resources, and did not have to conduct extensive and lengthy interviews. The whole timeframe of the work was approx. 1 month after data collection (this can be more if the initial risk scoring of the custom transactions requires more effort).
If you want to gain insight into the status of access rights in your SAP landscape in a very short timeframe, contact us here to get a free demo assessment.