We were asked by a financial organization to help them restructure all their SAP roles down to the deepest access object level, to meet the need-to-know (least privilege) principle and to prevent the fraud, misuse and errors that unnecessary rights make possible.
Starting positions:
- Hundreds of SAP users
- SAP ERP and BW
- Lots of internal development in the SAP environment
- Access right risks have been previously detected and reported by us
- Data owners did not know the exact meaning of the access object levels
- The client did not want to reorganize the current business processes
- Restructuring had to be based on the real access right usage of the users
- The client wanted us to minimize the IT or business process interviews to preserve their internal resources for other tasks
- The previous vendor had failed in the restructuring (due to many but inefficient user interviews, lack of a proper software tool, lack of user behavior information, etc.)
We took part in the restructuring of the roles and offered our software-based methodology to save the client resources. In our approach we collected the users' access right data and compared it with the real usage of those rights. For both parts of the task we used our own software tools, the data collector and the analyzer (the data collector was handed over to the client in source code so they could review it for malicious code).
We collected data as described above, then requested and analyzed the user activity data. Thanks to the software-supported analysis we came to the interviews already knowing the user behavior in the different organizational units, and only had to ask about the problematic elements. In this way we could minimize the number, the participants and the length of the required interviews. These interviews gave us enough information to propose the new roles and their contents. The planned roles were reviewed and accepted by the data owners; to support their final decisions we could advise them on the risk level of the individual transactions or access objects.
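The core of the analysis step described above, as an added illustration that is not the engagement's own tool: each object a role grants is compared with what the role's holders actually exercised, so that only the ambiguous items go to an interview. Role names, user ids, authorization objects and usage sets below are constructed sample data, and the `keep`/`review`/`drop` thresholds are assumptions.

```python
from collections import Counter

# Constructed sample data (not the client's): objects granted per role in an
# "object" or "object:value" notation, role assignments, and the objects each
# user actually exercised during the observation window.
ROLE_GRANTS = {
    "Z_FIN_AP": {"F_BKPF_BUK", "F_LFA1_APP", "S_TCODE:FB60",
                 "S_TCODE:FB65", "S_TCODE:SE16"},
    "Z_FIN_GL": {"F_BKPF_BUK", "F_SKA1_BUK", "S_TCODE:FB50", "S_TCODE:SE16"},
}
USER_ROLES = {
    "u1": {"Z_FIN_AP"}, "u2": {"Z_FIN_AP"}, "u3": {"Z_FIN_AP"},
    "u4": {"Z_FIN_GL"}, "u5": {"Z_FIN_GL"},  # u5 shows no activity at all
}
USAGE = {
    "u1": {"F_BKPF_BUK", "F_LFA1_APP", "S_TCODE:FB60"},
    "u2": {"F_BKPF_BUK", "F_LFA1_APP", "S_TCODE:FB60", "S_TCODE:FB65"},
    "u3": {"F_BKPF_BUK", "F_LFA1_APP", "S_TCODE:FB60"},
    "u4": {"F_BKPF_BUK", "F_SKA1_BUK", "S_TCODE:FB50"},
}


def analyze_roles(role_grants, user_roles, usage, keep_ratio=0.5):
    """Per role: keep = used by >= keep_ratio of active holders,
    review = used by some but fewer (interview needed), drop = used by
    nobody. Holders with no recorded activity are reported as dormant and
    left out of the denominator so they cannot mask unused grants."""
    result = {}
    for role, grants in role_grants.items():
        holders = {u for u, roles in user_roles.items() if role in roles}
        active = {u for u in holders if usage.get(u)}
        hits = Counter(obj for u in active for obj in usage[u] & grants)
        keep, review, drop = set(), set(), set()
        for obj in grants:
            if hits[obj] == 0:
                drop.add(obj)
            elif hits[obj] >= keep_ratio * len(active):
                keep.add(obj)
            else:
                review.add(obj)
        result[role] = {"keep": keep, "review": review, "drop": drop,
                        "dormant": holders - active}
    return result


if __name__ == "__main__":
    for role, verdict in analyze_roles(ROLE_GRANTS, USER_ROLES, USAGE).items():
        print(role, {k: sorted(v) for k, v in verdict.items()})
```

Only the `review` items need a data owner's decision; `drop` items are the candidates that produce the kind of reduction reported below.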
Based on our final reports, the new, reengineered access roles could already be produced and tested by the client.
The result: after the new roles were put into the production environment, users did not report any shortcomings in their daily work, although they had significantly fewer (80% fewer!) access right objects in their profiles than before. The work took approximately two months.
As a result of the work summarized above, the incidents the client had previously experienced were eliminated. This saved the client significant resources and time at all levels of the organization. Our solution confirmed that prevention is the cheapest defense.