
Abstract

This article attempts to demystify the feature-rich SAP security functions, to demonstrate how they can cooperate to build a strong security posture, and how to avoid some classic pitfalls.

ERP systems continue to gain importance in the developed world, and while there are many alternatives to choose from (including competing vendors as well as open-source projects such as Compiere), SAP is a major force in this field. Over the years SAP established a rich security model, including infrastructure aspects such as secure networking and separation of production and non-production environments, but more importantly they also included all relevant Identity and Access Management aspects, as well as electronic signature aspects. As a result, a SAP customer today faces a wide range of potential safeguards to choose from, each with its own cost/benefit ratio. However, it is generally accepted that application-level security is in the end more important than infrastructure security. The SAP authorisation model is at the heart of application security in FI, CO, HR, MM etc. It evolved over the years from a fairly simple, profile-based model with capabilities towards today's model that includes identities, roles, profiles and fine-grained authorisation object management. Dedicated authorisation objects have been established for the different functional areas within SAP, and various additional software components both from SAP and from external vendors can assist with building and managing SAP authorisations. Those include e.g. Virsa FF/SAP GRC, Axl & Trax (ex-CSI) and more recently CA's ERCM. PwC also still maintains its own ACE review tool. Under the scrutiny of ever-increasing regulatory compliance requirements, a company has to make the right choices or will face expensive mistakes. In this article we address both the theoretical aspects of the SAP security model, including the authorisation model, and the more practical aspects, such as how to organise a SAP security project and how to tackle undesired side effects when implementing a real project.




Editor information

Norbert Pohlmann, Helmut Reimer, Wolfgang Schneider

Copyright information

© 2010 Vieweg+Teubner | GWV Fachverlage GmbH

Cite this chapter

Sel, M., Van Der Auwera, K. (2010). Demystifying SAP security. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2009 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9363-5_3

  • DOI: https://doi.org/10.1007/978-3-8348-9363-5_3

  • Publisher Name: Vieweg+Teubner

  • Print ISBN: 978-3-8348-0958-2

  • Online ISBN: 978-3-8348-9363-5
