Identifying (Critical) User Permissions in SAP with dab: AuthorizationAssurance
Everyone who works with SAP is aware of the need for different authorizations and may also know about their complexity. Most users have at some point tried to perform a transaction in SAP and been refused, or received a message saying that they do not have permission to perform a certain action.
The SAP system allows different users to perform different activities by assigning authorizations to them; these determine which actions a user can execute in the SAP system. Each authorization refers to an authorization object and, for each field of that object, defines one or more permitted values. The main purpose of assigning authorizations to users is to implement a role concept which protects the system from unauthorized access and from the execution of unauthorized transactions.
Some of the main activities which require special authorization are: creating an invoice, releasing an invoice, verifying an invoice, creating a purchase order, creating a sales order, changing an outbound delivery, etc. Even more significant are combinations of these authorizations which give a user critical permissions, such as creating, releasing and verifying an invoice.
Considering the significant role that SAP authorizations play in protecting transactions from unauthorized user access, dab: Daten - Analysen & Beratung GmbH has developed an analytic which identifies users holding certain authorizations. In practice this is not easily visible, as permissions are granted through roles and profiles. Over time this leads to confusing structures, because users' areas of responsibility change constantly.
The script in dab: AuthorizationAssurance extracts the relevant data and shows which users in the SAP system can access certain programs and data. The check is based on the minimum set of permissions required to perform an action; these sets are listed in a separate file and each is identified by a unique ID. This way, the analytic can match SAP permission settings to actions that can be performed in SAP very flexibly. Auditors can individually define what exactly should be checked, e.g. users able to post certain documents, critical combinations of permissions (post and release), or simply who holds a certain authorization.
dab: AuthorizationAssurance works by picking the necessary data from the relevant tables in the SAP system and combining them with the separate Authorization_Check file in which all the matching criteria are maintained. The table below shows one example of such permissions and of the combination that constitutes a segregation of duties conflict. First, all the objects, fields, and values needed to create a purchase order are listed and highlighted in blue; this "Purchase order - create" permission has Unique ID = 001. Next, the table lists all the objects, fields, and values required for releasing a purchase order, which fall under Unique ID = 002. Finally, in order to be able to both create and release a purchase order in SAP, all of the objects, fields, and values under Unique ID = 003 are required.
The required authorization objects with their fields and values are defined in this separate file. Internal experts can modify them quite simply to cover all system-specific customizations.
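One way to implement the matching described above, as an added example that is not dab's own code: action IDs map to the required (object, field, value) triples, a combination ID lists its component actions, and each user's granted values are matched with SAP-style wildcard and range semantics. The object and field names (S_TCODE/TCD, M_BEST_BSA/ACTVT, M_EINK_FRG/FRGCO), the required values and the users are illustrative assumptions constructed for this example.

```python
from fnmatch import fnmatchcase

# Constructed "Authorization_Check" definitions (assumed object/field/value
# triples, not dab's real file). 001 = create PO, 002 = release PO,
# 003 = the segregation-of-duties conflict formed by holding both.
ACTIONS = {
    "001": ("Purchase order - create",
            [("S_TCODE", "TCD", "ME21N"), ("M_BEST_BSA", "ACTVT", "01")]),
    "002": ("Purchase order - release",
            [("S_TCODE", "TCD", "ME29N"), ("M_EINK_FRG", "FRGCO", "01")]),
}
COMBINATIONS = {"003": ("Purchase order - create and release", ["001", "002"])}

# Constructed user authorizations as (object, field, low, high), mirroring the
# VON/BIS columns SAP uses to store field values; "" means no upper bound.
USERS = {
    "BUYER01":    [("S_TCODE", "TCD", "ME21N", ""), ("M_BEST_BSA", "ACTVT", "01", "03")],
    "APPROVER01": [("S_TCODE", "TCD", "ME29N", ""), ("M_EINK_FRG", "FRGCO", "01", "")],
    # Full wildcards on every field: the SAP_ALL-like case the page warns about.
    "ADMIN01":    [("S_TCODE", "TCD", "*", ""), ("M_BEST_BSA", "ACTVT", "*", ""),
                   ("M_EINK_FRG", "FRGCO", "*", "")],
    # A prefix wildcard quietly covers both ME21N and ME29N.
    "BUYER02":    [("S_TCODE", "TCD", "ME2*", ""), ("M_BEST_BSA", "ACTVT", "01", ""),
                   ("M_EINK_FRG", "FRGCO", "01", "")],
}

def value_granted(required, low, high=""):
    """SAP-style field match: '*' grants everything, a trailing '*' is a prefix
    wildcard, a set upper bound makes low..high an inclusive range, else exact."""
    if low == "*" or fnmatchcase(required, low):
        return True
    return bool(high) and low <= required <= high

def has_action(auths, action_id):
    """True if every required (object, field, value) of the action is granted."""
    return all(any(o == obj and f == fld and value_granted(val, lo, hi)
                   for o, f, lo, hi in auths)
               for obj, fld, val in ACTIONS[action_id][1])

def users_with_action(users, action_id):
    """Sorted list of users who can perform a single action ID."""
    return sorted(u for u, auths in users.items() if has_action(auths, action_id))

def find_conflicts(users):
    """Map each combination ID to the users holding all of its component actions."""
    return {cid: sorted(u for u, auths in users.items()
                        if all(has_action(auths, p) for p in parts))
            for cid, (_, parts) in COMBINATIONS.items()}
```

On the constructed users, `find_conflicts(USERS)` flags ADMIN01 and BUYER02 for 003: the wildcard grants are what turn two individually harmless roles into a conflict.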
The result of the analysis identifies all users with permission to perform the requested actions. It also gives a detailed list of permissions per user and other information such as department, user type, locks, etc.
The solution can be fully automated in the background. To run it, a valid license for Galvanize Robotics including the SAP Connector, for data extraction and data analysis, is required. The analytic's functions include:
- Comparison of the set of authorizations in the SAP system with about 600 predefined processes/critical combinations.
- Flexibility to define own processes/combinations
- Check for critical profiles, e.g. SAP_ALL or SAP_NEW, and identify the number of users per authorization conflict
- Option to include existing system-specific transactions ("Z" T-Codes)
- Enrichment of the results with user master and login data
- Identification of users with the highest number of authorization conflicts
- The highest number and average number of roles assigned per user
- The highest and average number of profiles assigned per user.
All the information can be presented in a more organized manner using visualizations, tables, and metrics. The storyboard below shows a few of the graphics which can be used to present the dab: AuthorizationAssurance results:
dab: AuthorizationAssurance identifies all users with specific rights and permissions in the SAP system. The analytic helps to control which users can access which data, perform which transactions, and administer the system. The solution's logic combines the data read from the relevant tables in the SAP system with the list of conflicts for the most critical permissions, which is maintained in an Excel file. dab: GmbH provides an automated solution which accesses the data, prepares it, analyses it, and presents the results in a storyboard.