What you should know about SAP security (and what your auditors don’t know)

October 25, 2022

Audit controls are not the best way to identify risks coming from bad habits in the SAP system administration. 

As discussed in the previous posts, SAP system security is complex to define and manage, due to the high integration of the modules. This suggests that some of the risks are not observed due to the complexity of the system that comes from a security administration, which is not always well controlled (and is also less monitored).

Let me show you an example: transactions and authorisations that continue to be used by users, even though the termination of the roles has been flagged as expired.

How to detect such condition with CentinelBox: 

  1. Transactions used after the validity date 
  2. Verify that the processes described below have been executed on a daily basis in the Jobs Executed report.

How to solve this problem?

There are two ways of addressing this issue

1. By running the PFUD transaction and the PFCG_TIME_DEPENDENCY report, which also performs an adjustment to the user accounts in terms of the assigned privileges.

They perform similar tasks, in terms of adjusting the master data of user accounts with their privileges, which makes it possible to deny access to expired roles.

This action can be programmed with the PFCG_TIME_DEPENDENCY job (which requests the RHAUTUPD_NEW program) so that it is executed automatically through a JOB. 

In a simple way, both reports remove the privileges granted in invalid roles. However, the roles are presented equally among the roles assigned in transaction SU01.

2. By running the PRGN_COMPRESS_TIMES report, which performs unassigned roles that have expired. This report executes different tasks: 

  • Get rid of duplicate roles that users may have been assigned: once the report detects the duplicity, it keeps only the assignment with the longest validity period (as long as one of the roles is still valid).
  • Removes privileges granted in roles that are not current.
  • Removes non-current roles from the list of assigned roles. 
  • Processes can be performed in simulation or real mode.

Below you will see a simulation of the process: 

Interfaz de usuario gráfica, Texto, Aplicación, Correo electrónico Descripción generada automáticamente

Interfaz de usuario gráfica Descripción generada automáticamente

Outcome:

Interfaz de usuario gráfica Descripción generada automáticamente con confianza media

To run the execution, uncheck the simulation execution, check the execution and deletion of overdue assignments and execute.

Interfaz de usuario gráfica, Aplicación, Tabla Descripción generada automáticamente

Outcome:

Interfaz de usuario gráfica, Tabla Descripción generada automáticamente

Would you like to see our software live and in real time? 

Leave a Reply

Your email address will not be published. Required fields are marked *