Practical Guide to Authorizations in SAP - Design and Maintenance

Language: English

Pages: 188

Level: Advanced

ISBN: 9783960124955

ISBN (print): 9783960124849

Master the principles of building secure, scalable, and sustainable authorization concepts in SAP.

This expert guide explores the evolution of SAP authorizations and the increasing demand for robust authorization concepts in today’s complex business landscapes. Whether you’re starting from scratch or refining an existing model, this book walks through every phase of an authorization concept project, from preparation and design to building, testing, go-live, hypercare, and ongoing maintenance. Learn how to align technical architecture with business requirements and how to avoid common mistakes that can jeopardize even the most carefully planned projects. With a wealth of real-world insights, expert tips, and architectural best practices, this book is an invaluable resource for SAP architects, project leads, and administrators dedicated to building secure, long-lasting authorization frameworks.

  • Authorization concepts in SAP
  • Authorization project processes
  • Alignment of architectural and business needs
  • Tips and tricks for architects and administrators

Reading sample

2.1 Regulations

Wherever in the world a company operates, there are always regulations it has to comply with in order to do business legally. These regulations can relate to data protection and cybersecurity, to accountability in terms of taxes and financial governance, and to measures that ensure the quality and safety of products and services. All of these different regulations have one thing in common: to be compliant, a company needs a proper authorization concept in its SAP systems.

Depending on a company's geographical region, industry, size, and legal ownership, regulations of various origin, nature, and level of detail can apply to the systems it operates. There are generally four important types of regulation, all of which have an impact on a company's SAP authorization concept:

  • Data protection
  • Regulations and the “need-to-know” principle
  • IT security
  • Financial and operational compliance

2.1.1 Data protection

Data protection regulations such as the EU GDPR (General Data Protection Regulation) or China's PIPL (Personal Information Protection Law) aim to protect personal data from misuse and from unauthorized disclosure and distribution. Given the variety and quantity of personal data contained in any SAP system, from ordinary employee master data to highly sensitive data such as that relating to people in witness protection programs, it is highly unlikely that an SAP system is not subject to such legal requirements.

2.1.2 Regulations and the need-to-know principle

Whatever regulations the SAP system must comply with, most decisions regarding its exact design, the number and content of roles, and the assignment of roles to users follow one core guideline: the need-to-know principle, which in authorization design goes hand in hand with the principle of least privilege and is often used as a synonym for it.

Principle of least privilege—one role per person?

A common question that arises when discussing compliance with the principle of least privilege in authorization concepts is: does that mean the company needs one role per person?

Such a requirement would generally be considered impossible to meet.

Some stakeholders point out that the variety of functions and responsibilities in their company makes it impossible to reduce access, because the company is small and everybody performs many tasks in different combinations.

As in many other areas of IT security, a compromise between security, feasibility, and business impact has to be reached. Most companies find it impossible to create, assign, and maintain an authorization role that strictly contains one employee's rights and thereby comply 100% with the principle of least privilege. Most companies are, however, able to describe the positions that perform certain processes and to identify the tasks that belong to each position's responsibilities. Roles can then be cut at task level and bundled per position, so that a user receives the positions they actually hold rather than an individually tailored role. These two levels, the position and the task, are key concepts in the overall role structure.

2.1.3 IT security

IT security regulations address risks that relate only indirectly to an end user's business activities: the associated IT components, i.e. software, customizing, parameter settings, connectivity with other systems, the patching strategy applied, and the overall vulnerability management. These regulations also govern the administration of SAP systems, up to and including their authorization concept.

2.1.4 Financial and operational compliance

Regulations relating to financial and operational compliance aim to prevent fraud and to minimize risks to consumers. Fundamentals such as the principle of completeness and the prohibition of erasure (which restricts the deletion or removal of accounting records) need to be observed in accounting tasks without any compromise. This has very clear implications for a company's authorization concept.

DORA regulation—need-to-know principle

Article 21 of Commission Delegated Regulation (EU) 2024/1774, which supplements the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022), requires financial entities to ensure that "access rights to information assets, ICT assets, and their supported functions, and to critical locations of operation of the financial entity, are managed on a need-to-know, need-to-use and least privileges basis, including for remote and emergency access". Note that the regulation names need-to-know, need-to-use, and least privilege as three separate requirements.