Here are 6 harsh realities that we discovered from our customers:
1. Users are still using SAP_ALL Power Profiles
Although SAP doesn’t recommend using the power profile SAP_ALL, many organizations are still using it. They should definitely not. This authorization profile enables way too much activity. Having power users with SAP_ALL access is a backdoor invitation for hackers and it’s simply not appropriate from a business perspective, particularly from a GRC point of view, because having SAP_ALL is a clear violation of all the rules of SoD. See our article that discusses the dangers of SAP_ALL in detail. If SAP_ALL and other power authorization profiles are being used, this issue is one of the first things that we recommend resolving as the first step of narrowing down authorizations or executing on a GRC project.
2. Enterprises do not monitor access to sensitive activities like SU01 and F110
This is a shocker because the list of highly sensitive activities is well defined in most organizations. Business users know these risky activities and take extra time to classify them as “sensitive.” Auditors tend to ask who is allowed to use them during audits. But many organizations aren’t investing the extra mile in monitoring the usage of these activities, to check if all users that have the authorizations to use these sensitive activities are really using them. In our blog about SU01, we highly recommend using a portal instead and to narrow down the access to sensitive activities to only users who really need it.
3. People are still retaining the authorizations from their last position, together with their current ones
We have found that in many companies, people that have moved into a new position keep both their old authorizations from Position A and their new authorizations from Position B. Many organizations tend to fail twice in controlling the position change. The first thing missing is a procedure for tracking the position change and cancelling a person’s old authorizations. The second thing missing is an automatic mechanism for enforcing this procedure.
It’s refreshing to see organizations that do have an automatic mechanism that identifies employees’ movement. They monitor the HR system to identify the move from Position A to B, automatically send an authorization review to the new manager asking if this employee still needs their previous authorizations, the manager enters his decision, and either the old authorizations are removed automatically or the helpdesk will carry out the decision.
4. 87% of users’ authorizations are not being used at all!
It’s amazing that the average is so high. The methodology of creating authorization roles, that include authorizations for multiple tasks, creates the situation in which people are getting many more authorizations than they really need. Add to this the fear of taking authorizations away from users and the lack of clear process for requesting and granting authorizations, and you will understand that amazing figure. Organizations commonly believe their users are utilizing 80%-90% of their authorizations, when in fact they are only using 13%. We can’t stress enough – monitor and reduce unused authorizations in roles.
5. A company’s own development (Z Objects) doesn’t include authorization checks, making reports accessible to almost anyone
Organizations develop objects on their own to add capabilities to the standard SAP software. There can be many, many self-developments in the system. The surprise here is that a large portion of these organizations are not including authorization checks in their development, creating huge security gaps left open to anyone who can execute the reports.
6. Attention is not being paid to which SAP Queries were executed, including very sensitive ones
SAP Query is a great tool that SAP gave to business users so they could create ad-hoc reports without needing to bother their development team. But this great tool, if not treated properly, also gives them the power to inquire about whatever sensitive material they want, such as employee details or customers with the highest revenue. If no one monitors which queries were executed and why, almost anyone can execute and misuse queries. In our opinion, companies must monitor who is executing which query and get alerts for suspicious usage of sensitive cases.
Xpandion is the leading provider of ERP usage inspection solutions, delivering unprecedented real-time visibility into management systems, significantly improving security, optimizing licensing usage and enabling GRC/SOX compliance. Contact us now.