• Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

How to Eliminate "Deceiving" Authorization Roles

  • Font size: Larger Smaller
  • Hits: 7053
  • 2 Comments
  • Print

If your organization has run an SAP system for three years or more, you probably suffer from what we like to refer to as “Deceiving Authorization Roles syndrome.”
SAP Authorization Roles with deceiving one
Whether you’re familiar with this pesky problem or not, maintaining authorization roles for a few years, adding and removing activities and authorization objects, and creating new ones and deleting others all create situations in which authorization roles have names that incorrectly represent their content. This can lead to SAP admins unintentionally granting users with the wrong authorizations.

 

 

What Are Deceiving Authorization Roles?

The term “deceiving authorization role” describes an authorization role that possesses a name or description that incorrectly describes its content.
This situation is often caused by human error, due to the difficulties of maintaining authorization roles and attempting to oversimplify them. Oftentimes, the most efficient way to solve an authorization requirement is to add it to a role, without taking into account (or ignoring the fact) that its name does not reflect the new addition.
Examples of deceiving authorization roles in SAP include roles titled “VIEW” with authorization objects that allow “Change” or “Create” (ACTVT = 01, 02) and authorization roles with the description “Finance – handle assets” with T-Codes from logistics modules such as MM01.

SAP Authorization Role Display vs Change Activity

In the image: T-Code PFCG displaying a "View" type rolw with an Authorization object that includes a "Change" activity

What Risks Do Deceiving Authorization Roles Pose to Your Organization?

The risk with deceiving authorization roles is clear: granting users with incorrect authorizations results in a massive security breach.
Let’s take an example in which the authorization role HR_VIEW_INFOTYPE_0002 accidently includes an authorization of type “Change”. If a user requires an authorization role to view employees’ personal information, for example, he is generally assigned the HR_VIEW_INFOTYPE_0002 role. With this role, he is also granted the ability to change employee data, resulting in unnecessary sensitive authorizations and making him a prime target for hacker hijacking in the future.
Furthermore, your organization will find itself facing some angry faces once this information is discovered during an audit, when it has to explain why there are “Change” permissions in “View” authorization roles.

Can Your Organization Prevent the Creation of Deceiving Authorization Roles?

This is a tricky question. Theoretically, your organization can avoid creating deceiving authorization roles by putting the proper policies in place and adding additional people into the process of changing authorization roles.
You might think that if more eyes see any changes before roles go to production, this will eliminate the chance for error. From our experience, this does not prevent errors and only lengthens the process.
In our experience, even the most organized companies have deceiving authorization roles in their role catalog. It’s only human nature to make mistakes - especially during the long lifecycle of authorization roles, where people get replaced and policies change. These factors make it easy to accidentally create deceiving authorization roles and result in the need for action to periodically locate and eliminate them.

How Can Your Organization Effectively Handle Deceiving Authorization Roles?

First, you’ll need to locate deceiving authorization roles and subsequently handle each one. Surprisingly, the first part is harder than the latter. When you find a deceiving authorization role, handling it is a simple task– but finding it between thousands or tens of thousands of roles can be like finding a needle in a haystack.
Start by using the following searches:
1. Roles with names that include the words ’VIEW’ or ’DISPLAY.’ You can do this by using T-Code ‘SUIM’ or by searching in table ‘AGR_DEFINE’ field ‘AGR_NAME’ using T-Code ‘SE16.’
2. Roles with descriptions that include the terms ‘VIEW,’ ‘DISPLAY,’ ‘DISPLAYING,’ etc.
3. Roles with names that include the terms “TEMP” and “TIMELY,” meaning they are temporary roles that, in most cases, shouldn’t get to the production environment.

SUIM Search SAP Authorization Roles

The image above shows how to use T-Code SUIM to search for “display” roles

You’ll have to be cleverer to locate roles from “FINANCE,” which include T-Codes from non-finance modules, and roles with more than 90% T-Codes from one module and a few “sneaky” T-Codes from another module.
For these kinds of queries, you’ll need a software tool such as ProfileTailor Dynamics that can examine each role and perform a detailed analysis. Click here for a free demo.
Additionally, if your company includes organization objects in the role’s name, such as adding company codes to derived roles’ names – for example, Z_MM_PURCHASING_1100 (company code 1100) – this is a good place to find deceiving situations of included company codes inside. In this case, you’ll also need to rely on an intelligent software tool such as ProfileTailor Dynamics. Click here for a free demo.

What to Do with Deceiving Authorization Roles After You Find Them

Found some deceiving authorization roles? You now need to handle them individually. This is an easy task in most cases; however, it requires a few considerations.
If the role is ‘DISPLAY’,’ by name, but includes ‘CHANGE’ or ‘CREATE’ abilities: You should carefully examine the attached user accounts and determine what roles each account actually needs. If no accounts need the additional abilities, you can delete them from the authorization role. On the other hand, if some users do need the extra abilities, you can move the capability to another role. Whatever you decide, try not to leave the incorrect ‘DISPLAY’ title in an authorization role that includes other actions.
If a role is marked as ‘HR’ and includes financial T-codes, you should split it into two different roles or add users with the most appropriate authorization role from finance. Don’t forget to remove the financial T-codes from the HR role. To select the best option, you can also use “Role Replacer” in ProfileTailor Dynamics. Click here for a free demo.

SAP Authorization Role Replacer by Xpandion

Other situations, such as non-matching company codes or other organizational objects, should be solved individually, according to the situation and possible solutions.

Additional Examples of Deceiving Authorization Roles

Have additional examples of situations that result in deceiving authorization roles? We’d love to hear about them. Help the community and add your examples in the comments, below!

 

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.

Comments

  • Guest
    Richard Symes 20/07/2015

    If you don't run a SoD (segregation of duties) tool like ProfileTailor ... like we do and have done since 2010 ... you can have no proper control over SAP Security.

    Xpandion are such a great company to be a customer of ... such great innovators with their software over the past years.

  • Guest
    Moshe Panzer 20/07/2015

    Thank you so much Richard, we're honored to get such a comment!
    Moshe

Leave your comment

Guest 24/03/2017

Headquarters

+972-3-624-4245

157 Yigal Alon Street,

Tel Aviv 67443, Israel

info@xpandion.com

US Office

+1-800-707-5144

33 West 19th Street, New York,

NY 10011, USA

info.us@xpandion.com

India Office

+91-989-2546216

C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India

info@xpandion.com