In 1914, American judge Louis Brandeis coined the famous quote “Sunlight is said to be the best of disinfectants,” and it has proven to be most accurate in 2014 too.
Many of our current and potential clients fear what may be revealed when the light is shined upon them. Some say it loud and some say it quietly in their hearts, “What if, when we use your software it’s revealed that 50% of our own developed T-Codes are not being used? Who will justify the huge development of Z T-Codes that was asked for which no one utilizes? Will I be the scapegoat?”
Ignorance is bliss. If you don’t know about it, then you don’t have to deal with the reality of the situation and no one can be guilty of anything. This is the secret point of view of people who resist implementing auditing software.
Note: This blog is not related to GRC, which of course some companies are obligated to maintain. I’m referring to security and authorizations – all the auditing stuff of knowing who-is-using-what.
Someone in the organization has to be brave enough to say, “We want to know what’s really going on. We want to take the responsibility to improve our situation!” And indeed, after taking the step and implementing ProfileTailor Dynamics Security and Authorizations, they easily identify and solve a lot of authorization-related issues, which, lets face it, might become security breaches.
Here are the top three most common solutions that our customers choose to focus on, after implementing the software:
1. Eliminating Unused T-Codes and Authorizations: When you know what is being used, then you know what is not being used. From there, the most sensible action from a security point of view is to eliminate the T-Codes that nobody is using, so they will not be misused.
For example, if someone developed Z_INVOICE to issue invoices and nobody uses it, lock it via T-Code SM01. This way you ensure that nobody can misuse it to issue false invoices. It’s a simple action with high impact. Afterwards, if someone really needs this T-Code, the request can be examined and the T-Code can be unlocked again.
The same goes for authorization roles: If no one uses a specific authorization role, delete it everywhere except in the QA system. This way you will still have access to it, but there won’t be potential to misuse it in production.
2. Watching Sensitive Data Directly: It is amazing to see the impact on customers when they discover who is looking at sensitive data in production. Using T-Codes like SE16 and SE16N and also using simple SAP queries, sophisticated users like IT people, top-users and even employees who are good at Google Search can access very sensitive data, and in most organizations – yes, they will! People are most interested in financial data and salary information – “How much are they paying the outsourcing company for my services?” is often asked by external employees, “What is our revenue?” is asked by people who hold company stock, and “Let’s find out what my boss’s salary is…” is asked a lot too.
Our customers can see the access to financial data tables like BKPF and BSEG (and even BSIK and BSAK) by people who are not meant to be there, but thought that it would be interesting to take a peek anyway. Following these findings, our customers can reevaluate access to SE16 and SE16N and inspect SAP queries more seriously.
What should you do when you find out these things are happening? That’s another story – see our blog “CISO Advice: Shooting Might Not Be The Best Option.”
Let me take a step back and say that in fact we only find a few cases of misuse of SE16, SE16N and SAP queries because most uses are for legitimate purposes. But the ones that break the rule, the non-legitimate purposes, that is what worries CISOs and Authorization Managers.
3. Access to Company Codes and Other Organizational Objects: When you have the data, it is very simple to produce an Excel sheet that lists employees to company codes, for example. Then you can easily trace potential security breaches, like employees from the warehouse who can access the company codes for management. When the data is stored (a.k.a. “buried”) inside roles and authorization objects – nobody has the time or patience to inspect it thoroughly, but when it lies in a simple Excel table, mistakes can be easily traced by managers and they can take action to fix the situations.
These are the most common examples from our customers, who are not only brave enough to ask the right questions but also to fix what needs to be fixed. And then after they’ve fixed the situation, they want to be alerted when a sensitive authorization is granted, or when a user misuses SE16. They are committed to keeping the system secured and clean, and ProfileTailor Dynamics helps them by sending alerts for various scenarios. Ask about this feature here.
So thrive in the sunlight. Don’t worry, you won’t get burned. You’ll be the hero!
Xpandion is the leading provider of Authorizations software solutions for ERP. If you have any questions or concerns about your authorizations, contact us now.