
Appendices

In document Monitoring SoD controles (pages 37-57)

Interview SAP Identity Access Governance en Access Control

Chris Radkowski is solution manager for SAP Identity Access Governance and Access Control.

Date: 2 July 2021

Nr. Question Answer

1 Do you notice that setting up authorizations in SAP is difficult?

Yes, I do. Especially maintaining an SAP system is complicated.

2 What kind of problems are you running into when setting up and maintaining authorizations?

There are several design methodologies for security authorization implementation, such as:

1. Task based where organizations harmonize activities for certain tasks (often we are talking about around 200 tasks). When using a task based methodology, boundary controls should be added. These make sure that users can only see transactions related to their region or country. For example, a user can only pay vendors in their own region.

Tasks and boundaries are then assigned to the users.

2. Job Based where roles are based on job titles. These roles are then assigned to the users.

Job-based requires more specific technical roles to be assigned. Task-based requires fewer roles; however, these are broader in definition.

What we often see is that new roles are created, or rights are added to specific roles, just for one specific project. When this project is finished, these rights are not revoked, and the extra roles are not deleted. This means that the number of roles increases over time, as well as the number of assigned rights per role.

In case a role that is not used anymore is identified, it is often not deleted because it is often not known what the impact on the system and the business is. This is a really big problem and unsustainable for many organizations over time.

Harmonizing the access and authorization is usually really complicated.

Authorizations in SAP systems that have been running for a few years are often such a mess that it would take a very large project to clean everything up. That could take years. This is why our solutions include features and reporting that can help identify and clean up unused or unassigned system roles and permissions.

3 What should a company do to properly set up authorizations and to maintain them correctly?

This is what Access Governance processes are for: to properly manage and maintain user access across enterprise systems and applications. Periodic reviews of who has access (user access reviews) are a critical aspect. It is very important to keep the number of defined roles under control by reviewing them regularly. When temporary access is given or temporary roles are created, they should be deleted as soon as they are not needed anymore.

4 How do you view the 4 options of monitoring?

Monitoring is a key part of Access Governance. Understanding who has access and reviewing cases of unassigned roles, unused roles, assignments with SoD risks, users without authorization assignments (ghost accounts) are important processes for security and integrity.

One additional solution that organizations are implementing is for ABAC – attribute based access control. This solution can intercept transactions before they take place. This is called SAP Dynamic Authorization Management by NextLabs. This was built 6 years ago. It is a standalone service, but it integrates with the SAP identity access governance tool.

This tool can identify risky transactions based on pre-defined rules. In case a risky transaction is found, there are the following options:

- Allow

- Don’t allow

- Allow with restrictions/conditions (e.g. user should give extra information, logging on this transaction is turned on, details of this transaction are automatically documented in an exception log).

The pre-defined roles are defined in code such as “IF A then B”. This means that any rule that is needed can be defined. Configuring the system, however, is not easy. You would need consultants with the knowledge to configure the system.

In general I think it is a great idea to make the role concept simpler and have monitoring to compensate this.

I think that in most circumstances, you want transactions to go through, you don’t want to block them. You want to track what happens and alert someone who should look into it.

In case of specific incidents such as hackers or fraud, you do want to block.

For example, when new accounts are created and high level authorizations are assigned. You want to track unusual patterns of activity in special cases such as people looking at high dollar transactions, new suppliers or new vendors that are created.

5 Do customers ask for these kinds of monitoring tools? Is SAP Dynamic Authorization already being used by customers?

As far as I know, SAP Dynamic Authorization Management is used by many large organizations who need to add conditional access and context for granting access in real time. Defense and aerospace industries are using this solution to help address ITAR compliance. ITAR compliance requires location and citizenship checking prior to granting access. This can be complex to automate in certain situations, however SAP Dynamic Authorization Management can support the real time decision making required.

Interview SAP Access Violation Management

Susan Stapleton is vice president, Customer Advisory at Pathlock (previously called Greenlight). She has years of experience with SAP implementations.

Date: 7 July 2021

Nr. Question Answer

1 What do the reports created by the Access violation tool look like?

The control owner gets shown an overview (list) of all exceptions that took place in SAP.

2 How often can the reports be updated? Can this also be done in real time?

Clients can choose how often reports are generated. This is usually done once per month or once per week. In some cases only once or twice per year. Clients don’t choose to generate reports daily or even more often.

It is meant to be a detective control. Information could become meaningless if you spam the control owner constantly with exceptions.

In my opinion it works best to report weekly or monthly.

It is possible to run the controls more frequently. The Pathlock system is not particularly taxing on SAP.

3 What can be monitored? Are there any restrictions on this?

If you buy a standard license, you get 50 SoD controls. Pathlock has a library of 200 standard SoD risks that can be monitored. They can also develop custom controls for their clients. They do focus mostly on SoD controls.

4 If there are restrictions, why? What adjustments in SAP are needed to ensure that these restrictions no longer exist?

There are no limitations.

5 What is the process for implementing SAP Access Violation Management?

Customers can perform the implementation on their own. Pathlock also has consultants who can help them.

Clients can:

- Define how often the queries are run.

- Define what to include or exclude.

- Change the queries themselves.

It is important to put in the time to implement the tool as best you can, to make sure that what you get out is what you want. It should not be too few or too much. Therefore it is also important to collaborate with the business so they can inform IT what should be monitored.

6 What risks arise with the implementation?

Monitoring either too few or too much.

On the other hand, using the Access violation tool gives users more awareness, because they have to look at all exceptions. Therefore they will also hesitate more to give new users more rights.

7 To what extent can SAP Access Violation Management be customized per company and what is “hard coded”?

Everything can be configured. Our system is very configurable by the user to make updates to ensure the correct information is reported.

In general, no development, technical assistance or programming is needed.

8 Can exceptions be made?

E.g. “If the transaction is made by this batch account it will not show up on the report”

Yes, this is possible, the client can configure and update the queries.

9 What should a company do to ensure that there are not too many notifications?

Implement the controls correctly, really think about what is necessary to monitor, what exceptions should be implemented.

10 How do you avoid false positives without filtering out real issues?

Proper configuration of the queries based on the client’s business processes and risks.

11 What is the purpose of the monitoring tool in relation to authorizations?

Pathlock does not have a specific relation with their tool and authorizations in mind. The idea is to keep the authorizations as they are and use the Pathlock tool to monitor the actions that have taken place.

The tool can be used to identify particularly ‘dangerous’ roles, but the tool was not particularly meant for this.

12 In which cases are periodic reports not enough and should you do more?

The “second transaction” is often not critical enough that you have to stop it. Often there are so many of them that you cannot monitor it all.

It depends on the company and the risk if you want to do that.

Susan has previously tried to block transactions before they are posted. She has implemented this at one client. This client wanted to stop sales orders in case they went against policies. This specific client dealt with a small volume of large dollar transactions.

The biggest issues that Susan notices are:

- Clients with no controls

- Clients who do not correlate things back to the user and do not look across different processes. People are smart, especially in finance. They know how to pass the checks that are in place.

13 Is the Access violation tool certified?

AVM is not certified.

Usually, both internal and external auditors interrogate the controls to ensure the company has the proper controls defined, validate that the controls are performing as expected, then rely on AVM for future audits. They can see if any of the controls have been altered since their last review or audit. Each company will have different controls that need to be validated.

We don’t have formal certifications but we do know that auditors like PWC, KPMG and Deloitte rely on AVM results in their audits.
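The periodic, detective control described in this interview (exceptions listed per control owner, queries run weekly or monthly, batch accounts excluded by configuration, and the second step correlated back to the same user across processes) can be illustrated with a small script. The following is an added example written for this appendix; it is not Pathlock or SAP code. The rule library, the transaction codes used in the pairs, the user names and the activity log are all constructed, and the function names are hypothetical.

```python
"""Periodic (detective) SoD control run over a constructed SAP-style activity log.

Added example, not Pathlock or SAP code. Hypothetical assumptions: the log is a list of
dicts (user, tcode, object, ts); the rule library is a hand-picked set of conflicting
transaction-code pairs; technical/batch accounts are excluded by configuration, as the
interview describes for question 8.
"""
from collections import defaultdict
from datetime import datetime

# Constructed rule library: (rule name, tcode A, tcode B, control owner).
SOD_RULES = [
    ("Create vendor & pay vendor", "FK01", "F110", "ap_control_owner"),
    ("Create PO & post goods receipt", "ME21N", "MIGO", "procurement_owner"),
]

# Constructed exclusion list: a batch account whose activity should not appear on the report.
EXCLUDED_USERS = {"BATCH_JOB"}

# Constructed activity log; a real run would read SAP change documents instead.
LOG = [
    {"user": "alice", "tcode": "FK01", "object": "V-1001", "ts": "2021-07-01T09:00"},
    {"user": "alice", "tcode": "F110", "object": "V-1001", "ts": "2021-07-02T10:30"},
    {"user": "bob", "tcode": "ME21N", "object": "PO-77", "ts": "2021-07-01T11:00"},
    {"user": "carol", "tcode": "MIGO", "object": "PO-77", "ts": "2021-07-03T08:15"},
    {"user": "BATCH_JOB", "tcode": "FK01", "object": "V-2002", "ts": "2021-07-01T01:00"},
    {"user": "BATCH_JOB", "tcode": "F110", "object": "V-2002", "ts": "2021-07-01T02:00"},
    {"user": "dave", "tcode": "FK01", "object": "V-3003", "ts": "2021-05-01T09:00"},
    {"user": "dave", "tcode": "F110", "object": "V-3003", "ts": "2021-07-04T09:00"},
]


def find_sod_exceptions(log, rules, excluded, period_start, period_end):
    """Return the SoD exceptions whose completing action falls in [period_start, period_end).

    Both halves of a conflicting pair are correlated back to the same user *and* the same
    business object (vendor, PO), which is the cross-process correlation the interview says
    many clients skip. The first action may predate the period: a vendor created months ago
    and paid this week is still reported.
    """
    start = datetime.fromisoformat(period_start)
    end = datetime.fromisoformat(period_end)
    # (user, tcode, object) -> earliest time that action was seen
    seen = {}
    for entry in log:
        if entry["user"] in excluded:
            continue  # configured exception, e.g. a batch account
        key = (entry["user"], entry["tcode"], entry["object"])
        ts = datetime.fromisoformat(entry["ts"])
        if key not in seen or ts < seen[key]:
            seen[key] = ts

    exceptions = []
    for name, tcode_a, tcode_b, owner in rules:
        for (user, tcode, obj), ts_a in seen.items():
            if tcode != tcode_a:
                continue
            ts_b = seen.get((user, tcode_b, obj))
            if ts_b is None:
                continue  # a different user did the second step: separation held
            completed = max(ts_a, ts_b)
            if start <= completed < end:
                exceptions.append({"rule": name, "user": user, "object": obj, "owner": owner})
    return sorted(exceptions, key=lambda x: (x["owner"], x["rule"], x["user"]))


def report_by_owner(exceptions):
    """Group exceptions per control owner, the list each owner reviews."""
    grouped = defaultdict(list)
    for exc in exceptions:
        grouped[exc["owner"]].append(exc)
    return dict(grouped)


if __name__ == "__main__":
    weekly = find_sod_exceptions(LOG, SOD_RULES, EXCLUDED_USERS, "2021-07-01", "2021-07-08")
    for owner, items in report_by_owner(weekly).items():
        print(owner)
        for item in items:
            print(f"  {item['rule']}: {item['user']} on {item['object']}")
```

On the constructed log the weekly run for 1 to 8 July reports alice (vendor created and paid within the week) and dave (vendor created in May, paid in July), skips the batch account, and does not report the PO handled by bob and carol, because two different users performed the two steps.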

Interview SAP Business Integrity Screening

Gerhard Hafner is Chief Product Owner for SAP Business Integrity Screening.

Date: 16 July 2021

Nr. Question Answer

1 What do the reports and notifications created by the Business integrity screening tool look like?

The BIS tool is integrated into SAP. You can define rules in SAP. Rules are then combined into detection strategies. If the scores of the rules are beyond a threshold defined in the strategy, the application creates exceptions (alerts). The alerts then can be investigated and documented.

2 How often can notifications be given, does this happen real time?

The list of exceptions is updated (almost) in real time.

I would configure it to give notifications daily. Then you can correct the wrong documents before the period close. Also, when notifications are given once a day, the amount of transactions is not too much to monitor. The earlier you are informed of a violation, the faster you can work on the root cause.

3 What can be monitored? Are there any restrictions on this?

The BIS tool can monitor everything you want it to monitor in SAP. It is even possible to load non-SAP data into the tool and then use rules that screen both SAP and non-SAP data. Overcoming data silos is very often a key success factor to detect suspicious transactions.

4 If there are restrictions, why? What adjustments in SAP are needed to ensure that these restrictions no longer exist?

There are no limitations.

5 What is the process for implementing SAP Business Integrity Screening?

The user can use pre-defined controls. In case these are not sufficient, it is also possible to develop your own controls using SQL.

6 What risks arise with the implementation?

Implementing too many controls. Throughput is an important criterion. If too many controls are implemented, it is going to take longer to process certain actions in SAP.

7 To what extent can SAP Business Integrity Screening be customized per company and what is “hard coded”?

Nothing is hard coded.

8 Can exceptions be made?

E.g. “If the transaction is made by this batch account it will not show up on the report”

Yes, using SQL.

9 What should a company do to ensure that there are not too many notifications?

The system comes with an in memory database. You can run and simulate controls on the fly, look into the resulting notifications and then change parameters of the controls if needed.

BIS also provides a lot of capabilities to use predictive tools. These can be used to improve your controls. Customers still do not get all information they could get from their data.

10 How do you avoid false positives without filtering out real issues?

Make sure you configure the controls correctly.

Use the embedded calibration and simulation capabilities to continuously check if changes in parametrization can reduce the number of false positives.

11 What is the purpose of the monitoring tool in relation to authorizations?

Monitoring tools and authorizations are two different worlds that I would never mix.

BIS is used as an additional line of defense on top of authorizations.

I would always combine authorizations and monitoring, not use one instead of the other. Use the right control mix.

12 In which cases are periodic reports not enough and should you do more?

Using BIS it is possible to block a transaction after, for example, a suspicious invoice was booked.

BIS can also already block transactions before they are saved.

You do a call when the user saves. In case of a violation, the transaction can be blocked before it is saved.

I would definitely not use this all the time.

You want to understand who is breaking the rule and why.

Often when you get a notification, nothing is wrong, it is not a real violation.

People who commit fraud often do this more often. Sometimes, it is better to see what happens and monitor it. Then you can take measures later.

How much time do you want to invest to detect a case of 100 euro?

Better wait to find more, or focus on the big ticket.

Bigger violations are often performed by people in higher positions, who have a good understanding of how the system works.

You do want to filter out the real risky things, when a large amount of money leaves the organization at once, such as CEO fraud. Therefore I would block transactions specifically in case of large transactions.

Most of our customers use BIS for compliance. Not to detect fraud. In general, I would say that it already helps that you make known to your employees that you have a detection system in place.

13 Is the Business integrity screening tool certified?

No, it is not.
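The mechanism described in answers 1, 9 and 10 of this interview (rules that produce scores, a strategy with a threshold that turns the summed score into an alert, and simulation over a sample to reduce false positives by changing parameters) is shown below as an added example written for this appendix. It is not SAP Business Integrity Screening code: the rules, their weights, the sample invoices and their labels are constructed, and the function names are hypothetical.

```python
"""Rule scores combined into a detection strategy, plus threshold calibration.

Added example, not SAP Business Integrity Screening code. Hypothetical assumptions: each
rule returns a score for an invoice document, a strategy sums the scores and raises an alert
at or above its threshold, and calibration replays the strategy over a labelled sample to
count true positives, false positives and misses per candidate threshold.
"""

# Constructed, labelled sample invoices (the label is what an investigator concluded).
SAMPLE_INVOICES = [
    {"id": 1, "amount": 90, "new_vendor": False, "bank_changed": False, "duplicate": False, "label": "ok"},
    {"id": 2, "amount": 12000, "new_vendor": True, "bank_changed": True, "duplicate": False, "label": "fraud"},
    {"id": 3, "amount": 250, "new_vendor": True, "bank_changed": False, "duplicate": False, "label": "ok"},
    {"id": 4, "amount": 15000, "new_vendor": False, "bank_changed": False, "duplicate": False, "label": "ok"},
    {"id": 5, "amount": 3000, "new_vendor": False, "bank_changed": True, "duplicate": False, "label": "ok"},
    {"id": 6, "amount": 500, "new_vendor": True, "bank_changed": False, "duplicate": True, "label": "fraud"},
    {"id": 7, "amount": 11000, "new_vendor": False, "bank_changed": False, "duplicate": True, "label": "fraud"},
]


# Each rule returns a score; the weights are illustrative parameters a team would tune.
def rule_new_vendor(doc):
    return 30 if doc["new_vendor"] else 0


def rule_bank_changed(doc):
    return 40 if doc["bank_changed"] else 0


def rule_duplicate(doc):
    return 50 if doc["duplicate"] else 0


def rule_large_amount(doc):
    return 30 if doc["amount"] >= 10_000 else 0


# A detection strategy: the rules it combines and the threshold that creates an alert.
STRATEGY = {
    "rules": [rule_new_vendor, rule_bank_changed, rule_duplicate, rule_large_amount],
    "threshold": 60,
}


def score(doc, strategy):
    return sum(rule(doc) for rule in strategy["rules"])


def run_strategy(docs, strategy):
    """Produce one alert per document whose summed score reaches the strategy threshold."""
    alerts = []
    for doc in docs:
        total = score(doc, strategy)
        if total >= strategy["threshold"]:
            fired = [rule.__name__ for rule in strategy["rules"] if rule(doc) > 0]
            alerts.append({"id": doc["id"], "score": total, "rules": fired})
    return alerts


def simulate_thresholds(docs, strategy, thresholds):
    """Calibration: replay the strategy with each candidate threshold and count tp/fp/fn."""
    results = {}
    for t in thresholds:
        alerted = {a["id"] for a in run_strategy(docs, {**strategy, "threshold": t})}
        tp = sum(1 for d in docs if d["id"] in alerted and d["label"] == "fraud")
        fp = sum(1 for d in docs if d["id"] in alerted and d["label"] == "ok")
        fn = sum(1 for d in docs if d["id"] not in alerted and d["label"] == "fraud")
        results[t] = {"tp": tp, "fp": fp, "fn": fn}
    return results


if __name__ == "__main__":
    for alert in run_strategy(SAMPLE_INVOICES, STRATEGY):
        print(alert)
    for t, counts in simulate_thresholds(SAMPLE_INVOICES, STRATEGY, [30, 60, 90]).items():
        print(f"threshold {t}: {counts}")
```

On this sample a threshold of 30 alerts on every invoice with a single weak signal (three false positives), 90 misses two of the three labelled cases, and 60 catches all three with no false positives. That is the trade-off the interviewee describes: simulate on historical data before changing the live parameters.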

Interview SAP UI Masking

Tobias Keller is Product manager for UI Masking at SAP.

Deepak Gupta is head of strategic programs & innovation at SAP, who is also working on the UI Masking tool.

Gabriele Fiata is the head of the Cybersecurity and Enterprise Risk management team at SAP.

Deepa Sharma is Senior developer at SAP who is working as architect for the UI Masking tool.

Manpreet Kaur is developer for the UI Masking tool at SAP.

Date: 22 October 2021 & 12 November 2021

Nr. Question Answer

1 Can you give me some background information on the UI Masking tool?

UI Masking is a tool used for masking specific data in specific scenarios. It can for example be used to block secret recipes or privacy sensitive data. It can also be used to disable specific buttons for specific users in specific scenarios.

The masking functionality is built on the server side, before it goes out to the presentation layer. The tool manipulates the data before it is shown on the screen of the user.

The blocking functionality is built into the application layer.

The UI Masking tool is currently available on the market, but the functionality to block transactions in specific scenarios is still in development. This functionality is called Data Exploit Prevention, and will be a part of the UI Masking tool.

2 When do you expect the Data Exploit Prevention functionality to be done?

No timeline is available at the moment. We expect to release the Data Exploit Prevention tool in the coming year (2022).

3 So with this tool it is possible to block a transaction before it is saved, based on the data entered by the user?

Yes, this is possible. It is also possible to base the decision to block on other information such as:

- The current time and date

- The IP address of the user

- Whether this user has performed any other suspicious activities in the past

- The assigned rights to the user

- Any information on the screen or elsewhere in the system.

It is also possible to have a ‘reveal on demand’ button, that the user can click in case he/she wants to see the blocked data. The user gets a notification saying that if this button is clicked, the information will be revealed or unblocked, but this will be logged by the system. The data will only be revealed or unblocked in case the user is authorised to access this data.

4 If a user tries to perform an action, and triggers the system to block this action. What does the user see?

The user gets a message that he/she is not allowed to perform this action. The information the user has entered into the system will not be saved in this case.

5 Is there a possibility to store the information the user has entered, tell the user that he/she cannot go on because the system has triggered a warning, so the transaction first needs an approval. Then send a notification to the control owner informing him that a suspicious transaction was found and that he has to approve the transaction. If he approves, the transaction will then be unblocked.

We are working on the following functionality:

The user gets a message that he/she is not allowed to perform a certain action, because it has triggered an exception. Then a button is presented that the user can press to unlock the functionality to perform the action. The user is informed that if he/she still wants to perform the action, he/she can press the button to unlock it. In case the user does so, the relevant data is stored in a separate table.

This means that no actual transaction is created at this point. A warning is sent to the control owner who can either approve or deny. In case he/she approves, the functionality is released and the user can go through with performing the action.

This functionality is not currently implemented but it is technically possible.

6 Will the release that contains the Data Exploit Prevention functionality (expected in 2022) also include this workflow functionality?

No, we are first working on the blocking functionality. This will be released first. After this is done, we will start working on the workflow functionality. There is no release date planned yet for releasing the workflow functionality.
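The preventive pattern that runs through two of these interviews (the allow / don’t allow / allow with conditions outcomes of question 4 in the first interview, and the pre-save check, reveal-on-demand logging and hold-for-approval workflow of questions 3 to 5 in this one) is illustrated below as an added example written for this appendix. It is not SAP UI Masking or Data Exploit Prevention code: the decision rules, the corporate network range, the amount threshold, the right names and the in-memory "separate table" are constructed, and all function names are hypothetical.

```python
"""Pre-save decision with allow / allow-with-logging / hold-for-approval / deny outcomes.

Added example, not SAP UI Masking or Data Exploit Prevention code. Hypothetical assumptions:
the check runs when the user saves and receives the screen data plus context (user rights,
client IP, time, prior exceptions); held transactions are parked in a separate table until a
control owner approves or denies; 'reveal on demand' is an authorisation check that writes an
audit record. Thresholds, right names and the corporate network range are constructed.
"""
import ipaddress
from datetime import datetime

ALLOW = "ALLOW"
ALLOW_WITH_LOGGING = "ALLOW_WITH_LOGGING"
HOLD_FOR_APPROVAL = "HOLD_FOR_APPROVAL"
DENY = "DENY"

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed
LARGE_AMOUNT = 50_000  # constructed threshold

exception_log = []   # what the control owner reviews afterwards
pending = {}         # the separate table: held transactions awaiting a decision


def decide(tx, ctx):
    """Return (outcome, reasons) for screen data `tx` in context `ctx`.

    tx:  {'id', 'amount', 'vendor_new'}
    ctx: {'user', 'rights', 'ip', 'ts', 'prior_flags'}
    """
    if "POST_PAYMENT" not in ctx["rights"]:
        return DENY, ["user lacks POST_PAYMENT right"]  # plain authorisation failure

    reasons = []
    when = datetime.fromisoformat(ctx["ts"])
    if ipaddress.ip_address(ctx["ip"]) not in CORPORATE_NET:
        reasons.append("client outside corporate network")
    if when.hour < 6 or when.hour >= 22 or when.weekday() >= 5:
        reasons.append("outside business hours")
    if ctx["prior_flags"] > 0:
        reasons.append(f"{ctx['prior_flags']} earlier exception(s) for this user")
    if tx["amount"] >= LARGE_AMOUNT and tx.get("vendor_new"):
        reasons.append("large payment to a newly created vendor")
        return HOLD_FOR_APPROVAL, reasons  # the one case worth stopping before it is saved

    # Everything else goes through; unusual context is only logged for later review.
    return (ALLOW_WITH_LOGGING if reasons else ALLOW), reasons


def save(tx, ctx):
    """Apply the decision at save time; returns the outcome shown to the user."""
    outcome, reasons = decide(tx, ctx)
    if outcome != ALLOW:
        exception_log.append({"tx": tx["id"], "user": ctx["user"], "outcome": outcome, "reasons": reasons})
    if outcome == HOLD_FOR_APPROVAL:
        pending[tx["id"]] = {"tx": tx, "user": ctx["user"], "reasons": reasons}  # no document yet
    return outcome


def control_owner_decision(tx_id, approve, owner):
    """Release or reject a held transaction; the decision itself is logged."""
    record = pending.pop(tx_id)
    outcome = "RELEASED" if approve else "REJECTED"
    exception_log.append({"tx": tx_id, "user": record["user"], "outcome": outcome, "by": owner})
    return outcome


def reveal_on_demand(user, rights, field, value):
    """Unmask a field only for an authorised user, and log that it happened."""
    if f"REVEAL_{field}" not in rights:
        return None
    exception_log.append({"user": user, "outcome": "REVEALED", "field": field})
    return value


if __name__ == "__main__":
    ctx = {"user": "alice", "rights": {"POST_PAYMENT"}, "ip": "10.1.2.3",
           "ts": "2021-11-12T10:00", "prior_flags": 0}
    print(save({"id": "PAY-1", "amount": 75_000, "vendor_new": True}, ctx))
    print(control_owner_decision("PAY-1", True, "ap_owner"))
    print(exception_log)
```

Only one combination (a large payment to a newly created vendor) stops the save; a login from outside the network or after hours lets the transaction through but writes an exception record, which matches the interviewees' preference for tracking over blocking except for the big-ticket cases.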
