
Security Strategies for HCM Implementations
June 16, 2010

Scott Goolik, Director of Security and Controls - Symmetry
Kellie Fitzpatrick, COO Symphony Consulting

Download the presentation recording with audio from the Symmetry Knowledge Center
www.sym-corp.com/knowledge-center

Introducing Scott Goolik
Director of Security & Controls, Symmetry Corporation
14 years' experience in SAP security
Lead architect for ControlPanelGRC compliance automation tools

Symmetry Corporation
Established 1996
Based in Milwaukee WI
100% SAP focus
All SAP applications
All platforms

21st Century ERP Model
Quality: proactive support delivered by US-based experts
Accessibility: 24x7 direct access to your support team
Affordability: highly competitive, fixed price contracts

Symphony Management Consulting

One of the leading providers of SAP HCM consulting services
Established in 2002 and led by experienced SAP HCM consultants
We strive to not only assist you in your current need, but to become a trusted advisor to your organization
SAP Services Partner since 2007
Industry focus includes Chemicals, Healthcare & Biotech, Manufacturing & Distribution, Pharmaceuticals and State & Local Government
Need help from an expert? Symphony's experts provide complimentary answers to some of your most difficult questions!
Visit us at http://www.symphonyhcmexperts.com

Introducing Kellie Fitzpatrick
Chief Operating Officer
Co-owner Symphony Consulting
Over 15 years' experience in scoping, planning, implementing and upgrading SAP Human Resources

What We Will Learn

Determine when you should consider a separate landscape and when you should consider a combined landscape.
Understand the limitations of implementing on a separate instance and the level of maintenance required.
See real-life examples of companies that have implemented on separate landscapes, those that have implemented on the same landscape, and why that decision was right for them.

Single vs. Separate SAP Instances When Implementing HCM

What does it mean?

Single Instance
  One instance of SAP across all business functions
  One transport path across all systems
  When SAP is currently installed on a single landscape it is Dev / QA / Prod only

Separate Instance
  There are two different SAP instances running
    Potentially one for FI, MM, SD, PM, CRM
    Another for HCM
  Transports run across one landscape
  Data is interfaced between multiple systems via an ALE
  Data is configured twice (once on each system)**
  There are usually 2 of each box

** This typically means multiple maintenance and can result in inaccurate data or data integrity issues

Single Instance Advantages

Real-time data for all business functions in one system
No need to transfer data across multiple instances via an interface (ALE) or configuration
Support packs can be implemented for only HCM
Configuration is tested, transported and configured to meet total business requirements one time and in one system
Master data is accessed through a single point of entry
  Global headcount reporting
  Compliance reporting
  Budget preparation
One system to maintain with reduced costs
Security administration should be monitored on an ongoing basis
  ControlPanelGRC can help and will be discussed later in this presentation

Single System Disadvantages

HCM requires support packs and updates multiple times a year
  Usually four times a year, but definitely year-end
  Typically requires the entire organization to shut down the system over a weekend for a few hours
Requires Unicode compliance if implementing in multiple countries
  Language and currency issues are addressed
HCM Talent Management functionality recommends at least ECC 5.0
  Encourage ECC 6.0 due to functionality enhancements
  Enhancement Pack 4 or above should also be installed

Benefits of a Separate System for HCM

One system which is dedicated to only HCM data requirements
Organization is running multiple large payrolls across multiple countries
  Can cause the system to run slower if running during the workday
  Either way we would recommend you run after hours in a batch session
Time is evaluated for a large employee population at the same time
  Can cause the system to run slower if running during the workday
  Either way we would recommend you run after hours in a batch session
Safe Harbor laws prevent employee data from being housed in a different country
  If this is a concern, other entities have procured waivers from their employees to allow this to be done (e.g., P&G, Coke, PolyOne)

Separate System Advantages

Ability to upgrade and apply support packs whenever necessary
System downtime for the rest of the organization is decreased
Ability to implement SAP HCM with the latest and greatest functionality if the rest of the organization is on a lower SAP version
Ability to run payroll/time across multiple countries with minimal impact to departments outside HR
Localization issues arising from Safe Harbor restrictions are minimized or eliminated

Separate System Disadvantages

ALE needs to be created and run for HR-required data related to
  Cost Centers
  G/L Accounts
  Work Orders
  Activity Types
Inability to have data in one system available in real time
  Reporting may lag by 24 hours
  Ability to set up specific items which relate to FI
  Positions, Departments, Jobs (Cost Center integration)
Users may need to sign into multiple systems to complete their position responsibilities

Separate System Disadvantages

Additional costs may be incurred by
  Multiple upgrades
  Multiple support streams
  Multiple configuration tasks
  Multiple system maintenance
Requirement to understand two landscapes with multiple types of configuration with very different data
  When the other system upgrades data we need to test on both systems to ensure the data flow is not compromised

Common Misconceptions of Why a Separate Instance is Needed

HR support packs require us to apply support packs for every other module
There is too much HR data to allow us to incorporate it on one instance
Reporting is much more labor intensive
Security issues are major
  HR data is not secure if it is on the same system
  Employees have access to items they shouldn't
A portal will open us up to data integrity and liability issues

Large Organization - Same System

System Requirements
  21,000 users
  Over 75,000 Employees all on ESS
  35 countries
  22 languages
Modules Implemented - Finance, HR, Materials, Production Planning, CRM
Specific HCM
  PA, OM, PY, Time, ESS, MSS Globally
  Payroll runs in batch at night
  Time Eval runs in batch at night
Security is assigned primarily to positions (structural) in order to ensure the system is locked down

Mid-size Organization - Same System

System Requirements
  500 users
  Over 3,000 Employees all on ESS
  US only
  2 languages
Modules Implemented - Finance, HR, Materials, Production Planning, CRM
Specific HCM
  PA, OM, BN, PY, Time, ESS, MSS, Talent Management
  Payroll runs in batch at night
  Time Eval runs in batch at night
Security is set up by person and is monitored frequently

Large Organization - Separate System

Standardized on a common IT backbone
  15,000 users
  Over 100,000 Employees
  45 countries
  175 legal entities
  18 languages
Modules Implemented - Finance, HR and Supply Chain
Due to size and requirements of payroll processing, HCM is on a separate instance
  ALE is run at night and new positions are created the next day

Mid-size Company Example - Separate System

System Background
  1,000 users
  Over 5,000 Employees
  12 countries
  8 languages
SAP Environment 4.6c
  Finance does not have a need to upgrade
  Finance did not want to apply support packs to all modules at the same time**
  There was no compelling reason to upgrade
HR ECC 6.0
  Required Talent Management functionality
  Security team did not want to continuously update employees
    This was not necessary; however, they were never told the system has structural authorization capability
** The rest of the organization was on 4.7; prior to ECC 5.0 all modules had to apply support packs together
Data is being configured in two systems
  Sometimes it isn't completed for weeks (workload issue)

Security & HCM

Security is not a reason for a separate landscape
Authorization flexibility in SAP is a key component to its value proposition
All critical data can be restricted!
  Can require a culture change
Remediation project is generally required for live customers during HCM implementation

Step 1 - Review of HCM Authorizations in existing Roles

Review of P Authorization Objects in existing Roles
  Or any Object in the HR Class!
Needs to be reviewed and likely removed or restricted further
If not required, update SU24 so you don't accidentally provide access in the future!

Step 1 - Review of P_ORGIN in existing Roles

P_ORGIN is commonly in existing Roles
Authorization controls access to HCM Master Data (very sensitive)
Can be automatically proposed when Production Planning Transactions are added to Roles
Not likely required if there was no HCM data available in the system!
Consider activating P_ORGINCON in the HCM system instead of P_ORGIN to increase future flexibility!

Step 1 - Review of PLOG in existing Roles

PLOG is commonly in existing Roles
Authorization controls access to the HCM Organizational Structure
Can be automatically proposed when Production Planning, Controlling, or other Transactions are added to Roles
These might be required going forward, as the structures are used for more than just HCM
Need to restrict the OTYPE field accordingly
  Exclude any HCM Object Types in use: definitely O, S, P, but check with your HCM team for others!

Step 1 - Review of P_ABAP in existing or new HCM Roles

P_ABAP could be in existing Roles, but will be in HCM Roles
Provides the ability to bypass HCM Master Data Authorization checks during report execution
  Useful to provide someone with the ability to run a telephone list without giving them access to underlying HCM data
Watch for this Authorization in Roles with the REPID field set to wildcard or report SAPDBPNP!
Recommend updating SU24 so that you don't accidentally provide this access

Step 2 - Sensitive Authorizations in existing and new Roles

Sensitive Authorizations can accidentally compromise data privacy
  Display of Spool Output belonging to the Payroll Manager
  Displaying HCM Infotype data via SE16 or ABAP Query
We'll provide some examples of what to look out for
  Not a complete list, just getting you pointed in the right direction!

Step 2 - remove S_DEVELOP from end-user Roles

S_DEVELOP enables maintenance of ABAP Workbench Objects...
  Which is bad in non-Development Systems
Debug Replace (Activity 02 for Object Type DEBUG)
  Enables Users to step around Authority-Checks
Debug Display (Activity 03 for Object Type DEBUG)
  Enables Users to view data in Internal Tables before Authority-Checks determine access is not allowed
In general, no end-user should have any S_DEVELOP Authorization!

Step 2 - remove S_BTCH_NAM from end-user Roles

S_BTCH_NAM enables Users to submit a batch job as someone else
  If I'm not Authorized to run an HCM report, I can schedule it as our Payroll Manager
End-users rarely need S_BTCH_NAM Authorizations
  Occasionally, Payroll Administrators might need this Authorization for the Background User that runs payroll
End-users should not have S_BTCH_NAM with a wildcard!

Step 2 - restrict S_TABU_DIS in end-user Roles

S_TABU_DIS enables Users to display tables via SE16 or ABAP Query
  Use of SE16 and ABAP Query (i.e., SQ01-03) really should be limited to your IT folks (at a minimum)
  ABAP Queries can be assigned to Transactions for end-users
  Displaying tables via these methods bypasses all HCM Authorizations
HCM data is generally stored in tables assigned to P Authorization Groups
  Some HCM tables are unclassified, causing risk for the &NC& Authorization Group
  Need to restrict S_TABU_DIS from having access to Authorization Groups that start with P and &NC&
  Existing unclassified Tables need to be assigned to an Authorization Group!

Step 2 - remove S_SPO_ACT from end-user Roles

S_SPO_ACT enables Users to access Spool Requests belonging to other Users
  Would allow a User to view reports printed by my Payroll Manager
In general, this Authorization should be removed from all Users
  In some cases, it may be reasonable to provide groups of Users with the ability to display spools generated by a specific background user
Verify that SPOAUTH is not set to wildcard in Roles!

Step 3 - Continuous Monitoring

Once Security is restricted, we need to make sure that it stays restricted
  Don't want to find out about a breach after it's too late!
Establish procedures for periodic review of Sensitive Authorizations
Other companies have used automated tools like ControlPanelGRC Risk Analyzer
  Enables periodic or real-time review of risks!
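One way to turn the Step 1 to Step 3 checklist into a repeatable review is to scan an export of the role authorization values for exactly the objects and field values named on the slides. The script below is an added example, not code from the presentation, Symmetry or ControlPanelGRC; it assumes the rows were exported from table AGR_1251 with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW and HIGH, and the sample rows are constructed. It goes slightly beyond the slides in one respect: the covers() helper evaluates SAP value patterns (full wildcard, trailing-asterisk prefix, LOW..HIGH ranges), so a DICBERCLS range such as A to Z is also recognised as reaching the P* table authorization groups.

```python
"""Added example (not from the presentation): scan an export of SAP role
authorization values for the sensitive settings called out in Steps 1 to 3.

Assumptions: rows are exported from table AGR_1251 (role authorization data)
with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH. The sample rows
are constructed for illustration and do not describe real roles."""
from collections import defaultdict

# Constructed sample export: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)
SAMPLE_ROWS = [
    ("Z_PAYROLL_ADMIN", "S_DEVELOP", "T-A001", "OBJTYPE", "DEBUG", ""),
    ("Z_PAYROLL_ADMIN", "S_DEVELOP", "T-A001", "ACTVT", "03", ""),
    ("Z_HR_REPORTING", "S_BTCH_NAM", "T-B001", "BTCUNAME", "*", ""),
    ("Z_HR_REPORTING", "S_TABU_DIS", "T-C001", "DICBERCLS", "PA", ""),
    ("Z_HR_REPORTING", "S_TABU_DIS", "T-C001", "ACTVT", "03", ""),
    ("Z_HR_REPORTING", "P_ABAP", "T-D001", "REPID", "SAPDBPNP", ""),
    ("Z_HR_REPORTING", "P_ABAP", "T-D001", "COARS", "*", ""),
    ("Z_FIN_DISPLAY", "S_TABU_DIS", "T-C002", "DICBERCLS", "FC", ""),
    ("Z_FIN_DISPLAY", "S_TABU_DIS", "T-C003", "DICBERCLS", "&NC&", ""),
    ("Z_FIN_DISPLAY", "S_SPO_ACT", "T-E001", "SPOAUTH", "*", ""),
    ("Z_FIN_DISPLAY", "S_SPO_ACT", "T-E001", "SPOACTION", "DISP", ""),
    ("Z_PP_PLANNER", "PLOG", "T-F001", "OTYPE", "*", ""),
    ("Z_PP_PLANNER", "P_ORGIN", "T-G001", "INFTY", "*", ""),
    ("Z_CLEAN_ROLE", "S_TABU_DIS", "T-C004", "DICBERCLS", "FC", ""),
    ("Z_CLEAN_ROLE", "PLOG", "T-F002", "OTYPE", "K", ""),  # K (cost center) only
]

HCM_OTYPES = ("O", "S", "P")  # org unit, position, person; ask the HCM team for others


def covers(low, high, value):
    """True when a LOW/HIGH authorization value covers `value`: '*' is a full
    wildcard, a trailing '*' is a prefix pattern, a non-empty HIGH is a range."""
    if high:
        return low <= value <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def is_hr_auth_group(low, high):
    """S_TABU_DIS DICBERCLS value that reaches P* groups or &NC& (unclassified)."""
    if low == "*" or low.startswith("P") or covers(low, high, "&NC&"):
        return True
    return bool(high) and low <= "P" <= high  # a range such as A..Z spans the P* groups


def group_authorizations(rows):
    """Collect LOW/HIGH pairs per field for each (role, object, authorization)."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        auths[(role, obj, auth)][field].append((low, high))
    return auths


def check_authorization(role, obj, fields):
    """Apply the slides' rules to one authorization; return a finding tuple or None."""
    def any_value(field, pred):
        return any(pred(low, high) for low, high in fields.get(field, []))

    if obj == "S_DEVELOP":
        debug = any_value("OBJTYPE", lambda l, h: covers(l, h, "DEBUG"))
        if debug and any_value("ACTVT", lambda l, h: covers(l, h, "02")):
            return (role, obj, "high", "Debug Replace (DEBUG/02) steps around authority checks")
        if debug and any_value("ACTVT", lambda l, h: covers(l, h, "03")):
            return (role, obj, "high", "Debug Display (DEBUG/03) exposes internal tables")
        return (role, obj, "medium", "S_DEVELOP present; no end user should have it")
    if obj == "S_BTCH_NAM" and any_value("BTCUNAME", lambda l, h: l == "*"):
        return (role, obj, "high", "BTCUNAME * lets the user submit jobs as anyone")
    if obj == "S_TABU_DIS" and any_value("DICBERCLS", is_hr_auth_group):
        return (role, obj, "high", "DICBERCLS reaches P* or &NC& table authorization groups")
    if obj == "S_SPO_ACT" and any_value("SPOAUTH", lambda l, h: l == "*"):
        return (role, obj, "high", "SPOAUTH * allows display of other users' spool requests")
    if obj == "P_ABAP" and any_value("REPID", lambda l, h: l == "*" or covers(l, h, "SAPDBPNP")):
        return (role, obj, "high", "P_ABAP REPID wildcard/SAPDBPNP bypasses HCM master data checks")
    if obj == "PLOG" and any(any_value("OTYPE", lambda l, h, t=t: covers(l, h, t)) for t in HCM_OTYPES):
        return (role, obj, "medium", "PLOG OTYPE covers O/S/P; restrict unless the role is for HCM")
    if obj == "P_ORGIN":
        return (role, obj, "medium", "P_ORGIN present; remove unless HCM master data access is required")
    return None


def scan(rows):
    """Return findings as (role, object, severity, detail), highest severity first."""
    order = {"high": 0, "medium": 1}
    findings = []
    for (role, obj, _auth), fields in group_authorizations(rows).items():
        finding = check_authorization(role, obj, fields)
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: (order[f[2]], f[0], f[1]))


def roles_with_findings(findings):
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for role, obj, severity, detail in scan(SAMPLE_ROWS):
        print(f"{severity:6} {role:16} {obj:10} {detail}")
```

Feed it a periodic AGR_1251 export (or the output of your role analysis tool) and diff the findings against the previous run; a new "high" line is the signal that a remediated role has regressed. The PLOG and P_ORGIN rules are rated medium because whether they are legitimate depends on the role's purpose, which the export alone cannot tell you.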

Data in Non-Productive Systems

Authorization restrictions are required in any system that contains live Production data
  This could impact more than just the end-user community in Development and Q/A environments!
Consider data scrambling to free up User Authorizations in the environment
  Scramble Names, SSN, Birthday, Addresses, Pay/Additional Pay, Benefits Information, EH&S data, etc.
  Symmetry has tools and/or services to assist!
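As an added illustration of the data scrambling the slide recommends (this is not Symmetry's tool or service, and not code from the presentation), the routine below replaces names, SSN, birth date, address and pay in a constructed set of HR records. It assumes a secret key that is held outside the non-production system, and the record layout and field names are illustrative rather than SAP infotype fields.

```python
"""Added example, not the presentation's or Symmetry's tooling: deterministic,
keyed scrambling of HR master data for a Development or Q/A copy. Assumes a
secret key kept outside the non-production landscape; the records and field
names are constructed for illustration and are not SAP infotype fields."""
import datetime as dt
import hashlib
import hmac
import re

# Constructed sample records (not real people); the third row is the same
# person appearing again, as happens when several tables are copied.
SAMPLE_RECORDS = [
    {"pernr": "00001001", "first": "Ada", "last": "Example", "ssn": "123-45-6789",
     "dob": "1975-03-14", "street": "12 Real Street", "pay": 5400.00},
    {"pernr": "00001002", "first": "Bob", "last": "Sample", "ssn": "987-65-4321",
     "dob": "1982-11-02", "street": "7 Main Ave", "pay": 5400.00},
    {"pernr": "00001001", "first": "Ada", "last": "Example", "ssn": "123-45-6789",
     "dob": "1975-03-14", "street": "12 Real Street", "pay": 6100.50},
]

FIRST = ["Alex", "Casey", "Dana", "Jordan", "Morgan", "Riley", "Sam", "Taylor"]
LAST = ["Adams", "Baker", "Clark", "Diaz", "Evans", "Foster", "Gray", "Hughes"]
STREETS = ["Oak Street", "Pine Avenue", "Cedar Road", "Maple Lane", "Birch Court"]
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


class Scrambler:
    """Keyed pseudonymization: the same input always maps to the same substitute
    (so joins across copied tables still line up), and without the key the
    substitute can neither be reversed nor reproduced."""

    def __init__(self, key: bytes):
        self.key = key

    def _num(self, domain: str, value: str) -> int:
        mac = hmac.new(self.key, f"{domain}:{value}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "big")

    def name(self, first: str, last: str):
        n = self._num("name", f"{first}|{last}")
        return FIRST[n % len(FIRST)], LAST[(n >> 16) % len(LAST)]

    def ssn(self, ssn: str) -> str:
        # Every digit comes from the MAC; nothing of the real number survives
        n = self._num("ssn", ssn)
        area = 100 + n % 566               # 100-665 keeps the format plausible
        group = 1 + (n >> 12) % 99
        serial = 1 + (n >> 24) % 9999
        return f"{area:03d}-{group:02d}-{serial:04d}"

    def dob(self, iso_date: str, window_days: int = 120) -> str:
        # Shift within +/- window so age bands and year-end tests stay realistic
        shift = self._num("dob", iso_date) % (2 * window_days + 1) - window_days
        return (dt.date.fromisoformat(iso_date) + dt.timedelta(days=shift)).isoformat()

    def street(self, street: str) -> str:
        n = self._num("street", street)
        return f"{1 + n % 999} {STREETS[(n >> 12) % len(STREETS)]}"

    def pay(self, pernr: str, amount: float) -> float:
        # Keyed on the employee too, so equal salaries do not scramble alike;
        # 80-120% of the original keeps payroll test runs plausible
        factor = 0.8 + (self._num("pay", f"{pernr}|{amount}") % 4001) / 10000
        return round(amount * factor, 2)

    def record(self, rec: dict) -> dict:
        first, last = self.name(rec["first"], rec["last"])
        return {
            "pernr": rec["pernr"],  # personnel number kept: it is the join key
            "first": first, "last": last,
            "ssn": self.ssn(rec["ssn"]),
            "dob": self.dob(rec["dob"]),
            "street": self.street(rec["street"]),
            "pay": self.pay(rec["pernr"], rec["pay"]),
        }


def scramble_records(records, scrambler: Scrambler):
    return [scrambler.record(r) for r in records]


def dob_shift_days(original_iso: str, scrambled_iso: str) -> int:
    """Days between the real and the scrambled date (used for verification)."""
    return abs((dt.date.fromisoformat(scrambled_iso) - dt.date.fromisoformat(original_iso)).days)


if __name__ == "__main__":
    for out in scramble_records(SAMPLE_RECORDS, Scrambler(b"constructed-demo-key")):
        print(out)
```

Keying the substitution with an HMAC is what makes the scrambled copy usable: the same person scrambles the same way in every table, so Q/A joins and payroll test scenarios keep working, while the key, which never enters the non-production landscape, is what stops anyone from rebuilding the mapping. Run it on the copy only, and use a fresh key each time the environment is refreshed from Production.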

7 Key Points to Take Home

1. Implementations of HCM do not require separate instances
2. Real-time data is essential to the daily operations of business
3. Symphony is an SAP HCM only firm with extensive experience in global and local implementations
4. Security should never be the reason to have a separate HCM landscape
5. Security can be adapted to protect sensitive HCM data
6. Tools like ControlPanelGRC can be used to provide assurance that sensitive data is restricted to appropriate Users
7. Symmetry can assist with security architecture design and implementation, or risk assessment and remediation specifically for HCM



Heather Mickelson, 414-732-2738, hmickelson@sym-corp.com
Kellie Fitzpatrick, 704-556-2288, Kfitzpatrick@symphony-consulting.com
Scott Goolik, 414-732-2740, scott.goolik@sym-corp.com
