
TETRIX – SAP Security

Future Setup
CONFIDENTIAL
Summary

• SAP system setup issues
• Concerns and observations
• Role design issues


Concerns and Observations

Skill and awareness issues

• No dedicated resources for SAP security.
• The current Basis team doesn’t have sufficient skills to define and manage the security setup.
• Lack of business process understanding.
• Insufficient awareness of security standards and configurations.
• Multiple wrong practices were observed which are drastically impacting the security posture.
• Concerns about the sustainability of the new design in the near future due to the above issues.

Concerns and Observations

SAP System Setup issues

• Weak passwords for many interface/service accounts.
• Passwords not changed in many years for some of the interface users.
• Interface/service user accounts used as dialog users to perform critical activities with no tracking.
• Basis has extensive access to view sensitive business data, perform business transactions and change master data, which is very bad practice.

Role Design issues

Critical Business Transactions

• IT and BPMs have highly elevated access without any monitoring.
• Many business users have access to other business areas which are not their primary responsibility.
• Multiple users have access to perform user management, role changes and many other critical administrative activities.
• Many users have access to execute programs in the production system with transactions such as SE38/SA38/SE37.

SoD (Segregation of duties)

• Insufficient awareness of SoD within business functions.
• Full SoD risk assessment and control design is needed to ensure compliance.
• Provisioning process needs improvement to ensure robust security and SoD.
