This document discusses security issues with an SAP system setup, including a lack of dedicated security resources and skills, weak passwords that have not been changed for interface users, excessive access privileges for basis administrators and business users, and insufficient role design that does not properly enforce segregation of duties principles. It notes multiple serious security risks and concerns about sustainability without addressing these issues.
Concerns and observations
• The current basis team does not have sufficient skills to define and manage the security setup.
• Lack of business process understanding.
• Insufficient awareness of security standards and configurations.
• Multiple wrong practices observed which are drastically impacting the security posture.
• Concerns about the sustainability of the new design in the near future due to the above issues.
SAP System Setup issues
• Weak passwords for many interface/service accounts
• Passwords not changed in many years for some of the interface users.
• Interface/service user accounts used as dialog users to perform critical activities with no tracking.
• Basis has extensive access to view sensitive business data, perform business transactions and change master data, which is a very bad practice.
Role Design issues
Critical Business Transactions
• IT and BPM’s have highly elevated access without any monitoring
• Many business users have access to other business areas which are not their primary responsibility.
• Multiple users have access to perform user management, role changes and many other critical administrative activities.
• Many users have access to execute programs in the production system with transactions such as SE38/SA38/SE37.
SoD (Segregation of duties)
• Insufficient awareness for SoD within business functions
• A full SoD risk assessment and control design is needed to ensure compliance.
• The provisioning process needs improvement to ensure robust security and SoD.
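The findings under "SAP System Setup issues" (stale interface passwords, service accounts used as dialog users) and under "Role Design issues" / "SoD" (program-execution transactions in production, conflicting administrative access) can all be checked mechanically against exported user master data. The script below is an added example written for this page, not code from the original document or from SAP; it works on a constructed in-memory sample instead of a real export. The record layout (user type, last password change, transactions reachable through assigned roles, an "interface account" flag) and the SoD rule pairing user administration (SU01) with role maintenance (PFCG) are assumptions made for illustration; only SE38/SA38/SE37 come from the page.

```python
from dataclasses import dataclass
from datetime import date

# Simplified user master record. Field names are assumptions; a real check
# would populate them from an export of the SAP user and role tables.
@dataclass(frozen=True)
class SapUser:
    name: str
    user_type: str            # "DIALOG", "SYSTEM", "COMMUNICATION" or "SERVICE"
    last_pw_change: date
    tcodes: frozenset         # transaction codes reachable via assigned roles
    is_interface: bool = False  # taken from the interface inventory (assumed)

MAX_INTERFACE_PW_AGE_DAYS = 365
# Program-execution transactions named on the page that should not be
# assigned to ordinary users in a production client.
DEV_TCODES_IN_PROD = frozenset({"SE38", "SA38", "SE37"})
# Illustrative SoD rule set (assumed): each rule is a pair of transaction
# groups that a single user must not hold together.
SOD_RULES = {
    "user administration vs role maintenance": (frozenset({"SU01"}), frozenset({"PFCG"})),
}

# Constructed sample data for the example; not real customer data.
SAMPLE_USERS = [
    SapUser("RFC_MES", "SYSTEM", date(2015, 1, 10), frozenset(), is_interface=True),
    SapUser("RFC_EDI", "DIALOG", date(2023, 6, 1), frozenset({"SE38"}), is_interface=True),
    SapUser("BASIS01", "DIALOG", date(2024, 1, 15), frozenset({"SU01", "PFCG", "SE38", "SA38"})),
    SapUser("ROLE_ADMIN", "DIALOG", date(2024, 2, 1), frozenset({"PFCG"})),
]

def stale_interface_passwords(users, today, max_age_days=MAX_INTERFACE_PW_AGE_DAYS):
    """Interface accounts whose password is older than the allowed age."""
    return sorted(u.name for u in users
                  if u.is_interface and (today - u.last_pw_change).days > max_age_days)

def interface_accounts_used_as_dialog(users):
    """Interface accounts created as DIALOG users, i.e. usable for interactive logon."""
    return sorted(u.name for u in users if u.is_interface and u.user_type == "DIALOG")

def dev_tcode_access_in_prod(users):
    """Users who can reach program-execution transactions; value lists which ones."""
    return {u.name: sorted(u.tcodes & DEV_TCODES_IN_PROD)
            for u in users if u.tcodes & DEV_TCODES_IN_PROD}

def sod_conflicts(users, rules=SOD_RULES):
    """Users holding both sides of at least one SoD rule; value lists the rule names."""
    conflicts = {}
    for u in users:
        hits = [rule for rule, (side_a, side_b) in rules.items()
                if u.tcodes & side_a and u.tcodes & side_b]
        if hits:
            conflicts[u.name] = hits
    return conflicts

def run_audit(users, today):
    """Collect all four checks into one report dictionary."""
    return {
        "stale_interface_passwords": stale_interface_passwords(users, today),
        "interface_accounts_as_dialog": interface_accounts_used_as_dialog(users),
        "dev_tcodes_in_prod": dev_tcode_access_in_prod(users),
        "sod_conflicts": sod_conflicts(users),
    }

if __name__ == "__main__":
    for check, result in run_audit(SAMPLE_USERS, date(2024, 3, 1)).items():
        print(f"{check}: {result}")
```

On the constructed sample the report flags RFC_MES for its 2015 password, RFC_EDI as an interface account that can log on interactively, both RFC_EDI and BASIS01 for SE38/SA38 access, and BASIS01 for combining SU01 with PFCG. Running the same checks on a periodic export is one way to turn the observations above into a repeatable control rather than a one-off review.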