How to streamline the SAP exemption process using attribute-based access controls

Secure, compliant, and effective business processes are critical to any business. In SAP, segregation of duties (SOD) is the control that underpins them.

What happens when an SAP SOD exception is needed?

Often, a single user ends up holding positions and rights that present a conflict of interest. The employee may be part of a small team, or a security clearance may prohibit others from participating. Whatever the reason, this user needs the ability to handle multiple steps of a business process, as an exception.

This is where things get tricky. Once an exception is granted, the otherwise healthy preventive controls no longer function for that user. This is one of the most significant weaknesses of SAP's static, role-based access control.

Moving from a preventive to a detective approach

… With exceptions in place, you now have to collect access logs, filter out false positives, and send what remains to the appropriate owner for review and sign-off. Besides the additional overhead of manual checks and approvals, detective controls leave room for human error and maximize the dwell time before a red flag is spotted.

So why are SAP SOD controls limited?

Without the ability to distinguish possible violations from real violations, proactive tests are a non-starter. The (preventive) SAP access controls assess authorizations based on two things: 1.) the user's role and 2.) task-dependent permissions (think transactions). Although this works in the vast majority of situations, implementing SAP SOD properly requires more granular controls.

Consider what an actual SAP SOD violation entails.

The main aim of SAP SOD is to eliminate conflicts of interest in business processes. Conflicting transactions, however, are not necessarily a conflict of interest unless they act on the same subject.

For example, a user both creates and approves purchase orders. Looking only at transactions, this appears to be a breach. Looking deeper into the PO details, the user may never have created and approved the same PO, in which case there was no violation.

SAP can show you 1.) user and role, and 2.) transactions, but the third component is missing: the field-level values in the PO itself. This lack of visibility into attributes beyond functions and permissions makes preventive controls a non-starter and clutters SAP SOD audit logs with false positives whenever exceptions are granted.

The solution to this problem? Enforcing SAP SOD with attribute-based access controls

Attribute-based access control (ABAC) uses “attributes” in authorization decisions. These attributes can come from user information such as role, department, nationality, or even the security clearance level of a user. Contextual attributes of the access itself, such as IP address, location, time, device, and the transaction, can also be considered. For SAP SOD, data attributes can now be included in the authorization logic: SAP field-level values can be used to decide whether to block or allow a transaction, and the same details can be used in reporting.

In the example above, data attributes can be used to determine that a user performed the first transaction on a given PO and to infer that the second transaction on the same PO would result in a violation.
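As an added illustration (not code from the original post or from Appsian), the following Python sketch contrasts a transaction-only SOD check with a hybrid RBAC+ABAC decision over a constructed pair of purchase orders; the role names, action names and PO data are assumptions, not SAP transaction codes:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed RBAC layer: each role grants transaction-level rights.
# Role and action names are assumptions, not SAP transaction codes.
ROLE_PERMISSIONS = {
    "po_creator": {"create_po"},
    "po_approver": {"approve_po"},
}

@dataclass
class PurchaseOrder:
    po_id: str
    created_by: str          # the data attribute the ABAC layer reasons about
    approved_by: Optional[str] = None

def rbac_allows(user_roles, action):
    """Static RBAC: does any of the user's roles grant the transaction?"""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)

def transaction_level_conflict(user_roles):
    """What a transaction-only SOD check sees: the user can both create and approve."""
    return rbac_allows(user_roles, "create_po") and rbac_allows(user_roles, "approve_po")

def hybrid_decision(user, user_roles, action, po, audit):
    """RBAC first, then the PO's own attribute decides whether this is a real SOD violation."""
    if not rbac_allows(user_roles, action):
        audit.append((user, action, po.po_id, "deny", "no role grants this transaction"))
        return False
    if action == "approve_po" and po.created_by == user:
        audit.append((user, action, po.po_id, "deny", "actual SOD violation: approver created this PO"))
        return False
    if action == "approve_po":
        po.approved_by = user
    audit.append((user, action, po.po_id, "allow", "no conflict on this document"))
    return True

def run_scenario():
    """Exception user 'alice' holds both roles; only the self-approval is blocked."""
    audit = []
    alice_roles = {"po_creator", "po_approver"}
    po_own = PurchaseOrder("PO-1001", created_by="alice")   # constructed sample data
    po_other = PurchaseOrder("PO-1002", created_by="bob")
    flagged = transaction_level_conflict(alice_roles)       # True: static check sees a conflict
    own = hybrid_decision("alice", alice_roles, "approve_po", po_own, audit)       # False
    other = hybrid_decision("alice", alice_roles, "approve_po", po_other, audit)   # True
    return flagged, own, other, audit
```

The audit list records each decision with its reason, so a reviewer sees one real violation rather than a blanket flag on every approval the exception user performs.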

Combining SAP's role-based access control (RBAC) with an attribute-based access control (ABAC) solution enables the granular control and visibility that provide wide-ranging business benefits.

Flexibility in SAP SOD exception situations: the RBAC + ABAC hybrid

The RBAC+ABAC hybrid solution makes it possible to implement preventive controls in exceptional SAP SOD scenarios. By doing so, you can offer users considerable flexibility while still preventing any actual violations.

Together, this hybrid approach (RBAC+ABAC) enables a dynamic SAP SOD model that avoids violations, allows the flexibility of assigning conflicting roles where necessary, and strengthens role-based policy to prevent over-provisioning.

RBAC+ABAC Hybrid Using Appsian

Appsian adds an additional authorization layer to SAP GRC Access Control that correlates user, data, and transaction attributes with identified SAP SOD conflicts in order to block conflicting transactions at runtime.

Contact Us to learn more about how a hybrid access control approach can strengthen your organization.
