Comprehensive authorization management and the SoD analysis that comes with it are essential measures in safeguarding SAP systems, especially in the context of compliance. However, problems can arise when connecting external solutions to an SAP landscape. SAP Ariba, for example, comes with its own role and authorization concept - one that often doesn't match the SAP standard. This makes truly comprehensive SoD analysis simply impossible.
The solution? Cross-system authorization management that monitors roles and authorizations while factoring in all the relationships among them. The authorization management module of SAST SUITE makes it possible to customize SoD functions in a way that incorporates roles and permissions into SoD analysis, even when non-SAP systems like Ariba are involved.
In this webinar, you'll learn how to take control of extensive SoD and business process analyses while identifying authorization conflicts across multiple systems.
For information in German, feel free to contact us: sast@akquinet.de
2. Migration of your SoD analyses into the SAP Cloud Apps.
SAP extension using external systems / cloud applications
Systematics / Differences in authorizations and users
SAST Central Identity Module
Authorization analyses for ARIBA as an example
Q & A
3. The SAP Identity and Account Problem in Practice
Where does an identity's account have authorizations? And which ones?
ID: P261165 (Max Müller)
SAP P11/100: MMUELER
SAP P21/200: P261165
Max.Mueller@Kunde.de
SAP P31/300: P261165
DB User: MUELLER
Max.Mueller@4711.kunden.sap.de
4. SAP extension using external systems / cloud applications
SoD conflict using SAP ERP and Ariba integration as examples
Account: Max.Mueller@Kunde.de, Group: SUBMIT_PO
Account: P261165, Role: MAINTAIN_VENDOR
SoD conflict between the two assignments
(Diagram: SAP ERP connected to Ariba via the SAP Ariba Cloud Integration Gateway)
5. SAP extension using external systems / cloud applications
Requirements from practical user and authorization administration
Cross-system account and permission list.
Checking permissions:
Single critical / sensitive permissions.
Separation of duties (SoD) within one system.
Separation of duties (SoD) across system boundaries.
Option to mitigate risks at all levels.
Central evaluation without duplicating IT systems.
Integration into existing SAST scenarios.
6. Systematics / Difference in user and authorization management
Terminology
Identity: Describes a unique characteristic of a natural/technical person.
Account: Describes a user account in a defined IT system.
Role:
In SAP context, a set of users and their permissions (object, field, value).
In non-SAP context, a grouping of permissions (characteristics such as CREATE_PO).
Group: A set of users in a non-SAP context.
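The following script is an added example, not code from the webinar or from SAST SUITE. It models slides 3, 4 and 6: accounts are first resolved to one identity (identity P261165 with its accounts MMUELER, P261165 and Max.Mueller@Kunde.de from slide 3), SAP roles and non-SAP groups are normalised to business functions, and SoD rules are then evaluated over the union of those functions. A second identity, the system label "ARIBA", the role DISPLAY_VENDOR, the function names and the rule name are constructed for illustration. Comparing the per-system and the cross-system view shows why the SUBMIT_PO / MAINTAIN_VENDOR conflict of slide 4 is invisible to a single-system check.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Account:
    """A user account in one defined IT system (slide 6 terminology)."""
    system: str   # e.g. "P21/200" for an SAP system/client; "ARIBA" is an assumed label
    user: str     # account name as it appears in that system


# Constructed identity store: identity -> accounts across all connected systems.
# P261165 and its accounts follow slides 3 and 4; P300002 is constructed.
IDENTITIES: Dict[str, List[Account]] = {
    "P261165": [
        Account("P11/100", "MMUELER"),
        Account("P21/200", "P261165"),
        Account("P31/300", "P261165"),
        Account("ARIBA", "Max.Mueller@Kunde.de"),
    ],
    "P300002": [
        Account("P21/200", "P300002"),
        Account("ARIBA", "Erika.Muster@Kunde.de"),
    ],
}

# Constructed output of the account and role/group adapters:
# account -> assigned SAP roles or non-SAP groups.
ASSIGNMENTS: Dict[Account, Set[str]] = {
    Account("P21/200", "P261165"): {"MAINTAIN_VENDOR"},
    Account("ARIBA", "Max.Mueller@Kunde.de"): {"SUBMIT_PO"},
    Account("P21/200", "P300002"): {"DISPLAY_VENDOR"},
    Account("ARIBA", "Erika.Muster@Kunde.de"): {"SUBMIT_PO"},
}

# Normalisation: (system, role or group) -> business functions. This mapping
# is what makes an Ariba group comparable with an SAP role. Names constructed.
FUNCTIONS: Dict[Tuple[str, str], Set[str]] = {
    ("P21/200", "MAINTAIN_VENDOR"): {"VENDOR_MASTER_MAINTAIN"},
    ("P21/200", "DISPLAY_VENDOR"): set(),
    ("ARIBA", "SUBMIT_PO"): {"PO_SUBMIT"},
}

# SoD rules: a rule fires when one identity holds every function in the set.
SOD_RULES: List[Tuple[str, FrozenSet[str]]] = [
    ("vendor master vs. purchase order",
     frozenset({"VENDOR_MASTER_MAINTAIN", "PO_SUBMIT"})),
]


def functions_of(account: Account) -> Set[str]:
    """Business functions granted to one account through its roles/groups."""
    funcs: Set[str] = set()
    for role in ASSIGNMENTS.get(account, set()):
        funcs |= FUNCTIONS.get((account.system, role), set())
    return funcs


def single_system_conflicts(identity: str) -> List[Tuple[str, str, str]]:
    """Per-system view: each account judged on its own, as a tool that sees
    only one system would do. Returns (identity, system, rule) tuples."""
    hits: List[Tuple[str, str, str]] = []
    for acct in IDENTITIES[identity]:
        funcs = functions_of(acct)
        for rule, combo in SOD_RULES:
            if combo <= funcs:
                hits.append((identity, acct.system, rule))
    return hits


def cross_system_conflicts(identity: str) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Cross-system view: resolve every account to the identity, then evaluate
    the rules over the union of functions. Returns
    (identity, rule, contributing systems) tuples."""
    granted: Dict[str, Set[str]] = {}   # function -> systems that grant it
    for acct in IDENTITIES[identity]:
        for func in functions_of(acct):
            granted.setdefault(func, set()).add(acct.system)
    hits: List[Tuple[str, str, Tuple[str, ...]]] = []
    for rule, combo in SOD_RULES:
        if combo <= set(granted):
            systems = sorted({s for f in combo for s in granted[f]})
            hits.append((identity, rule, tuple(systems)))
    return hits


def report() -> Dict[str, Dict[str, list]]:
    """Both views for every identity, so the gap between them is visible."""
    return {
        ident: {
            "single_system": single_system_conflicts(ident),
            "cross_system": cross_system_conflicts(ident),
        }
        for ident in IDENTITIES
    }


if __name__ == "__main__":
    for ident, views in report().items():
        print(ident, views)
```

For P261165 the per-system view reports nothing, because no single account holds both functions; only the cross-system view, which needs the identity mapping and the role/group normalisation, flags the vendor-master/purchase-order conflict and names the two systems that contribute to it.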
7. SAST Central Identity Function
Overview
The Central Identity function provides the following functions:
Import identities from LDAP, HR, SAP, IDM.
Import of accounts from systems.
Import of roles and role assignments.
Available to first customers from SAST SUITE 5.10 SP1; planned for all customers with release 5.20.
Connection of external systems using adapters based on RFC, HTTP (SOAP/REST, XML) and file.
Support for SAP NetWeaver and Ariba from SAST SUITE 5.10 SP1; S/4HANA Cloud, HANA DB and others planned afterwards.
8. SAST Central Identity Function
"Sync on Premise" as basis for cross-system evaluations
(Diagram: identity source adapters feed the SAP on-premise SAST SUITE, which stores identities, accounts, roles, systems and ID sources; on top of that sit the info system, the SoD engine and rules, the cross-system identity/account info system, the cross-system role info system, and the authorization and SoD scan results. Each connected system is attached through an account adapter and a role/group adapter.)
11. How to integrate your SoD analyses into the SAP cloud apps.
Take Home Messages
SAST SUITE cross-system authorization analysis for non-SAP systems.
Interfaces are provided in the standard system.
Uniform "identity" required (organization and standards).
SoD analysis hybrid on-premise / cloud / non-SAP possible.
Central user overview available / no IDM functions planned.