SAP Security Workshop

The Power of Integration: Security Mapping Overview

Description: Best practice security model

Transcript of SAP Security Workshop

Page 1: SAP Security Workshop

The Power of Integration

Security Mapping Overview

Page 2: SAP Security Workshop

What Are The Objectives of the Security Role Mapping Workshop?

• Familiarize Management and Super-users with Security Concepts

• Review Global One Template Security Design

• Discuss Expectations of Mapping Sessions

• Review Role to SAP Position Mapping

• Determine SAP Role to User Mapping

• Discuss Data Owners, Who Will Be Responsible for Local User Access and Issue Resolution

• Discuss Segregation of Duties as it Relates to Security

• Next Steps

Page 3: SAP Security Workshop

Control Techniques

[Diagram: "Business Process Controls Umbrella". Risks surround the business processes (Non-SAP business processes and SAP). The control layers shown over the SAP processes are: SAP standard, SAP configured, Authorization, Monitoring, Manual.]


Page 5: SAP Security Workshop

Why Have Security?

• Helps Users Perform Their Daily Responsibilities

• Provides Accountability of User Actions

• Limits Access to Certain Update Activities

• Restricts Ability to View Sensitive Information

• Supports Audit Trails of Activities

• Protects Systems from Misuse

• Helps to Provide Data Integrity

Page 6: SAP Security Workshop

What defines a Security Role?

• Matches what a user does with where they are in the organization

• Access to perform tasks based on responsibilities
  • The Customer Service Representative has access to certain tasks
  • These tasks are known as transaction codes, e.g. VA01 - create sales order

• Access to data based on organizational responsibilities
  • The Customer Service Representative has access to create, change or view data related only to their organizational responsibilities
  • Example of organizational restriction: the Customer Service Representative can create or change a sales order (VA01 & VA02) only for the Argentina company code (AR1), but may be able to display (VA03) sales orders beyond that company code.

Page 7: SAP Security Workshop

Security Design Approach

[Diagram: SAP Transaction(s) (e.g. VA01) -> Role(s) (e.g. "Change Sales Order") -> SAP Position (e.g. "Customer Service") -> Users]

SAP transactions are assigned to roles, but a transaction should only be assigned to one role. Roles are mapped to SAP positions, which are then mapped to users.


Page 9: SAP Security Workshop

Global One Security Template

[Diagram: four waves]

Wave One: North America security design as the baseline (North American security foundation: 80%)

Wave Two: Design security for Global One (20% change from North America)

Wave Three: Final Global Template; localize Global Template

Wave Four: Final Global Template; localize Global Template

Minor changes to Global Template Security can be accommodated within reason (e.g. new transaction codes and new SAP Positions).


Page 11: SAP Security Workshop

The Enterprise Structure (Hierarchy) Drives...

• How data is defined in the system

• How SAP functionality can be designed to meet Global business requirements

• How transactional data is registered and recorded in the system

• The ability to use standard delivered reports/inquiries

• How cross-company processing takes place

• The complexity of data input

• How roles and users operate within the system, both from a security access perspective as well as from a location and organizational model perspective

Page 12: SAP Security Workshop

Organizational Structure Options and Localization

(SAP organizational object: what it can represent)

– Instance: Worldwide SAP System; Country-Specific SAP System

– Client: Global Company; Business Unit

– Company: Legal Entity; Country; Business Unit; Business Unit Segment

– Profit Center: Business Unit; Country; Market Segment; Product Line; Product Category

– Operating Concern: Global Company; Sales Organizations; Market Segments

– Controlling Area: Global Company; Country

– Cost Center: Department (Budget Center); Plant; Work Station

– Credit Control Area: Global Company; Country

– Sales Organization: Business Unit; Country; Company Code; Market Segment

– Division: Product Line; Business Unit

– Distribution Channel: Sales Channel

– Plant: Manufacturing Site; Warehouse; Distribution Center; Cost Center; Physical Building; Stockroom

– Storage Location: Stock Room; Warehouse; Plant-Defined

– Purchasing Organization: Company worldwide; Company

– Purchasing Group: Entire Purchasing Org; Buyer

– Warehouse: Storage Type; Storage Bin

Page 13: SAP Security Workshop

Scope of Organizational Hierarchy for Global One

Finance: Company Code, Chart of Accounts, Controlling Area, Profit Center, Cost Center

Order to Cash: Sales Area, Sales Organization, Distribution Channel, Division, Sales Office, Sales Group, Sales Employee

Forecast to Stock: Plant, Purchasing Organization, Purchasing Group, Storage Location, Warehouse


Page 15: SAP Security Workshop

Role Example

[Diagram: Transaction -> Role -> SAP Position -> User]

Transactions: Create Purchase Req (ME51), Change Purchase Req (ME52), Display Purchase Req (ME53), Display Materials (MM03), Create Purchase Order (ME21N), Change Purchase Order (ME22N)

Roles: Create/Change Purch Req (GM_XXX_FTS_CHG_PUR_REQ), Display Purchasing (GM_XXX_FTS_DIS_PURCHASNG), Display Master Data (GM_XXX_MDT_GEN_DISPLAY), Create/Change Purchase Order (GM_XXX_FTS_CHG_PO)

SAP Positions: Strategic Purchasing, Plant Buyer

Users: Jian Min, Carlos, Jorge, Françoise

Page 16: SAP Security Workshop

Transactions by roles

Role / Transaction / Description

GM_XXX_FTS_CHG_PO – MASTER CREATE/CHANGE PO
  ME21N Create Purchase Order
  ME22N Change Purchase Order

GM_XXX_FTS_CHG_PUR_REQ – MASTER CREATE/CHANGE PURCHASE REQ
  ME51 Create Purchase Requisition
  ME51N Create Purchase Requisition
  ME52 Change Purchase Requisition
  ME52N Modify Existing Generated Purchase Requisition
  ME56 Assign Source to Purch. Requisition
  ME57 Assign and Process Requisitions
  ME58 Ordering: Assigned Requisitions

GM_XXX_FTS_DIS_PURCHASNG – MASTER PURCHASING DISPLAY AND REPORTING
  MD04 Display Stock/Requirements Situation
  ME03 Display Source List
  ME43 Display Request For Quotation
  ME48 Display Quotation
  ME4B RFQs by Requirement Tracking Number
  ME4L RFQs by Vendor
  ME4M RFQs by Material
  ME4N RFQs by RFQ Number
  ME4S RFQs by Collective Number
  ME53 Display Purchase Requisition
  ME53N Display Purchase Requisition

GM_XXX_MDT_GEN_DISPLAY – Master Data General Display
  MM03 Display Material
  CS03 Display Material BOM
  CS09 Display Allocations to Plant
  CS11 Display BOM Level by Level
  CS12 Multi-level BOM
  CS14 BOM Comparison
  XD03 Display Customer (Centrally)
  ZMPR Production Readiness Online Report

Page 17: SAP Security Workshop

Master and Derived roles

Master Role / Derived Role / Description

GM_XXX_FIN_DIS_FINANCE – MASTER DISPLAY FINANCIAL DOCUMENTS
  GD_AME_FIN_DIS_FINANCE – DRV DISPLAY FINANCIAL DOCUMENTS - SCL
  GD_AR_FIN_DIS_FINANCE – DRV DISPLAY FINANCIAL DOCUMENTS - AR1
  GD_CL_FIN_DIS_FINANCE – DRV DISPLAY FINANCIAL DOCUMENTS - CL1
  GD_GBL_FIN_DIS_FINANCE – DRV DISPLAY FINANCIAL DOCUMENTS - ALL
  GD_PY_FIN_DIS_FINANCE – DRV DISPLAY FINANCIAL DOCUMENTS - PY1
  GD_UY_FIN_DIS_FINANCE – DRV DISPLAY FINANCIAL DOCUMENTS - UY1

GM_XXX_OTC_CHG_PICKING_WAVES – MASTER CHANGE PICKING WAVES
  GD_AME_OTC_CHG_PICKING_WAVES – CHANGE PICKING WAVES - AME
  GD_AR_OTC_CHG_PICKING_WAVES – CHANGE PICKING WAVES - AR
  GD_CL_OTC_CHG_PICKING_WAVES – CHANGE PICKING WAVES - CL
  GD_PY_OTC_CHG_PICKING_WAVES – CHANGE PICKING WAVES - PY
  GD_UY_OTC_CHG_PICKING_WAVES – CHANGE PICKING WAVES - UY
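To make the design concrete (the transaction -> role -> position -> user chain of Page 7, the company-code restriction of Page 6, and the master/derived pattern on this slide), here is an added Python model written for this edit; it is not code from the workshop, and it is not SAP's authorization engine. It simplifies SAP's check to two stages (S_TCODE, then one authorization object carrying an activity and an organizational value), gives each role a single authorization instance, restricts sales orders by company code as the Page 6 example does (a real VA01 checks the sales organization), and uses hypothetical master roles, a hypothetical position CUSTSERV_AR and the user CARLOS, all patterned on the page's naming.

```python
from dataclasses import dataclass

# SAP activity (ACTVT) values: 01 = create, 02 = change, 03 = display.
CREATE, CHANGE, DISPLAY = "01", "02", "03"

# Assumption: the activity each sales-order transaction on the page exercises.
TCODE_ACTIVITY = {"VA01": CREATE, "VA02": CHANGE, "VA03": DISPLAY}


@dataclass(frozen=True)
class Authorization:
    """One authorization instance: every field must match at the same time."""
    activities: frozenset   # ACTVT values
    org_values: frozenset   # organizational level (company codes here); "*" = all


@dataclass(frozen=True)
class Role:
    name: str
    tcodes: frozenset       # S_TCODE: transactions the role may start
    auth: Authorization


def derive(master: Role, region: str, org_values) -> Role:
    """Master/derived pattern from the slide: the derived role keeps the master's
    transactions and activities and only fills in the organizational level."""
    assert not master.auth.org_values, "a master role carries no org values"
    name = master.name.replace("GM_XXX_", f"GD_{region}_")
    return Role(name, master.tcodes,
                Authorization(master.auth.activities, frozenset(org_values)))


# Hypothetical master roles, named in the page's GM_XXX_<area>_... style.
MASTER_CHG = Role("GM_XXX_OTC_CHG_SALES_ORDER", frozenset({"VA01", "VA02"}),
                  Authorization(frozenset({CREATE, CHANGE}), frozenset()))
MASTER_DIS = Role("GM_XXX_OTC_DIS_SALES_ORDER", frozenset({"VA03"}),
                  Authorization(frozenset({DISPLAY}), frozenset()))

ROLES = {r.name: r for r in (
    derive(MASTER_CHG, "AR", {"AR1"}),   # create/change only for Argentina
    derive(MASTER_CHG, "CL", {"CL1"}),   # create/change only for Chile
    derive(MASTER_DIS, "GBL", {"*"}),    # display everywhere
)}

# Role -> SAP position -> user, as on the design-approach slide (constructed).
POSITIONS = {"CUSTSERV_AR": ("GD_AR_OTC_CHG_SALES_ORDER", "GD_GBL_OTC_DIS_SALES_ORDER")}
USERS = {"CARLOS": "CUSTSERV_AR"}


def authorized(user: str, tcode: str, org_value: str) -> bool:
    """Simplified two-stage SAP check. Stage 1: may the user start the
    transaction at all (S_TCODE)? Stage 2: does any single authorization the
    user holds grant the required activity for this org value? Authorizations
    are additive across roles, but activity and org value are evaluated inside
    one instance, so the display-everywhere role cannot widen change access."""
    roles = [ROLES[name] for name in POSITIONS[USERS[user]]]
    if not any(tcode in r.tcodes for r in roles):
        return False                                  # transaction start refused
    activity = TCODE_ACTIVITY[tcode]
    return any(activity in r.auth.activities
               and ("*" in r.auth.org_values or org_value in r.auth.org_values)
               for r in roles)


if __name__ == "__main__":
    for tcode, cc in [("VA01", "AR1"), ("VA01", "CL1"), ("VA03", "CL1")]:
        verdict = "allowed" if authorized("CARLOS", tcode, cc) else "denied"
        print(f"CARLOS {tcode} on {cc}: {verdict}")
```

The point to check in a real build is the second-stage rule: a wide display role (GD_GBL_...) added on top of a narrow change role must not let VA01 succeed outside AR1. That holds only because activity and organizational value live in the same authorization instance; a derived role that is generated with "*" in its org fields by mistake breaks it silently.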

Page 18: SAP Security Workshop

List of SAP Positions

Process Area / SAP Position / Role / Transaction

FTS – PLNTBUYER (Plant Buyer)
  GM_XXX_FTS_CHG_PO_PROD: ME21N, ME22N
  GM_XXX_FTS_CHG_PUR_REQ
  GM_XXX_FTS_CHG_VDR_EVAL
  GM_XXX_FTS_DIS_PURCHASNG
  GM_XXX_FTS_MRP_EVAL
  GM_XXX_FTS_MRP_SINGLE
  GM_XXX_FTS_MTN_CONT
  GM_XXX_FTS_MTN_INFO_REC
  GM_XXX_FTS_MTN_QUOTA_ARR
  GM_XXX_FTS_MTN_SCH_AGREE
  GM_XXX_FTS_MTN_SRC_LST

FTS – STRATPURCH (Strategic Purchasing)
  GM_XXX_FTS_CHG_COND
  GM_XXX_FTS_CHG_PUR_REQ: ME51, ME51N, ME52, ME52N, ME56, ME57, ME58
  GM_XXX_FTS_CHG_VDR_EVAL
  GM_XXX_FTS_DIS_PURCHASNG
  GM_XXX_FTS_MRP_EVAL
  GM_XXX_FTS_MRP_SINGLE


Page 20: SAP Security Workshop

Who Are The Data Owners?

• There should be a defined "Data Owner" for all areas of the business (FTS, FIN, OTC).

• These should be the people consulted to determine if users from another business area or region should be allowed access.

• We recommend that Senior Management identify the names of these data owners for each area of the business.

• The Data Owner for a business area or region may choose to delegate this responsibility to other staff:
  • Financial data requests, to person X
  • Forecast to Stock data requests, to person Y
  • Order to Cash data requests, to person Z

• Once approved, the local security administrators can then grant the requested access.

Page 21: SAP Security Workshop

Security Access Approvers – Data Owners

[Diagram: Global -> Southern Cluster (AR, UY, CL, PY) and North America (CA, US)]

EXAMPLE 1 - A Finance User works in Argentina and has access to view or modify Argentina data in SAP:

- The Finance User wants access to view and update US information. The user needs to request approval from the US Data Owner; this should be the US Finance Data Owner.

- The request should also be approved by the Finance Data Owner of the country the person works for, prior to access being issued.

- i.e. two approvals, one from Argentina and one from the US.

Page 22: SAP Security Workshop

Security Access Approvers – Data Owners

[Diagram: Global -> Southern Cluster (AR, UY, CL, PY)]

EXAMPLE 2 - A Plant User works in Argentina plant 4100 and has access to view or modify plant 4100 data in SAP:

• The user wants access to view and modify data in the Paraguay plant and should request approval from the Paraguay Plant Data Owner.

• The request should also be approved by the Argentina Plant Data Owner prior to access being issued.


Page 24: SAP Security Workshop

Segregation of Duties – Security Team Approach

• Tailor the specific Segregation of Duties table (SAAT) for the functionality being implemented.
  • Segregation of duties should be considered as roles are designed.

• Ensure all roles are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review the role definitions to ensure that any segregation of duties conflicts, at the transaction level, are properly resolved (no conflict should exist in a single role).

• Ensure all positions are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review the positions to ensure all segregation of duties and sensitive access have been identified and the appropriate authorization given if any conflicts are to remain in place.

• Ensure all mapped users are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review any conflicts with the relevant manager and ensure a risk acceptance decision has been taken before go live.
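The three review levels above (role, position, user) can be run mechanically once the role-to-transaction, position-to-role and user-to-position mappings exist. The following Python is an added example, not the workshop's SAAT tooling: the role contents are taken from the "Transactions by roles" slide, PLNTBUYER and STRATPURCH follow the "List of SAP Positions" slide restricted to the purchasing roles shown there (using the Page 16 name GM_XXX_FTS_CHG_PO for the PO role), while the vendor-maintenance role, the VENDORMAINT position, the user-to-position assignments and the two SoD rules are constructed for illustration. Whether requisition creation and order creation conflict is exactly the decision the tailored SAAT table has to take; the rules here only show the mechanics.

```python
from itertools import chain

# Role -> transactions, as listed on the "Transactions by roles" slide.
ROLE_TCODES = {
    "GM_XXX_FTS_CHG_PO": {"ME21N", "ME22N"},
    "GM_XXX_FTS_CHG_PUR_REQ": {"ME51", "ME51N", "ME52", "ME52N", "ME56", "ME57", "ME58"},
    "GM_XXX_FTS_DIS_PURCHASNG": {"MD04", "ME03", "ME43", "ME48", "ME4B", "ME4L",
                                 "ME4M", "ME4N", "ME4S", "ME53", "ME53N"},
    "GM_XXX_MDT_GEN_DISPLAY": {"MM03", "CS03", "CS09", "CS11", "CS12", "CS14",
                               "XD03", "ZMPR"},
    # Hypothetical role (not on the page) so that a user-level conflict can arise.
    "GM_XXX_MDT_CHG_VENDOR": {"XK01", "XK02"},
}

# SAP position -> roles. PLNTBUYER and STRATPURCH follow the "List of SAP
# Positions" slide (purchasing roles only); VENDORMAINT is hypothetical.
POSITION_ROLES = {
    "PLNTBUYER": {"GM_XXX_FTS_CHG_PO", "GM_XXX_FTS_CHG_PUR_REQ", "GM_XXX_FTS_DIS_PURCHASNG"},
    "STRATPURCH": {"GM_XXX_FTS_CHG_PUR_REQ", "GM_XXX_FTS_DIS_PURCHASNG"},
    "VENDORMAINT": {"GM_XXX_MDT_CHG_VENDOR", "GM_XXX_MDT_GEN_DISPLAY"},
}

# User -> positions (constructed; user names from the role-example slide).
USER_POSITIONS = {
    "CARLOS": {"PLNTBUYER"},
    "JORGE": {"STRATPURCH"},
    "FRANCOISE": {"PLNTBUYER", "VENDORMAINT"},   # conflict only visible at user level
}

# Illustrative SoD rules standing in for the tailored SAAT table. A rule fires
# when one principal can run a transaction from both of its function sets.
SOD_RULES = {
    "P01": ({"ME51", "ME51N"}, {"ME21N"}),          # create requisition vs create PO
    "P02": ({"ME21N", "ME22N"}, {"XK01", "XK02"}),  # create/change PO vs maintain vendor
}


def tcodes_of(roles):
    """Union of the transactions reachable through a set of roles."""
    return set(chain.from_iterable(ROLE_TCODES[r] for r in roles))


def conflicts(tcodes):
    """SoD rules violated by one set of reachable transactions, with the
    transactions that trigger each side of the rule (sorted for stable output)."""
    hits = {}
    for rule_id, (side_a, side_b) in SOD_RULES.items():
        a, b = tcodes & side_a, tcodes & side_b
        if a and b:
            hits[rule_id] = (sorted(a), sorted(b))
    return hits


def _review(principals):
    """Map each principal to its hits; principals with no conflict are omitted."""
    report = {}
    for name, tcodes in principals.items():
        hits = conflicts(tcodes)
        if hits:
            report[name] = hits
    return report


def review_roles():
    """Level 1 on the slide: no conflict may exist inside a single role."""
    return _review(ROLE_TCODES)


def review_positions():
    """Level 2: conflicts created by the roles bundled into one SAP position."""
    return _review({pos: tcodes_of(roles) for pos, roles in POSITION_ROLES.items()})


def review_users():
    """Level 3: conflicts over everything a user inherits through all positions,
    split into those already present in one position and those that arise only
    from combining positions (the case a manager has to risk-accept explicitly)."""
    report = {}
    for user, positions in USER_POSITIONS.items():
        all_roles = set(chain.from_iterable(POSITION_ROLES[p] for p in positions))
        user_hits = conflicts(tcodes_of(all_roles))
        inherited = set(chain.from_iterable(
            conflicts(tcodes_of(POSITION_ROLES[p])) for p in positions))
        if user_hits:
            report[user] = {
                "inherited": sorted(r for r in user_hits if r in inherited),
                "new_at_user_level": sorted(r for r in user_hits if r not in inherited),
            }
    return report


if __name__ == "__main__":
    print("role conflicts:    ", review_roles())
    print("position conflicts:", review_positions())
    print("user conflicts:    ", review_users())
```

With the constructed data, no single role violates a rule (the level-1 requirement), PLNTBUYER triggers P01 because it bundles the requisition and order roles, and FRANÇOISE additionally triggers P02 only because she holds two positions. Separating "inherited" from "new at user level" matters for the sign-off on the Next Steps slide: an inherited conflict is fixed once in the position design or accepted with a compensating control for every holder, whereas a user-level conflict is a per-person risk acceptance.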


Page 26: SAP Security Workshop

Next Steps

• Data Owners will approve and sign off on the following:
  • Role to SAP Position Mapping
  • SAP Position to User Mapping
  • SOD Conflicts and Compensating Controls

Page 27: SAP Security Workshop

Questions?