Transcript of securitystrategiesforhcmimplementationspowerpoint-100617081239-phpapp02 (34 slides)

  • 8/6/2019 securitystrategiesforhcmimplementationspowerpoint-100617081239-phpapp02

    1/34

    Security Strategies for HCM Implementations

    Scott Goolik, Director of Security and Controls - Symmetry

    June 16, 2010

    Kellie Fitzpatrick, COO Symphony Consulting

  • Slide 2/34

    Download the presentation recording with audio from the

    Symmetry Knowledge Center

    www.sym-corp.com/knowledge-center

    http://www.sym-corp.com/knowledge-center?utm_source=slideshare&utm_medium=social&utm_campaign=slideshare
  • Slide 3/34

    Introducing

    Scott Goolik

    Director of Security & Controls, Symmetry Corporation

    14 years experience in SAP security

    Lead architect for ControlPanelGRC compliance automation tools

  • Slide 4/34

    21st Century ERP Model

    Quality: proactive support delivered by US-based experts

    Accessibility: 24x7 direct access to your support team

    Affordability: highly competitive, fixed-price contracts

    Symmetry Corporation

    Established 1996

    Based in Milwaukee, WI
    100% SAP focus
    All SAP applications
    All platforms

  • Slide 5/34

    Symphony Management Consulting

    One of the leading providers of SAP HCM consulting services

    Established in 2002 and led by experienced SAP HCM consultants

    We strive to not only assist you in your current need, but to become a trusted advisor to your organization

    SAP Services Partner since 2007

    Industry focus includes Chemicals, Healthcare & Biotech, Manufacturing & Distribution, Pharmaceuticals and State & Local Government

    Need help from an expert? Symphony's experts provide complimentary answers to some of your most difficult questions!

    Visit us at http://www.symphonyhcmexperts.com

  • Slide 7/34

    What We Will Learn

    Determine when you should consider a separate landscape and when you should consider a combined landscape.

    Understand the limitations of implementing on a separate instance and the level of maintenance required.

    See real-life examples of companies that have implemented on separate landscapes, those that have implemented on the same landscape, and why that decision was right for them.

  • Slide 8/34

    Single vs. Separate SAP Instances When Implementing HCM

    What does it mean?

    Single Instance
    One instance of SAP across all business functions
    One transport path across all systems
    When SAP is currently installed on a single landscape it is Dev, QA, Prod only

    Separate Instance
    There are two different SAP instances running
    Potentially one for FI, MM, SD, PM, CRM and another for HCM
    Transports run across one landscape
    Data is interfaced between multiple systems via ALE
    Data is configured twice (once on each system)**
    There are usually two of each box

    ** This typically means multiple maintenance and can result in inaccurate data or data integrity issues

  • Slide 9/34

    Single Instance Advantages

    Real-time data for all business functions in one system

    No need to transfer data across multiple instances via an interface (ALE) or configuration

    Support packs can be implemented for only HCM

    Configuration is tested, transported and configured to meet total business requirements one time and in one system

    Master data is accessed through a single point of entry: global headcount reporting, compliance reporting, budget preparation

    One system to maintain with reduced costs

    Security administration should be monitored on an ongoing basis; ControlPanelGRC can help and will be discussed later in this presentation

  • Slide 10/34

    Single System Disadvantages

    HCM requires support packs and updates multiple times a year: usually four times a year, but definitely at year-end

    Typically requires the entire organization to shut down the system over a weekend for a few hours

    Requires Unicode compliance if implementing in multiple countries, so that language and currency issues are addressed

    HCM Talent Management functionality recommends at least ECC 5.0; we encourage ECC 6.0 due to functionality enhancements

    Enhancement Pack 4 or above should also be installed

  • Slide 11/34

    Benefits of a Separate system for HCM

    One system which is dedicated to only HCM data requirements

    Organization is running multiple large payrolls across multiple countries
    Can cause the system to run slower if running during the workday
    Either way we would recommend you run after hours in a batch session

    Time is evaluated for a large employee population at the same time
    Can cause the system to run slower if running during the workday
    Either way we would recommend you run after hours in a batch session

    Safe Harbor laws prevent employee data from being housed in a different country
    If this is a concern, other entities have procured waivers from their employees to allow this to be done ~ P&G, Coke, PolyOne

  • Slide 12/34

    Separate System Advantages

    Ability to upgrade and apply support packs whenever necessary

    System downtime for the rest of the organization is decreased

    Ability to implement SAP HCM with the latest and greatest functionality if the rest of the organization is on a lower SAP version

    Ability to run payroll/time across multiple countries with minimal impact to departments outside HR

    Localization issues arising from Safe Harbor restrictions are minimized or eliminated

  • Slide 13/34

    Separate System Disadvantages

    ALE needs to be created and run for HR-required data related to Cost Centers, G/L Accounts, Work Orders and Activity Types

    The inability to have data from one system available in real time; reporting may be delayed by 24 hours

    Ability to set up specific items which relate to FI: Positions, Departments, Jobs (Cost Center integration)

    Users may need to sign into multiple systems to complete their position responsibilities

  • Slide 14/34

    Separate System Disadvantages

    Additional costs may be incurred by multiple upgrades, multiple support streams, multiple configuration tasks and multiple system maintenance

    Requirement to understand two landscapes with multiple types of configuration with very different data

    When the other system upgrades data we need to test on both systems to ensure the data flow is not compromised

  • Slide 15/34

    Common Misconceptions of Why a Separate Instance is Needed

    HR support packs require us to apply support packs for every other module

    There is too much HR data to allow us to incorporate it on one instance

    Reporting is much more labor intensive

    Security issues are major:
    HR data is not secure if it is on the same system
    Employees have access to items they shouldn't
    A portal will open us up to data integrity and liability issues

  • Slide 16/34

    Large Organization, Same System

    System Requirements: 21,000 users; over 75,000 employees, all on ESS; 35 countries; 22 languages

    Modules Implemented - Finance, HR, Materials, Production Planning, CRM

    Specific HCM: PA, OM, PY, Time, ESS, MSS globally

    Payroll runs in batch at night

    Time Eval runs in batch at night

    Security is assigned primarily to positions (structural authorizations) in order to ensure the system is locked down

  • Slide 17/34

    Mid-size Organization, Same System

    System Requirements: 500 users; over 3,000 employees, all on ESS; US only; 2 languages

    Modules Implemented - Finance, HR, Materials, Production Planning, CRM

    Specific HCM: PA, OM, BN, PY, Time, ESS, MSS, Talent Management

    Payroll runs in batch at night

    Time Eval runs in batch at night

    Security is set up by person and is monitored frequently

  • Slide 18/34

    Large Organization Separate System

    Standardized on a common IT backbone

    15,000 users; over 100,000 employees; 45 countries; 175 legal entities; 18 languages

    Modules Implemented - Finance, HR and Supply Chain

    Due to the size and requirements of payroll processing, HCM is on a separate instance

    ALE is run at night and new positions are created the next day

  • Slide 19/34

    Mid-size Company Example, Separate System

    System Background: 1,000 users; over 5,000 employees; 12 countries; 8 languages

    SAP Environment: 4.6c
    Finance does not have a need to upgrade
    Finance did not want to apply support packs to all modules at the same time**
    There was no compelling reason to upgrade

    HR: ECC 6.0, required for Talent Management functionality

    Security team did not want to continuously update employees
    This was not necessary; however, they were never told the system has structural authorization capability

    The rest of the organization was on 4.7; prior to ECC 5.0 all modules had to apply support packs together

    Data is being configured in two systems
    Sometimes it isn't completed for weeks (workload issue)

  • Slide 20/34

    Security & HCM

    Security is not a reason for a separate landscape

    Authorization flexibility in SAP is a key component of its value proposition

    All critical data can be restricted!

    Can require a culture change

    Remediation project is generally required for live customers during HCM implementation

  • Slide 21/34

    Step 1: Review of HCM Authorizations in existing Roles

    Review of P Authorization Objects in existing Roles, or any Object in the HR class!

    These need to be reviewed and likely removed or restricted further

    If not required, update SU24 so you don't accidentally provide access in the future!

  • Slide 22/34

    Step 1 Review of P_ORGIN in existing Roles

    P_ORGIN is commonly in existing Roles

    Authorization controls access to HCM Master Data, which is very sensitive

    Can be automatically proposed when Production Planning transactions are added to Roles

    Not likely required if there was no HCM data available in the system!

    Consider activating P_ORGINCON in the HCM system instead of P_ORGIN to increase future flexibility!

  • Slide 23/34

    Step 1 Review of PLOG in existing Roles

    PLOG is commonly in existing Roles

    Authorization controls access to the HCM Organizational Structure

    Can be automatically proposed when Production Planning, Controlling, or other transactions are added to Roles

    These might be required going forward as the structures are used for more than just HCM

    Need to restrict the OTYPE field accordingly: exclude any HCM Object Types in use, definitely O, S and P, but check with your HCM team for others!

  • Slide 24/34

    Step 1 Review of P_ABAP in existing or new HCM Roles

    P_ABAP could be in existing Roles, but will be in HCM Roles

    Provides the ability to bypass HCM Master Data Authorization checks during report execution

    Useful to provide someone with the ability to run a telephone list without giving them access to underlying HCM data

    Watch for this Authorization in Roles with the REPID field set to wildcard or to report SAPDBPNP!

    Recommend updating SU24 so that you don't accidentally provide this access

  • Slide 25/34

    Step 2 Sensitive Authorizations in existing and new Roles

    Sensitive Authorizations can accidentally compromise data privacy

    Display of spool output belonging to the Payroll Manager

    Displaying HCM Infotype data via SE16 or ABAP Query

    We'll provide some examples of what to look out for

    Not a complete list, just getting you pointed in the right direction!

  • Slide 26/34

    Step 2 remove S_DEVELOP from end-user Roles

    S_DEVELOP enables maintenance of ABAP Workbench Objects... which is bad in non-Development systems

    Debug Replace (Activity 02 for Object Type DEBUG): enables users to step around Authority-Checks

    Debug Display (Activity 03 for Object Type DEBUG): enables users to view data in internal tables before Authority-Checks determine access is not allowed

    In general, no end-user should have any S_DEVELOP Authorization!


  • Slide 28/34

    Step 2 restrict S_TABU_DIS in end-user Roles

    S_TABU_DIS enables Users to display tables via SE16 or ABAP Query

    Use of SE16 and ABAP Query (i.e., SQ01-03) really should be limited to your IT folks (at a minimum)

    ABAP Queries can be assigned to Transactions for end-users

    Displaying tables via these methods bypasses all HCM Authorizations

    HCM data is generally stored in tables assigned to P Authorization Groups

    Some HCM tables are unclassified, causing risk for the &NC& Authorization Group

    Need to restrict S_TABU_DIS from having access to Authorization Groups that start with P, and to &NC&

    Existing unclassified tables need to be assigned to an Authorization Group!

  • Slide 29/34

    Step 2 remove S_SPO_ACT from end-user Roles

    S_SPO_ACT enables Users to access Spool Requests belonging to other Users

    Would allow a User to view reports printed by my Payroll Manager

    In general, this Authorization should be removed from all Users

    In some cases, it may be reasonable to provide groups of Users with the ability to display spools generated by a specific background user

    Verify that SPOAUTH is not set to wildcard in Roles!
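    As an added example (not from the presentation, and not Symmetry's ControlPanelGRC), the following Python script applies the Step 1 and Step 2 checks from the preceding slides to a role-authorization export: P_ORGIN and PLOG OTYPE in non-HCM roles, P_ABAP with REPID set to wildcard or SAPDBPNP, S_DEVELOP with DEBUG activity 02/03 in end-user roles, S_TABU_DIS reaching authorization groups starting with P or &NC&, and S_SPO_ACT with SPOAUTH = *. The row layout (role, object, authorization, field, low, high) mirrors an AGR_1251-style export, which is an assumption, and the role names and values are constructed sample data; the field names OTYPE, REPID, OBJTYPE, ACTVT, DICBERCLS and SPOAUTH are the standard ones for these objects.

```python
"""Audit a role-authorization export for the HCM-sensitive values from
Steps 1 and 2.  Added example, not Symmetry's ControlPanelGRC; rows and
role names are constructed, the field names are the standard ones."""
from fnmatch import fnmatchcase

# Constructed sample rows: (role, object, authorization, field, low, high),
# the shape of an AGR_1251 export (assumption).  Empty high = single value.
SAMPLE_ROWS = [
    # Production-planning role that picked up HCM objects via SU24 proposals
    ("Z_PP_PLANNER", "PLOG", "T-A01", "OTYPE", "*", ""),
    ("Z_PP_PLANNER", "PLOG", "T-A01", "INFOTYP", "*", ""),
    ("Z_PP_PLANNER", "P_ORGIN", "T-A02", "INFTY", "*", ""),
    ("Z_PP_PLANNER", "P_ORGIN", "T-A02", "AUTHC", "R", ""),
    # HCM reporting role: PLOG on O/S/P is expected there, the P_ABAP wildcard is not
    ("Z_HR_REPORTER", "PLOG", "T-B01", "OTYPE", "O", ""),
    ("Z_HR_REPORTER", "PLOG", "T-B01", "OTYPE", "S", ""),
    ("Z_HR_REPORTER", "PLOG", "T-B01", "OTYPE", "P", ""),
    ("Z_HR_REPORTER", "P_ABAP", "T-B02", "REPID", "*", ""),
    ("Z_HR_REPORTER", "P_ABAP", "T-B02", "COARS", "2", ""),
    # Finance end-user role carrying basis-level authorizations
    ("Z_FI_CLERK", "S_DEVELOP", "T-C01", "OBJTYPE", "DEBUG", ""),
    ("Z_FI_CLERK", "S_DEVELOP", "T-C01", "ACTVT", "02", "03"),
    ("Z_FI_CLERK", "S_TABU_DIS", "T-C02", "DICBERCLS", "&NC&", ""),
    ("Z_FI_CLERK", "S_TABU_DIS", "T-C02", "ACTVT", "03", ""),
    ("Z_FI_CLERK", "S_SPO_ACT", "T-C03", "SPOAUTH", "*", ""),
    ("Z_FI_CLERK", "S_SPO_ACT", "T-C03", "SPOACTION", "DISP", ""),
    # Purchasing role that is clean: PLOG limited to a non-HCM object type
    ("Z_MM_BUYER", "PLOG", "T-D01", "OTYPE", "A", ""),
    ("Z_MM_BUYER", "S_TABU_DIS", "T-D02", "DICBERCLS", "MM", ""),
]

HCM_OBJECT_TYPES = ("O", "S", "P")  # from the PLOG slide; ask the HCM team for others


def _group(rows):
    """Collect (low, high) value pairs per (role, object, authorization) and field."""
    auths = {}
    for role, obj, auth, field, low, high in rows:
        auths.setdefault((role, obj, auth), {}).setdefault(field, []).append((low, high))
    return auths


def grants_value(ranges, wanted):
    """True if a single value (SAP wildcards * and +) or a range covers `wanted`."""
    for low, high in ranges:
        if high:
            if low <= wanted <= high:
                return True
        elif fnmatchcase(wanted, low.replace("+", "?")):
            return True
    return False


def grants_prefix(ranges, prefix):
    """True if a value or range can reach some value starting with `prefix`."""
    n = len(prefix)
    for low, high in ranges:
        if high:
            if low[:n] <= prefix <= high[:n]:
                return True
        elif low == "*" or low.startswith(prefix):
            return True
    return False


def _is_wildcard(ranges):
    return any(low == "*" and not high for low, high in ranges)


def audit_roles(rows, hcm_roles=(), developer_roles=()):
    """Return (role, object, authorization, finding) tuples.  hcm_roles may
    legitimately hold P_ORGIN/PLOG; developer_roles may hold S_DEVELOP."""
    findings = []
    for (role, obj, auth), f in _group(rows).items():
        hit = None
        if obj == "P_ORGIN" and role not in hcm_roles:
            hit = "P_ORGIN outside an HCM role grants HCM master data; remove or restrict and correct SU24"
        elif obj == "PLOG" and role not in hcm_roles:
            types = [t for t in HCM_OBJECT_TYPES if grants_value(f.get("OTYPE", []), t)]
            if types:
                hit = f"OTYPE reaches HCM object types {','.join(types)}; exclude them"
        elif obj == "P_ABAP":
            if _is_wildcard(f.get("REPID", [])):
                hit = "REPID = * bypasses HCM master data checks for every report"
            elif grants_value(f.get("REPID", []), "SAPDBPNP"):
                hit = "REPID covers SAPDBPNP: bypasses checks for all logical database PNP reports"
        elif obj == "S_DEVELOP" and role not in developer_roles:
            debug = grants_value(f.get("OBJTYPE", []), "DEBUG") and any(
                grants_value(f.get("ACTVT", []), a) for a in ("02", "03"))
            hit = ("DEBUG activity 02/03 lets the user step around or preview authority-checks"
                   if debug else "S_DEVELOP in an end-user role")
        elif obj == "S_TABU_DIS":
            groups = f.get("DICBERCLS", [])
            reach = [g for g, ok in (("P*", grants_prefix(groups, "P")),
                                     ("&NC&", grants_value(groups, "&NC&"))) if ok]
            if reach:
                hit = f"table display reaches authorization group(s) {', '.join(reach)}, bypassing HCM authorizations"
        elif obj == "S_SPO_ACT" and _is_wildcard(f.get("SPOAUTH", [])):
            hit = "SPOAUTH = * exposes other users' spool output, e.g. payroll reports"
        if hit:
            findings.append((role, obj, auth, hit))
    return findings


if __name__ == "__main__":
    for role, obj, auth, text in audit_roles(SAMPLE_ROWS, hcm_roles={"Z_HR_REPORTER"}):
        print(f"{role:14} {obj:11} {auth}: {text}")
```

    Roles passed in hcm_roles are allowed P_ORGIN and PLOG on HCM object types, since those roles exist to work with HCM data; everything else surfaces, including the P_ABAP wildcard inside the HCM role itself. Running the audit with no allow-list is a useful first pass, because the slides' point is that the objects usually arrive via SU24 proposals that nobody asked for.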


  • Slide 31/34

    Data in Non-Productive Systems

    Authorization restrictions are required in any system that contains live Production data

    This could impact more than just the end-user community in Development and Q/A environments!

    Consider data scrambling to free up User Authorizations in the environment

    Scramble Names, SSN, Birthday, Addresses, Pay/Additional Pay, Benefits Information, EH&S data, etc.

    Symmetry has tools and/or services to assist!
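    To illustrate the data scrambling this slide recommends, here is an added Python example (not a Symmetry tool): a keyed, deterministic scrambler for an HCM master-data extract. The same PERNR always maps to the same fake values under a given key, so scrambled records stay consistent across tables and refreshes, while names, SSN, birthday (year kept so age-based test cases still work), address and pay amounts (perturbed within 20% so payroll tests still see realistic magnitudes) no longer identify anyone. The infotype-style field names (VORNA, NACHN, GBDAT, STRAS, PSTLZ, BET01 and a generic SSN field) and the sample rows are constructed assumptions.

```python
"""Keyed, deterministic scrambling of an HCM master-data extract for
non-productive systems.  Added example; the records and field names below
are constructed, modelled loosely on infotype fields."""
import hashlib
import hmac
import random
import re
from datetime import date

# Constructed sample extract (IT0002 / IT0006 / IT0008-style fields).
SAMPLE_EMPLOYEES = [
    {"PERNR": "00001001", "VORNA": "Anna", "NACHN": "Mueller", "GBDAT": "1984-03-15",
     "SSN": "123-45-6789", "STRAS": "12 Main St", "PSTLZ": "53202", "BET01": "5200.00"},
    {"PERNR": "00001002", "VORNA": "Ravi", "NACHN": "Patel", "GBDAT": "1979-11-02",
     "SSN": "987-65-4321", "STRAS": "9 Elm Ave", "PSTLZ": "28202", "BET01": "6100.50"},
]

# Replacement pools deliberately contain none of the real names in the extract.
FIRST_NAMES = ["Alex", "Jordan", "Sam", "Taylor", "Morgan", "Casey", "Riley", "Jamie"]
LAST_NAMES = ["Smith", "Garcia", "Nguyen", "Okafor", "Rossi", "Kowalski", "Tanaka", "Brown"]
STREETS = ["Oak St", "Pine Rd", "Maple Ave", "Cedar Ln", "Birch Dr", "Lake Blvd"]
SSN_AREAS = [a for a in range(1, 900) if a != 666]  # SSA never issues 000, 666 or 9xx


def record_rng(key: bytes, pernr: str) -> random.Random:
    """Per-employee PRNG seeded from HMAC(key, PERNR): the same employee
    scrambles identically in every table and on every refresh, and the
    mapping cannot be reproduced without the key."""
    digest = hmac.new(key, pernr.encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def fake_ssn(rng: random.Random) -> str:
    """Format-preserving replacement SSN drawn from the valid number space."""
    return f"{rng.choice(SSN_AREAS):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"


def fake_birthday(rng: random.Random, iso_date: str) -> str:
    """Keep the birth year (age bands still work in tests), randomise month and day."""
    return date(int(iso_date[:4]), rng.randint(1, 12), rng.randint(1, 28)).isoformat()


def fake_amount(rng: random.Random, text: str) -> str:
    """Perturb a pay amount by up to +/-20% so magnitudes stay realistic."""
    return f"{float(text) * rng.uniform(0.8, 1.2):.2f}"


def looks_like_ssn(text: str) -> bool:
    """Sanity check that a scrambled SSN still has the ddd-dd-dddd layout."""
    return re.fullmatch(r"\d{3}-\d{2}-\d{4}", text) is not None


def scramble_record(rec: dict, key: bytes) -> dict:
    """Return a copy of one employee record with identifying fields replaced.
    PERNR is kept unchanged so ALE links and payroll test cases still resolve."""
    rng = record_rng(key, rec["PERNR"])
    out = dict(rec)
    out["VORNA"] = rng.choice(FIRST_NAMES)
    out["NACHN"] = rng.choice(LAST_NAMES)
    out["GBDAT"] = fake_birthday(rng, rec["GBDAT"])
    out["SSN"] = fake_ssn(rng)
    out["STRAS"] = f"{rng.randint(1, 9999)} {rng.choice(STREETS)}"
    out["PSTLZ"] = f"{rng.randint(10000, 99999)}"
    out["BET01"] = fake_amount(rng, rec["BET01"])
    return out


def scramble_extract(records: list, key: bytes) -> list:
    """Scramble every record in an extract with the same key."""
    return [scramble_record(r, key) for r in records]


if __name__ == "__main__":
    # The key must never be stored in the target (non-productive) system.
    for row in scramble_extract(SAMPLE_EMPLOYEES, b"replace-with-a-secret-kept-outside-the-target"):
        print(row)
```

    The key is what makes the scramble irreversible for users of the Dev or Q/A system: without it, the HMAC seed cannot be recomputed, so nobody in the target system can map a fake record back to a real employee, yet a refresh with the same key reproduces the same fake values for every table that carries the PERNR.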

  • Slide 32/34

    7 Key Points to Take Home

    Implementations of HCM do not require separate instances

    Real-time data is essential to the daily operations of business

    Symphony is an SAP HCM-only firm with extensive experience in global and local implementations

    Security should never be the reason to have a separate HCM landscape

    Security can be adapted to protect sensitive HCM data

    Tools like ControlPanelGRC can be used to provide assurance that sensitive data is restricted to appropriate Users

    Symmetry can assist with security architecture design and implementation, or risk assessment and remediation specifically for HCM

  • Slide 34/34

    Heather Mickelson, 414-732-2738

    [email protected]

    Kellie Fitzpatrick, 704-556-2288

    [email protected]

    Scott Goolik, 414-732-2740

    [email protected]