SAP Integrated Business Planning On Demand – Stay Secure with SAP EarlyWatch Alert


With SAP Integrated Business Planning On Demand, SAP takes care of many security-related topics as cloud provider. However, in order to stay secure, customers are still responsible for the mitigation of risks such as business or technical users having critical authorizations.

Here, the SAP EarlyWatch Alert report in SAP for Me comes into play as it gives you insights into security risks in the chapter “Security (SAP IBP OD)”. This chapter provides insights and alerts you on the following topics:

- Assignment of Users to Business Role SAP_BR_ADMINISTRATOR – checks whether this role is used in production; it is intended only for initial system configuration, and its breadth of access leads to segregation of duties (SoD) conflicts
- Use of Read/Write Unrestricted – alerts on business roles with unrestricted write, read and value help access, which give users global data access
- Critical Business Catalog Assignment – warns about over-assignment of critical authorizations that should have limited use in production
- Critical Authorization Combinations – alerts on users who hold excess authorizations through critical combinations of business catalogs
- Communication (Inbound/Outbound) – alerts on customer-managed communication arrangements that use user/password authentication, where certificate-based authentication is more secure
- Upcoming Certificate Expiration – gives early warnings for customer-managed certificates that will expire within the next 90 days

You can find more details on each of these chapters below or by directly accessing the SAP EarlyWatch Alert report* for your systems in SAP for Me. 
* an authorized user is needed to access this application – refer to this SAP Support page on how to get access.

Assignment of Users to Business Role SAP_BR_ADMINISTRATOR

The role SAP_BR_ADMINISTRATOR is predefined by SAP and is intended only for the initial configuration of a system. Using this role in production is not recommended by SAP and may lead to compliance issues. This section checks the role’s usage and points to in-depth information on Identity Access Management. It provides a link to the procedure for creating a more restricted administration role, suitable for use in production.

Use of Read/Write Unrestricted

Using unrestricted fields in the maintenance of business roles allows users to have global data access. SAP best practice is to carefully review which users need restricted data access and to maintain the access restrictions accordingly, e.g. ensuring employees only have access to data belonging to their own sales organization. This chapter reports the number of business roles with unrestricted write, read or value help access, and describes the related SAP Fiori app Maintain Business Roles.

Use of Read/Write Unrestricted Table Example


Critical Business Catalog Assignment

Business catalogs bundle the privileges needed to access an app or a set of features; they are assigned to users via business roles. This section checks selected critical business catalogs, their assignment to business roles and users, and rates the findings according to the valuation rules from SAP Note 863362. If any critical business catalogs are assigned, additional details are presented as sub-chapters.

Business Catalog Assignments Overview Table Example


Critical Authorization Combinations

Segregation of duties in SAP Integrated Business Planning (SAP IBP) is supported by the use of business catalogs and business roles. Creating a business role by combining catalogs, or assigning several roles to one user, may grant excess authorization and negatively affect your business processes. The section gives user counts where such critical combinations are found, with a link to information on assessing the associated risks.
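The two checks described above (critical catalog assignment and critical catalog combinations) both reduce to resolving each user's effective catalogs through their business roles and then matching against a watch list. The following Python is an added illustration of that logic over constructed data; it is not SAP's EarlyWatch Alert implementation, the catalog IDs, custom role names and the red/yellow/green thresholds are hypothetical, and the rating rules of SAP Note 863362 are not reproduced here.

```python
"""Illustrative SoD-style check over business roles and catalogs.

Added example, not SAP code. Catalog IDs starting with CAT_ and roles
starting with ZBR_ are hypothetical; SAP_BR_ADMINISTRATOR is the
SAP-delivered role the article discusses. Rating thresholds are
illustrative and not the valuation rules of SAP Note 863362.
"""
from collections import defaultdict

# Constructed sample data (hypothetical names).
ROLE_CATALOGS = {
    "SAP_BR_ADMINISTRATOR": {"CAT_IAM_USER_MGMT", "CAT_IAM_ROLE_MGMT", "CAT_COMM_MGMT"},
    "ZBR_PLANNER": {"CAT_PLAN_VIEW", "CAT_PLAN_EDIT"},
    "ZBR_PLANNER_ADMIN": {"CAT_PLAN_EDIT", "CAT_IAM_ROLE_MGMT"},  # combo inside one role
    "ZBR_ROLE_ADMIN": {"CAT_IAM_ROLE_MGMT"},
    "ZBR_COMM_ADMIN": {"CAT_COMM_MGMT"},
    "ZBR_AUDITOR": {"CAT_PLAN_VIEW"},
}
USER_ROLES = {
    "alice": {"ZBR_PLANNER"},
    "bob": {"ZBR_PLANNER_ADMIN"},
    "carol": {"SAP_BR_ADMINISTRATOR"},
    "dave": {"ZBR_PLANNER", "ZBR_AUDITOR"},
    "erin": {"ZBR_PLANNER", "ZBR_ROLE_ADMIN"},  # combo only across two roles
}
# Catalogs treated as critical on their own (hypothetical watch list).
CRITICAL_CATALOGS = {"CAT_IAM_USER_MGMT", "CAT_IAM_ROLE_MGMT", "CAT_COMM_MGMT"}
# Catalog sets that are critical only in combination (hypothetical):
# editing plans AND handing out roles lets one person grant themselves more.
CRITICAL_COMBINATIONS = [frozenset({"CAT_PLAN_EDIT", "CAT_IAM_ROLE_MGMT"})]
PRODUCTION_UNSUITABLE_ROLE = "SAP_BR_ADMINISTRATOR"


def effective_catalogs(user, user_roles=USER_ROLES, role_catalogs=ROLE_CATALOGS):
    """Union of the catalogs of every business role assigned to the user."""
    cats = set()
    for role in user_roles.get(user, ()):
        cats |= role_catalogs.get(role, set())
    return cats


def critical_catalog_assignments(user_roles=USER_ROLES, role_catalogs=ROLE_CATALOGS,
                                 critical=CRITICAL_CATALOGS):
    """Map each critical catalog to the set of users who effectively hold it."""
    hits = defaultdict(set)
    for user in user_roles:
        for cat in effective_catalogs(user, user_roles, role_catalogs) & critical:
            hits[cat].add(user)
    return dict(hits)


def critical_combination_users(user_roles=USER_ROLES, role_catalogs=ROLE_CATALOGS,
                               combinations=CRITICAL_COMBINATIONS):
    """Map each critical combination to users whose effective catalogs cover it
    completely, whether it comes from one role or from several roles together."""
    hits = {combo: set() for combo in combinations}
    for user in user_roles:
        cats = effective_catalogs(user, user_roles, role_catalogs)
        for combo in combinations:
            if combo <= cats:
                hits[combo].add(user)
    return hits


def summary(user_roles=USER_ROLES, role_catalogs=ROLE_CATALOGS):
    """Aggregate the three findings the article's chapters report and give an
    illustrative overall rating (NOT the SAP Note 863362 valuation rules):
    red if the admin role is in use or a critical combination is held,
    yellow if only single critical catalogs are assigned, green otherwise."""
    admin_users = {u for u, roles in user_roles.items()
                   if PRODUCTION_UNSUITABLE_ROLE in roles}
    cats = critical_catalog_assignments(user_roles, role_catalogs)
    combos = critical_combination_users(user_roles, role_catalogs)
    if admin_users or any(combos.values()):
        rating = "red"
    elif cats:
        rating = "yellow"
    else:
        rating = "green"
    return {
        "rating": rating,
        "admin_role_users": admin_users,
        "critical_catalogs": cats,
        "critical_combinations": {tuple(sorted(k)): v for k, v in combos.items()},
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The point the example makes that the prose only states is the `erin` case: neither of her roles is critical by itself, but the union of their catalogs completes a critical combination, which is why the check must be run over effective catalogs per user rather than over individual roles.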

Communication (Inbound/Outbound)

Certificate-based authentication is recommended for the technical users involved in inbound/outbound communication. With a client certificate the private key stays with the calling system and is never sent, so it cannot be captured from a login or reused elsewhere the way a password can, and a compromised certificate can be revoked and replaced; a compromised password is also usually harder to detect than a compromised certificate. This section lists customer-managed communication arrangements that are password-based, and points to recommendations for a certificate-based approach.

Upcoming Certificate Expiration

Certificates with an expiration date in the next 90 days are listed in this section, with alerts for certificates that expire in less than 30 days, so that customer-managed certificates can be renewed before an integration stops authenticating.

