The SAP role-based authorization model (RBAC) is approaching its limits as access rules grow in complexity. One-off role derivations have produced a “role explosion”, adding uncertainty and overhead to role management. And implementing access controls beyond a user’s position, down to the field-value level, requires unscalable customizations.
The core component of SAP ERP (SAP ECC) and S/4HANA relies on static positions for access control. In a dynamic workplace these positions have reached their limits, because static positions cannot take contextual attributes into account. Furthermore, static roles remain unchanged as users move across the organization and their scope of work shifts. Unless continuously re-provisioned, static positions quickly become obsolete, leaving the organization exposed.
Businesses need to keep data governance and business policies in sync. Access management can be handled dynamically by extending existing static roles with attribute-based controls. Furthermore, access that the context makes risky can be limited.
SAP Access Management: Key Challenges
Some of the crucial challenges are as follows:
Static Role-Based Policy
Role-Based Access Controls (RBAC) divide users into broad categories known as roles or permission lists. Restricted to these static categories, RBAC cannot use dynamic information such as project ID, company code, IP address, location, or type of device to authorize access. RBAC alone does not provide an adequate level of protection for highly sensitive transactions and data.
Over time, SAP applications accumulate thousands of roles and permission lists, a phenomenon known as role explosion. Maintaining these lists takes constant diligence, and keeping them up to date can easily become one of the most time-consuming jobs. Stale or over-broad roles are also a potential source of security breaches.
Custom Role Development: Creating Friction
There are situations where custom development is needed to add access control constraints based on complex attributes such as IP address, location, nationality, business unit, and project affiliation. These customizations, however, create friction for users, because even minor variations between static rights and dynamic requirements have to be accommodated by new development.
Some of the measures that organizations can implement to counter the above-described challenges are as follows:
Attribute-Based Access Controls
A data-centric security and compliance approach is the ideal way forward. A data-centered security model lets you match security policies to your business needs and restrict the visibility of sensitive data and transactions. Your core SAP ERP data and transactions are a good starting point for adding attribute-based access controls together with tracking and analytics of user behavior, giving you more insight into who is accessing your data and potentially modifying it.
Transaction Policies and Granular Access
By using granular access controls to reinforce field- and transaction-level protection, customers can reduce their risk exposure. By limiting who can access an application, from where, when, how, and what they can do with it, you can block malicious behavior in real time and keep the privileges that are granted under control.
Extending SAP GRC Policies for Access Control
Customers using SAP GRC need to extend their current access control policies and strengthen their reporting capabilities. To do so, organizations should build on what they have already deployed to secure themselves.
Data-Centric Policies on Security
If the context is suspicious, you need to limit access to confidential data and transactions. Such context can include user attributes, data attributes, type of activity, IP address, user location, time of day, amount of money transacted, number of transactions, patterns in user activity, and segregation of duties.
Data Masking & Redaction
With available data security solutions, companies can choose to block, mask, or redirect access to sensitive data fields using a single policy. Data masking prevents exposure of confidential data while still allowing users with an expressed intent to view it. Regulatory compliance management is thus strengthened by reducing unwanted exposure of PII and other sensitive data.
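To make the layering described above concrete, here is an added example (not from this article or from any SAP product) that checks a static role assignment first, then applies contextual rules over the attributes listed in the data-centric policy section, and degrades display-only access to a masked result rather than a hard block. The role names, transaction codes, address range, business hours and amount threshold are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Static RBAC layer: role -> transaction codes it grants (constructed sample data)
ROLE_TCODES = {
    "AP_CLERK": {"FB60", "FB03"},            # post / display vendor invoices
    "AP_MANAGER": {"FB60", "FB03", "F110"},  # ... plus the payment run
}
# Static org assignment: user -> company codes (constructed sample data)
USER_COMPANY_CODES = {"alice": {"1000"}, "bob": {"1000", "2000"}}
CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address range
BUSINESS_HOURS = range(7, 20)        # assumed: 07:00 to 19:59
HIGH_VALUE = 50_000.0                # assumed approval threshold for postings

@dataclass
class Request:
    user: str
    roles: set
    tcode: str
    company_code: str
    source_ip: str
    hour: int
    amount: float = 0.0

def rbac_allows(req: Request) -> bool:
    """Static layer: does any assigned role grant the transaction code?"""
    return any(req.tcode in ROLE_TCODES.get(r, ()) for r in req.roles)

def abac_reasons(req: Request) -> list:
    """Contextual layer: every rule that fires adds a deny reason."""
    reasons = []
    if req.company_code not in USER_COMPANY_CODES.get(req.user, set()):
        reasons.append("company code outside user's org assignment")
    if ip_address(req.source_ip) not in CORP_NET:
        reasons.append("request from outside corporate network")
    if req.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if req.tcode == "FB60" and req.amount > HIGH_VALUE and "AP_MANAGER" not in req.roles:
        reasons.append("high-value posting requires AP_MANAGER")
    return reasons

def decide(req: Request) -> tuple:
    """Returns (decision, reasons): ALLOW, DENY, or MASK (display with sensitive fields hidden)."""
    if not rbac_allows(req):
        return "DENY", ["no role grants " + req.tcode]
    reasons = abac_reasons(req)
    if not reasons:
        return "ALLOW", []
    # Display-only access from an unusual network is masked rather than blocked; changes are denied.
    if req.tcode == "FB03" and reasons == ["request from outside corporate network"]:
        return "MASK", reasons
    return "DENY", reasons
```

Every deny reason is returned alongside the decision so the outcome can be logged and reported, which is the tracking-and-analytics side of the data-centric approach.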