SAP Authorization Concept

As loose as possible but as restrictive as necessary

SAP Authorization Concept

(Diagram: the authorization concept is positioned between critical data, non-critical data, and critical & non-critical transactions.)

Enterprise goals without complicating your staff's day-to-day activities.
Background and Approach to the Authorization Concept

• By no means a strictly technical job
• It is not just the responsibility of basis support
• Much of the work has to be performed by project team members and enterprise staff members
• Because the SAP system currently features over 61,000 transactions, do not underestimate the "effort required" to develop an authorization concept
Authorization level approach

• At larger companies, especially global corporations, a more detailed approach is required.
• An authorization concept should always be tailored to a specific company
• Company requirements are the relationship between transactions and authorization objects
Transactions and Authorization Objects

• Transactions: correspond to a function call that executes an SAP program. ~ 61,000 transactions.
• Authorization objects: protect access to a functional area or data area in the SAP system. ~ 900 authorization objects.

Transactions between Authorization Objects
Defining enterprise structure (1st step)

(Organizational units and sample keys from the slide diagram)
• Client
  • Operating Concern 1041
  • Controlling Area 1000
  • Credit Control Area 1000
  • Company Code 1000
  • Personnel Area 1000
    • Personnel Subarea 1010
    • Personnel Subarea 1020
  • Personnel Area 1100
    • Personnel Subarea 1110
    • Personnel Subarea 1120
Enterprise relevant structure (What units are to be protected?)

• Client
• Company Code
• Controlling Area
• Purchasing Organization
• Purchasing Groups
• Plant (Production Plant, Distribution Plant)
• Storage Location
• Sales Organization
• Distribution Channel
• Division
Authorization concept (2nd step: determining the risk environment)

As loose as possible, as restrictive as necessary

Factors for determining the risk environment

• Enterprise: risks that threaten your existence, wealth, finances or profit situation, by business unit/area, business process, or project
• Statutory regulations -> Corporate Governance: countries have recently passed risk management laws to reduce the risk of corporate collapse; these regulations aim to implement risk-monitoring systems.
• Corporate Governance -> Internal guidelines: internal auditing, external auditing, implementation of new systems/processes/guidelines (continuous improvement to prevent risks).
The risk source (processes, areas, and so on)

• Enterprise processes that are not adequately secured can mean a potential loss of data, inventories, and assets. Examples:
  • Postings without document
  • Inventory differences that are posted uncoordinated
  • Uncoordinated changes to bills of materials
  • Deliveries without accounting documents
  • etc.
The risk categories

• Regulatory risk: possible violation of underlying laws that may result in fines, contractual penalties or legal proceedings
• Financial risk: mistakes that can result in a financial loss
• Operational risk: incorrectly or insufficiently performed business processes can result in delays in delivery, production, or similar processes, resulting in fines, contractual penalties or unsatisfied customers
The risk levels

• High risk: tasks requiring extremely high protection. They are checked prior to execution of the business processes, not only after their results are known.
• Median risk: tasks requiring median protection. The expected damage amount is noticeable for the enterprise.
• Low risk: tasks requiring low protection. Posed by all business processes that do not entail critical workflows or results for the enterprise.
The risk valuation

• To identify all major risks, give priority to their examination and to the assignment of appropriate controls.
• Risks are assigned to a business process and reviewed with enterprise staff members against specific criteria. Risks can be assigned by risk category and risk level: risk categories define the type of underlying risk and the amount of loss, while risk levels describe their degree of criticality.
• Determining the likelihood of occurrence of a risk enables you to define the specification of the control.
• Risk Index = occurrence likelihood x amount of loss
The risk valuation matrix

Risk | Business process | Risk category   | Risk level | Annual likelihood of occurrence | Amount of loss | Annual amount (Occurrences x Amount of loss)
A    | Purchasing       | Operational     | Median     | Occurrences                     | $              | $
C    | Purchasing       | Financial       | High       | Occurrences                     | $              | $
B    | Purchasing       | Regulatory risk | High       | Occurrences                     | $              | $
...  | ...              | ...             | ...        | ...                             | ...            | ...
N    | Sales            | Operational     | Low        | Occurrences                     | $+             | $$+
...  | ...              | ...             | ...        | ...                             | ...            | ...
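The risk valuation described above and the matrix it produces, as an added worked example (not part of the slides): each row carries an annual occurrence likelihood and an amount of loss, the Risk Index is their product, and the rows are ordered for examination by risk level first and risk index second. The four sample rows are constructed and their dollar figures are placeholders for the matrix's $ columns; the mapping from risk level to preventive or detective control is an assumption of this example, not something the slides state.

```python
"""Risk valuation matrix: rank risks by level and by risk index
(annual occurrence likelihood x amount of loss per occurrence).

Added example, not from the slides. The risk rows are constructed and the
amounts are placeholders standing in for the $ columns of the matrix.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

RISK_CATEGORIES = {"Regulatory", "Financial", "Operational"}
RISK_LEVELS = {"High": 0, "Median": 1, "Low": 2}   # rank: lower value sorts first


@dataclass(frozen=True)
class Risk:
    risk_id: str
    business_process: str
    category: str                 # type of underlying risk
    level: str                    # degree of criticality
    occurrences_per_year: float   # annual likelihood of occurrence
    loss_per_occurrence: float    # amount of loss per occurrence, currency units

    def __post_init__(self) -> None:
        # Reject rows that do not fit the matrix's categories and levels
        if self.category not in RISK_CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown risk category {self.category!r}")
        if self.level not in RISK_LEVELS:
            raise ValueError(f"{self.risk_id}: unknown risk level {self.level!r}")
        if self.occurrences_per_year < 0 or self.loss_per_occurrence < 0:
            raise ValueError(f"{self.risk_id}: likelihood and loss must be non-negative")

    @property
    def risk_index(self) -> float:
        """Risk Index = occurrence likelihood x amount of loss (the annual amount column)."""
        return self.occurrences_per_year * self.loss_per_occurrence


def prioritize(risks: Iterable[Risk]) -> List[Risk]:
    """Order for examination: High before Median before Low, then by risk index descending."""
    return sorted(risks, key=lambda r: (RISK_LEVELS[r.level], -r.risk_index))


def annual_loss_by_process(risks: Iterable[Risk]) -> Dict[str, float]:
    """Sum the annual amounts per business process (where controls pay off most)."""
    totals: Dict[str, float] = {}
    for r in risks:
        totals[r.business_process] = totals.get(r.business_process, 0.0) + r.risk_index
    return totals


def control_type(risk: Risk) -> str:
    """Assumed mapping for this example (not stated on the slides): high-risk tasks are
    controlled before the process runs (preventive); the rest are caught in review (detective)."""
    return "preventive" if risk.level == "High" else "detective"


# Constructed sample rows mirroring the matrix layout (numbers are placeholders)
SAMPLE_RISKS = [
    Risk("A", "Purchasing", "Operational", "Median", occurrences_per_year=12, loss_per_occurrence=5_000),
    Risk("C", "Purchasing", "Financial", "High", occurrences_per_year=2, loss_per_occurrence=250_000),
    Risk("B", "Purchasing", "Regulatory", "High", occurrences_per_year=1, loss_per_occurrence=100_000),
    Risk("N", "Sales", "Operational", "Low", occurrences_per_year=50, loss_per_occurrence=200),
]


def print_matrix(risks: Iterable[Risk]) -> None:
    """Render the prioritized matrix with the computed annual amount column."""
    header = f"{'Risk':<4} {'Process':<12} {'Category':<12} {'Level':<7} {'Occ/yr':>7} {'Loss':>10} {'Annual':>10} Control"
    print(header)
    for r in prioritize(risks):
        print(f"{r.risk_id:<4} {r.business_process:<12} {r.category:<12} {r.level:<7} "
              f"{r.occurrences_per_year:>7g} {r.loss_per_occurrence:>10,.0f} "
              f"{r.risk_index:>10,.0f} {control_type(r)}")


if __name__ == "__main__":
    print_matrix(SAMPLE_RISKS)
    print(annual_loss_by_process(SAMPLE_RISKS))
```

Sorting by level before index keeps the slides' distinction intact: a frequent low-level risk with a large annual amount does not outrank a rare high-level one, while within a level the expected annual loss decides the order.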
Control categories (3rd step)

• Automatic controls
• Configurable controls
• Functional separation – application security
• Access protection – application security
• Reporting controls
• Guidelines
• Instructions
Control types (3rd step)

• Preventive controls: prevent or avoid faults from occurring before the process has started.
• Detective controls: discover existing errors within a review process.


The IBM phased model

1. Definition of global authorization guidelines (internal and external guidelines)
2. Definition of functions (roles)
3. Design high-level concept: task/function matrix
4. Design detailed concept: organization value matrix
5. Creation of user master records
6. Test: documentation and review
7. Realization: build of single roles and profiles (derivation) & composite roles
8. Definition of composite roles and realization template roles
9. Definition of support concept
10. Preparations for go-live: know-how transfer and training
11. Go-live support
12. Monitoring & review

Phases: Project Setup, Authorization Administration, User Administration


Authorization Model Structure recommended

(Diagram: one template single role, holding the transactions (TA), is derived into organization-specific single roles, which are then grouped into composite roles.)

Template Single Role (TA)
  -> Derived Single Role (A) ... -> Composite Role (A)
  -> Derived Single Role (B) ... -> Composite Role (B)
  -> Derived Single Role (C) ... -> Composite Role (C)

Organizational Value Sets (applied when deriving the single roles from the template)
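The recommended model above (template single role, derived single roles filled from organizational value sets, composite roles) and the earlier distinction between transactions and authorization objects, as an added worked example that is not part of the slides or of SAP: derivation copies the template's transactions and non-organizational field values and fills only the organizational levels, and the authorization check first requires the transaction code and then one matching authorization per checked object. S_TCODE, F_BKPF_BUK, ACTVT and BUKRS are real SAP authorization object and field names, and FB01/FB03 are real transaction codes, used here for illustration; the role names and their contents are constructed for this example, with company codes 1000 and 1100 taken from the enterprise structure slide.

```python
"""Template / derived / composite role model with organizational value sets.

Added example, not from the slides or from SAP. The role contents are constructed.
S_TCODE, F_BKPF_BUK, ACTVT and BUKRS are real SAP object/field names used for
illustration; FB01/FB03 are real transaction codes (post / display accounting document).
"""
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional, Tuple

# Organizational levels: left open in the template, filled in per derived role
ORG_LEVELS = frozenset({"BUKRS"})


@dataclass(frozen=True)
class Authorization:
    obj: str
    # field -> allowed values; None marks an open organizational level (template only)
    fields: Mapping[str, Optional[FrozenSet[str]]]

    def covers(self, required: Mapping[str, str]) -> bool:
        """One authorization covers a check only if every required field value matches."""
        for field_name, value in required.items():
            allowed = self.fields.get(field_name)
            if allowed is None or (value not in allowed and "*" not in allowed):
                return False
        return True


@dataclass(frozen=True)
class SingleRole:
    name: str
    transactions: FrozenSet[str]              # the role's S_TCODE values
    authorizations: Tuple[Authorization, ...]


@dataclass(frozen=True)
class CompositeRole:
    name: str
    single_roles: Tuple[SingleRole, ...]


def derive(template: SingleRole, suffix: str,
           org_values: Mapping[str, FrozenSet[str]]) -> SingleRole:
    """Derived single role: same transactions and non-org field values as the template,
    organizational levels filled from the given organizational value set."""
    filled_auths = []
    for auth in template.authorizations:
        filled = {}
        for field_name, allowed in auth.fields.items():
            if field_name in ORG_LEVELS:
                if field_name not in org_values:
                    raise ValueError(f"{template.name}: no value set for org level {field_name}")
                filled[field_name] = frozenset(org_values[field_name])
            elif allowed is None:
                raise ValueError(f"{template.name}: non-org field {field_name} left open")
            else:
                filled[field_name] = allowed
        filled_auths.append(Authorization(auth.obj, filled))
    return SingleRole(f"{template.name}_{suffix}", template.transactions, tuple(filled_auths))


def is_authorized(composite: CompositeRole, tcode: str,
                  required: Mapping[str, Mapping[str, str]]) -> bool:
    """Modelled on the SAP check: the transaction must be in S_TCODE of some single role,
    then each checked object needs one authorization (in any single role) matching all fields."""
    roles = composite.single_roles
    if not any(tcode in r.transactions for r in roles):
        return False
    for obj, fields in required.items():
        if not any(a.obj == obj and a.covers(fields)
                   for r in roles for a in r.authorizations):
            return False
    return True


# Constructed template: post and display accounting documents, company code left open
TEMPLATE = SingleRole(
    "Z_FI_POST_TPL",
    frozenset({"FB01", "FB03"}),
    (Authorization("F_BKPF_BUK", {"ACTVT": frozenset({"01", "03"}), "BUKRS": None}),),
)
# Organizational value sets for the two company codes from the enterprise structure slide
ROLE_1000 = derive(TEMPLATE, "1000", {"BUKRS": frozenset({"1000"})})
ROLE_1100 = derive(TEMPLATE, "1100", {"BUKRS": frozenset({"1100"})})
CLERK_1000 = CompositeRole("Z_FI_CLERK_1000", (ROLE_1000,))
CLERK_ALL = CompositeRole("Z_FI_CLERK_ALL", (ROLE_1000, ROLE_1100))


def may_post_document(composite: CompositeRole, bukrs: str) -> bool:
    """FB01 with activity 01 (create) in the given company code."""
    return is_authorized(composite, "FB01",
                         {"F_BKPF_BUK": {"ACTVT": "01", "BUKRS": bukrs}})


if __name__ == "__main__":
    for role, cc in ((CLERK_1000, "1000"), (CLERK_1000, "1100"), (CLERK_ALL, "1100")):
        print(f"{role.name} may post in company code {cc}: {may_post_document(role, cc)}")
```

Two properties of the model are worth checking in practice: a template with an open organizational level grants nothing on its own (the check fails on the open field), and a change to the template's transactions or activities reaches every derived role only when the derivation is re-run, which is why the model keeps the template as the single place where functional content is maintained.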
