In my four-part blog series, I will illustrate the risk of extensive access rights to SAP systems. You will find out what risks exist, how to analyze the risks and what actions to be taken.
Part 1 of the series: "Operations done by super users"
1. How to avoid manipulations done by super users
2. How to analyse the risk of super users in SAP with SQL
3. Do it yourself: Analytics of SAP super users in Excel
4. Advanced Analytics: What you definitely should know about SAP super users
SAP administration rights
Posting with SAP administration rights should actually be prohibited by itself. But often this is convenient for certain users. Once I was frightened by an audit, where millions of postings were done by users with SAP administration rights. If you believe or not, there are things like that... and it is not that uncommon. My tip: Check your company for opened barn doors. There is a considerable risk that users with SAP administration rights can easily circumvent the internal control system. The four-eyes principle, approvals and segregation of duties, e.g. posting and paying payments can be circumvented. It is even possible to commit several segregation of duties so that entire business processes can only be carried out by a single person, for example, from the vendor master data system to a purchase order to the accounting contral and payment. Like this fake suppliers could be installed and money from the company could be transfered to one of these suppliers.
When assigning authorizations in SAP systems, the minimum principle should apply. This means, every user should only receive the access rights he needs to accomplish his work. An estimation of whether access rights are actually minimally assigned is often opaque and complex in practice. But with simple analytics one can at least investigate that extensive SAP administration rights are not used in the productive system. By analyzing postings by users with SAP administration rights, the following questions can be reflected:
- Are there any postings made by users with SAP administration rights?
- How often are administration rights used?
- Do users of the departments have administrative rights?
- By asking your user administrators, you can find out, if a SAP authorization system exists
Why are super users posting in SAP?
In general, super users in SAP should be avoided. This is nevertheless the case for the following reasons:
- There is no decent authorization concept and users are given SAP administration rights so that no one complains.
- Executives retain comprehensive authorizations in the SAP system.
- Automatic batch jobs that require an SAP user account for processing have extensive SAP administration rights. Do not be too compliant when it is claimed that there is no possibility for technical reasons!
How to avoid postings by super users in SAP?
The SAP administration rights should be reserved for only one emergency user. In addition, these administrative rights should not be used for daily business transactions. There should be a clear policy in your organization. Nonetheless you should regularly check for postings done by super users in your SAP system.
In the next blog post, you will learn how to automatically analyze whether there is a problem with your SAP administration rights and how extensive this problem is in your company.
zapliance has implemented this audit question, so that you can analyze, who of your super users did what within your system. This is a cross process indicator. In my last series I have introduced a wide range of cross process indicators. If you have missed the series, you can download all informations about the cross process indicators or have a look at the cross process blog posts.