Application Development Discussions
Granular permission


Dear all,

We are on the way to applying SoD. We have read about granular permission, and we wonder if it will help us to make a segregation of duties between the system administrator and the security administrator. We also want to know its advantages and disadvantages.

Thanks in advance

1 ACCEPTED SOLUTION

Colleen
Product and Topic Expert

The biggest challenge on this is no different to the business challenge: the team structure and roles and responsibilities. Do you currently have a dedicated security team, or are the security administrators also the system administrators?

If you just mean SAP systems, then you can start to segregate admin functions by:

1. Building more granular roles and splitting out the security access (system admin display, system admin maintenance (which could be smaller roles), user administrator, role administrator, security display). You might even split user admin out into end-user maintenance versus system users (SUPER user group).

2. Identifying which users are allowed which access.

3. Considering maintenance access to be via Firefighter so it can be logged.

The advantage of all of this is that you are remediating and mitigating access risk. You may also be adhering to compliance requirements and policies, but you still have organisational change, training and security build work (if the access is not split out, etc.). You also need to review the ruleset to ensure the system admin/technical access, etc. is sufficiently defined for your organisation - again, just like a business end user.

But something to keep in mind: System Admins - sometimes we focus on restricting their application layer access only to discover they have full admin rights to OS/DB.
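The role split and ruleset review described above can be checked mechanically once each granular role is mapped to the function it grants. The following is an added example, not code from this thread or from SAP; the role names, functions, conflict ruleset and user assignments are all constructed for illustration, and a Firefighter-logged function is treated as a mitigation rather than a clean result:

```python
# Constructed: the SoD-relevant function each granular role grants.
ROLE_FUNCTIONS = {
    "Z_SYSADMIN_DISPLAY": {"SYSTEM_DISPLAY"},
    "Z_SYSADMIN_MAINT": {"SYSTEM_MAINT"},
    "Z_USER_ADMIN": {"USER_MAINT"},
    "Z_ROLE_ADMIN": {"ROLE_MAINT"},
    "Z_SECURITY_DISPLAY": {"SECURITY_DISPLAY"},
}

# Constructed ruleset: function pairs one person should not hold together.
CONFLICTS = {
    frozenset({"USER_MAINT", "ROLE_MAINT"}): "can create a user and grant it any role",
    frozenset({"SYSTEM_MAINT", "USER_MAINT"}): "system admin can also administer users",
    frozenset({"SYSTEM_MAINT", "ROLE_MAINT"}): "system admin can also build roles",
}

def user_functions(roles):
    """Union of the functions granted by a user's roles (unknown roles grant nothing)."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs

def sod_violations(roles, mitigated=()):
    """Return sorted (func_a, func_b, reason, status) tuples for one user.
    `mitigated` names functions the user only exercises through a logged
    Firefighter ID; conflicts touching them are reported as "mitigated"."""
    funcs = user_functions(roles)
    found = []
    for pair, reason in CONFLICTS.items():
        if pair <= funcs:  # the user holds both sides of the conflict
            func_a, func_b = sorted(pair)
            status = "mitigated" if pair & set(mitigated) else "violation"
            found.append((func_a, func_b, reason, status))
    return sorted(found)

def review(assignments, mitigations=None):
    """Run the check over {user: [roles]}; mitigations is {user: [functions]}."""
    mitigations = mitigations or {}
    return {u: sod_violations(r, mitigations.get(u, ())) for u, r in assignments.items()}

if __name__ == "__main__":
    # Constructed user assignments, not real accounts.
    users = {"basis1": ["Z_SYSADMIN_MAINT", "Z_USER_ADMIN"],
             "sec1": ["Z_ROLE_ADMIN", "Z_SECURITY_DISPLAY"],
             "basis2": ["Z_SYSADMIN_MAINT", "Z_ROLE_ADMIN"]}
    for user, hits in review(users, {"basis2": ["SYSTEM_MAINT"]}).items():
        print(user, hits or "clean")
```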

4 REPLIES



Thanks, Colleen, for your reply and your explanation.

We (the security team) aim to apply segregation of duties (between system admins and security admins) on the SYBASE database.

I also have inquiries about applying SoD:

1- Is it worth applying SoD using granular permission?

2- Is there any other way to apply SoD?

3- What is the best practice to apply SoD?

Thanks in advance

Colleen
Product and Topic Expert

Hi Mohamed,

Your questions:

1. Is it worth it? I can't answer that for you. This is a risk-based question and will depend on the size of your organisation and compliance requirements. Remediation through separation of duties is one option, but your business may decide a detective control to review user logs, etc. is more manageable.

2. I'm not across the technical aspects of SYBASE to comment.

3. Again, I can't comment on SYBASE, but in an SAP application environment I do typically split security administration out from system administration.

To reiterate: it comes down to the risk definition and what your company is willing to allow.

Again, thanks for your comment.