Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SoD ruleset for BW

Former Member
0 Kudos
888

Hi folks,

Despite being a reporting environment, I wonder if any colleagues has a ruleset for SoD in BW for even the reports can reveal information sometimes confidential (or should be confidential) and / or restricted.

I have seen here in the forum, some colleagues with the same question, however, dating from 2010 or 2013.

Could it be there is any update on this issue? Or any colleagues would own a SoD ruleset for BW that can be shared?

Regards.

AR.

1 ACCEPTED SOLUTION

Former Member
0 Kudos
205

Hi Andre,

I do not have a BW ruleset that evaluates critical reports, and I'm not sure that you will have luck finding a pre-configured ruleset because reports are very specific to each company.  Although, it could be developed if you know which reports and "gateways" (authorizations) allow a user to reach the report:  You could have your technical SAP security team open a trace on a user's account who is able to view these reports, and then you could review the trace log to see which authorizations were required to reach the report - then build new ruleset functions and risks from this information.  These risks would be "Critical Action" risks (Sensitive Access), and are single-sided SOD risks (there's not a combination of functions, there's a single function = accessing the sensitive reports).  There are several Critical Action risks within the standard-delivered SAP ruleset for ECC that you could reference as a model for how to build new Critical Action risks for this purpose.

Aside from BW access relating to reports, you can evaluate your BW system for all of the same Basis-related risks that are being evaluated for ECC.  Both systems have similar ABAP foundations, and all of the system-maintenance abilities are the same.  Ideally, you would already have your ECC system connector included in a GRC Logical Group "SAP_BAS_LG" or something similar, which is where your Basis ruleset is uploaded - and any system connectors that are assigned to this LG will be evaluated against this same ruleset.  Therefore, you would simply need to include the BW system connector within this GRC Logical Group; generate the rules; and the you will be able to run risk analysis against BW just like ECC.  At least in this case you will be able to see SOD issues and Critical Actions that your BW technical users have - and you can reduce the risk of one of these users being able to blow up the system.  For example, a user having SCC4 and SM30 with Create/Change ability in BW production can be a very bad thing.  All of these Basis SODs are already configured in the standard-delivered ruleset.

Hopefully this helps,

Ken

7 REPLIES 7

Former Member
0 Kudos
206

Hi Andre,

I do not have a BW ruleset that evaluates critical reports, and I'm not sure that you will have luck finding a pre-configured ruleset because reports are very specific to each company.  Although, it could be developed if you know which reports and "gateways" (authorizations) allow a user to reach the report:  You could have your technical SAP security team open a trace on a user's account who is able to view these reports, and then you could review the trace log to see which authorizations were required to reach the report - then build new ruleset functions and risks from this information.  These risks would be "Critical Action" risks (Sensitive Access), and are single-sided SOD risks (there's not a combination of functions, there's a single function = accessing the sensitive reports).  There are several Critical Action risks within the standard-delivered SAP ruleset for ECC that you could reference as a model for how to build new Critical Action risks for this purpose.

Aside from BW access relating to reports, you can evaluate your BW system for all of the same Basis-related risks that are being evaluated for ECC.  Both systems have similar ABAP foundations, and all of the system-maintenance abilities are the same.  Ideally, you would already have your ECC system connector included in a GRC Logical Group "SAP_BAS_LG" or something similar, which is where your Basis ruleset is uploaded - and any system connectors that are assigned to this LG will be evaluated against this same ruleset.  Therefore, you would simply need to include the BW system connector within this GRC Logical Group; generate the rules; and the you will be able to run risk analysis against BW just like ECC.  At least in this case you will be able to see SOD issues and Critical Actions that your BW technical users have - and you can reduce the risk of one of these users being able to blow up the system.  For example, a user having SCC4 and SM30 with Create/Change ability in BW production can be a very bad thing.  All of these Basis SODs are already configured in the standard-delivered ruleset.

Hopefully this helps,

Ken

0 Kudos
205

Hi Ken,

Your answer matches with my feelings and thoughts related to this topic and definitely help me a lot to establish the base argument within company.

Once more, thank you for your promptly answer and apologies for my late answer back to you.

Regards.


AR

Former Member
0 Kudos
205

Hi Andre,

Attached an analysis on the BW authorization objects. Use these files as starting point to quickly build your custom BW rule set

Best regards

TJ de Jong

0 Kudos
205

TJ de Jong,

Thank you for your valuable contribution.


Regards.


AR

0 Kudos
205

Thank you. I may build a (generic) BW rule set with the next 1-3 months.

btw please reward points if the answer(s) are satisfactory

0 Kudos
205

Ken,

I'm pretty "new" in this platform, so which is the way to reward the answers? Just liking them?

Regards.


AR

0 Kudos
205

You can mark the question as answered