Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ISAE 3000 for SAP S/4HANA Cloud Public Edition - Evaluation of the Authorization Role Concept

anandkapadia
Product and Topic Expert
Product and Topic Expert
‎2024 Apr 24 5:37 PM
1,160

This blog post is featured in the SAP S/4HANA Cloud Public Edition Identity Access Management - Your Knowledge Base.

Introduction

Authorization plays an essential role when we are talking about the Identity Access Management strategy of any ERP solution. Authorizing is the function of specifying access rights/privileges to resources. Authorizations allow what you can do on the system, once you have been authenticated.

In the context of SAP S/4HANA Cloud Public Edition, SAP divides the business functionality into semantically meaningful business catalogs, representing tasks or subprocesses within a business process. These business catalogs are the most finely grained units regarding structuring of work and authorization assignment.

Background

Business catalogs grant access to an app, a set of apps, or individual aspects of an app. Some business catalogs have restrictions. These restrictions give customers the option to further specify the way the user might interact with the app: they may, for example, grant write or read access. Business catalogs are grouped into collections called business roles.

A business role generally contains multiple business catalogs and corresponds to a set of authorizations required to perform the tasks of a particular job description, for example, a warehouse clerk. On the business role level, restriction values of the contained business catalogs are defined. A business catalog might be contained in different business roles and might have different restriction values assigned in these different business roles.

But now the question comes up, how does SAP ensure that the business catalogs - as the smallest building block from an IAM perspective - are not containing any inherent segregation of duties (SoD) conflicts and are fulfilling proper development processes?

For this, SAP regularly hires an external auditor to perform assurance procedures as a reasonable assurance engagement in accordance with the International Standard on Assurance Engagements (ISAE) 3000 Revised, "Assurance Engagements Other Than Audits or Reviews of Historical Financial Information” (ISAE 3000).

In this blog post, we will see the scope of the ISAE 3000 Assurance Report as well as the steps for requesting a copy of it.

Scope of the ISAE3000 Assurance Report

The scope of this report includes assurance procedures on the design and implementation as well as the effectiveness of the SAP S/4HANA Cloud Public Edition Authorization Concept of SAP regarding development, design, and implementation to avoid SoD conflicts.

In order to gain reasonable assurance evidence, the external auditor decided to assess all relevant processes that influence the quality and usage of the released business catalogs by SAP to customers. Some of these assurance procedures refer to the technical backend view on the Business Catalogs, called Business Catalog Roles. Please note that the technical backend cannot be accessed by SAP customers.

The assurance procedures included the assessment of the business catalog role concept structure covered following aspects (technical view):

  • Business catalog roles implemented naming conventions
  • Development process for business catalogs
  • Rule-compliant definition of SAP S/4HANA Cloud Public Edition business catalog roles
  • SoD-compliant definition of SAP S/4HANA Cloud Public Edition business catalog roles

Additionally, the external auditor inspected the SAP-internal testing and change management process with regards to the business catalog roles. Ultimately, the business catalog implementation by SAP (as it is delivered to customers) has been evaluated. This part of the assurance involved walkthroughs with the involved development teams through the newly released SAP Fiori applications to SAP S/4HANA Cloud Public Edition.

Requesting a Copy of the ISAE3000 Assurance Report

The use of this report is restricted. A copy of this report is available for all SAP S/4HANA Cloud Edition customers with productive systems. This report is also available for prospective customers under the signed non-disclosure agreement. The report may include a qualified opinion.

For requesting the report, kindly follow these steps:

Compliance.png

  • Select Find Compliance Documents

Find compliance documents.png

  • Filter the List of compliance documents. Search in the Offering Name for SAP S/4HANA Public Cloud

S4HC.png

  • Search and Click on Reasonable Assurance Report (ISAE3000) on the S/4HANA Cloud Edition Authorization Role Concept

ISAE300.png

  •  Scroll down and click on the button Request a copy of the SAP S/4HANA ISAE 3000 Assurance Report

request.png

 

Conclusion

For more Identity Access Management-related topics on SAP S/4HANA Cloud Public Edition, you can check out my blog post SAP S/4HANA Cloud Public Edition Identity Access Management - Your Knowledge Base.

Please feel free to provide your feedback in the comment sections. 

For more updates you can follow me via LinkedIn.

 

Popular Blog Posts