Let’s understand with a use case:
A global enterprise that uses SAP for its operations employed an executive who sensitive customer and financial information as part of his job. He was later promoted to a different position and was given new authorizations to carry out new tasks as part of his job duties. Unfortunately, while the new access was granted, no one looked at what he has or revoked the previous authorizations that are no longer relevant. As a result, this individual continued to retain both sets of authorizations.
He started utilizing these authorizations by creating numerous fake vendor accounts and subsequently approved payments to these non-existent vendors. Surprisingly, these actions went unnoticed within the company until an internal audit unearthed this irregularity.
Although this scenario may seem uncommon, many enterprises encounter similar situations. So, how to have a control on these kind of scenarios? Does SAP provide any tools/solutions to implement better controls?
Many compliance frameworks mandate period authorization reviews. Performing regular User Access Reviews holds importance in maintaining a secure and efficient system within an organization. Here are some of the advantages of conducting periodic User Access Reviews:
Advantages of conducting User Access Reviews
Additionally, in recent years, many regulations such as SOX/JSOX, ISMS and GDPR has mandated enterprises to perform User Access Reviews. However, executing these controls can be exceedingly time-consuming, potentially impeding core business activities.
This article puts a spotlight on User Access Reviews, offering insights into optimizing and streamlining this pivotal process for your organization's benefit.
Why are SAP User Access Reviews crucial?
Principally, User Access Reviews are primarily conducted for audit purposes. Mandates such as Sarbanes Oxley (SOX) and JSOX necessitate periodic User Access Reviews, commonly performed annually or semi-annually by listed organizations.
The crux of User Access Reviews lies in validating the relevance of SAP access that is provided to a user over a period of time at a later stage. For instance, if the user has requested access to ME21N (Create Purchase Orders) transaction code and it was approved few years back, does that access remain pertinent today, considering potential job function changes or role adjustments?
Consequently, User Access Reviews afford organizations the chance to reassess a user's access, ensuring its continued relevance amidst potential shifts in roles or job functions. An added benefit is correcting and ensuring that SAP authorizations are well managed.
Nonetheless, for many organizations, conducting a User Access Review solely to fulfil audit requirements, especially given the significant effort required from business users. However, there's a pressing need to shift the mindset surrounding User Access Reviews from a mere audit checkbox to an effective tool for managing access risks.
How can this mindset change be fostered?
To encourage a shift in thinking within organizations, it's crucial to emphasize the consequences of not performing the reviews. If the access control process is perceived as complex, the initial step is to simplify it and set up the right process of managing accesses and regular review procedures. This not only limits the authorizations, but also helps in identifying the users with unnecessary authorizations and further contributes insights for restructuring and streamlining the authorization processes. For instance, you can pinpoint users with access to critical permissions and remove those permissions when they are no longer necessary for their job duties.
Diagram that show the Mindset Shift in enterprises wrt Authorization Reviews
After simplifying the access control process and setting up regular reviews, the next step is to implement an automated system. Various solutions such as
SAP GRC Access Control User Access Review (UAR), or
ReviewNow streamline User Access Reviews by providing comprehensive information, aiding users in making informed decisions. Such tools can be configured to expedite the process and present technical SAP role language in user-friendly terms.
How to achieve better output?
How to achieve better output with User Access Reviews
- Role Design: Many organizations adapt to role design approaches that are complex to understand and manage. For example: Enabler roles. It is highly recommend to simplify the SAP role design to aid users in comprehending user access easily. A descriptive role design facilitates informed decisions by users during the review process.
- Role Methodology: Opt for a role methodology that reduces the number of role assignments, making the User Access Review less arduous for business users. Consider methodologies like task based and value based roles to streamline access.
- Rule-set Customization: Customized rule-sets empower business users to better understand the potential access risks, aiding informed decisions during the review.
- Split Reviews: Consider segregating reviews into User Access Reviews, Critical Authorization Reviews, Reviews for key business users and so on. This enhances the focus and efficiency of each review.
- Iterative Reviews: Divide large annual reviews into smaller, more manageable reviews across geographical regions, risk levels, user groups, or SAP modules. This minimizes certification fatigue among reviewers and enhances efficiency.
By implementing these strategies and emphasizing the value of User Access Reviews beyond mere audit compliance, organizations can effectively manage access risks while ensuring the process remains user-friendly and impactful.
Conclusion:
In conclusion, SAP User Access Reviews are critical to safeguard the organization from potential inside and outside attacks and adhere to compliance with regulations like SOX and JSOX. While these reviews offer benefits, a mindset shift is needed to view them not just as audit checkboxes but as tools for effective access risk management. The article suggests simplifying access processes, establishing systematic reviews, and emphasizing the consequences of neglect. Automation tools like SAP GRC Access Control User Access Review or ReviewNow can streamline and simplify the process. Practical strategies include role design simplification, efficient methodologies, rule-set customization, and iterative reviews. Implementing these recommendations ensures a user-friendly and impactful User Access Review process that aligns with business goals.