09-18-2008 11:47 PM
Hello,
1. Do we have a document / template for an SAP security blueprint?
2. What is the meaning of AS-IS processes, with respect to security?
3. How do we go about documenting To-Be processes, with respect to security?
Thanks in advance.
VJ
09-19-2008 7:36 AM
Hi
1. Yes, thank you.
2. As-Is means the current processes. Your question can be interpreted in 2 ways.
i. Your security design supports the business processes, e.g. transactions & restrictions used and allocation of those to users so they can run those business processes.
ii. Your current security processes, e.g. your user & role creation process etc.
3. The functional team will document the to-be processes. They (and you) can use these processes to identify in-scope transactions, important restrictions (e.g. new doctypes being used) and creation of roles. There are lots of ways of documenting it; at the minimum you want to capture the new tx to role mapping, important restrictions per business process or functional area & to-be organisational structure.
09-19-2008 10:00 AM
>alex
>1. Yes, thank you.
If you are talking of the ASAP doc then I am sorry to say the ASAP security plan is very complex to follow and the docs are not comprehensive.
There is nothing as in blue print. Requirements gathering and Testing of role (its and documentation) is not properly explained.
09-19-2008 10:38 AM
>
> >alex
> >1. Yes, thank you.
>
> If you are talking of the ASAP doc then I am sorry to say the ASAP security plan is very complex to follow and the docs are not comprehensive.
> There is nothing as in blue print. Requirements gathering and Testing of role (its and documentation) is not properly explained.
I am not referring to ASAP, though from a security perspective, in my experience, ASAP is fine to follow & use if you spend the time required to get used to it.
I have seen many, many security blueprints which would benefit from using the various ASAP elements, despite its weak points.
09-19-2008 1:25 PM
Hello Alex,
Thank you for the answers.
Is there any place I can get a sample document / template of a security blueprint?
Thanks,
Vijay
09-19-2008 3:21 PM
I can't think of anywhere where blueprint docs are available. Blueprint docs usually take quite a while to put together & there is obvious reluctance of people to make available work which likely remains the property of their company/client.
Hussein did well to mention ASAP, you can download it and get some useful templates from there. More info here: https://websmp101.sap-ag.de/roadmaps
Have a think about stuff like the following:
Security Objectives
Security Approach
TX to Role Mappings
Restriction Requirements
Compliance Requirements (SOX, internal security standards)
Build Standards
Developer Security standards
User Management
Basically all the stuff you need to be able to build from your set of blueprint docs.
Have fun & good luck
09-19-2008 3:25 PM
> I can't think of anywhere where blueprint docs are available. Blueprint docs usually take quite a while to put together & there is obvious reluctance of people to make available work which likely remains the property of their company/client.
Very well put, Alex! Julius, maybe a small text like this one could enter the sticky?