- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Granular permission
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Granular permission
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-03-2018 10:09 AM
Dear all
we are on the way to apply SoD , we read on granular permission , we wonder if it will help us to make segregation of duties between system administrator and security administrator , also we want to know it's advantages and disadvantages
Thanks in advance
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-03-2018 11:39 PM
The biggest challenge on this is no different to business challenge: the team structure and roles and responsibilities. Do you currently have a dedicated security team or are the security administrators also the system administrators?
If you just mean SAP systems, then you can start to segregate admin functions by
1. Building more granular roles and split out the security access (split to system admin display, system admin maintenance which could be smaller roles), user administrator, role administrator, security display). You might even split user admin out to be end users maintenance versus system users (SUPER user group)
2. Identify which users are allowed which access
3. Consider maintenance access to be via Firefighter so it can be logged
The advantage of all of this is you are remediating and mitigating access risk. You may also be adhering to compliance requirements and policies but you still have an organisational change, training, security build work (if the access is not split out, etc) You also need to review the ruleset to ensure the system admin/technical access, etc is sufficiently defined for your organisation - again just like a business end user.
But something to keep in mind: System Admins - sometimes we focus on restricting their application layer access only to discover they have full admin rights to OS/DB.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-03-2018 11:39 PM
The biggest challenge on this is no different to business challenge: the team structure and roles and responsibilities. Do you currently have a dedicated security team or are the security administrators also the system administrators?
If you just mean SAP systems, then you can start to segregate admin functions by
1. Building more granular roles and split out the security access (split to system admin display, system admin maintenance which could be smaller roles), user administrator, role administrator, security display). You might even split user admin out to be end users maintenance versus system users (SUPER user group)
2. Identify which users are allowed which access
3. Consider maintenance access to be via Firefighter so it can be logged
The advantage of all of this is you are remediating and mitigating access risk. You may also be adhering to compliance requirements and policies but you still have an organisational change, training, security build work (if the access is not split out, etc) You also need to review the ruleset to ensure the system admin/technical access, etc is sufficiently defined for your organisation - again just like a business end user.
But something to keep in mind: System Admins - sometimes we focus on restricting their application layer access only to discover they have full admin rights to OS/DB.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-08-2018 8:44 AM
Thanks Colleen for your reply and your explanation
we (security team) target to apply segregation of duties (between system admins and security admins) on SYBASE Data Base.
Also i have inquiries about applying SoD
1- is it worth to apply SoD using Granular permission
2- is any other way to apply SoD
3- best practice to apply SoD
Thanks in Adavnce
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-08-2018 8:54 AM
HI Mohamed
Your Questions:
1. Is it worth it? I can't answer that for your. This is a risk based question and will depend on the size of your organisation and compliance requirements. Remediation through separation of duties is one option but your business may decide a detect control to review user logs, etc is more manageable
2. I'm not across technical aspects of SYBASE to comment
3. Again can't comment on SYBASE but in an SAP application environment, I do typically split security administration out from system.
To reiterate: it comes down to the risk definition and what your company is willing to allow.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-08-2018 10:13 AM
