Former Member

Quick question about SAP Security analyst responsibilities

This question was posted on another site and I was asked by the moderator to cross-post it here:

On another discussion forum, the topic of the SAP Certification program came up. In the discussion thread, there was some debate about the subject areas tested on the exam for SAP security, so I am putting the question to you.

At your current workplace, which of the following, if any, are responsibilities/ expected competencies of your experienced SAP Security analysts:

Encryption

Single Sign-on configuration/ maintenance

Network topology (SAP router and web dispatcher)

Operating system (SAP gateway)

Database security

J2EE

To categorize the responses, it would be helpful to know if you consider yours is a relatively large SAP support organization or not.

Thanks in advance for your responses and comments.

Regards,

Gretchen Lindquist


5 Answers

  • Best Answer
    Feb 09, 2012 at 12:28 PM

    Hi Gretchen,

    I think we can agree that even if we'd try to come up with a certification scheme that would try to make certification as a sole proof of security prowess more meaningful, we'd probably fail. What certification can do is check if there's a certain kind of knowledge available in the applicant, and that maybe therefore he has an overview of the broader area of SAP security.

    A good security consultant has a wide overview of general security concepts and how those need to be applied in an SAP landscape, and deeper knowledge in one or several areas of SAP security. And he/she'll know when he needs to bring in someone else for the pieces for which he doesn't have the required knowledge.

    In an SAP context, experience with clients of the same size/business area is certainly a plus. As is having done previous projects successfully, and having a way to prove that.

    That's probably all you can reasonably ask for.

    "SAP Security" means different things to different people (you didn't even mention authorizations, regulatory compliance, data protection in your post). If you'd be looking for a "full" SAP Security certification you'd have to add sub-certifications for all the topics.

    And even then, you still wouldn't know if the consultant was up to the task you have in mind. Exactly as having a medicine degree doesn't make sure you're good at brain surgery.

    So let's stop hitting on certification, because that's not leading us anywhere. It is a way of certifying that there is a certain basic knowledge, and that's a value for some, but not necessarily a good criterion to pick consultants.

    If you want to pick a consultant, you'd do the same thing you'd do if you had to pick a doctor: you ask friends, you look for references. Nowadays this includes SCN activity, social media, LinkedIn references and much more. You'd talk to the consultant, and maybe go through the task at hand with him to see if he 'gets it'.

    Kind regards,

    Frank.


    • Former Member

      Hi DB,

      That may be a good personal strategy to position yourself in a contract or even globally as a subject matter expert. If you are deep enough into the end-to-end MM, WM and PM implementations then you will know enough about FI etc. to avoid TAX problems, consignment stock holding always involves some sort of infrastructure topics and you can hardly implement anything nowadays without the SD side wanting to come through from mobile devices to verify stock levels or delivery schedules. You will be fine in the exam.

      If you are involved, knowledgeable and experienced enough in all aspects of MM, WM, PM security then you will really be fine to pass the exam, even if you have to take a few guesses on the name of the table for HR Org. Management integration... or take a blind guess that GRC is going to lower your ROI instead of waste your time regardless how you use it... etc...


      However if your employer or contracting agency or ego forced you into a little box then it might be tough to have enough breadth and depth of knowledge or experience to pass the professional exam, but that was the same in the old exam as well.

      If only interested in GRC and some PFCG things, then stick to the Associate exam. If you are deeper into the topics, including upgrades, integration, authentication options, some Java options, selected coding aspects... then go for the professional exam.

      Personally I recommend just getting on with your life strategy if that makes sense for you...  Don't let SAP exams get you down if they are easy... ;-)

      Cheers,

      Julius

  • Feb 09, 2012 at 09:46 AM

    Hi Gretchen,

    I am a consultant so have a slightly different perspective than an end user.

    A typical client security engagement for me will involve 3 or 4 out of those competency areas and on top of that: secure communications & secure application (what I know and love as roles & users, some of our friends will refer to that as secure coding). In general, security administrators at my clients focus on roles & users and their competencies are only in those areas. That is the same for small (<500 users) and large organisations (>20k users).

    In my opinion this is one of the problems with our industry and in particular with individuals who consider themselves SAP Security professional. It is no secret that the wider security industry often views SAP Security practitioners as a bit limited in skills due to the lack of understanding of infosec basics.

    SAP security is not just roles & users, SoDs & SU53s. They are an important part of securing SAP but only a few of the components. As you have pointed out in the competency areas, SAP Security is about the environment in which the SAP system resides and operates and our need is to ensure the C, I, A over those systems that support business processes.

    As an employer I expect an SAP Security professional to have an understanding of all of those competencies (and a few more). In the same way that GRC is much more than a tool provided by SAP, SAP security is a holistic subject that by necessity covers multiple subject areas.

    Regarding expectations of a security analyst, I expect them to be able to understand the wider security environment around their system and to be comfortable talking about things like comms security, SSO, secure programming (the basics), OS, network topology and DB security (the basics). Most importantly they should know how they work together to form the security environment and where the dependencies or touch points are between them. It's not unreasonable for basis and technical teams to perform much of the work in these areas but that is not to say that "out of sight is out of mind".

    I don't hide my views on the inadequacy of the certification process in its previous incarnations. SAP is doing great work to improve this which is a positive step. What is critical is that a demonstration of competency (e.g. certification) in SAP Security covers the whole subject (or as much as practical).

    If people want to break the topic down then that's great but resulting certifications should be pointed out as what they are e.g. Certification in role & user administration.

    I hope there is something in there to provoke thought & discussion!

    Regards

    Alex

    Edited for clarity by: Alex Ayers on Feb 9, 2012 9:49 AM


    • Former Member

      Aw, Alex! Eloquent! Polite! A real gentleman! You covered most of what there is to say on the topic.

      I will put it much more bluntly than you did: there's no such thing as an SAP-security specialist restricting her/his activities to SU01. PFCG at the utmost. SU24 only in cases where the world is about to end.

      A SAP security expert (where I strongly feel, the "SAP"-bit doesn't really have a place here any longer) does - among many other things - in-SAP security.

      IT-landscapes in business processes no longer orbit around SAP as "the leading system"; basically SAP ERP is more and more becoming "the backend" for applications put on portals, on sub-, daughter-, sister-, or otherwise related systems - most of the connections to SAP developed using RFCs, Java etc. This is the level where modern "security" happens: coding, interfaces, sub-systems, internet-connections, SSO, ... the SU01-bit already looking archaic!

      All of the above are reasons why I am seeing the SAP security certification for what it is: making money. Nothing wrong with that, mind you! But an attestation to a person's qualifications where the most sensitive systems a company can have are at stake? Hardly. Too narrow a scope. If given the choice to interview an SAP-certified person as opposed to a CISSP certified person, guess who's getting the interview? That's right: the CISSP person. She/he has a deep knowledge of all things security on many of the most important areas - if I want her/him to meet the challenge of SU01, one SAP course should do nicely, yes?

  • Former Member
    Jun 12, 2013 at 01:38 PM

    It is also good to have some functional knowledge so the security person can understand the transaction process flow. This will be helpful in understanding how to restrict the transaction and also help during the testing. One of the good books a security admin should read is Security and Audit Control Features by ISACA.


  • Feb 09, 2012 at 11:39 AM

    When we talk about SAP Security consultants, then they are very much restricted to ADM940 and partial ADM950, whereas ADM960 is just theory to me till date. I did not find a single client who gives these responsibilities to an SAP Security consultant; a network security consultant or DBA or Basis guys are much preferred. On the other hand, SAP Security consultants are in much more need of knowledge of other components like BI, HR, PI, CRM, SRM, GRC (admin) etc. I can also add SolMan to the list as it is a must buy now 😉

    Nowadays I have seen how customers are depending on these new technologies and their search for consultants who know all of them, not only R/3 or ERP.

    Apart from these, I think a basic understanding of business processes in other domains should also be in the certification program. For example, how the SO cycle is happening when I am giving access to VA01, VL01N etc.

    Regards,

    Arpan Paik


  • Feb 09, 2012 at 12:27 PM

    Hi,

    as a consultant I've seen various clients and it really depends on the culture and structure of the business. I've never seen an organization where the SAP analyst was responsible for DB and OS security. Unfortunately, I have to agree with others that usually SAP security analyst = guy who knows PFCG. I am not CISSP certified but I know roughly what is covered by CISSP. So my ideal security analyst is CISSP + SAP knowledge. It's really easy to learn SAP specific tools and apply them properly if you have a good foundation. Sometimes it's really painful to see guys who for example do not have any clue how an SSL certificate works but are responsible for security roles. I am not a fan of certification, especially certification provided by a vendor, but the value of security certification would significantly decrease if SAP removes some basic stuff from the certification.

    Cheers
