The goal of the project was to establish a maintainable and documentable authorization and user administration as well as to implement security in the area of compliance.
Goals
The SAP authorization concept was to be rebuilt based on the functional specifications of the Role Reference Manager while complying with the legal compliance guidelines. In this context, single roles (at the functional/process level) and composite roles (at the job level) should be created.
In the SAP standard, it is not possible to check SoD violations automatically. Manually, it is a hardly manageable effort and, moreover, cannot be reliably checked. Therefore, hanseWasser
has been looking for a reliable partner who can set up these tasks as auto-mation and detect compliance violations already in the request process, before an authorization is assigned
Furthermore, all changes and adjustments should be documented in an audit-proof manner from the very beginning and also in the future.
Challenges
The editing of authorizations was largely done „on demand“ (please set up user X as user Y). Although the requests were controlled via the application administrators of the individual modules, a synchronization of the already existing authorizations did not take place. This meant that the existing authorizations represented a high risk of misuse and had to be tediously extracted by hand from Excel lists for checking by managers. The data was also not meaningful enough to check authorizations in an audit-proof manner.
The summary of the single roles to composite roles in the SAP standard was developed but not implemented afterwards, because it turned out that the assigned composite roles are not listed in the user master record, instead SAP splits the composite roles into single roles again, which are then displayed. Thus, the introduction of composite roles in the SAP standard did not result in an improved overview.
The decision was made quickly in favor of SIVIS. The functionality as well as the sophisticated design of the software were decisive for hanseWasser in choosing the tool. Design of the software were decisive for hanseWasser in choosing the tool
project content
Important criteria for the decision were mainly the topic of compliance (auditing of SAP authorizations on role and user level) and documentation options.
During the software introduction of the SIVIS Enterprise Security, the involvement of the departments was not necessary. For this purpose, the predefined roll and job templates with a comparison of the trace data from the system were completely sufficient for the roll construction. The departments were only involved when it came to eliminating existing vulnerabilities.
Single roles and composite roles were created. Each user was then assigned a composite role of their job. In the case of cross-divisional activities, all required composite roles were assigned.In addition, it was important to guarantee a smooth go-live so that users could continue to work undisturbed when the new roles went live and the authorization concept could be conveniently expanded afterwards to include missing authorizations.
achievements
Immediately after the implementation of the new authorization concept, the further maintenance of authorizations proved to be much simpler and more transparent. With the support of the SIVIS project team, consisting of consulting and development, all requirements could be processed and implemented in a timely manner. The cooperation worked very well and all necessary requirements that arose during the course of the project could be implemented with a good solution.
Despite the difficult pandemic conditions, a combination of remote sessions and on- site visits enabled the introduction and familiarization with the SIVIS software.
after implementation
Without the use of an automated tool, secure SAP authorizations cannot be audited. The conversion of historically grown SAP roles with security gaps to a clean authorization concept definitely means a high effort for the authorization administration. The processing of audit results should also not be underestimated. By using the SIVIS solution, this could be done without problems and greater effort. In addition, this reduced the complexity of the annual auditing to be performed. Thus, a high degree of certainty that SoD violations have either been eliminated or are known, mitigated and documented has been achieved.
Branch
- Wastewater disposal/ services
Number of employees
Founding year
User Info
- Number of users managed with SIVIS: 180
- Number of destination systems managed with SIVIS: 3
Customer
- Collection of waste water in the area of Bremen
- Treatment of waste water in the two operated waste water treatment plants
project data
- Number of consultant days until go-live: 34
- Number of days project manager until go-live: 4
- Used SIVIS modules: Compliance Manager, Compliance Reference Manager, Role Manager, Role Reference Manager, Identity Manager, Extension Manager
SIVIS Group
