We present. APM Authorization and Profile Management. Necessity of a certified authorization concept. Legal requirements with regard to audit-proof, understandable and generally accepted accounting principles in an electronic data processing environment
We present APM Authorization and Profile Management
Necessity of a certified authorization concept
• Legal requirements with regard to audit-proof, understandable and generally accepted accounting principles in an electronic data processing environment
• Prohibits the manipulation of accounting data
• Protects against unauthorised interventions and ensures data integrity of accounting data
• Further legal requirements & in the interest of the corporation:
  • Protection of personal data
  • Protection of employees and enforces behaviour control
  • Risk free security and availability of a system with unlimited possibilities of users
  • Protection against economical crime, personal enrichment and industrial espionage by employees or other third parties
Recommendations for auditors
• Critical system and development authorizations should not be given to users in the productive operation
• Define an emergency user / use APM / record activities
• Restrictive assignment of user authorizations („minimal principle“)
• No accumulation of authorizations
• Prohibit process chain authorizations for users
The SAP Authorization Concept
Using authorization checks, you can protect any functionality or object in the SAP system. The authorization administration sets up authorizations, which can be assigned to single users in the form of profiles or user groups. The administrator of access authorities assigns authorizations for individual users who may execute certain functionalities or who access an object. During an authorization check, the system compares the data which the authorization administration provides with an authorization profile. If it matches, the task will be executed. An authorization check is initiated by the ABAP/4 command AUTHORITY-CHECK.
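The comparison described above, modelled in Python as an added example (not SAP or APM code). The profile names and field values are constructed; the return codes follow the sy-subrc values 0, 4 and 12 that AUTHORITY-CHECK sets, and the model shows that all fields must match within one authorization rather than across several.

```python
# Simplified model of the comparison behind AUTHORITY-CHECK (added example).
# Constructed user master record: profile name -> list of authorizations.
# Each authorization belongs to one authorization object and lists the
# permitted values per field; a trailing "*" is a prefix wildcard.
USER_PROFILES = {
    "Z_FI_DISPLAY_1000": [  # hypothetical single profile
        {"object": "F_BKPF_BUK", "fields": {"BUKRS": ["1000"], "ACTVT": ["03"]}},
    ],
    "Z_FI_POST_2XXX": [  # hypothetical single profile
        {"object": "F_BKPF_BUK", "fields": {"BUKRS": ["2*"], "ACTVT": ["01", "02"]}},
    ],
}


def _matches(value, pattern):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def authority_check(profiles, obj, **required):
    """Return 0 if a single authorization covers every required field value,
    4 if the object is assigned but no authorization matches, and
    12 if the user holds no authorization for the object at all."""
    auths = [a for auth_list in profiles.values() for a in auth_list
             if a["object"] == obj]
    if not auths:
        return 12
    for auth in auths:
        # Every field must match inside the SAME authorization; values
        # from different authorizations are never combined.
        if all(any(_matches(value, p) for p in auth["fields"].get(field, []))
               for field, value in required.items()):
            return 0
    return 4


if __name__ == "__main__":
    # Display (03) in company code 1000 is covered by the first profile.
    print(authority_check(USER_PROFILES, "F_BKPF_BUK", BUKRS="1000", ACTVT="03"))
    # Create (01) in 1000 fails although BUKRS=1000 and ACTVT=01 each
    # appear somewhere in the user's profiles.
    print(authority_check(USER_PROFILES, "F_BKPF_BUK", BUKRS="1000", ACTVT="01"))
```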
People involved in the authorization concept
(Diagram labels: Profile-responsible, Data owner, Workers council, Revision, Audit, Tax office, Authorization concept, Data security engineer, Authorization administrators, User administrators, IT support team, User service, Hotline, Infrastructure support team, Project team for SAP implementation, Operator, User)
• Minimal effort - maximum system security
• No interruption for users
SAP - User master record
(Diagram labels: User master record, Authorization single profile, Name and Password, Authorization collective profile, Peripherals, i.e. printers, Job profile, Activity / Allocation, Address incl. department, Other parameters)
SAP-Authorization-Concept
(Diagram labels: User master record, Activity group, Authorization single profile, Authorization collective profile, Competence, Authorizations, Authorization object, Authorization name)
Alternative strategies for the set-up
Numerical example. Source: KPMG Euroforum 98
External tool
• Qualified for mapping more than 20 workstations
• Interruption of administrator from routine work and from improving of quality
SAP Profile Generator (transaction related top-down method)
• Qualified for mapping of less than 20 workstations
• High administration and audit effort / reduced security levels by maximum authorizations per transaction code
Manual administration (copying of conventional examples or new setup)
• Qualified for mapping of less than 10 workstations
• Very high implementation, administration and audit effort
APM - The authorization administration in SAP R/3
APM in SAP R/3: Complete integration into SAP standard
(Diagram labels: FI, SD, MM, CO, PP, AM, QM, BC, HR, SAP Profile Generator, SAP Authorizations, SAP Branch Solutions, SAP Audit, Customer Solutions, SAP Revision)
APM - The key elements
• Ensure an „audit secure“ concept and administration of authorization profiles through risk and process analysis
• Support customers in the re-generation and administration of authorizations in a standard SAP authorization environment
APM - The history and where it began
• Highly qualified and sure usage of ABAP/4
• Experience through many years of successful execution of various SAP projects.
• From the field ... for the field experience with setting up authorization concepts for many customers.
APM - The solution
Create minimum authorizations, and use all flexibility to extend them in the future! No theoretical top-down concept. This is a pragmatic and proven approach!
APM - The functionalities
APM Revision
• Risk analyses
• Process analyses
• Security after the SAP-Verification-Primer
• 3-step Security Level Concept („emergency user“)
• Periodical on target-performance assessments
• System log analysis
• Individual categorization of risk potential for different types of usage
APM Admin
• Generate profiles from traces
• Generate profiles by copy and adaption of SAP-Profiles (example profiles, standard profiles, also SAP-Profile Generator-Profiles)
• Easy administration of profiles
• Easy extension of profiles
• Easy global profile changes
• Use of integrated risk analysis when creating profiles
APM Basis
• Batch-Job-Monitor
• Batch-Input-Monitor
• Directory Viewer
• System log analysis
• Evaluation of system parameters
APM Info
• Documentation
• Evaluations
APM - The functionalities
(Diagram labels: APM Admin, APM Revision, APM Basis, APM Info)
• Effective organization of authorization administration
• Ease of flexibility, speed and security
• No theoretical top-down concept. This is a pragmatic and proven approach
APM - The range of use
• Implementation
• Re-generation of authorization concepts
• Administration existing or new concept
• Conversion of an existing authorization concept
• Migration
APM - Risk and Process Versions
The auditors and tax authorities demand:
• Strict observation of generally accepted accounting principles
• No manipulation of accounting data (FI, MM)
• No accumulation of authorizations / process-chain authorizations / „Principle of confidentiality“
APM helps to fulfill the requirements
APM - Risk and Process Versions
The workers council demands:
• No control of employees
• No analysis of personal data
• Transparent authorizations for not “sending employees to Coventry”
• No behaviour control of employees
APM helps the workers council
APM - Risk and Process Versions
The data security engineer demands:
• No unauthorised use of personal data
APM offers a solution
APM - Risk and Process Versions
Whoever demands security in your company, i.e. industrial espionage or SAP basis security:
APM supports all security requirements
APM - The advantages
• User-friendly
• Audit security by defining and creation of individual risk and process analysis
• Consideration of all authorization checks under SAP standard, with branch solutions, with add-ons and with customer developments
• High level security by tracing the workflow for the assignment of minimum authorizations, which can be extended quickly and easily, whenever required
APM - Use the advantages
APM Authorization and Profile Management
• Save costs
• Save time
• Quick installation by SAP-KTW-import ... and off it goes
• Minimum need for co-ordination with audit
• User friendly: easy to learn, no user training necessary
• Assignment of minimum authorizations: more security for the SAP System
• Works also for branch solutions, add-ons, customer developments
• Minimum effort - high system security
• One time investment
APM goes on
Integrated multi-level unblocking and approval procedure:
• user proposal
• authorizations and profiles incl. Profile Change Management
• forms, workflow, electronic signature
Integration of the SAP Profile Generator:
• transaction related
• reference defaults in the SAP Profile Generator
• on target performance comparison
Further Highlights:
• flexible default global changes using Change Customizing
• enjoy APM: Interface layout with easy-to-use (from SAP-Rel. 4.6)
• profile comparison with delta analysis
Link to the system and central authorization administration:
• central authorization administration with ALE-assignment scenario (from SAP-Rel. 4.5)
The differences: SAP Profile Generator meets APM
APM
• High-level security by tracing - assignment of authorizations after the minimum principles (Bottom-Up)
• Easy administration, structuring, setting up new and extending existing authorizations
• User friendly
• Security at revision using extensive risk and process versions as well as documentation
SAP Profile Generator
• Creating authorizations based on the maximum principles (all authorizations behind a transaction will be submitted) (Top-Down)
• Profile Generator profiles can only be modified or administrated with PG and only via the Activity Group
• No consideration of own developments and partly not for branch solutions
APM - The customers
Alfred Ritter GmbH & Co. KG, Brauerei Beck & Co., DaimlerChrysler Aerospace AG, Dürkopp Adler AG, Dynamit Nobel GmbH, IKB Deutsche Industriebank AG, Kaeser Kompressoren GmbH, Krupp Edelstahlprofile GmbH, M.C.M Klosterfrau, Molkerei Alois Müller GmbH & Co., Neue Osnabrücker Zeitung GmbH & Co. KG, OTTO Verwaltungsgesellschaft mbH, Ravensburger Spieleverlag GmbH, Schwarz-Pharma AG, Siemens AG, Stadtwerke Bochum, Thyssen Handelsunion AG, Toyota Deutschland GmbH...
A subset of our customer reference list (We are happy to name a reference customer near you!)
Authorization workshops & Consulting
The SAP-Authorization-Concept: You want to know more?
realtime is not 'only' a leading SAP product company ... The highly qualified realtime team also develops secure and high quality SAP authorization concepts. Please contact us!
Get your test installation now...
realtime North America Inc., Tampa, Florida USA
World Trade Center, 1101 Channelside Drive, Tampa, Florida 33602
Phone: 813-283-0070
Fax: 813-283-0071
Email: info@realtimenorthamerica.com
Web: realtimenorthamerica.com
Literature and contacts
• SAP course AC900 or CA900, external and internal audit. Booking via SAP - Info courses via www.sap-g.de/germany/discsap/revis
• SAP-Fact-Sheet technical system security. Order via SAP-OSS
• Book SAP-R/3 Security and Verification, released at Ottokar Schreiber Verlag, available via book trade
• SAP-Verification-Primer R/3 FI and MM. Order via SAP under 5001 4633, download via www.sap-ag.de/germany/discsap/revis
• SAP-R/3-Security-Primer edition I to III, download via sapnet.sap-ag.de/securityguide
• SAP-Data-Protection-Primer for SAP-R/3. Order at SAP under 5002 4598, download via www.sap-ag.de/germany/discsap/revis
• Information about Audit-Information-System, download via www.sap-ag.de/germany/discsap/revis
• SAP-OSS-hints in group BC-SEC