Case study – Retail industry
Client
- Poland's leading pork producer and pig-farming company, which also runs its own distribution of meat and cold cuts.
- It has more than a dozen locations and more than 500 SAP users.
- The company is listed on the Warsaw Stock Exchange.
Challenge
- Improving the security of business processes by identifying the risks arising from redundant permissions and then removing them from the authorizations of SAP users.
- Building new authorizations in the SAP system in line with security best practices, free from segregation of duties risks and from redundant critical access.
- Aligning entitlements with the actual scope of duties of employees in their individual positions.
- Rebuilding authorizations for IT administrators and consultants, who need broad access to support the system from a technical perspective but should be restricted from the perspective of business operations.
Realized approach
- The work started with a diagnosis of the current state of SAP user authorizations: a risk analysis and an analysis of the transactions actually used by each user were carried out with the implemented smartGRC tool.
- Possible remediation paths were identified, and after in-depth analysis it was concluded that building the roles from scratch was the best option. Rules for building the new roles were defined.
- A role catalog for the finance and controlling areas was developed, containing approximately 180 new roles. The catalog was discussed with key users and business representatives; all suggestions were analyzed, with the requirement that the new roles be free from segregation of duties risks as a key criterion.
- New roles for consultants and IT administrators were built, replacing the previously assigned broad profiles and permissions that carried redundant business access.
- An emergency access (firefighter) granting procedure was developed.
- A series of short training sessions and hands-on exercises in the system was held for the people involved in granting permissions.
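The diagnosis and role-building steps above rest on two checks: which business functions a user's effective transaction set enables (and which pairs of those functions conflict), and which assigned roles a user never actually exercises. The following is an added illustration, not the smartGRC tool, the client's ruleset or the project's data; the role names, user assignments, usage log and the conflict matrix are constructed, and only the transaction codes are standard SAP t-codes, used so the functions are recognisable.

```python
"""Segregation-of-duties (SoD) risk analysis over SAP role assignments.

Added illustration, not the smartGRC tool or the client's data. Role names,
users, assignments, the conflict matrix and the usage log are constructed.
"""

# Business functions expressed as the t-codes that perform them (constructed ruleset).
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02"},
    "post_invoice": {"FB60", "MIRO"},
    "run_payment": {"F110"},
    "maintain_users": {"SU01", "PFCG"},
}

# SoD matrix: pairs of functions one person must not be able to perform alone.
CONFLICTS = [
    ("maintain_vendor", "post_invoice"),
    ("maintain_vendor", "run_payment"),
    ("post_invoice", "run_payment"),
    ("maintain_users", "post_invoice"),
]

# Which t-codes each (hypothetical) role grants.
ROLE_TCODES = {
    "Z_AP_INVOICE": {"FB60", "MIRO", "FB03"},
    "Z_AP_PAYMENT": {"F110", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_GL_DISPLAY": {"FB03", "FBL3N"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM37"},
    "Z_AP_ALL": {"FB60", "MIRO", "F110"},  # badly cut role: conflict inside a single role
}

# Constructed "before" state and a constructed transaction-usage log for the period.
ASSIGNMENTS_BEFORE = {
    "alice": ["Z_AP_INVOICE", "Z_AP_PAYMENT", "Z_VENDOR_MASTER"],
    "bob": ["Z_BASIS_ADMIN", "Z_AP_INVOICE"],
    "carol": ["Z_GL_DISPLAY"],
}
USAGE = {
    "alice": {"FB60", "MIRO", "F110", "FB03"},
    "bob": {"SU01", "PFCG", "SM37"},
    "carol": {"FB03"},
}


def functions_of(tcodes):
    """Business functions that a set of t-codes enables."""
    return {f for f, codes in FUNCTIONS.items() if tcodes & codes}


def sod_risks(tcodes):
    """Conflicting function pairs present in one set of effective t-codes."""
    held = functions_of(tcodes)
    return sorted((a, b) for a, b in CONFLICTS if a in held and b in held)


def role_internal_risks(role):
    """A role that is 'SoD-free' must not hold both halves of any conflict itself."""
    return sod_risks(ROLE_TCODES[role])


def user_tcodes(roles):
    """Effective t-codes of a user: the union over all assigned roles."""
    return set().union(*(ROLE_TCODES[r] for r in roles))


def user_risks(assignments):
    """Per-user list of SoD conflicts arising from the combination of roles."""
    return {u: sod_risks(user_tcodes(roles)) for u, roles in assignments.items()}


def total_risks(assignments):
    return sum(len(r) for r in user_risks(assignments).values())


def unused_roles(roles, used_tcodes):
    """Roles none of whose t-codes the user executed in the observed period."""
    return sorted(r for r in roles if not (ROLE_TCODES[r] & used_tcodes))


def prune_unused(assignments, usage):
    """Candidate 'after' state: drop roles the usage analysis shows are never exercised."""
    return {
        u: [r for r in roles if r not in unused_roles(roles, usage.get(u, set()))]
        for u, roles in assignments.items()
    }


def reduction_percent(before, after):
    return 0.0 if before == 0 else round(100 * (before - after) / before, 1)


if __name__ == "__main__":
    after = prune_unused(ASSIGNMENTS_BEFORE, USAGE)
    b, a = total_risks(ASSIGNMENTS_BEFORE), total_risks(after)
    for user, risks in user_risks(ASSIGNMENTS_BEFORE).items():
        print(f"{user}: {len(risks)} SoD risk(s) before, {len(user_risks(after)[user])} after")
    print(f"total {b} -> {a} ({reduction_percent(b, a)}% reduction)")
    print("Z_AP_ALL internal risks:", role_internal_risks("Z_AP_ALL"))
```

Two points this makes that the list above only states: a user's risk comes from the union of all assigned roles, so a conflict can exist even when every individual role is clean; and usage analysis only finds roles that are unused as a whole, which is why the case study moved from pruning to rebuilding the roles against the SoD matrix from the start (the `role_internal_risks` check is the gate a new role must pass before it enters the catalog).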
Effect
- The scope of users' permissions has been aligned with the duties they actually perform in the SAP system.
- The implemented roles make it possible to manage authorizations with much greater freedom and flexibility while raising the level of security of operations.
- The total number of segregation of duties risks for financial and controlling users has been reduced by 69%.
- Some of the risks in the area of finance have been completely eliminated, and in several cases the reduction exceeded 90%.
- The number of risks in the IT area was reduced by 67%.
- Rebuilding the roles for the finance, controlling and IT areas eliminated over 1,200 risks in total.