SAP access audit – the key to security and compliance

Update 09/29. Why are authorizations so important? In SAP, every access begins with an authorization: user → role → permissions → transactions/applications/authorization objects. It determines who can create a document, change data, approve a payment, or open an accounting period. If the authorization system is designed […]
Access review in SAP without chaos – smartReview case study

Did your last SAP authorization audit drag on for weeks? Did Excel files and endless emails prolong the process even further? See how you can review SAP accesses up to four times faster! In many organizations, periodic review of authorizations is a formal obligation related to audit requirements, GDPR, or SOX. However, on a large […]
How not to overdo authorizations? – Least Privilege Principle in SAP

In the world of ERP systems like SAP, user authorizations are a critical factor for both security and smooth business operations. Yet surprisingly often, users end up with far more access than they actually need. Sometimes “just in case,” sometimes “because it was quicker.” And sometimes simply because no one bothered to verify it. There […]
5 mistakes in approaching emergency access

The GRC Ninja channel has released another episode focusing on emergency access and privileged management in ERP/IT systems. GRC SAP security experts Filip Nowak and Andrzej Partyka, based on their experience, defined the 5 most common mistakes made when configuring and managing emergency and privileged access to SAP.
Merry Christmas and happy New Year

Mitigating controls – is this a cure for “all evil” in redundant authorizations in SAP?

Part #5/5: Summary and conclusions. The fifth and last part of the article summarizes the topic. In this section we gather all the information and answer two questions: why is the topic of access risk and SoD control important, and why is it worth dealing with? We will suggest a correct sequence of […]
Mitigating controls – is this a cure for “all evil” in excessive authorizations risks in SAP?

Part #2/5 – When is it worth creating mitigating controls, and when should they be avoided? In the previous part of our series, we concluded that managers responsible for business operations must decide when, and in which situations, a system access risk should be remediated by removing the access, and when it should be remediated by assigning compensating controls. Mitigating controls are a […]
Mitigating controls – is this a cure for “all evil” in excessive authorizations risks in SAP?

Mitigating controls are control mechanisms implemented in business processes to limit the access risk that comes from excessive authorizations granted to users in ERP systems. In most cases they are activities performed outside the ERP system (SAP) and carried out manually, usually on the basis of SAP reports or other statements generated from IT systems. Mitigating controls are a common management response to the access risk created by conflicting authority assigned to users in SAP. Removing a user's access rights, or modifying access through the role change management process, is a difficult, time-consuming and very often underappreciated response to the problem.
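To make the access-risk idea concrete, the added example below (not code from the original articles or from any SAP tool) walks the chain described in the series, user → role → authorization object values, and flags users who hold both sides of a segregation-of-duties conflict. All role contents, user assignments, the SoD ruleset and the assigned mitigating controls are constructed sample data; the transaction codes (FK01/FK02 vendor master maintenance, F110 payment run, FK03 display) and authorization objects (S_TCODE, F_LFA1_APP, F_REGU_BUK) are used only as plausible illustration, and the risk id and role names are hypothetical. Besides reporting unmitigated conflicts, it also lists mitigating controls that are still assigned to users who no longer have the conflict, the stale-control case a reviewer would want to catch.

```python
"""SoD conflict check over an SAP-style user -> role -> authorization chain.

Added example with constructed data; not the page's or any vendor's code.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data (illustration only, not from a real SAP system).
# Single role -> authorization values, modelled on PFCG role contents:
# (authorization object, field, value). S_TCODE/TCD is the start-transaction check.
ROLES: Dict[str, List[Tuple[str, str, str]]] = {
    "Z_AP_VENDOR_MAINT": [("S_TCODE", "TCD", "FK01"),
                          ("S_TCODE", "TCD", "FK02"),
                          ("F_LFA1_APP", "ACTVT", "02")],
    "Z_AP_PAYMENT_RUN":  [("S_TCODE", "TCD", "F110"),
                          ("F_REGU_BUK", "FBTCH", "21")],
    "Z_AP_DISPLAY":      [("S_TCODE", "TCD", "FK03"),
                          ("F_LFA1_APP", "ACTVT", "03")],
}
# Composite role -> single roles it bundles (hypothetical names).
COMPOSITE_ROLES: Dict[str, List[str]] = {
    "ZC_AP_CLERK": ["Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"],
}
# User -> assigned roles, composite or single (constructed users).
USER_ROLES: Dict[str, List[str]] = {
    "JSMITH": ["ZC_AP_CLERK", "Z_AP_PAYMENT_RUN"],
    "AKOWAL": ["Z_AP_DISPLAY"],
    "MNOWAK": ["Z_AP_VENDOR_MAINT"],
}
# Hypothetical SoD ruleset: risk id -> (function A tcodes, function B tcodes).
# A user who can start any tcode from A and any from B has the conflict.
SOD_RULES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "P001_vendor_master_vs_payment": ({"FK01", "FK02"}, {"F110", "F-53"}),
}
# Risk id -> users for whom a mitigating control has been assigned (constructed).
MITIGATIONS: Dict[str, Set[str]] = {"P001_vendor_master_vs_payment": {"MNOWAK"}}


def resolve_single_roles(role: str) -> Set[str]:
    """Expand a composite role (recursively) into the single roles it contains."""
    if role in COMPOSITE_ROLES:
        out: Set[str] = set()
        for child in COMPOSITE_ROLES[role]:
            out |= resolve_single_roles(child)
        return out
    return {role}


def effective_tcodes(user: str) -> Set[str]:
    """Walk user -> roles -> S_TCODE/TCD values to get the tcodes the user can start."""
    tcodes: Set[str] = set()
    for role in USER_ROLES.get(user, []):
        for single in resolve_single_roles(role):
            for obj, field, value in ROLES.get(single, []):
                if obj == "S_TCODE" and field == "TCD":
                    tcodes.add(value)
    return tcodes


def find_conflicts() -> Dict[str, List[dict]]:
    """Return, per user, every SoD rule where both functions are reachable."""
    findings: Dict[str, List[dict]] = defaultdict(list)
    for user in USER_ROLES:
        have = effective_tcodes(user)
        for risk_id, (side_a, side_b) in SOD_RULES.items():
            hit_a, hit_b = have & side_a, have & side_b
            if hit_a and hit_b:
                findings[user].append({
                    "risk": risk_id,
                    "function_a": sorted(hit_a),
                    "function_b": sorted(hit_b),
                    "mitigated": user in MITIGATIONS.get(risk_id, set()),
                })
    return dict(findings)


def stale_mitigations() -> Dict[str, Set[str]]:
    """Mitigating controls still assigned to users who no longer hold that conflict."""
    conflicts = find_conflicts()
    stale: Dict[str, Set[str]] = {}
    for risk_id, users in MITIGATIONS.items():
        active = {u for u, hits in conflicts.items() if any(h["risk"] == risk_id for h in hits)}
        if users - active:
            stale[risk_id] = users - active
    return stale


if __name__ == "__main__":
    for user, hits in find_conflicts().items():
        for h in hits:
            status = "mitigated" if h["mitigated"] else "UNMITIGATED"
            print(f"{user}: {h['risk']} {h['function_a']} + {h['function_b']} [{status}]")
    for risk_id, users in stale_mitigations().items():
        print(f"stale control: {risk_id} assigned to {sorted(users)} without the conflict")
```

In a real review the three input tables would come from the system (user-role assignments, role authorization data, the GRC ruleset) rather than inline constants, and S_TCODE alone is only the start check: a full analysis also compares the other authorization object values (company code, activity), which the ruleset here deliberately leaves out.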