INTRODUCTION OF A COMPANY-WIDE INTERFACE DEPARTMENT
In order for your SAP system landscape to function permanently, it requires error-free installation and regular support. You can rely on these services:
A secure SAP system does not only include a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignment is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert. The need for recertification - scenarios: Example 1: The "apprentice problem" Imagine the following scenario: A new employee (e.g. apprenticeship or trainee) will go through various departments as part of his or her training and will work on various projects. Of course, an SAP User will be made available to your employee right at the beginning, which is equipped with appropriate roles. As each project and department passes, the employee repeatedly needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "last privilede" and represents a potential security risk for your company. Example 2: The change of department The change of department is one scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his old permissions with him, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company. Recertification as part of a revision: The two examples above show that a regular review of role allocation identifies potential security risks for your business and can be addressed.
SPAM/SAINT - the update tools integrated in ABAP
In order to escape the checks carried out by the iris scanners and ultimately his own arrest, a doctor illegally reuses his eyes and acts under a new identity. With the help of the new eyes he finally succeeds in entering the secured area of the "Precogs" and he can begin his investigation. Through this "biohacking" he not only deceives the biometric security systems - he compromises the highest police control system. All stories!? "Great stories!" think now. But: No one will ever fall for a simple trim. And anyway: Biometric security systems and eye transplantation? It's not for nothing a science fiction movie! What does this have to do with RFC security? All right, I can understand your doubts. But how do you like the following story, for example? RFC Security and the Art of Identity Change Germany, everywhere, 2017: Johannes Voigt has been a medium-sized company employee for several years. He is considered a reliable and conscientious developer from the IT department. In fact, he is increasingly unfairly treated. He decides that he no longer wants to carry his frustration with him.
Let me show you how EasyReCert can simplify this process. Automatic representation of employees & role assignment Each user of the application automatically receives the employees assigned to him. In the first step, the user verifies the assignment of the employees assigned to him. In the second step, the user is shown the roles of his employees. It is now possible to mark the assignment of the role as correct or incorrect. Understandable explanation of the roles Often roles have no talking names and for the decider it is not clear which specific permissions are behind a role. The tool offers the possibility to provide a description for each role, which is available by pop-in. Looking up which role has which permissions and which is meant for which is completely omitted. Flags & Criticality The tool offers in its options the possibility to set flags for critical roles and highlight them in particular. At a glance, the decision-makers see that one of their employees has a critical role and can examine it carefully. Since roles are classified differently in each company, you are completely free to decide which roles you want to consider critical. Roll Whitelist Do you want to exclude certain roles from the audit? Or do you want to test only critical roles? The tool offers you a whitelist function for this. This whitelist allows you to include roles that you do not want to check in the recertification process. So you completely decide which roles the tool should take into account. Logging of the results The results of the tests are logged via the application log and can be viewed both by SAP standard means and directly by the tool. It is also possible to export the audit logs or add optional comments to the logs later.
For administrators, a useful product - "Shortcut for SAP Systems" - is available in the SAP basis area.
This can be used, for example, for advertising purposes, as a know-how presentation or as a further source of income.
For each user there are not only one but up to three generated password hashes.