Thursday, November 15, 2007

User Roles in SAP R/3

I’ve been reviewing a number of projects with SAP R/3 in the company I work for and found what seems to be a very big mistake in user rights planning and implementation. I raised this many times but still have no response from our ‘SAP gurus’, probably because their main task is to finish the project and move on, or maybe because they’re not experienced enough. I don’t know, and it’s not my headache, but I think the problem I’m going to explain is obvious.

The thing is that each project produces a number of roles, and the authorizations (the individual pieces of privilege) are spread across these roles. During the test phase these roles are tested either by a user who has no other roles or by a user who has only roles from the same project. I haven’t seen anybody test roles from one project together with roles from a different project. Unfortunately, SAP has a weird system of authorizations: there are authorizations to access objects (authorization objects with their field values, such as company code or activity), authorizations to perform actions (start transactions, run programs), and so on. So, to perform an action on an object through a given transaction, the user has to hold the authorization for the action and the authorization for the object. To deny that action, it is enough that the user lacks either the authorization for the action or the authorization for the object.

When a user has a number of roles, the authorizations in these roles are added together (the user’s effective authorizations are the union of all assigned roles), and in the end the user can gain more capabilities than she should have. It may be hard to believe, but it really happens in SAP: for example, one role carries the authorization for the object and another role carries the authorization for the action. Neither role allows the action on its own, and each passes its test on its own, but a user who holds both can perform the action.

We can significantly reduce the probability of such ‘authorization summation’ by adding each authorization to a role manually, but that is very time-consuming. It is much easier to build a role from a menu or to use other automated role-generation tools. If we are too lazy to create roles manually, we could instead test every combination of roles to catch the ‘authorization summation’ issue. But with thousands of roles the number of combinations grows so fast that this would be very difficult!
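To make the ‘authorization summation’ concrete, here is an added example (my own illustration, not code from the original post or from SAP) that models roles as sets of SAP-style authorizations, merges them the way SAP does for a user holding several roles, and then scans role combinations for an action that no member role grants alone but the combination grants together. The role names, field values and the list of checks a transaction performs are constructed for illustration; S_TCODE and F_BKPF_BUK are real SAP authorization object names used here only as examples.

```python
from itertools import combinations

# Constructed roles from two hypothetical projects (illustrative values).
# Structure: role -> authorization object -> list of authorizations,
# each authorization being field -> set of allowed values ("*" = any).
ROLES = {
    # Project A role: may start transaction FB01 (post document), but
    # carries no authorization on the accounting-document object itself.
    "Z_PROJA_POSTING_TCODE": {
        "S_TCODE": [{"TCD": {"FB01"}}],
    },
    # Project B role: may create (01) and display (03) accounting documents
    # in company code 1000, but may not start FB01.
    "Z_PROJB_FI_DOC_1000": {
        "F_BKPF_BUK": [{"BUKRS": {"1000"}, "ACTVT": {"01", "03"}}],
    },
    # Project B display-only role, harmless on its own.
    "Z_PROJB_FI_DOC_DISPLAY": {
        "S_TCODE": [{"TCD": {"FB03"}}],
        "F_BKPF_BUK": [{"BUKRS": {"*"}, "ACTVT": {"03"}}],
    },
}

# Checks a critical action performs, like successive AUTHORITY-CHECK
# statements in the transaction: every (object, required values) pair
# must pass. The action and its checks are constructed for this example.
CRITICAL_ACTIONS = {
    "post accounting document in company code 1000": [
        ("S_TCODE", {"TCD": "FB01"}),
        ("F_BKPF_BUK", {"BUKRS": "1000", "ACTVT": "01"}),
    ],
}


def merge_roles(role_names, roles=ROLES):
    """Effective authorizations of a user = union of all assigned roles.
    This union is the 'authorization summation' described in the post."""
    merged = {}
    for name in role_names:
        for obj, auths in roles[name].items():
            merged.setdefault(obj, []).extend(auths)
    return merged


def authority_check(effective, obj, required):
    """True if a single authorization for obj satisfies every required field.
    Field values are not combined across separate authorizations of the
    same object, which mirrors how SAP evaluates an AUTHORITY-CHECK."""
    for auth in effective.get(obj, []):
        ok = True
        for field, value in required.items():
            allowed = auth.get(field, set())
            if value not in allowed and "*" not in allowed:
                ok = False
                break
        if ok:
            return True
    return False


def can_perform(effective, checks):
    """All checks of the action must pass against the effective authorizations."""
    return all(authority_check(effective, obj, req) for obj, req in checks)


def find_summation(roles=ROLES, actions=CRITICAL_ACTIONS, max_roles=2):
    """Role combinations that grant an action no member role grants alone."""
    findings = []
    for size in range(2, max_roles + 1):
        for combo in combinations(sorted(roles), size):
            merged = merge_roles(combo, roles)
            for action, checks in actions.items():
                alone = any(can_perform(merge_roles([r], roles), checks) for r in combo)
                if can_perform(merged, checks) and not alone:
                    findings.append((combo, action))
    return findings


if __name__ == "__main__":
    for combo, action in find_summation():
        print("summation: " + " + ".join(combo) + " -> " + action)
```

Run on its own, the script reports one finding: the Project A transaction role plus the Project B document role together allow posting in company code 1000, although each role was individually harmless. The scan over all pairs costs N(N-1)/2 merges, so with thousands of roles a practitioner would restrict it to a short list of critical actions and to the role combinations that real users actually hold, rather than all pairs.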

Well, I see only one solution in this case: make one role for one user. I know this is not what SAP recommends (I attended "CA940: SAP R/3 Application Security Concept"), but in a complicated environment with thousands of users and thousands of roles from different projects it is, to my mind, the only solution. This strategy addresses the following common issues:

  • authorization summation – you need to test only one role for one user;
  • some employees do more than is specified in their job description, and in this case you just add the extra authorizations to that user's one role. To my mind, this is more secure than adding a whole additional role that has never been tested in combination with the roles the user already has;
  • you get more flexibility: if a project's roles were developed around the organizational structure, they no longer fit when that structure changes. In the "one role–one user" situation you just add the new authorizations to the roles of the users who changed position.

The only drawback: it becomes more difficult to finish new projects quickly…
