Use of ABAC to Streamline SAP SoD Exception Process

By Author: Appsian


To ensure streamlined business operations, business processes need to be secure, compliant, and reliable. In SAP, a central concept in making this possible is Segregation of Duties (SoD).

SoD Exception Scenarios

Sometimes a user has to be given responsibilities and privileges that pose a conflict of interest. It may be that an employee is part of a small department, or that security clearance prevents others from being involved. Whatever the cause, this user needs the ability to handle several steps of a business process, and an exception is made.

Here's where things get complicated. Once an SoD exception is made, your normal preventive controls are no longer effective. This is a major shortcoming of SAP's static, role-based access controls.

You must now compile access logs, root out false positives, and eventually submit them for analysis and sign-off to the required control owners. Detective controls create room for human error and raise the dwell time before red flags are caught, in addition to the extra overhead of manual checks and approvals.

Current SAP SoD Control Limitations

Preventive controls are a non-starter here because they lack the logic to distinguish potential violations from real ones. Preventive SAP access controls decide permissions based on two things: 1) the role of a user and 2) the permissions associated with that role. Although this works in the vast majority of situations, enforcing SoD under an exception requires controls with more granularity.

Actual SoD Violation

SoD's entire aim is to eliminate conflicts of interest in business processes. Conflicting transactions, however, do not inherently constitute a conflict of interest unless the subject matter is the same. For instance, a user performs the transactions to both create and approve several purchase orders. Looking at the transactions alone, the potential for a violation is present. Looking further into the PO data, you can see that the user never created and approved the same PO, so no violation occurred.

SAP will show you 1) the user and role, and 2) the transactions performed, but the third component is missing: the field-level values in the PO itself. This lack of insight into attributes beyond roles and permissions is what renders preventive controls a non-starter once exceptions have been made, and what clutters SoD audit logs with false positives.

SoD Policy Enforcement with Attribute-Based Access Controls

Attribute-Based Access Control (ABAC) uses "attributes" in authorization decisions. These attributes may be anything from user information such as position, department, nationality, or even a user's security clearance level. In addition, access context can be taken into account, such as IP address, location, time, device, and transaction history. Most notably for SoD, data attributes can now be used in the authorization logic. This means that SAP field-level values can be used to decide whether a transaction should be blocked or authorized, and the same information can be reused in reporting.

Combining SAP's role-based access control (RBAC) with an attribute-based access control (ABAC) solution allows for granular control and visibility, offering a broad range of business benefits.

RBAC + ABAC Hybrid Approach: A New Solution

In SoD exception cases, the RBAC + ABAC hybrid solution makes it possible to implement preventive controls. In doing so, you give users the flexibility that an exemption offers while still preventing any real violation from occurring.
Together, this hybrid solution (RBAC + ABAC) allows for a dynamic SoD model that prevents violations while still enabling the flexibility of assigning conflicting roles, and it strengthens role-based policy against over-provisioning.
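The create-PO / approve-PO case above and the hybrid model just described, as an added example that is not Appsian's code or any SAP API: a toy authorization layer where the RBAC step checks the user's roles against the transaction code and the ABAC step checks the PO's own `created_by` field, plus a detective-side triage that separates real violations from false positives in an audit log. ME21N (create purchase order) and ME29N (release purchase order) are real SAP transaction codes; the roles, users, PO numbers and log entries are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Added example (not Appsian's code, not an SAP API): RBAC + ABAC decision for the
# create-PO / release-PO conflict. Roles, users and PO numbers are constructed.


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    created_by: str  # the field-level attribute that RBAC alone never sees


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# RBAC layer: static role -> transaction code mapping (constructed roles).
ROLE_TCODES: Dict[str, FrozenSet[str]] = {
    "PURCHASER": frozenset({"ME21N"}),
    "PO_APPROVER": frozenset({"ME29N"}),
    # SoD exception: a small department's buyer holds both conflicting t-codes.
    "SMALL_DEPT_BUYER": frozenset({"ME21N", "ME29N"}),
}


def rbac_allows(user: User, tcode: str) -> bool:
    """Static check: does any of the user's roles carry this transaction code?"""
    return any(tcode in ROLE_TCODES.get(role, frozenset()) for role in user.roles)


def abac_sod_check(user: User, tcode: str, po: PurchaseOrder) -> Decision:
    """Data-attribute rule: releasing a PO you created yourself is a real SoD violation."""
    if tcode == "ME29N" and po.created_by == user.user_id:
        return Decision(False, f"SoD violation: {user.user_id} created and tried to release {po.po_number}")
    return Decision(True, "no conflict of interest on this PO")


def authorize(user: User, tcode: str, po: PurchaseOrder) -> Decision:
    """Hybrid decision: RBAC first (may the role run the t-code?), then ABAC on the PO's fields."""
    if not rbac_allows(user, tcode):
        return Decision(False, f"RBAC: no role of {user.user_id} permits {tcode}")
    return abac_sod_check(user, tcode, po)


# Detective side: triage an audit log so only real violations reach the control owners.
# Each entry is (user_id, tcode, po_number); constructed sample log.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("alice", "ME21N", "4500000001"),
    ("bob", "ME21N", "4500000002"),
    ("alice", "ME29N", "4500000002"),  # alice releases bob's PO: false positive
    ("alice", "ME29N", "4500000001"),  # alice releases her own PO: real violation
    ("bob", "ME29N", "4500000001"),    # bob releases alice's PO: fine
]


def triage_sod_log(entries: List[Tuple[str, str, str]]):
    """Split ME29N releases into (real violations, false positives) using the PO creator attribute."""
    creators = {po: uid for uid, tcode, po in entries if tcode == "ME21N"}
    real, false_pos = [], []
    for uid, tcode, po in entries:
        if tcode != "ME29N":
            continue
        (real if creators.get(po) == uid else false_pos).append((uid, po))
    return real, false_pos


if __name__ == "__main__":
    alice = User("alice", frozenset({"SMALL_DEPT_BUYER"}))
    print(authorize(alice, "ME29N", PurchaseOrder("4500000001", "alice")))
    print(authorize(alice, "ME29N", PurchaseOrder("4500000002", "bob")))
    real, fp = triage_sod_log(SAMPLE_LOG)
    print("real violations:", real)
    print("false positives:", fp)
```

The preventive path (`authorize`) denies only the self-approval of a PO the same user created, so the exception role keeps its flexibility; the detective path (`triage_sod_log`) applies the same attribute to the log, so reviewers see one real violation instead of three conflicting-transaction alerts.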

More About the Author

Appsian is one of the leading ERP data security, compliance, and implementation solution providers, giving organizations complete control and visibility over their ERP data.
