How To Streamline The Sap Exemption Process Using Attribute-based Access Controls?

By Author: appsian
Total Articles: 115
Comment this article

What happens when an SAP SOD exception is needed?
Often, positions and rights that present a conflict of interest involve a user. Whatever be the reason, in business processes, this user needs the ability to handle multiple steps — as an exception.
Things can be tricky. If an exception happens, the healthy preventive controls will no longer function—one of SAP's most significant weaknesses in static, role-based access controls.

Moving From Preventive to Detective Approach

It would help if you now collected access logs and false filter positives and finally sent them to the appropriate owner for review and sign-off. Besides the additional overhead of manual checks and approvals, detective controls build space for human error and maximize dwelling time until red flags are spotted.

Why Is SAP SOD Control Limited?

Without the ability to distinguish possible violations from real violations, proactive tests are a non-starter. The (preventive) SAP access controls assess authorizations based on two things: user role and task-dependent permissions (think transactions). Although ...
... this works in the vast majority of situations, implementing SAP SOD requires more granular controls.

Let’s consider what an actual SAP SOD violation entails.
SAP SOD's main aim is to eliminate conflicts of interest in business processes. For example, a user creates and approves multiple purchase orders. Looking at transactions, this can appear as a breach. Looking deeper into the PO details, the user may never have created and adopted the same PO, so there was no violation.

SAP can show you user roles and transactions, but the 3rd component is missing: field-level values in the PO itself. This lack of visibility in attributes outside functions and permissions makes preventive controls a non-starter and clutters with false-positive SAP SOD audit logs when exceptions are produced.

The solution to this problem? Enforcing SAP SOD attribute-based access controls.

Attribute-based access controls (ABAC) require ‘attributes’ to be used in authorization decisions. These attributes will come from user information like role, department, nationality, or even the security clearance level of a user. History of access such as IP address, location, time, device, and the transaction can be considered. For SAP SOD, data attributes can now be included in the authorization logic. This means that SAP field-level values can be used to determine whether to block or allow a transaction, and these details can be used in reporting activities.

In the example above, data attributes can be used to determine when a user conducted the first transaction and make the inference that the second transaction will result in a violation.
Combining role-based access controls (RBAC) from SAP with attribute-based access control (ABAC) solutions enables granular control and visibility that provides wide-ranging business benefits.

Flexibility in SAP SOD Exception Situations – RBAC + ABAC Hybrid
The RBAC+ABAC hybrid solution opens up the possibility of implementing preventive controls in exceptional SAP SOD scenarios. By doing so, you can offer users excellent flexibility, preventing any actual violations.

This hybrid approach (RBAC+ABAC) allows for a dynamic SAP SOD model that avoids violations while allowing the flexibility of assigning contradictory roles (if necessary) and strengthens role-based policy to prevent over-provisioning.

RBAC+ABAC Hybrid Solutions From Appsian
Appsian equips SAP GRC Access Control with an additional authorization layer that correlates user, data, and transaction attributes with identified SAP SOD conflicts to block conflicting transactions at runtime.

Let’s get in touch to help you learn more about how a hybrid access control approach can strengthen your organization.

Appsian One of the leading ERP data security,compliance,implementation solutions provider that gives organizations to complete control and visibility over their ERP data.