A Right Approach for Building SAP HANA Privilege Based Roles Designing, configuring, and implementing SAP Security is a complex and resource-intensive task. Hence, companies should identify the right approach before building authorizations. This is also important when it comes to SAP HANA privilege-based roles. I have personally experienced and helped a few organizations with the design of the role definition approach. From this experience, I can say that identifying the proper security requirements during the system build helps in avoiding the need for redesigning at a later stage. Before we move on, please note that the SAP HANA platform has its own role model, which is more complex than the SAP NetWeaver ABAP authorization model. SAP HANA has: Analytic Privileges that will restrict user authorization on data System Privileges that will control the authorization on administrative tasks Object Privileges that allows various authorizations such as SELECT, DELETE, EXECUTE, etc., on database objects Package Privileges are used for providing read/write authorization on repositories Application Privileges are used for managing HANA applications, mostly XS Engine based These privileges can be assigned to the users directly from the HANA Studio, or Web IDE if the administrator has a USER ADMIN privilege assigned to him. However, before designing the authorization approach, I would also like to highlight a few points that should be considered: – Assigning privileges directly is not a recommended approach as: It increases the maintenance activity Makes the authorization management weird, and you will have no clue of who has what Unnecessary access has to be provided to the administrators due to the GRANT authorization limitation. Issues with ownership as objects are owned by the creator and not by the repository owner. So, What Is The Recommended Approach? Simplify The mantra for any successful role design is to simplify. Always keep the authorization structure easy. This makes the maintenance hassle-free and provides complete visibility of the authorizations at any given point in time. Always Create the Roles as Repository (Design-Time) Objects You might ask me here why SAP has provided the option of creating the roles as Catalog objects. Let me explain this – every role that we are assigning to the users should be a part of the HANA Catalog. Unless the run-time version is available, you can’t assign it to the users. When a role is created as a run-time object, the owner of the role is the ‘Creator’ who can decide which user should have authorization to it. Further, when the creator is dropped, the role will be deleted and the assignments will be revoked automatically. Hence, it is recommended to create the role as a design-time object. When a design-time role is activated, the run-time version is automatically created with the owner as “_SYS_REPO” – the global activation guy who owns the HANA repository. The role creation and assignment activities are de-coupled with this approach and the user with “GRANT_ACTIVATED_ROLE” and “REVOKE_ACTIVATED_ROLE” privileges can take care of the assignment/revoking of roles without being an owner of the actual role. Keeping this in mind, the industry and SMEs/experts always recommend assigning the privileges through the roles that are created as database artifacts i.e. repository or design-time roles that will have the .hdbrole extension. Have a Proper Role Naming Convention A proper role naming convention will help you classify the roles correctly and also easily segregate and identify the criticality while assigning them to the users. The roles should be intuitive not only for the ease of security experts but also to enable business approvers and reviewers to know the role kind and type quickly before taking a go or no-go decision. Here is an example: Read more: https://togglenow.com/blog/sap-hana-privilege-based-roles/ #SAPSoDAnalysis #SegregationofDutiesinSAP #SAPSecurityandCompliance #SoDViolationsinSAP #sapsegregationofdutiesmatrix #SAPRiskAssessment #sapsodanalysistool #sapsodconflicts #sapsegregationofduties #SAPGovernanceSolutions #SoDRiskManagementinSAP #sapsodmatrix #sapsodanalyzer

Why Security Optimization is so important? Security Optimization as a Service Portfolio is the right solution to prevent a full downtime and costly security incidents by analyzing high-risk violations and taking security measures proactively. By using Security Optimization Service, you can avoid business interruptions and ensure that the security aspect of SAP solutions is managed properly, reducing risk. As a result of this service, you will be able to concentrate on your daily business requirements instead of spending time handling the complexities of security maintenance. The advantages are: Decrease the risk of a system intrusion Ensure the confidentiality of your business data Ensure the authenticity of your users Substantially reduce the risk of costly downtime due to wrong user interaction Where to start? The EarlyWatch Alert (EWA) report is the most comprehensive snapshot of your SAP systems. The Security section gives you a detailed analysis, more accurate information to keep your SAP systems protected along with the root cause analysis of various findings. Refer to the SAP note # 863362 to know more about the security checks in the EWA report. Incase if the EWA report generation is not yet configured, refer to SAP note # 2282944 (EarlyWatch Alert: Solution Manager 7.2 how to set up/configure EWA reports or add email recipients) that details the steps to configure. Is EarlyWatch (EWA) report itself is enough? Certainly not. While EWA gives you a snapshot of your system, Solution Manager has lot many features that could help you to safeguard your SAP system. Experts recommend implementing additional tools like the Security Optimization Service, System Recommendations configuration in Solution Manager, or Change Diagnostics and Configuration Validation, also called as E2E Change Analysis and Change Reporting and Configuration Validation in Solution Manager. These tools can be configured easily that adds an additional layer of security. Great. Will this be sufficient for me to keep my system secure? May be not. No solution can give you 100% gurantee. Monitoring the systems against the Security baseline is much important and is a contineous activity. In addition to utilizing the standard Security baselines by SAP, experts recommend to use additional applications such as SAP GRC Process Control, Risk Management etc., ToggleNow boasts an easy-to-use reporting application called GAMS360. It provides 100+ baseline reports for review, so it's easy to spot problems as they arise. Further, the system trigger alerts for immediate review by the system owners/controllers. Can these tools help me to protect my SAP systems completely? Are these tools capable enough to detect and stop all sorts of risks associated with my SAP systems? There are a variety of ways to protect your SAP systems. As mentioned, no single tool/product can make your SAP system free from risks. Incase if you have an authorization setup built a decade ago, uou may also need to consider an SAP Security Engagement which will provide you with an expert-guided analysis and approach for your SAP landscape. ToggleNow enables its customers to leverage their business processes and streamline their security measures as part of the SAP Digital Transformation program. One that will help you to discover the ASIS and derive a TOBE Roadmap. Second, that will identify the various processes where automation can be implemented quickly. We take the EarlyWatch report as the baseline and also run various scripts to extract the current status of the system. This will be our starting point to offer detailed services mainly around Security Optimization. Combining the results of the initial discovery, the security policy of the company, and the subject matter expertise, we define the SAP Security Baseline and make the necessary tweaks in the application, and the tools selected. What else is required? Well, there is no big list. We additionally recommend our customers to “Stay clean” and “Stay in-compliant” which is possible with the use of the right GRC solutions. In case if you have SAP GRC in place, it is of utmost importance to Upgrade the SAP GRC version to the latest and utilizes all the features such as User Access Review, SoD Review, Firefighter ID review, and so on. Read more: https://togglenow.com/blog/security-optimization-importance/ #SAPAuthorizationredesign #SAPAuthorizationReview #SAPAuthorizationDesign #SAPRoleDesign #SAPsecurityroledesign #SAPsecurityaudit #AuditManagement #SAPAuditServices #SAPAuditManagement #SAPSODAnalysis tool #SAPSODAnalyzer

Are You Aware That BOTs Can Manage Your SAP GRC User Access Reviews(UAR)? AI driven automation in GRC. The User Access Review functionality is built into SAP GRC Access Control and it's great for smaller companies with only a couple of thousands of users. What if you need to perform this for 40,000+ people? Managing multiple managers and completing the activity within time is a tricky task. Periodic follow-ups and working on weekly reports is not only a time-consuming activity but also a cumbersome one. #ToggleNow developed an automated BOT that will send periodic reminders when a request is not closed within the specific SLA, and rules to automatically handle tasks such as escalating it to the next level manager, auto reviewing the request, and updating the status, and so on are implemented with BOTs. If we could reduce the UAR timelines from months to weeks, that would be a tremendous help. Isn't it? AI driven automation in GRC will help you to streamline business processes and reduce costs. We can build one for you too! ToggleNow – The GRC automation experts ToggleNow Software Solutions Pvt Ltd, Santosh Nasine, Kritika Kadam, Sindhu Sowmitri Raghu Boddu Meet Raghu Boddu an expert in SAP Security and Governance, Risk, and Compliance (GRC). With over 20+ years of experience in the field, Raghu has a deep understanding of the nuances and complexities of SAP systems and how to keep them secure. Raghu has worked with various clients across different industries, helping them implement effective security and GRC strategies to protect their sensitive data and meet regulatory compliance requirements. Raghu is a respected thought leader in the SAP security and GRC community, regularly sharing insights and best practices through presentations and publications. Whether you're looking to improve the security of your SAP system or ensure compliance with relevant regulations, Raghu can provide the guidance and expertise you need to succeed. Read more: https://togglenow.com/automation-stories/ai-driven-automation-in-grc/ #SAPRiskAnalyzersolution #SAPRiskmanagement #sapgrcriskmanagement #sapenterpriseriskmanagement #SAPRiskAnalyzersolution #grcaccesscontrol #sapgrcaccesscontrol #SAPSODANALYZER #SAPSODANALYSISTOOL #SAPSODANALYSIS

Deeper analysis on the use of critical transaction codes using Firefighter! Is your Firefighter Controller reviewing every activity in detail? Does he/she review the most critical business transaction codes? Firefighter controller log review is the same challenge for one of our clients. The FFID logs will be regularly reviewed, but they want to segregate the FFID usage from the most critical transaction code usage for detailed analysis. They have identified around 100 transaction codes as part of this exercise, and any use of these transaction codes by the FFID must be subjected to additional review after reviewing by the FF Controller. Due to the lack of routing conditions, the standard process ID – Firefighter Log Report Review Workflow (SAP_GRAC_FIREFIGHT_LOG_REPORT) doesn’t meet this requirement and needs additional customization. Is there a way to automate firefighter controller log review? Yes, of course. This is what we delivered: In order to maintain the custom transaction codes, we created a custom table and a TMG. As a result, our customer does not have to modify the Decision table every time. A BRF+ DB lookup has been created. Custom BRF+ decision tables have been created to return the value. Created two different MSMP paths with appropriate stages Defined MSMP routing conditions according to business needs The review and approval process is now fully automated, and if the user has executed any critical transaction codes, the Log review request is assigned to the “Internal Review Board (IRB)” after the controller review. Are there any additional automations that can be performed with the FF Log Review? Additionally, an enhancement can be provided to identify if the user has entered any critical transaction codes on the Reason code screen. ToggleNow also implemented BOT-based automation to review logs. Get in touch with our SMEs today! Visit our automation stories to know various automations that are delivered by ToggleNow team. Read more: https://togglenow.com/automation-stories/deeper-analysis-on-the-use-of-critical-transaction-codes-using-firefighter/ #SAPRiskAnalyzersolution #SAPRiskmanagement #sapgrcriskmanagement #sapenterpriseriskmanagement #SAPRiskAnalyzersolution #grcaccesscontrol #sapgrcaccesscontrol #SAPSODANALYZER #SAPSODANALYSISTOOL #SAPSODANALYSIS

Unexpected SAP Licensing Audits? It’s a common struggle – did you know that 8 out of 10 organizations lack the necessary expertise or tools to properly evaluate their SAP Licenses? This often results in exorbitant licensing costs penalties. If you're making substantial investments in SAP licenses, consider exploring our Optimus solution. This solution conducts audits and optimizations of your SAP licenses, resulting in significant cost savings. Optimus specializes in evaluating Named User Licensing (Human Access) and Indirect Licensing (Digital Access). Our solution has assisted numerous enterprises in achieving compliance with SAP Licensing guidelines, ensuring a more efficient and cost-effective licensing structure. Ensure compliance while maximizing savings! Supports all Licensing Models Optimus is your solution across all SAP platforms – ECC, S4 HANA, or HANA Cloud. It comprehensively audits and optimizes all licensing types, including Named user (Human Access), Indirect usage (Digital Access), and FUE-based licensing models Identifies ideal SAP license type Optimus swiftly identifies the perfect SAP license type for your users based on what they are performing in the SAP system. Its precise analysis ensures the ideal licensing category. Streamline your SAP licensing with Optimus’s expert guidance. Ensuring License Compliance Aligning with SAP’s terms prevents license audits, ensuring compliance and penalties. By adhering to SAP’s regulations, Optimus ensures a smooth, compliant licensing environment by consolidating rules in line with SAP terms. Consolidates data across all SAP systems Optimus consolidates information seamlessly across all SAP systems, providing a unified and comprehensive data view. This integration ensures streamlined operations and informed decision- making, leveraging data coherence across the SAP landscape. Why Optimus No two contracts are same! Unlike other generic tools providing standardized reports, Optimus understands the uniqueness of each contract. By translating your contracts into optimization rules, it ensures precise and accurate results, avoiding guesswork for truly optimized outcomes. 3 Level scan Optimus conducts a thorough 3-level scan – what’s assigned, what’s utilized, and what activities are performed within SAP systems. This approach ensures precise categorization, eliminating guesswork from license assignments, and aligning accurately with user actions. Stay Audit-Ready with Optimus! Gain full control over SAP licenses and be thoroughly prepared for SAP Licensing audits with comprehensive inputs and insights provided by Optimus. Reduce SAP License Costs! SAP’s intricate and costly licensing necessitates a reliable solution to safeguard investments, as licenses consume 60% of total IT budgets. Optimus SAP License Management Tool provides 100% automation across the SAP Landscape, ensuring unparalleled savings and mitigating compliance risks Read more: https://togglenow.com/solutions/optimus/ #SAPRiskAnalyzersolution #SAPRiskmanagement #sapgrcriskmanagement #sapenterpriseriskmanagement #SAPRiskAnalyzersolution #grcaccesscontrol #sapgrcaccesscontrol #SAPSODANALYZER #SAPSODANALYSISTOOL #SAPSODANALYSIS