A Right Approach for Building SAP HANA Privilege Based Roles Designing, configuring, and implementing SAP Security is a complex and resource-intensive task. Hence, companies should identify the right approach before building authorizations. This is also important when it comes to SAP HANA privilege-based roles. I have personally experienced and helped a few organizations with the design of the role definition approach. From this experience, I can say that identifying the proper security requirements during the system build helps in avoiding the need for redesigning at a later stage. Before we move on, please note that the SAP HANA platform has its own role model, which is more complex than the SAP NetWeaver ABAP authorization model. SAP HANA has: Analytic Privileges that will restrict user authorization on data System Privileges that will control the authorization on administrative tasks Object Privileges that allows various authorizations such as SELECT, DELETE, EXECUTE, etc., on database objects Package Privileges are used for providing read/write authorization on repositories Application Privileges are used for managing HANA applications, mostly XS Engine based These privileges can be assigned to the users directly from the HANA Studio, or Web IDE if the administrator has a USER ADMIN privilege assigned to him. However, before designing the authorization approach, I would also like to highlight a few points that should be considered: – Assigning privileges directly is not a recommended approach as: It increases the maintenance activity Makes the authorization management weird, and you will have no clue of who has what Unnecessary access has to be provided to the administrators due to the GRANT authorization limitation. Issues with ownership as objects are owned by the creator and not by the repository owner. So, What Is The Recommended Approach? Simplify The mantra for any successful role design is to simplify. Always keep the authorization structure easy. This makes the maintenance hassle-free and provides complete visibility of the authorizations at any given point in time. Always Create the Roles as Repository (Design-Time) Objects You might ask me here why SAP has provided the option of creating the roles as Catalog objects. Let me explain this – every role that we are assigning to the users should be a part of the HANA Catalog. Unless the run-time version is available, you can’t assign it to the users. When a role is created as a run-time object, the owner of the role is the ‘Creator’ who can decide which user should have authorization to it. Further, when the creator is dropped, the role will be deleted and the assignments will be revoked automatically. Hence, it is recommended to create the role as a design-time object. When a design-time role is activated, the run-time version is automatically created with the owner as “_SYS_REPO” – the global activation guy who owns the HANA repository. The role creation and assignment activities are de-coupled with this approach and the user with “GRANT_ACTIVATED_ROLE” and “REVOKE_ACTIVATED_ROLE” privileges can take care of the assignment/revoking of roles without being an owner of the actual role. Keeping this in mind, the industry and SMEs/experts always recommend assigning the privileges through the roles that are created as database artifacts i.e. repository or design-time roles that will have the .hdbrole extension. Have a Proper Role Naming Convention A proper role naming convention will help you classify the roles correctly and also easily segregate and identify the criticality while assigning them to the users. The roles should be intuitive not only for the ease of security experts but also to enable business approvers and reviewers to know the role kind and type quickly before taking a go or no-go decision. Here is an example: Read more: https://togglenow.com/blog/sap-hana-privilege-based-roles/ #SAPSoDAnalysis #SegregationofDutiesinSAP #SAPSecurityandCompliance #SoDViolationsinSAP #sapsegregationofdutiesmatrix #SAPRiskAssessment #sapsodanalysistool #sapsodconflicts #sapsegregationofduties #SAPGovernanceSolutions #SoDRiskManagementinSAP #sapsodmatrix #sapsodanalyzer

Ensuring Regulatory Compliance: Expert Tips for Aligning Your SAP System with MCA Requirements It’s been almost a year since the Ministry of Corporate Affairs (MCA) , India introduced a new set of guidelines to companies on April 1, 2023, aiming to bring transparency and restrict or reduce data manipulation of books within the company. This prompted SAP clients to initiate new processes such as enabling audit trails and change logs. However, many customers are still unsure about what they need to do. A survey conducted by ToggleNow between September 2023 and March 2024 found that 7 out of 10 customers attempted to implement the rules, but they might not have completed all the necessary steps. Here’s how companies are dealing with the situation: What the Requirement says? Enable audit trail of every transaction. How are companies handling it today? Companies are enabling the SM19/SM20 audit logs. What is the Challenge? Enabling SM19/SM20 audit logs will not only occupy lot of space, but also impacts the system performance. Requirement: Creating an edit log of each change made in books of account along with the date when such changes were made. How are companies handling it today? This is a standard feature of SAP where the change logs are captured in the following tables: CDHDR: Change document header table CDPOS: Change document item table SCDO: Change document object table SCDO2: Change document object table (newer version) TCURR: Exchange rates table (used for currency conversion) T000: Clients table (tracks changes to client-specific data) T001W: Plant parameters table (tracks changes to plant-related data) T001L: Storage locations table (tracks changes to storage location data) Challenge: While this is a standard feature, users in SAP can still delete these logs, which need to be secured. Many of the clients haven’t implemented additional security features to protect the edit/change logs. Know more In conclusion, the management of audit logs such as SM19/SM20 presents challenges, as enabling them may consume significant storage space and affect system performance. Despite being a standard feature, users in SAP can still delete these logs, highlighting the necessity for enhanced security measures. Many clients have not implemented additional safeguards, leaving the system vulnerable to unauthorized alterations. Furthermore, users with administrative privileges can easily disable or erase audit trails, while wider authorizations enable the posting of backdated entries. Debug authorizations are often overlooked, granting users access to SE16 with debug capabilities, compromising data integrity. Moreover, changes made through RFMs and in debug mode lack timestamp records, necessitating stricter controls. The deletion of change and edit logs underscores the imperative for robust authorization controls. To mitigate risks, RFMs and RFCs must be secured to prevent unauthorized access and alterations. Absolutely! Evaluating your SAP system to ensure compliance with the Ministry of Corporate Affairs (MCA) requirements is crucial for maintaining transparency and data integrity within your organization. Our team of experts specializes in SAP systems and regulatory compliance, and we’re here to assist you every step of the way. Here’s how ToggleNow can help: 1. Comprehensive Assessment: Our team will conduct a thorough assessment of your current SAP system to identify any gaps or areas that need improvement to meet MCA requirements. 2. Customized Solutions: Based on the assessment findings, we’ll tailor solutions specifically for your organization to ensure compliance with MCA guidelines while optimizing system performance and security. 3. Implementation Support: Our team will provide hands-on support during the implementation phase such as authorization adjustments, guiding you through the process of configuring your SAP system for additional changes to align with MCA requirements effectively. Read more: https://togglenow.com/blog/expert-tips-for-aligning-your-sap-system-with-mca-requirements/ #sap role design best practices #sap security role design best practices #sap security role design document #role design in sap security #sap role redesign #sap role design #sap security role redesigning #redesign of sap authorizations

Navigating the Future of GRC and Access Governance in SAP Ecosystems A New Era of Security and Access Governance Governance, Risk, and Compliance (GRC) and Access Governance are undergoing major changes due to digital growth and stricter regulations. As organizations connect more data and systems, they’re shifting from isolated security practices to proactive, integrated compliance processes. Raghu Boddu, founder of ToggleNow and a seasoned leader in SAP GRC, has observed these shifts closely. “Fifteen years ago, most companies didn’t treat security as a separate function—it was part of Basis administration,” Raghu explains. “Today, security is essential, and organizations know it’s crucial for protecting data, compliance, and brand reputation.” New Market Realities and Demand for Integrated GRC Solutions SAP has long been at the forefront of GRC, offering tools to help both finance and IT teams tackle compliance challenges. Solutions like SAP Access Control and Identity Access Governance (IAG) provide the flexibility to manage today’s security needs while adapting to future ones. As businesses adopt hybrid and multi-cloud systems, managing security across different platforms has become more complex. This is where SAP’s Business Technology Platform (BTP) shines. BTP connects SAP and non-SAP applications seamlessly, creating a secure, compliant ecosystem. “BTP and SAP Identity Services have changed the game for multi-cloud environments,” says Raghu. “Today, integration is nearly seamless thanks to SAP’s open APIs and connectors. This has allowed companies to manage security across hybrid systems without needing extensive customization.” Regional Insights: GRC Maturity and Market Growth The GRC and Identity Access Management (IAM) markets vary widely across regions, shaped by local regulations and market maturity. In the U.S., SoX compliance has driven strict GRC standards for years. Many American companies have developed sophisticated GRC processes, particularly around data security and financial compliance. Meanwhile, regions like India are rapidly catching up. “The growth potential in India is huge,” Raghu shares. “Over the last five years, Indian businesses have started treating GRC as essential, not optional.” In both the U.S. and other markets, companies are increasingly adopting automation and hybrid identity solutions to handle complex regulations. This shift reflects a global move toward integrated compliance, with GRC becoming a core business priority rather than a “tick-the-box” function. As Raghu adds, “It’s inspiring to see GRC prioritized as part of strategy, not just an audit requirement.” The Future of GRC: AI-Driven Compliance and Embedded Solutions a) AI and Automation in GRC Automation and AI are quickly transforming GRC from a reactive function into a proactive one, identifying risks before they become problems. With AI-driven GRC, systems can automatically analyze data to help companies detect potential compliance issues and manage risk more intelligently. SAP’s GRC tools with AI simplify compliance processes and improve decision-making, allowing teams to focus on strategic priorities. Raghu highlights the potential of AI in GRC: “AI has incredible potential in the GRC space. It’s about giving businesses more power to manage risk with accuracy, while reducing manual efforts and errors.” b) Embedding Compliance into Daily Processes Looking forward, GRC will be embedded directly within applications and workflows, constantly monitoring for risks and responding to threats as they arise. Raghu envisions this future: “In the next five years, GRC as a standalone system may fade. Instead, it will be part of daily workflows, where applications flag risks and suggest controls in real time. AI will automate many compliance tasks, cutting down manual efforts.” He adds, “Imagine GRC as a tool that proactively flags a potential access issue based on historical patterns—like a security recommendation engine. This proactive risk management approach is where AI will make the most impact.” About Raghu Boddu and ToggleNow: Innovating in GRC and SAP Integration Raghu Boddu, founder of ToggleNow, has over two decades of experience in SAP GRC and has witnessed the industry’s evolution firsthand. He started ToggleNow to address complex GRC challenges, helping companies make compliance efficient and accessible. With solutions that streamline risk management and improve security, ToggleNow has become a trusted partner for organizations operating in SAP environments. Read more: https://togglenow.com/blog/navigating-the-future-of-grc-and-access-governance-in-sap-ecosystems/ #sap role design best practices #sap security role design best practices #sap security role design document #role design in sap security #sap role redesign #sap role design #sap security role redesigning #redesign of sap authorizations

Understanding SAP Identity Access Governance (IAG) SAP IAG serves as a comprehensive framework within the SAP ecosystem, designed to manage user access, control risks, and ensure compliance with regulatory standards. Its primary focus lies in governing user access across various SAP applications that are hosted on-premise and cloud along with other non-sap systems such as Azure ID, and platforms. Key Components of SAP IAG SAP IAG offers 5 key services as outlined in the below figure: 1. Access Analysis Service Similar to SAP GRC, SAP IAG also has powerful capabilities to assess and mitigate access risks associated with user permissions. It conducts thorough analysis, identifying potential risks and vulnerabilities within the access structure. A clear definition of risks are displayed for each of the users enabling the Business Owners to take better decisions on managing the risks for each of the user. 2. Privileged Access Management (PAM) Service PAM Service is similar to GRC Access Control Emergency Access Management aka Firefighter, a specialized solution designed to manage critical access by controlling, monitoring, and securing the SAP systems from unauthorized changes using privileged accounts. It focuses on a more controlled assignment and management of accesses which has business impact. PAM ensure compliance with regulatory standards, thereby fortifying the overall security posture of an enterprise. 3. Role Designer Service Role Designer service in SAP Identity Access Governance (IAG) is a pivotal tool facilitating the creation and management of user roles within an organization’s access governance framework. It enables administrators to design, customize, and maintain role structures, aligning access with specific job functions or departments. Leveraging SAP Role Designer, businesses can streamline access provisioning by defining business roles, assigning parameters. 4. Access Request Service The Access Request service feature enables users to request access rights based on predefined roles for various applications integrated to SAP IAG. It streamlines the process, ensuring quick and accurate provisioning while maintaining control. Access Request supports predefined workflows and can provision to various on-premise, and cloud applications such as SAP BTP, SAP SAC etc., For a list of systems that are supported, Click here 5. Access Certification Periodic access reviews are crucial for compliance. SAP IAG automates access certification processes, allowing designated individuals to review and confirm user access rights periodically. How Access Governance can be enhanced with SAP IAG? Streamlined Access Requests and Approvals SAP IAG simplifies the access request process by providing a user-friendly interface. Users can easily request specific access rights aligned with their job responsibilities. These requests are then routed through customizable approval workflows, ensuring compliance with defined policies before granting access. Risk Mitigation through Access Analysis With its robust risk analysis capabilities, SAP IAG identifies and evaluates potential risks associated with user access. It conducts in-depth assessments, highlighting access combinations that might pose security threats or regulatory non-compliance. This proactive approach enables organizations to mitigate risks effectively. SAP IAG offers refinement options such as Simple Refinement, and Advanced Refinement in addition to the regular Mitigation options. Further, the SAP IAG Ruleset is delivered with risks related to APO, BASIS, HR, R3, SRM, S4HANA On-premise, S4HANA Cloud, ARIBA, SuccessFactors, Fieldglass, and IBP. For more details on the supported systems, refer to SAP Note – 2782388 – IAG – How to load default standard ruleset? Automated Access Reviews and Certifications Manual access reviews are time-consuming and prone to errors. SAP IAG automates these processes, scheduling periodic access reviews and certifications. This automation ensures that user access remains aligned with current job roles and business needs, reducing the risk of unauthorized access. Role-Based Access Control (RBAC) SAP IAG facilitates Role-Based Access Control, a method of managing access based on job roles, referred to as Business Roles in IAG. It streamlines access provisioning by assigning roles that are pre-analyzed, and all the relevant mapping is done. This approach simplifies access management while reducing the risk of excessive access rights. Read more: https://togglenow.com/blog/sap-iag-for-enhanced-access-governance/ #sap role design best practices #sap security role design best practices #sap security role design document #role design in sap security #sap role redesign #sap role design #sap sod analysis tool #sap sod analyser

Why Security Optimization is so important? Security Optimization as a Service Portfolio is the right solution to prevent a full downtime and costly security incidents by analyzing high-risk violations and taking security measures proactively. By using Security Optimization Service, you can avoid business interruptions and ensure that the security aspect of SAP solutions is managed properly, reducing risk. As a result of this service, you will be able to concentrate on your daily business requirements instead of spending time handling the complexities of security maintenance. The advantages are: Decrease the risk of a system intrusion Ensure the confidentiality of your business data Ensure the authenticity of your users Substantially reduce the risk of costly downtime due to wrong user interaction Where to start? The EarlyWatch Alert (EWA) report is the most comprehensive snapshot of your SAP systems. The Security section gives you a detailed analysis, more accurate information to keep your SAP systems protected along with the root cause analysis of various findings. Refer to the SAP note # 863362 to know more about the security checks in the EWA report. Incase if the EWA report generation is not yet configured, refer to SAP note # 2282944 (EarlyWatch Alert: Solution Manager 7.2 how to set up/configure EWA reports or add email recipients) that details the steps to configure. Is EarlyWatch (EWA) report itself is enough? Certainly not. While EWA gives you a snapshot of your system, Solution Manager has lot many features that could help you to safeguard your SAP system. Experts recommend implementing additional tools like the Security Optimization Service, System Recommendations configuration in Solution Manager, or Change Diagnostics and Configuration Validation, also called as E2E Change Analysis and Change Reporting and Configuration Validation in Solution Manager. These tools can be configured easily that adds an additional layer of security. Great. Will this be sufficient for me to keep my system secure? May be not. No solution can give you 100% gurantee. Monitoring the systems against the Security baseline is much important and is a contineous activity. In addition to utilizing the standard Security baselines by SAP, experts recommend to use additional applications such as SAP GRC Process Control, Risk Management etc., ToggleNow boasts an easy-to-use reporting application called GAMS360. It provides 100+ baseline reports for review, so it's easy to spot problems as they arise. Further, the system trigger alerts for immediate review by the system owners/controllers. Can these tools help me to protect my SAP systems completely? Are these tools capable enough to detect and stop all sorts of risks associated with my SAP systems? There are a variety of ways to protect your SAP systems. As mentioned, no single tool/product can make your SAP system free from risks. Incase if you have an authorization setup built a decade ago, uou may also need to consider an SAP Security Engagement which will provide you with an expert-guided analysis and approach for your SAP landscape. ToggleNow enables its customers to leverage their business processes and streamline their security measures as part of the SAP Digital Transformation program. One that will help you to discover the ASIS and derive a TOBE Roadmap. Second, that will identify the various processes where automation can be implemented quickly. We take the EarlyWatch report as the baseline and also run various scripts to extract the current status of the system. This will be our starting point to offer detailed services mainly around Security Optimization. Combining the results of the initial discovery, the security policy of the company, and the subject matter expertise, we define the SAP Security Baseline and make the necessary tweaks in the application, and the tools selected. What else is required? Well, there is no big list. We additionally recommend our customers to “Stay clean” and “Stay in-compliant” which is possible with the use of the right GRC solutions. In case if you have SAP GRC in place, it is of utmost importance to Upgrade the SAP GRC version to the latest and utilizes all the features such as User Access Review, SoD Review, Firefighter ID review, and so on. Read more: https://togglenow.com/blog/security-optimization-importance/ #SAPAuthorizationredesign #SAPAuthorizationReview #SAPAuthorizationDesign #SAPRoleDesign #SAPsecurityroledesign #SAPsecurityaudit #AuditManagement #SAPAuditServices #SAPAuditManagement #SAPSODAnalysis tool #SAPSODAnalyzer

Are You Aware That BOTs Can Manage Your SAP GRC User Access Reviews(UAR)? AI driven automation in GRC. The User Access Review functionality is built into SAP GRC Access Control and it's great for smaller companies with only a couple of thousands of users. What if you need to perform this for 40,000+ people? Managing multiple managers and completing the activity within time is a tricky task. Periodic follow-ups and working on weekly reports is not only a time-consuming activity but also a cumbersome one. #ToggleNow developed an automated BOT that will send periodic reminders when a request is not closed within the specific SLA, and rules to automatically handle tasks such as escalating it to the next level manager, auto reviewing the request, and updating the status, and so on are implemented with BOTs. If we could reduce the UAR timelines from months to weeks, that would be a tremendous help. Isn't it? AI driven automation in GRC will help you to streamline business processes and reduce costs. We can build one for you too! ToggleNow – The GRC automation experts ToggleNow Software Solutions Pvt Ltd, Santosh Nasine, Kritika Kadam, Sindhu Sowmitri Raghu Boddu Meet Raghu Boddu an expert in SAP Security and Governance, Risk, and Compliance (GRC). With over 20+ years of experience in the field, Raghu has a deep understanding of the nuances and complexities of SAP systems and how to keep them secure. Raghu has worked with various clients across different industries, helping them implement effective security and GRC strategies to protect their sensitive data and meet regulatory compliance requirements. Raghu is a respected thought leader in the SAP security and GRC community, regularly sharing insights and best practices through presentations and publications. Whether you're looking to improve the security of your SAP system or ensure compliance with relevant regulations, Raghu can provide the guidance and expertise you need to succeed. Read more: https://togglenow.com/automation-stories/ai-driven-automation-in-grc/ #SAPRiskAnalyzersolution #SAPRiskmanagement #sapgrcriskmanagement #sapenterpriseriskmanagement #SAPRiskAnalyzersolution #grcaccesscontrol #sapgrcaccesscontrol #SAPSODANALYZER #SAPSODANALYSISTOOL #SAPSODANALYSIS

Deeper analysis on the use of critical transaction codes using Firefighter! Is your Firefighter Controller reviewing every activity in detail? Does he/she review the most critical business transaction codes? Firefighter controller log review is the same challenge for one of our clients. The FFID logs will be regularly reviewed, but they want to segregate the FFID usage from the most critical transaction code usage for detailed analysis. They have identified around 100 transaction codes as part of this exercise, and any use of these transaction codes by the FFID must be subjected to additional review after reviewing by the FF Controller. Due to the lack of routing conditions, the standard process ID – Firefighter Log Report Review Workflow (SAP_GRAC_FIREFIGHT_LOG_REPORT) doesn’t meet this requirement and needs additional customization. Is there a way to automate firefighter controller log review? Yes, of course. This is what we delivered: In order to maintain the custom transaction codes, we created a custom table and a TMG. As a result, our customer does not have to modify the Decision table every time. A BRF+ DB lookup has been created. Custom BRF+ decision tables have been created to return the value. Created two different MSMP paths with appropriate stages Defined MSMP routing conditions according to business needs The review and approval process is now fully automated, and if the user has executed any critical transaction codes, the Log review request is assigned to the “Internal Review Board (IRB)” after the controller review. Are there any additional automations that can be performed with the FF Log Review? Additionally, an enhancement can be provided to identify if the user has entered any critical transaction codes on the Reason code screen. ToggleNow also implemented BOT-based automation to review logs. Get in touch with our SMEs today! Visit our automation stories to know various automations that are delivered by ToggleNow team. Read more: https://togglenow.com/automation-stories/deeper-analysis-on-the-use-of-critical-transaction-codes-using-firefighter/ #SAPRiskAnalyzersolution #SAPRiskmanagement #sapgrcriskmanagement #sapenterpriseriskmanagement #SAPRiskAnalyzersolution #grcaccesscontrol #sapgrcaccesscontrol #SAPSODANALYZER #SAPSODANALYSISTOOL #SAPSODANALYSIS

Unexpected SAP Licensing Audits? It’s a common struggle – did you know that 8 out of 10 organizations lack the necessary expertise or tools to properly evaluate their SAP Licenses? This often results in exorbitant licensing costs penalties. If you're making substantial investments in SAP licenses, consider exploring our Optimus solution. This solution conducts audits and optimizations of your SAP licenses, resulting in significant cost savings. Optimus specializes in evaluating Named User Licensing (Human Access) and Indirect Licensing (Digital Access). Our solution has assisted numerous enterprises in achieving compliance with SAP Licensing guidelines, ensuring a more efficient and cost-effective licensing structure. Ensure compliance while maximizing savings! Supports all Licensing Models Optimus is your solution across all SAP platforms – ECC, S4 HANA, or HANA Cloud. It comprehensively audits and optimizes all licensing types, including Named user (Human Access), Indirect usage (Digital Access), and FUE-based licensing models Identifies ideal SAP license type Optimus swiftly identifies the perfect SAP license type for your users based on what they are performing in the SAP system. Its precise analysis ensures the ideal licensing category. Streamline your SAP licensing with Optimus’s expert guidance. Ensuring License Compliance Aligning with SAP’s terms prevents license audits, ensuring compliance and penalties. By adhering to SAP’s regulations, Optimus ensures a smooth, compliant licensing environment by consolidating rules in line with SAP terms. Consolidates data across all SAP systems Optimus consolidates information seamlessly across all SAP systems, providing a unified and comprehensive data view. This integration ensures streamlined operations and informed decision- making, leveraging data coherence across the SAP landscape. Why Optimus No two contracts are same! Unlike other generic tools providing standardized reports, Optimus understands the uniqueness of each contract. By translating your contracts into optimization rules, it ensures precise and accurate results, avoiding guesswork for truly optimized outcomes. 3 Level scan Optimus conducts a thorough 3-level scan – what’s assigned, what’s utilized, and what activities are performed within SAP systems. This approach ensures precise categorization, eliminating guesswork from license assignments, and aligning accurately with user actions. Stay Audit-Ready with Optimus! Gain full control over SAP licenses and be thoroughly prepared for SAP Licensing audits with comprehensive inputs and insights provided by Optimus. Reduce SAP License Costs! SAP’s intricate and costly licensing necessitates a reliable solution to safeguard investments, as licenses consume 60% of total IT budgets. Optimus SAP License Management Tool provides 100% automation across the SAP Landscape, ensuring unparalleled savings and mitigating compliance risks Read more: https://togglenow.com/solutions/optimus/ #SAPRiskAnalyzersolution #SAPRiskmanagement #sapgrcriskmanagement #sapenterpriseriskmanagement #SAPRiskAnalyzersolution #grcaccesscontrol #sapgrcaccesscontrol #SAPSODANALYZER #SAPSODANALYSISTOOL #SAPSODANALYSIS