8 · Protiviti
4. Role and User Access Risk Analysis
At this stage, SAP Access Control, or another SAP security
monitoring solution, should be leveraged to perform
periodic role and user analyses to determine if the newly
designed SAP roles are in compliance with SoD policies.
This is done by simulating and monitoring changes
aecting SAP security design, and providing timely
feedback to BPOs in case potential conicts arise. Risk
analyses should be run on a periodic basis, especially
after unit and integration testing, which is when the SAP
system design will be updated to accommodate process
improvements. It is important to note that the dened
SAP ruleset in SAP Access Control also may change
during the course of the SAP project, given that new SAP
transactions may be added to “to-be” processes or new
custom transactions may be developed.
To ensure an SAP environment is “clean” or “conict-
free” post-go-live, a sound SAP security provisioning
process must be designed and implemented. This
includes procedures that require SAP security teams to
perform a risk simulation in SAP Access Control prior to
granting user access or modifying a role. This simulation
will determine if role or user changes are posing SoD or
excessive access security risks. In addition, continuous
monitoring procedures must be established and followed
as the project go-live date approaches. Detective SAP
security monitoring processes also should be established,
including generating periodic SoD violation reports
reviewed by BPOs and role owners to validate security
changes. For SAP upgrade or security redesign projects,
post-go-live activities may also include additional change
management processes to assign and manage new roles
and, over time, to discontinue the use of legacy roles.
For Users of SAP S/4HANA Systems
The SAP Access Control functionality will have to be expanded
across the S/4HANA landscape to address the access risks
arising with the introduction of new security layers. Changes
may need to be made at both the system architecture level
(configuring additional connectors) and the Access Control tool
functionality level (workflow changes) if users are provided
access to Fiori and the HANA database.
5. Security Testing and Go-Live Preparation
SAP security Unit Testing (UT) and User Acceptance
Testing (UAT) are critical steps to ensure users experience
minimal access issues prior to go-live. SAP security
testing includes executing all SAP transactions within
a role to conrm that the role has required transactions
and authorization objects to complete the process
(e.g., display, update and post a nancial transaction).
These steps should be performed in conjunction with
project functional testing (during SAP implementations
or upgrades) or before assigning the new roles in the
production environment (during security redesign
projects). Security testing also should include formal SoD
and sensitive access reviews to conrm the newly created
or updated SAP roles are as SoD conict-free as possible,
and that access to key functions (e.g., update vendor
master, update chart of accounts) is properly restricted.
Involving SAP security teams in early stages of the
functional testing phase allows the discovery of
potential security issues before it is too late — or
costly — to modify roles. It is also very important for
the nal UAT process to create test users in the Quality
Assurance environment with the SAP roles to be