Today’s blog post for the “Do it yourself” evaluation of the SAP super user operations shows you the basics for the analytics, how to evaluate the results with Excel and the interpretation of the results.
Part 3 of the series: “Operations done by super users”
1. How to avoid manipulations done by super users
2. How to analyse the risk of super users in SAP with SQL
3. Do it yourself: Analytics of SAP super users in Excel
4. Advanced Analytics: What you definitely should know about SAP super users
What are the basics of extensive SAP authorizations?
Distinct recommendations for the allocation of SAP_ALL and SAP_NEW are defined in the Audit Guideline SAP ERP 6.0 of the DSAG Working Group Revision and Risk Management as constituted on May 2015 (Sorry it is written in german). The following is stated in the corresponding document (own translation):
SAP_ALL:
The SAP_ALL profile is not allowed in the production system. SAP recommends that you only assign this profile to your emergency user. (Source: DSAG Audit Guideline SAP ERP 6.0 p. 42)
SAP_NEW:
The profile SAP_NEW is not allowed in the production system. SAP recommends to cancel the SAP_NEW_ * profiles after an upgrade and distribute the required partial permissions as well as to delete SAP_NEW. (Source: DSAG Audit Guideline SAP ERP 6.0 p. 43)
Why are operations done by super users so critical?
The authorizations SAP_ALL and SAP_NEW are collective profiles with extensive authorizations within the SAP system. A user with SAP_ALL can execute ALL tasks in a SAP system without exception. This includes the deactivation of security-relevant system settings or internal SAP controls. The effects should be clear: track elimination of manipulations. The same applies for the SAP_NEW profile, which also makes it possible to perform unauthorized operations and should therefore be deleted completely after each release change.
With the help of these profiles, it is thus possible to eliminate the principle of non-changeability according to German §239 HGB, which is why the DSAG, in the case of the SAP_ALL profile, exclusively refers to the assignment for an emergency user.
How can the operations be evaluated and assessed?
zapliance offers you the possibility to carry out the analytics of operations done by super users. Using an Excel export at the profile level (which are formed on the basis of a pseudonymous user), you can analyse which user has made use of those rights and how extensively he has done it. For this purpose, we will use a pivot table. The dimensions for the investigation are the users, the document types and the transaction codes used, whereby the number of documents is added up. Part of the analysis looks as follows:
How to evaluate the results?
If you see a similar picture, you definitely got a structural problem with your SAP authorizations. A quick look at the Excel file tells me that both USER_10 and USER_18 are dialog users. I will show you the type of different users and another possible evaluation in the next blog article.
On one hand, you should ask yourself why USER_10 has received such extensive authorization rights in SAP and this way could carry out so many different postings with various transactions and document types. Is the account abused for batch inputs at this point? On the other hand, USER_18 only made 4 bookings and also has SAP_ALL rights. In order to prevent the risk of manipulating any business data, only rights for a specific area of tasks should be assigned so that the employee can fulfill his tasks within the company. In concrete terms, for USER_10 it should be analysed for which business transactions the user is used and restrict the authorizations accordingly.
If you want to carry out the evaluation for your data, you have the possibility to download the template and fill it with your data. The analytics is then updated based on your data.