hey #SAPConsultants 👋 "Think about the capabilities of GRC Access Control – Emergency Access Management (GRC AC EAM). Are you familiar with the process for enabling “Firefighter Access” in your S/4HANA production system? Here we have a unique choreography between two SAP systems. The S/4HANA system and GRC interact in a way where one system totally trusts the other system to “come to its rescue”. One system sends in a firefighter. . . or multiple firefighters. These are individuals who are given temporary access to perform a specific emergency function or business process. They perform these functions while being granted “elevated permissions” via specially designated “firefighter” user IDs. Can this arrangement be abused? It most certainly can!

Companies can become relaxed and begin to perform “normal” business processes through a firefighter arrangement because they do not take the time to properly configure the needed Role/Authorization/User architecture that SHOULD be in place to support the business processes.

A properly designed EAM/Firefighter process is critical to enabling proper governance and implementing and enforcing guardrails around the need for elevated access. Fundamental tenets of a well-governed process for elevated access include a presumption of limited use. Elevated access should only be granted under specific criteria and in limited circumstances; moreover, the elevated-access roles/IDs should be designed with least-privilege access in mind and be purpose-built for the intended use.

Many organizations tend to take the easy route and build or assign roles with widespread access to a Firefighter ID. This adds additional risk, as users may have access to extremely powerful transactions or access that they may not understand. A user may execute far more transactions than intended during the session, resulting in much larger logs, which makes it harder for reviewers to appropriately monitor the activities performed during a Firefighter session.

In other words, a support user for a procurement process should not need access to maintain security roles."

read more here: a blog post by Barry Snow - SecurityBridge in collaboration with Jonathon Pasquale - Altum Strategy Group https://lnkd.in/dCNbRWXx #SAPCyberSecurity
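The post above makes two points a reviewer can act on: a firefighter session is approved for one stated purpose, and a broad Firefighter ID lets the user drift far outside it, burying the drift in a large log. The script below is an added example (not code from the post, from SecurityBridge, or from SAP GRC) that reviews a session log against the approved reason. The log format (`timestamp;firefighter_id;transaction`), the reason-to-transaction scopes, and the "always flag" set are assumptions made for the example; the transaction codes are illustrative, not an official SAP classification.

```python
"""Review a firefighter (emergency access) session log against its approved scope.

Added example; not code from the post, SecurityBridge, or SAP GRC EAM.
Assumed inputs: log lines 'timestamp;firefighter_id;transaction' and an
approved reason code chosen by the controller. Transaction groupings are
illustrative only.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed: reason approved on the firefighter request -> transactions that
# reason legitimately needs. Anything else executed is out of scope.
APPROVED_SCOPES = {
    "PROCUREMENT_SUPPORT": {"ME21N", "ME22N", "ME23N", "ME28", "ME2L", "MIRO"},
    "PRICING_FIX": {"VK11", "VK12", "VK13"},
}

# Assumed: transactions a business-process firefighter should never need
# (role, user and table maintenance). A hit is a finding regardless of reason.
ALWAYS_FLAG = {"PFCG", "SU01", "SU10", "SE16N", "SM30"}


@dataclass(frozen=True)
class Event:
    ts: str
    ffid: str
    tcode: str


@dataclass
class SessionReview:
    reason: str
    total_events: int
    out_of_scope: Counter   # tcode -> executions outside the approved scope
    critical: Counter       # tcode -> executions of ALWAYS_FLAG transactions

    @property
    def clean(self) -> bool:
        """True when every executed transaction fits the approved reason."""
        return not self.out_of_scope and not self.critical


def parse_log(lines):
    """Parse 'ts;ffid;tcode' lines into Events; blank and '#' lines are skipped."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, ffid, tcode = line.split(";", 2)
        events.append(Event(ts, ffid, tcode.strip().upper()))
    return events


def review_session(events, reason):
    """Classify each executed transaction against the approved reason."""
    if reason not in APPROVED_SCOPES:
        raise ValueError(f"unknown reason code {reason!r}: request should not have been approved")
    allowed = APPROVED_SCOPES[reason]
    out_of_scope, critical = Counter(), Counter()
    for e in events:
        if e.tcode in ALWAYS_FLAG:
            critical[e.tcode] += 1
        elif e.tcode not in allowed:
            out_of_scope[e.tcode] += 1
    return SessionReview(reason, len(events), out_of_scope, critical)


# Constructed sample log: a procurement-support session that drifts into role
# maintenance (PFCG), table browsing (SE16N) and a pricing change (VK12).
SAMPLE_LOG = """\
# timestamp;firefighter_id;transaction
2024-05-02T09:01:10;FF_PROC01;ME23N
2024-05-02T09:04:52;FF_PROC01;ME22N
2024-05-02T09:06:03;FF_PROC01;ME28
2024-05-02T09:15:40;FF_PROC01;PFCG
2024-05-02T09:22:18;FF_PROC01;SE16N
2024-05-02T09:30:00;FF_PROC01;VK12
""".splitlines()

if __name__ == "__main__":
    review = review_session(parse_log(SAMPLE_LOG), "PROCUREMENT_SUPPORT")
    print(f"{review.total_events} events, clean={review.clean}")
    for tcode, n in review.critical.items():
        print(f"  CRITICAL  {tcode} x{n}")
    for tcode, n in review.out_of_scope.items():
        print(f"  OUT-OF-SCOPE {tcode} x{n}")
```

The reviewer sees only the exceptions (here PFCG, SE16N and VK12), not the whole log, which is what makes the log review practical once a Firefighter ID is broader than the task. A purpose-built ID that carried only the procurement scope would have produced an empty exception list by construction.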
Access control challenges in SAP testing
Summary
Access-control challenges in SAP testing refer to the difficulties organizations face when ensuring that users have only the permissions necessary for their roles, limiting unauthorized actions and reducing security risks within SAP systems. These challenges often stem from improper role assignments, temporary elevated access, and incomplete auditing, making it crucial to carefully manage who can do what during testing and daily operations.
- Review role assignments: Regularly check and update user roles to make sure permissions match current job responsibilities and minimize unnecessary access.
- Control emergency access: Set up strict procedures and monitoring for temporary elevated permissions to prevent abuse and ensure activities are logged for review.
- Map transaction paths: Identify all possible ways users can perform sensitive actions to capture hidden risks and prevent unauthorized activities.
What’s So Bad About Giving Out SAP_ALL in Development?

In many SAP projects, someone inevitably says, “It’s just a dev system, just give them SAP_ALL.” It’s a common practice, but is it really harmless?

The Justifications I Hear:
• “It’s only development, no real data is there.”
• “It speeds up troubleshooting and testing.”
• “Restricting access slows down the project.”

But here’s the problem: bad habits in development create security risks that carry over into production.

Why It’s a Bad Idea:
1️⃣ Unchecked Access Becomes the Norm – Once SAP_ALL is freely handed out in development, it often creeps into test and even production environments through copied user roles or requests for “temporary” elevated access.
2️⃣ Sensitive Data Still Exists – Many dev systems contain copied production data. If not properly masked, they include personal, financial, or confidential business information, exposed to anyone with SAP_ALL.
3️⃣ Malicious or Accidental Damage – SAP_ALL grants unrestricted access, including the ability to delete tables, change configurations, and create backdoor users. Whether intentional or accidental, mistakes in development can cause major project setbacks.
4️⃣ Transport Risks – If users with SAP_ALL introduce security misconfigurations in development (e.g., critical authorization objects in roles), these can easily be transported into production without realizing the impact.
5️⃣ Audit and Compliance Issues – Even in non-production environments, excessive access violates security best practices and regulatory standards. Auditors won’t accept “It’s just dev” as an excuse if security controls are consistently ignored.

The Better Approach:
✔ Use Business-Appropriate Roles – Assign access based on actual job functions rather than taking the easy route.
✔ Use Firefighter/Temporary Elevation for Troubleshooting – Controlled emergency access (with logging) prevents blanket SAP_ALL assignments.
✔ Mask or Anonymize Data in Dev Systems – Minimize the impact of unauthorized access.
✔ Apply the Same Security Mindset Across All Environments – Security should be embedded in the process, not bypassed for convenience.
The Segregation of Duties Matrix continued... ⬇

The SoD matrix provides a financial risk rating of access entitlements that are assigned to a user. SoD controls should be designed to mitigate access control violation risks. The SoD matrix enables auditors to test the SoD control design effectiveness, based on the risk level identified in the matrix. To ensure that the SoD matrix is accurate and complete, the auditor must obtain a complete snapshot of all user access points within the enterprise application, to ensure that the SoD control design includes a level of granularity in the enterprise security model that grants user access as per the job role assignment for all the users.

The application mapping is the rule-set by which sensitive transactions are tested in the relevant systems. For example, vendor-update rights may be executed through a series of menus within a given application. The presence of these menus assigned to specific users should be mapped, walked through, and documented for the company to accurately test for a particular conflict.

The challenge is that in most modern applications there is more than one way to execute the same transaction. For example, there may be more than one way to pay a vendor in an application, but typically the company isn't aware of all of them and usually doesn't restrict access to or control these other methods to execute a vendor payment. The risk-based SoD process requires a company to discover all the potential methods for executing a transaction to understand the full potential for fraud, not just the limited view of the known methods. Mapping all the ways a user could potentially execute a transaction is critical to accurately depicting SoD.

#segregationofduties #accessgovernance #riskmanagement #accesscontrols
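The post's central point, that a conflict must be tested at the level of the business function and not at the level of the one transaction pair the company happens to know, is easiest to see in code. The script below is an added example, not the post author's or any SAP GRC rule set: it inverts an application mapping (function to every known execution path) so that a user who reaches "maintain vendor" and "pay vendor" through any two paths is flagged, and contrasts that with a naive fixed-pair check that misses the alternate path. The function names, transaction codes, their assignment to functions, the risk ratings and the user/transaction assignments are all illustrative assumptions constructed for the example.

```python
"""Function-level SoD evaluation over an application mapping.

Added example, not from the post or from any SAP GRC ruleset. The functions,
transaction codes, risk ratings and users below are constructed assumptions.
"""

# Assumed application mapping: business function -> every execution path
# discovered for it (transaction codes here; Fiori apps or RFCs would be
# further paths in the same sets).
FUNCTION_PATHS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02", "MK01", "MK02", "BP"},
    "VENDOR_INVOICE":  {"MIRO", "FB60", "F-43"},
    "VENDOR_PAYMENT":  {"F110", "F-53", "F-58"},
    "ROLE_MAINTAIN":   {"PFCG"},
    "USER_MAINTAIN":   {"SU01", "SU10"},
}

# Assumed SoD rules at function level with the matrix's financial risk rating.
SOD_RULES = [
    ("VENDOR_MAINTAIN", "VENDOR_PAYMENT", "HIGH"),
    ("VENDOR_MAINTAIN", "VENDOR_INVOICE", "HIGH"),
    ("VENDOR_INVOICE",  "VENDOR_PAYMENT", "MEDIUM"),
    ("ROLE_MAINTAIN",   "USER_MAINTAIN",  "HIGH"),
]


def build_path_index(function_paths):
    """Invert the mapping: execution path -> functions it can perform.
    setdefault keeps this correct if one path ever serves several functions."""
    index = {}
    for func, paths in function_paths.items():
        for path in paths:
            index.setdefault(path, set()).add(func)
    return index


def user_functions(user_paths, path_index):
    """Functions a user can perform through ANY of the paths assigned to them."""
    funcs = set()
    for path in user_paths:
        funcs |= path_index.get(path, set())
    return funcs


def evaluate(users, rules, path_index):
    """Return {user: [(func_a, func_b, risk, via_a, via_b), ...]} for each rule hit,
    recording which assigned paths provide each side so a reviewer can act."""
    findings = {}
    for user, paths in users.items():
        funcs = user_functions(paths, path_index)
        hits = []
        for a, b, risk in rules:
            if a in funcs and b in funcs:
                via_a = sorted(p for p in paths if a in path_index.get(p, ()))
                via_b = sorted(p for p in paths if b in path_index.get(p, ()))
                hits.append((a, b, risk, via_a, via_b))
        if hits:
            findings[user] = hits
    return findings


def naive_pair_check(users, known_pairs):
    """The 'known methods only' test the post warns about: a fixed transaction
    pair. A user holding the same conflict via other paths is not reported."""
    return {u for u, paths in users.items()
            if any(x in paths and y in paths for x, y in known_pairs)}


# Constructed users. ap_clerk holds the documented pair (XK01 + F110);
# ap_clerk2 holds the same conflict through alternate paths (FK02 + F-53).
USERS = {
    "ap_clerk":  {"XK01", "F110", "MIRO"},
    "ap_clerk2": {"FK02", "F-53"},
    "buyer":     {"ME21N", "ME23N"},
    "basis":     {"PFCG", "SU01"},
}

if __name__ == "__main__":
    index = build_path_index(FUNCTION_PATHS)
    print("naive pair check flags:", naive_pair_check(USERS, [("XK01", "F110")]))
    for user, hits in evaluate(USERS, SOD_RULES, index).items():
        for a, b, risk, via_a, via_b in hits:
            print(f"{user}: {a} via {via_a} + {b} via {via_b} [{risk}]")
```

Run stand-alone, the naive check reports only `ap_clerk`, while the function-level evaluation also reports `ap_clerk2` (FK02 + F-53) and `basis` (PFCG + SU01). Completeness of `FUNCTION_PATHS` is the whole game: a path omitted from the mapping is invisible to the rule, which is exactly why the post insists on discovering every execution method before the matrix is tested.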