RBAC-ABAC Hybrid Approach to Improve SAP Field-Level Security

By Author: Appsian

Companies that run ERP systems are now deploying role-based access controls (RBAC). These controls tie data access rights to the resources each job function needs and provide a framework for data governance. But with today's largely remote workforce, businesses need a more robust and dynamic access control strategy.

Attribute-Based Access Controls

With attribute-based access controls (ABAC), an organization can bring additional context such as geo-location, time of day, and IP address into access decisions; SAP ABAC is one instance of this. It ensures that resources are accessed only by approved users while preventing users from having more access than they need.

Such granular, data-centered access privileges help organizations keep sensitive ERP data away from users who should not see it, minimizing the damage an intruder on the corporate network can do.

RBAC+ABAC Hybrid Approach to Data Security

Let us now see how a combination of RBAC and ABAC can ensure security at the field level.

Consider a multinational corporation (MNC) with branches in many countries. Assume the corporation has a policy that allows every 'Accounts Manager' worldwide to access the basic details of vendor payments, but only an 'Accounts Manager' who is a US citizen and works in a US region may access certain data (payments made to US-based vendors, for example). In this case, several fields must be shielded from users who do not meet the citizenship and location requirements.

Note that here, apart from the user's role (Accounts Manager), the user's citizenship and location must also be considered before any vendor payment data is shown.

How does a company address this under a traditional RBAC implementation?

A company following the old RBAC model would typically create one 'Accounts Manager' role per country and then another set of roles for citizenship. Note that static roles cannot capture the user's 'Location' attribute at all, since it is only known at the time of access.

Even setting aside the missing 'Location' support, a purely role-based approach does not scale and becomes cumbersome to manage across a large user population. Moreover, whenever a policy change introduces a permitted exception, every role created to encode the policy must be modified.

To simplify implementation, let's instead consider an approach that combines RBAC and ABAC (for example, SAP ABAC).

In this hybrid approach, we create a single 'Accounts Manager' role that is common across the business for all Accounts Managers worldwide. Static attributes of the individual user, such as Company Codes, Offices, and Citizenship, are maintained separately, while 'Location' is treated as a dynamic attribute evaluated at access time.

Attribute-based access control makes these user attributes available for access-control decisions and for maintaining field-level protection.

Ideally, the behavior of Views/Fields should be determined from the runtime attributes of the user attempting to access the transaction.

When developing a field-level protection solution for controlling data access, three levels of attributes decide the behavior of screen objects:

1) Identity, e.g., Roles, Citizenship, Skill level

2) Context, e.g., Location, Type of device

3) Content, e.g., Employee data

The paradigm shift in this model is that the behavior of business object Fields/Views is no longer controlled by roles alone but by three sets of attributes, which allows much finer-grained control over data from business objects. The result is more scalable, and dynamic changes can be supported.
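As an added illustration (not code from the article, Appsian or SAP), here is a small Python policy evaluator for the vendor-payment scenario above: the 'Accounts Manager' role gates the transaction (RBAC), while identity, context and content attributes decide which fields are shown or masked (ABAC). The field names, attribute names and rule format are constructed for the example, and the rule is generalized from the US case to any vendor country.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample policy for the article's scenario (not SAP's rule format).
BASIC_FIELDS = {"vendor_id", "vendor_country", "amount"}   # every Accounts Manager
RESTRICTED_FIELDS = {"bank_account", "tax_id"}             # citizenship + location
MASK = "***"

# Constructed sample record; "vendor_country" is the content attribute.
PAYMENT = {"vendor_id": "V-1001", "vendor_country": "US", "amount": 12500.0,
           "bank_account": "000123456789", "tax_id": "12-3456789"}


@dataclass
class User:            # identity attributes (static, from the user master)
    role: str
    citizenship: str


@dataclass
class Context:         # context attributes (dynamic, known only at access time)
    location: str
    device: str = "managed"


def visible_fields(user: User, ctx: Context, payment: dict) -> set[str]:
    """Return the set of payment fields this user may see for this record."""
    if user.role != "Accounts Manager":
        return set()                      # RBAC: the role alone gates the transaction
    allowed = set(BASIC_FIELDS)           # basic details for every Accounts Manager
    vendor_country = payment["vendor_country"]
    # ABAC: restricted fields require the user's citizenship AND current
    # location to match the vendor's country. A policy change touches this
    # rule only; the single shared role stays as it is.
    if user.citizenship == vendor_country and ctx.location == vendor_country:
        allowed |= RESTRICTED_FIELDS
    return allowed


def render(user: User, ctx: Context, payment: dict) -> dict:
    """Field-level protection: return a copy with disallowed fields masked."""
    allowed = visible_fields(user, ctx, payment)
    return {k: (v if k in allowed else MASK) for k, v in payment.items()}


if __name__ == "__main__":
    mgr = User("Accounts Manager", "US")
    print(render(mgr, Context("US"), PAYMENT))   # bank details shown
    print(render(mgr, Context("DE"), PAYMENT))   # same user abroad: masked
```

Because 'Location' is read from the context at each call, the same user sees the restricted fields in one session and a masked record in another, without any role change.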

Despite all of the above, there is still scope for a data breach, as the recent increase in phishing attacks across organizations demonstrates. It is therefore vital for businesses to invest in additional data security platforms to provide comprehensive data protection.

More About the Author

Appsian is a leading provider of ERP data security, compliance, and implementation solutions that gives organizations complete control and visibility over their ERP data.
