123ArticleOnline Logo
Welcome to 123ArticleOnline.com!
ALL >> Hardware-Software >> View Article

Use Of Abac To Streamline Sap Sod Exception Process

Profile Picture
By Author: Appsian
Total Articles: 32
Comment this article
Facebook ShareTwitter ShareGoogle+ ShareTwitter Share

Use of ABAC to Streamline SAP SoD Exception Process

For ensuring streamlined business operations, business processes need to be secure, compliant, and reliable. In SAP, a central concept in making this possible is Segregation of Duties (SoD).

SoD Exception Scenarios

A user would also have to be given responsibilities and privileges that pose a conflict of interest. It may be that an employee is part of a small department or that others are stopped from being involved by security clearance.
Whatever the cause, in a business process, this user requires the ability to handle several steps, and an exception is made.

Here's where things can get complicated. Your normal preventive controls are no longer successful if an SoD exception is made. This is a major shortcoming of static, role-based access controls of SAP.

You must now compile access logs, root out false-positives, and, eventually, submit them for analysis and sign-off to the required control holders. Detective controls create space for human error and raise the dwelling time before red flags are caught, in addition to the extra overhead of manual checks and approvals.

Current SAP SoD Control Limitations

Preventive controls are a non-starter, lacking the logical ability to decipher possible violations from real violations. Preventive SAP access controls decide permissions based on two things: 1) the role of a user and 2) the permissions associated with the role. Although this works in the vast majority of situations, implementing SoD requires controls with more granularity.

Actual SoD Violation

SoD's entire aim is to eliminate conflicts of interest in the business processes. Conflicting transactions, however, do not inherently constitute a conflict of interest unless the subject matter is the same. For instance, a user performs the transactions to create and authorize several purchase orders. Looking at the transactions themselves, the potential for infringement is present in this operation. Looking further into the PO info, you can see that the same PO was never created and accepted by the user, so no breach was made.

SAP will show you 1) the user and function, and 2) the transactions performed, but the 3rd component is missing: the values at the field-level in the PO itself. This lack of insight into attributes outside positions and permissions is what, when exceptions have been made, renders preventive controls a non-starter and clutters SoD audit logs with false positives.

SoD Policy Enforcement with Attribute-Based Access Controls

Attribute-Based Access Controls (ABAC) use "attributes" in authorization decisions. These characteristics may be anything from user information such as position, department, nationality, or even the level of safety clearance of a user. In addition, access context can be taken into account, such as IP address, location, time, device, and transaction history. And most notably, in authorization logic, data attributes can now be used for SoD. This means that SAP field-level values can be used to assess if a transaction should be blocked or authorized, and these information can be further used in reporting activities.

The combination of role-based access controls (RBAC) from SAP with attribute-based access controls (ABAC) solution allows for granular control and visibility, offering a broad range of business benefits.

RBAC + ABAC Hybrid Approach: A New Solution

In SoD exception cases, the RBAC + ABAC hybrid solution opens the possibility to implement preventive controls. Through doing so, you will give users the versatility that an exemption offers while also avoiding the occurrence of any real violations.


Together this hybrid solution (RBAC + ABAC) allows for a dynamic SoD model that avoids breaches while also enabling the flexibility of assigning conflicting roles and strengthens role-based policy to counter over-provisioning.

More About the Author

Appsian One of the leading ERP data security,compliance,implementation solutions provider that gives organizations to complete control and visibility over their ERP data.

Total Views: 299Word Count: 583See All articles From Author

Add Comment

Hardware/Software Articles

1. Chrome Extensions Or Cloud Based Linkedin Automation Tools: Which Is The Best Option For Lead Genera
Author: Marya Lizabeth

2. A Complete Guide On Appointment Scheduling
Author: maulik shah

3. How Do Graph Databases Work?
Author: Eldon Broady

4. Are Cloud-based Linkedin Automation Tools Beneficial For Linkedin Lead Generation?
Author: Marya Lizabeth

5. How To Choose The Best Commercial Hvac Contractors In Dale City
Author: drhvacinc

6. 5 Reasons Why B2b Lead Generation Software Can Improve Your Sales
Author: Marya Lizabeth

7. Top 10 Companies Mastering Customer Success
Author: Jyothi Tulasi

8. What Are Some Innovation In Food Delivery Services
Author: Allencalvy

9. How Is Qaops Different From Devops In Software Testing
Author: Michael

10. 4 Ways Marketing Automation Tools Can Reduce Costs For Small Businesses
Author: Marya lizabeth

11. 4 Key Elements Of Education Portal Development Services
Author: Maulik Shah

12. The Advantages & Disadvantages Of Node.js Development Services!
Author: Devstree

13. Id Verification Explained
Author: Eldon Broady

14. Business Verification To Protect Your Business
Author: Eldon Broady

15. Web Application Development Training In Karimnagar
Author: SVAPPS KARIMNAGAR

Login To Account
Login Email:
Password:
Forgot Password?
New User?
Sign Up Newsletter
Email Address: