
How To Streamline The SAP Exemption Process Using Attribute-Based Access Controls?

By Author: appsian

What happens when an SAP SOD exception is needed?
Often, a user has to hold roles and permissions that present a conflict of interest. Whatever the reason, this user needs the ability to handle multiple steps of a business process, as an exception.
This gets tricky. Once an exception is granted, the normal preventive controls no longer function, which is one of the most significant weaknesses of SAP's static, role-based access controls.

Moving From Preventive to Detective Approach

You now have to collect access logs, filter out false positives, and finally send them to the appropriate owner for review and sign-off. Besides the additional overhead of manual checks and approvals, detective controls leave room for human error and lengthen the dwell time before red flags are spotted.

Why Is SAP SOD Control Limited?

Without the ability to distinguish possible violations from real violations, proactive tests are a non-starter. The (preventive) SAP access controls assess authorizations based on two things: user role and task-dependent permissions (think transactions). Although this works in the vast majority of situations, implementing SAP SOD requires more granular controls.

Let’s consider what an actual SAP SOD violation entails.
SAP SOD's main aim is to eliminate conflicts of interest in business processes. For example, a user creates and approves multiple purchase orders (POs). Looking only at transactions, this can appear to be a breach. Looking deeper into the PO details, the user may never have created and approved the same PO, so there was no violation.

SAP can show you user roles and transactions, but the third component is missing: field-level values in the PO itself. This lack of visibility into attributes beyond roles and permissions makes preventive controls a non-starter and clutters SAP SOD audit logs with false positives when exceptions are granted.

The solution to this problem? Enforcing SAP SOD attribute-based access controls.

Attribute-based access controls (ABAC) use ‘attributes’ in authorization decisions. These attributes can come from user information like role, department, nationality, or even the security clearance level of a user. Access details such as IP address, location, time, device, and transaction can also be considered. For SAP SOD, data attributes can now be included in the authorization logic. This means that SAP field-level values can be used to determine whether to block or allow a transaction, and these details can be used in reporting activities.

In the example above, data attributes can be used to determine when a user conducted the first transaction and make the inference that the second transaction will result in a violation.
Combining role-based access controls (RBAC) from SAP with attribute-based access control (ABAC) solutions enables granular control and visibility that provides wide-ranging business benefits.
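
The distinction drawn above between a potential and an actual SOD violation, as an added example (not from the original article and not Appsian's product logic): a role-level check flags any user who both created and approved purchase orders, while an attribute-level check denies an action only when the same user already performed the conflicting action on that same PO. The action names, event fields and PO numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical action names for illustration; these are not SAP transaction codes.
CREATE, APPROVE = "PO_CREATE", "PO_APPROVE"
CONFLICTS = {CREATE: APPROVE, APPROVE: CREATE}

@dataclass(frozen=True)
class Event:
    user: str
    action: str
    po_number: str  # field-level (data) attribute taken from the document itself

def role_only_flags(events):
    """Role/transaction view: flag every user who performed both actions on any POs."""
    seen = {}
    for e in events:
        seen.setdefault(e.user, set()).add(e.action)
    return {user for user, actions in seen.items() if {CREATE, APPROVE} <= actions}

def abac_decide(history, request):
    """Preventive runtime check: deny only if this user already performed the
    conflicting action on the same PO."""
    conflicting = CONFLICTS.get(request.action)
    for e in history:
        if (e.user, e.po_number, e.action) == (request.user, request.po_number, conflicting):
            return "DENY"
    return "ALLOW"

def replay(events):
    """Feed events through the check in order; return (allowed, denied)."""
    allowed, denied = [], []
    for e in events:
        (allowed if abac_decide(allowed, e) == "ALLOW" else denied).append(e)
    return allowed, denied

# Constructed sample activity: alice holds both conflicting roles as an exception.
SAMPLE = [
    Event("alice", CREATE, "4500000001"),
    Event("bob", CREATE, "4500000002"),
    Event("alice", APPROVE, "4500000002"),  # different PO: potential conflict only
    Event("alice", APPROVE, "4500000001"),  # PO she created herself: actual violation
    Event("carol", APPROVE, "4500000001"),
]

if __name__ == "__main__":
    print("flagged by role/transaction view:", role_only_flags(SAMPLE))
    for e in replay(SAMPLE)[1]:
        print("blocked at runtime:", e)
```

The role-level view flags alice for all of her activity, whereas the attribute-level check lets her approve bob's PO and blocks only the approval of the PO she created.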

Flexibility in SAP SOD Exception Situations – RBAC + ABAC Hybrid
The RBAC+ABAC hybrid solution opens up the possibility of implementing preventive controls in SAP SOD exception scenarios. By doing so, you can offer users excellent flexibility while still preventing any actual violations.

This hybrid approach (RBAC+ABAC) allows for a dynamic SAP SOD model that avoids violations while allowing the flexibility of assigning contradictory roles (if necessary) and strengthens role-based policy to prevent over-provisioning.

RBAC+ABAC Hybrid Solutions From Appsian
Appsian equips SAP GRC Access Control with an additional authorization layer that correlates user, data, and transaction attributes with identified SAP SOD conflicts to block conflicting transactions at runtime.

Let’s get in touch to help you learn more about how a hybrid access control approach can strengthen your organization.

More About the Author

Appsian is one of the leading providers of ERP data security, compliance, and implementation solutions, giving organizations complete control and visibility over their ERP data.
