Ask the Expert

Common SAP security practices

Is there any common practice for setting up a group to handle SAP security? What sorts of separation of responsibilities do auditors usually ask for?

Also, what profiles do Basis administrators usually have? SAP-ALL, or a profile with fewer privileges?

Really depends. Lots of factors weigh into how SAP security is designed, implemented, and administered. Usually, it comes down to size of company, number of users, number of implementations, and corporate culture. But typically, companies will have an SAP security arm that assists configuration/process teams in designing and maintaining roles. This group will be responsible for designing preventative and detective application controls and enforcing security policy. Auditors should carry the responsibility for auditing implemented controls (segregation of duties, use request privileges). HelpDesk should perform security administration, following business approvals.

With SAP_ALL access, simply put: "less is more." It is better to have fewer folks with this access than more. I feel that SAP Security and SAP BASIS should not have SAP_ALL (for their own good) in production. However, I have never won that argument.

This was first published in January 2002
