Common SAP security practices

Is there any common practice for setting up a group to handle SAP security? What sorts of separation of responsibilities do auditors usually ask for? Also, what profiles do Basis administrators usually have? SAP_ALL, or a profile with fewer privileges?


Really depends. Lots of factors weigh into how SAP security is designed, implemented, and administered. Usually, it comes down to: size of company, number of users, number of implementations, and corporate culture. But typically, companies will have an SAP security arm that assists configuration/process teams in designing and maintaining roles. This group will be responsible for designing preventative and detective application controls and enforcing security policy. Auditors should carry the responsibility for auditing implemented controls (segregation of duties, use request privileges). HelpDesk should perform security administration, following business approvals.

With SAP_ALL access... Simply put: "less is more." It is better to have fewer folks with this access than more. I feel that SAP Security and SAP BASIS should not have SAP_ALL (for their own good) in production. However, I have never won that argument.

