Thought Leadership

Building More Effective Access Control Through Business-Centric GRC

If your SAP roles and rule sets are sound, your access control solution is set up for success

This article is based on a Tech Insights brief by Craig Powers, Research Analyst at SAPinsider. The brief takes a deeper look at what is needed to set an organisation up for success when it comes to access control.

Read a summary of Craig’s findings below or download the full SAPInsider Tech Insights Brief.

SAPInsider’s Tech Insights Brief highlights:
  • Business-centric access control engages business users in the access risk management process to help align access better with business needs.
  • SAP role clean-up and GRC rule set customisation are vital foundational elements to a successful access control solution.
  • Companies can significantly reduce access risk and access over-allocation through greater business involvement in access control.

Companies utilise access control solutions to identify risk within their user base. These solutions and processes are often technical and driven from audit and IT perspectives, with very little input from business users who might find the technical GRC language hard to decipher. That’s where the idea of business-centric GRC comes into play for access control: providing the business with easier-to-understand, less technical language so that they can better interpret the data.

Understanding risk = greater ownership

If business users understand the access risks presented to them, they are more likely to ultimately take ownership of it. And when the business users take ownership of access risk, they can be held accountable.

However, creating business-centric access control is difficult to do internally. More often than not it requires a solution that speaks to business users, such as Soterion’s Access Risk Manager, which features user-friendly interfaces and business process flows for easy risk remediation and effective access control management.

Building a solid access control foundation

While it may take the right business-centric GRC solution to get business users invested in access control, it’s a mistake to view the software as a silver bullet.

First, the SAP role design must be corrected within SAP to get value from any technology investment. Once the organisation has implemented a good SAP role design, it must then ensure its GRC rule set is customised to align with its unique access and risk requirements.

If your SAP roles and rule sets are sound, your access control solution is set up for success. The question then becomes: How do you measure success in access control? One way to do this is by gauging how well business users carry out access risk management activities.

The problem is that often business users need to perform certain GRC functions, but they understand very little about GRC itself. They complete the tasks to tick an audit box rather than to address a specific need within the organisation. This is why having business user engagement is so important.


Top 4 access control requirements and strategies

There are a few reasons organisations use an access control solution.

  1. Firstly, they need to ensure that their SAP systems are secure, often driven by internal and external audits. These audits seek to verify that people are assigned appropriate access and to determine the fraud risk associated with improper access.
  2. Companies are also concerned about improving efficiencies of their SAP user provisioning processes and making it easier to manage authorisations. The goal is to get business users to perform compliance tasks and access risk management activities much more efficiently.
  3. Complying with regulations is also a top priority for implementing access control processes and solutions, especially when it comes to data privacy. There is a significant amount of sensitive personal data in SAP. Understanding where that data resides and who has access to it is important, especially when complying with data privacy regulations.
  4. Finally, companies see the need to move access risk responsibility away from IT departments to business users. This shift means moving beyond using GRC solutions solely as back-end tools and becoming more business-centric in managing access risk.

To accomplish these objectives, companies should look to streamline provisioning processes and utilise automation to improve efficiencies. One example is to make use of Business Roles.

A Business Role is a collection of SAP access from a number of SAP systems. When a Business Role is assigned to an SAP user, all the required access from the various SAP systems (including DEV and QAS) for that user is assigned. This reduces the effort and time taken to assign appropriate access.

Benefits of business-centric access control

There is such a tendency to over-allocate access in SAP. This is either due to SAP users inheriting roles as they move internally, or a user being assigned an SAP role that has 50 transaction codes where the user only needs to use one transaction code (SAP authorisation creep).

A business-centric GRC solution will ensure compliance tasks such as a User Access Review are more effective, and can result in much of the over-allocated access being removed, leaving an SAP authorisation solution that is well-aligned to what the users are actually doing in the SAP system. This remediation effort also reduces the effort required for any future user access reviews: with a well-aligned solution, the business users have far fewer user–role relationships to review, which can be a significant cost saving to the organisation.

Soterion has seen organisations reduce access risk by as much as 80%, significantly minimising the potential for fraud. One way business-centric access control reduces risk is that business users make informed decisions as to whether their users need specific SAP access or whether it poses too significant a risk to the organisation. This informed decision-making process results in only appropriate access being assigned to users, which reduces the potential for fraud in the organisation.

What does this mean for you?

Here are three key takeaways to consider when planning your business-centric GRC and access control strategy:

  1. Properly defining your SAP roles and GRC rule sets is essential.
    If your SAP roles and GRC rule sets aren’t adequately set up and customised to your organisation, it becomes difficult to assign appropriate access. If that’s the case, it doesn’t matter how great your GRC solution is because it won’t correctly assess risk without accurate role and rule set data.
  2. Make access control accessible to business users.
    While many companies rely on IT to carry out access control through GRC software, the business users must carry out proper access risk management processes. Provide business users with user-friendly interfaces and easy-to-understand (read: non-technical) language around necessary risk management. They will be more engaged and more likely to limit access risk effectively.

  3. Go beyond audits when measuring GRC effectiveness.
    It’s tempting to rely on audits to do the heavy lifting when it comes to measuring the effectiveness of your GRC and access control programs and technologies. However, that’s more of a measurement of the result, not the process. Companies can get ahead of audits by looking at how well business users are performing their access risk management duties along the way.


How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.


Thought Leadership

The Cost of an Incorrect GRC Solution to your Organisation

By Dudley Cartwright,
CEO of Soterion

Are you making this $144,000 mistake with your access control solution?

When it comes to SAP access control solutions, sticking with what you have might seem like a smart decision. The cost and time associated with researching, selecting and getting business approval for a new solution can seem like more effort than it’s worth.

But if your access control solution isn’t a good fit for your company, it could be costing you more than you realise – both financially and otherwise.

It’s not that you chose the wrong solution

There are many different access control solutions in the market that can assist companies with their SAP Security and compliance activities. Each of these tools has its strengths and weaknesses, making finding exactly the right solution challenging.

As a result, many organisations implement an inappropriate access control solution – often because their System Integrator (SI) convinced them it was the right solution. But in fact, the SI was chasing the large implementation revenue often associated with the larger and more complex GRC solutions such as SAP GRC.

A side note here: SAP GRC is a great product for those organisations that have the necessary internal expertise and GRC maturity. However, those organisations that do not have the necessary internal expertise and/or maturity to derive any value from the solution, generally experience a high degree of under-utilisation and/or business resistance.

When organisations complain to their SI that they are not getting value from their GRC investment, the SI will often propose offering more consulting or selling more solutions or modules that will ‘fix’ what is broken.

The challenge though is that if the access control solution is not a right fit for your organisation, possibly due to its complexity, nothing is going to change this. No amount of additional consulting, training or add-on solutions will reduce the complexity of the solution.

Sticking with what you know makes sense

There are many reasons why organisations stick with their current solutions, even if it’s not working for them.

  • The cost of switching seems high
  • The effort associated with switching seems high
  • They believe that all access control solutions have similar functionality and that switching will not bring about any significant change in value
  • They are under pressure from certain departments to stick with the current solution

The last reason is perhaps the most challenging to overcome. Some organisations find it difficult to put together the business case to switch from one solution to another. This is often due to the finance or procurement teams digging in their heels purely from a financial perspective, saying ‘we have already spent X dollars on solution Y – make it work’.

The $144,000 mistake

The costs and associated effort of finding and switching to a new access control solution may seem high, but the cost of not switching can be even higher. Especially when you’re using an inappropriate access control solution.

Let’s look at one simple example – user access reviews.

Organisations across the globe are constantly being put under more pressure by auditors and regulators to perform compliance tasks such as User Access Reviews. US companies have been doing this since the advent of Sarbanes-Oxley. UK companies will see added pressure to introduce such activities as soon as UK SOX kicks in (if they are not doing these types of activities already).

A user access review requires reviewers (often line managers) to review all their users’ SAP access on a bi-annual or annual basis to determine if that access is still relevant to each SAP user’s job function for the next period. It can take the reviewers many hours to perform the review if they are using an inappropriate access control solution.

On top of this challenge, the reviewer may have many users reporting to them, and the SAP role design and naming convention could make it difficult to determine what access is contained in each SAP role.

If the organisation is using an inappropriate access control solution for their User Access Review process, these tasks become very challenging for the reviewers, wasting many hours on an activity that if not done well adds very little value to the organisation.

This all adds up. If you aggregate the wasted man-hours for each reviewer, multiply that by each review set per year, and multiply that by the number of years, it doesn’t take long for this cost to overtake the cost of switching access control solutions.

And, this doesn’t factor in the cost of being more exposed to fraud due to an ineffective GRC capability, as well as the opportunity cost of those reviewers not performing their normal job function during the review period.

Ineffective solutions cost you more than just dollars

The formula above is just one cost associated with not switching solutions. Because it’s a quantifiable cost, it does make you sit up and take notice. But there are other, more intangible, costs associated with not switching your access control solutions.

Increased risk

Access control and GRC solutions are business tools to manage and mitigate risk. Sticking with an inappropriate or complex access control solution often leads to resistance or pushback from the business users, and IT end up performing access risk management activities on behalf of the business.

Access risk is business risk, not IT risk

It is the business users who are best positioned to determine if a specific user should have certain access and whether that risk is acceptable to the organisation. IT do not have the expertise or business knowledge to make such a decision.

Even when business users are given control of access risk management, if they’re using an inappropriate or overly-complex access control solution, you often find that these activities are being done with minimal intent or understanding. Business users carry out these activities to tick an audit box with very little consideration of the actual risk to the organisation.

Both of the above scenarios are terrible for the organisation. The C-Suite will incorrectly believe they have a sound access risk management program in place, but in reality, it is very ineffective.

Wasted hours on manual tasks to compensate for an inappropriate access control solution

Where a company is burdened with an access control solution that is not a good fit, we often see them extract reports from their GRC solution and then manipulate those reports externally to be ‘fit-for-business’, wasting hundreds of support hours.

This wastage is never attributed to the access control solution itself.

Using solutions that provide companies with ‘out-the-box’ valuable reports and recommendations will not only reduce the number of support hours but will also increase the speed at which SAP users are assigned their SAP access (SAP access change requests and the Joiner-Mover-Leaver (J-M-L) process). This ensures that users are assigned their access more timeously and are thus more productive, i.e. it reduces business downtime.

Time to switch?

When evaluating your current access control solution, look at the business value it is adding to the organisation.

When evaluating a replacement, determine whether the solution will help you achieve your objectives instead of focussing on the software cost that you paid for your existing solution. The cost of change will be minute compared to the savings a company will make through effective access control and risk management.

Soterion is a leading provider of business-centric GRC solutions for companies running SAP. Improve your organisation’s risk awareness and ability to manage access risk by empowering the business users with business-centric GRC.

Thought Leadership

Can Pablo Escobar teach us something about Risk Management?

Written by Dudley Cartwright
CEO of Soterion

Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion dollar a year industry that had many moving parts – all without the help of the kind of sophisticated technology many of us have access to today. That’s no small feat.

While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.

The three lines of defence for SAP security

Escobar’s greatest fear was to be caught and extradited to the US. So how is it possible that he was the most wanted person in the world for a 10–15 year period, everyone knew the city where he resided, yet some of the most powerful government agencies could not catch him?

The answer is Escobar was brilliant at managing risk. He not only had a very clear idea what his risks were, but he implemented a strategy better than any organisation today to mitigate those risks.

Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:

  • First line: Operational / Business users
  • Second line: Risk / Compliance departments
  • Third line: Audit / Assurance departments

Your first line of defence should be your strongest

Escobar implemented an exceptionally effective first line of defence.

In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so there were all walks of life that fed him information when there was any risk. From street kids to grandmothers vending food at street corners, the moment something looked suspicious, Escobar was informed.

If a Westerner arrived at Medellin Airport, they were assumed to be a DEA agent and were followed and monitored. When the Colombian army made its move on Escobar, a street vendor noticed many army trucks leaving the barracks, thought that could only be for one reason, and alerted Escobar.

It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.

For organisations, this is also true: Your first line of defence should always be your strongest.

An organisation’s first line of defence is usually the employees (super / key users) who have been in the organisation for 15–20 years. They understand their area of the business and its business processes better than anyone else.

Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area, it’s because the organisation has not implemented the correct processes and solutions to empower those users to participate in the risk management activities.

Empower your first line of defence with business-centric solutions

If you have employees who have been with your organisation either for many years and/or have an in-depth knowledge of their area of the business as well as a clear understanding of the risks – you are in a good position.

But just having these people available is not enough.

You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.

All too often organisations end up implementing complex solutions that are too technical for the business users, which results in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.

When this happens, you lose your first line of defence.

Be more like Escobar (minus the drugs and deaths)

Escobar implemented a system and process where people on the ground could effectively act as the first line of defence. These first liners were educated on what was deemed a risk for Escobar. When a risk was identified, there was a clear process the first liners could use to feed this information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm if they noticed anything that posed a risk.

While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.

By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.

To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.

Thought Leadership

The Hidden Benefits of Customising Your Organisation’s SAP Access Risk Rule Set

At Soterion, a study was recently conducted to find out how many organisations have customised their SAP access risk rule set.

We were surprised to find out that more than half of the companies we surveyed haven’t customised their rule sets and are using the vendor’s out-the-box standard rule set. Interestingly, SAP access risk rule set customisation is a common recommendation by many of the Big 4 audit firms.

SAP access risk rule sets typically contain risks for the following categories:

  • Segregation of Duties (SOD)
  • Critical Transactions
  • Data Privacy

There are a number of benefits to customising these rule sets – and yes, some of these are obvious. But for many organisations, the advantages of customising your SAP access risk rule set aren’t immediately apparent.

Here are some reasons to customise your SAP access risk rule sets that you might already know about (and some you might not have considered).

Benefit 1: Reduce the cost and effort of managing irrelevant risks

The out-the-box rule set has been defined for all industries and chances are these are not all going to be applicable to your unique business. Every access risk in the rule set requires some level of effort (which has a cost implication) to manage. By removing risks that are not applicable to your business, you will reduce the effort and cost to manage those risks.

Benefit 2: Get better coverage of all your processes

The out-the-box rule sets generally cover the main business processes such as Procure to Pay, Order to Cash, Finance, Materials Management, and Hire to Retire. But some of the not-so-common business processes such as IS Health, Media, Insurance, and Global Trade Services are not included in many of the out-the-box rule sets. By adding these risks to the rule set, your organisation has better coverage of all your processes.

The more common rule set update is adding custom functionality. As out-the-box rule sets do not contain any custom (Z) transaction codes, it is important to add these to the rule set. For example, if the organisation has created a custom version of VA01 (e.g. ZVA01) that performs a similar function to VA01 and allows users to create sales orders, it should be added to the rule set alongside VA01, otherwise a user holding ZVA01 will never be reported against any risk that names VA01.

Benefit 3: Get more business buy-in for GRC activities

As detailed above, when using an out-the-box rule set, many of the risks are not relevant to your organisation. What often happens is business users lose confidence in GRC activities because they don’t agree with the risk that they are being asked to monitor.

For those organisations who struggle to get the necessary business buy-in and participation from their business users in GRC activities, a rule set customisation exercise has significant benefits to addressing this challenge in a number of ways:

Monitoring relevant and applicable risks: Monitoring risks that the business believes in will enhance their participation and buy-in. This will raise the organisation’s risk awareness.

Building understanding of business impact: A big challenge for many organisations is that business users do not understand the SOD access risks, resulting in actions being taken without understanding the consequences or impact on the business. Rule set projects are usually workshop based where business users and functional consultants discuss each risk. This is a useful educational exercise where each SOD risk is explained in detail and how fraud can potentially be committed with the conflicting combination of access. Once business users understand the SOD risk, they will have a better understanding of the impact of this on the organisation, and thus be able to make a more informed decision as to whether users should have that access or not.

Defining a Standard Operating Procedure (SOP): As it is unlikely that the organisation can operate without any risk violations, there will be a number of end users who will have access risks. When a user requests additional access that is in conflict with access they already have, it’s unclear whether it can be approved. As a result, these types of requests often sit in the reviewer’s inbox for a number of days.

It’s important to define a policy per risk level, i.e. what the rule is when a simulation of the request returns a risk of each level. Defining these rules (the SOP) is part of the rule set customisation.

An example here is:

  • If risk = Critical – access cannot be assigned
  • If risk = High – access can be assigned but with Mitigating Control
  • If risk = Medium – access can be assigned without Mitigating Control

By defining these types of guidelines, your business users are able to make quicker decisions on whether the additional access requested can be approved. This reduces the time that SAP access change requests sit in a manager’s inbox waiting to be approved, which ultimately reduces the business downtime (end-user waiting for requested access).
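As an added example (not Soterion’s, SAP GRC’s or any vendor’s code) covering both the custom ZVA01 mapping from Benefit 2 and the SOP above, the following Python simulates an SAP access change request against a small constructed SoD rule set and applies the risk-level rules to the highest new risk. The function names, risk ids, risk levels and the users’ access are constructed; VA01, XD02, FD02, F-28 and VKM1 are standard SAP transaction codes, and ZVA01 is the hypothetical custom copy of VA01.

```python
"""Simulate an SAP access change request against a customised SoD rule set
and apply the SOP (Critical: reject, High: mitigating control, Medium: approve).

Added example, not Soterion's or SAP GRC's code. Rule-set content is constructed.
"""
from dataclasses import dataclass

# A rule-set "function" is a business activity and the transaction codes that
# perform it. The out-the-box set knows only standard tcodes; the customised
# set adds ZVA01, the organisation's hypothetical custom copy of VA01.
OUT_OF_BOX_FUNCTIONS = {
    "CREATE_SALES_ORDER": {"VA01"},
    "MAINTAIN_CUSTOMER_MASTER": {"XD02", "FD02"},
    "POST_CUSTOMER_PAYMENT": {"F-28"},
    "RELEASE_CREDIT_BLOCK": {"VKM1"},
}
CUSTOMISED_FUNCTIONS = {**OUT_OF_BOX_FUNCTIONS,
                        "CREATE_SALES_ORDER": {"VA01", "ZVA01"}}


@dataclass(frozen=True)
class Risk:
    """One SoD risk: two functions that a single user should not combine."""
    risk_id: str
    level: str          # Critical / High / Medium, as set in the rule-set workshop
    func_a: str
    func_b: str
    description: str


# Constructed rule set; the levels are an organisation's own decision.
RULE_SET = [
    Risk("F001", "Critical", "MAINTAIN_CUSTOMER_MASTER", "POST_CUSTOMER_PAYMENT",
         "Customer master maintenance combined with incoming payment posting"),
    Risk("S001", "High", "CREATE_SALES_ORDER", "MAINTAIN_CUSTOMER_MASTER",
         "Sales order creation combined with customer master maintenance"),
    Risk("S002", "Medium", "CREATE_SALES_ORDER", "RELEASE_CREDIT_BLOCK",
         "Sales order creation combined with credit block release"),
]
LEVEL_RANK = {"Medium": 1, "High": 2, "Critical": 3}


def functions_for(tcodes, functions):
    """Functions a user can perform given the tcodes they hold."""
    return {f for f, codes in functions.items() if codes & tcodes}


def violations(tcodes, functions):
    """SoD risks violated by one set of tcodes, in rule-set order."""
    funcs = functions_for(tcodes, functions)
    return [r for r in RULE_SET if r.func_a in funcs and r.func_b in funcs]


def simulate_request(existing, requested, functions=CUSTOMISED_FUNCTIONS):
    """Risks the user would gain if the request is approved.

    The simulation runs on existing + requested access (a risk can arise from
    the combination, not from the requested tcodes alone). Risks the user
    already has are not reported here; they belong in the remediation backlog.
    """
    before = {r.risk_id for r in violations(existing, functions)}
    after = violations(existing | requested, functions)
    return [r for r in after if r.risk_id not in before]


def sop_decision(new_risks):
    """Apply the SOP to the highest-level new risk the request would create."""
    if not new_risks:
        return "approve"
    worst = max(new_risks, key=lambda r: LEVEL_RANK[r.level]).level
    return {"Critical": "reject",
            "High": "approve with mitigating control",
            "Medium": "approve"}[worst]


if __name__ == "__main__":
    # Constructed request: a customer-master maintainer asks for the custom ZVA01.
    existing, requested = {"XD02"}, {"ZVA01"}
    for label, funcs in (("out-the-box", OUT_OF_BOX_FUNCTIONS),
                         ("customised", CUSTOMISED_FUNCTIONS)):
        new = simulate_request(existing, requested, funcs)
        print(f"{label:12s} rule set: new risks {[r.risk_id for r in new]} "
              f"-> {sop_decision(new)}")
```

With the out-the-box rule set the ZVA01 request is approved without any risk being reported; the customised rule set flags S001 and routes it to the mitigating-control path.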

Whether you need assistance with customising your out-the-box SAP access risk rule set or advice on where to start, Soterion’s team of SAP experts can assist with your unique requirements and help you implement more effective GRC. Email us at [email protected] to get started.

Thought Leadership

Business-Centric GRC for SAP Customers – how to get the most out of your investment

Investing in Governance, Risk and Compliance (GRC) is one of the most important business investments you can make. Modern businesses need effective yet efficient risk and compliance management solutions to support growth and sustain operations. Unfortunately, the vast majority of SAP customers that have implemented a GRC solution are not seeing the value they should from their investment.

While this can be influenced by a number of factors, it often comes down to one key reason: lack of business uptake. At Soterion, we have specifically developed a solution that simplifies GRC for SAP customers. However, the principles discussed in this article are just as relevant to users of other ERP solutions as they are to those using SAP.

GRC for SAP customers: The link between uptake and ROI

Typically, an organisation’s GRC effectiveness is measured by how well business users perform their access risk management activities.

However, by their nature, GRC solutions are very complex and technical. They have been developed to analyse transaction codes, authorisation objects, and fields available in an SAP user’s ‘user-buffer’. Many of these solutions were developed from a technical audit perspective with very little consideration for their use by business users.

It’s a well-known rule of business that when it comes to technology, the more complex the solution, the less uptake you can expect from users.

Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to resistance. Users will typically keep pushing these activities back onto IT, which means that your GRC solution will become a back-end solution used by the SAP security and GRC teams, with minimal involvement from the rest of the business.

Putting business users at the heart of GRC

Business-centric GRC puts the business user at the centre of the process. It is all about enhancing business accountability of access risk through a business-first approach to all SAP security and GRC activities.

By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in its risk management activities. One of the best ways to illustrate this is with the audit principle covering the three lines of defence.

The first line of defence is your business or operational users, the second line of defence is your risk and compliance departments, and the third line of defence is the audit and assurance departments.

Your first line of defence should always be your strongest. These are people who have been in your organisation for 15–20 years and understand your business better than anyone else.

Unfortunately, in most organisations, this is typically the weakest line of defence. That is not because those employees don’t know the risks in their area, it is because the organisation has not implemented the correct processes and systems to empower those users to participate in risk management activities.

Practical solutions and processes are key to performance

To facilitate business buy-in, it’s crucial that organisations running SAP use a GRC solution that is business-centric.

Business-centric GRC solutions convert technical language into business-friendly terms, allowing business users to not only understand the risks in their area of responsibility but also facilitate quicker decision making. And faster, more informed decision making reduces the business downtime of an SAP user waiting for long periods for SAP access requests.

It’s also important that your access risk management processes are practical enough that business users can execute appropriate controls.

Take, for example, the User Access Review process. This is where business users review their users’ SAP access to determine whether this access is still relevant to their job function. The review typically takes the reviewers many hours to perform. Additional challenges can also arise along the way, such as non-descriptive SAP role names making it difficult for the reviewers to know exactly what access or functionality the role entitles its users to.

The process can be so time-consuming that in many cases, organisations discover the effort does not justify the value of the exercise.

Soterion is a leader in business-centric GRC for SAP customers. Each and every feature has been developed from the perspective of the business user. Our GRC solution enables the User Access Review to be performed by business process, thus eliminating any deficiencies in the SAP role naming convention. Business users can perform a more effective review that has a better business outcome. Using a business-centric GRC solution like this means a review typically takes less time, resulting in a significant cost saving for the organisation.

Get your users on board with business-centric GRC solutions

An organisation cannot manage its access risk effectively without business involvement. However, getting business users on board and accountable for managing risk without the right tools and processes in place is an uphill battle.

Enhancing business accountability of access risk, with the use of a business-centric GRC solution, will improve the organisation’s overall risk awareness as well as their ability to manage their risk.

Soterion is a leader in business-centric GRC for SAP customers. If you don’t feel like you’re getting the most out of your GRC investment, get in touch to discuss how we can help.

Three Benefits of Regular SAP Access Risk Assessments

For organisations that do not have an access control / GRC solution, there are considerable benefits in performing regular SAP access risk assessments.

Soterion Dashboard

The appropriateness of an SAP authorisation solution degrades over time, primarily through SAP authorisation creep: users accumulate access as they move between job positions internally, because new access is added faster than old access is removed. It also happens when a user needs a single transaction code but is assigned a role containing many.

Technical mistakes in the role-build process can also give users wider access than required. A very basic example is a role in which S_TCODE is maintained with the wildcard value S_ALR*: this grants every transaction code beginning with S_ALR, and not all S_ALR* transactions are display transactions.

Another common mistake is a display role that contains update transaction codes, with the ACTVT values maintained to display only (03, 08 etc.). Such a role works well in isolation. But SAP evaluates a user's authorisations as the union of all assigned roles: as soon as the user also holds an update role, the S_TCODE value from the display role combines with the update ACTVT values from the other role, and the user can perform updates that neither role was intended to grant.
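The two mistakes above can be reproduced in a few lines. The following Python simulation is an added example, not Soterion or SAP code: it models SAP's authorisation check as a union over all of a user's roles, with hypothetical role names, a simplified ME21N check (S_TCODE plus M_BEST_BSA only; the real transaction checks further M_BEST_* objects) and a constructed transaction catalogue in which S_ALR_87019999 is a made-up transaction code.

```python
"""Simulation of how SAP combines a user's authorisations across roles.

Added example; not Soterion or SAP code. Role names, and the transaction
S_ALR_87019999 in the catalogue, are hypothetical. The ME21N check is
simplified to S_TCODE plus M_BEST_BSA (the real transaction checks several
M_BEST_* objects), which is enough to show the two mistakes described above.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Authorization:
    obj: str                              # authorisation object, e.g. M_BEST_BSA
    fields: Dict[str, Tuple[str, ...]]    # field -> permitted values


@dataclass(frozen=True)
class Role:
    name: str
    auths: Tuple[Authorization, ...]


def value_matches(pattern: str, value: str) -> bool:
    """SAP-style field value match: '*' matches anything, a trailing '*' is
    a prefix match, anything else must be equal (ranges are not modelled)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(roles: List[Role], obj: str, **checked: str) -> bool:
    """Mirrors AUTHORITY-CHECK: succeeds if one authorisation for `obj`, from
    any role the user holds, covers every checked field. Which role supplied
    it is irrelevant, so values from different roles combine."""
    for role in roles:
        for auth in role.auths:
            if auth.obj != obj:
                continue
            if all(any(value_matches(p, v) for p in auth.fields.get(f, ()))
                   for f, v in checked.items()):
                return True
    return False


def can_start(roles: List[Role], tcode: str) -> bool:
    return authority_check(roles, "S_TCODE", TCD=tcode)


def can_create_po(roles: List[Role], doc_type: str = "NB") -> bool:
    """Simplified ME21N: start the transaction, then ACTVT 01 on M_BEST_BSA."""
    return can_start(roles, "ME21N") and authority_check(
        roles, "M_BEST_BSA", ACTVT="01", BSART=doc_type)


def startable(roles: List[Role], catalogue: Tuple[str, ...]) -> List[str]:
    """Transactions from the catalogue that S_TCODE lets the user start."""
    return [t for t in catalogue if can_start(roles, t)]


# Constructed roles. Z_PO_DISPLAY was built as a display role but ME21N and
# ME22N were left in S_TCODE; its ACTVT values are display only.
PO_DISPLAY = Role("Z_PO_DISPLAY", (
    Authorization("S_TCODE", {"TCD": ("ME21N", "ME22N", "ME23N")}),
    Authorization("M_BEST_BSA", {"ACTVT": ("03", "08"), "BSART": ("*",)}),
))
# Z_PO_CHANGE grants only ME22N, but ACTVT was over-maintained with 01.
PO_CHANGE = Role("Z_PO_CHANGE", (
    Authorization("S_TCODE", {"TCD": ("ME22N",)}),
    Authorization("M_BEST_BSA", {"ACTVT": ("01", "02", "03"), "BSART": ("*",)}),
))
# Z_FI_REPORTS uses the wildcard the article warns about.
FI_REPORTS = Role("Z_FI_REPORTS", (
    Authorization("S_TCODE", {"TCD": ("S_ALR*",)}),
))

# Constructed transaction catalogue (S_ALR_87019999 is hypothetical).
CATALOGUE = ("S_ALR_87012357", "S_ALR_87019999", "SU01", "ME21N")

if __name__ == "__main__":
    print("display role alone creates POs:", can_create_po([PO_DISPLAY]))
    print("display + change roles create POs:",
          can_create_po([PO_DISPLAY, PO_CHANGE]))
    print("S_ALR* lets the user start:", startable([FI_REPORTS], CATALOGUE))
```

Run alone, Z_PO_DISPLAY cannot create purchase orders because no authorisation carries ACTVT 01. Add Z_PO_CHANGE, which lists only ME22N in S_TCODE but was maintained with the full ACTVT set, and the user creates purchase orders through ME21N even though neither role was meant to allow it. The wildcard role starts every S_ALR* transaction in the catalogue, whatever that transaction does.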

It is neither fair nor practical to expect the SAP security team to catch these issues by inspection. The complexity of SAP authorisations makes such mistakes relatively common, and the sheer volume of data makes them very difficult to find: a needle in a haystack.

For many organisations, the external audit is the only time in the year when an access risk assessment is performed on their SAP system. These organisations have little visibility of their SAP access risk exposure for the rest of the year, leaving them unnecessarily exposed.

Soterion SAP Access Change Request Simulation

A number of vendors now offer cloud-based assessments, which makes performing one straightforward. The only effort required of the company is the data extraction, which typically takes less than an hour; the vendor performs the assessment and returns the access risk results.

Performing access risk assessments more regularly is a more reliable way to ensure that the SAP authorisation solution has not granted inappropriate access to users during the course of the year.

Below are three benefits of performing regular SAP access risk assessments:

  1. Reduce SAP access risk: An SAP access risk assessment identifies the roles that grant users inappropriate access. Often only a handful of incorrectly maintained roles are responsible for the majority of the access risks, and in many cases they can be fixed with minimal effort. They are the ‘low hanging fruit’: a small effort that significantly reduces the total access risk count.
  2. Better prepared for audits: An access risk assessment before the external audit gives you the opportunity to identify ‘quick wins’ and address them before the auditors arrive. No organisation wants an unfavourable audit report, so reducing findings beforehand is attractive. There can also be a cost saving: if the authorisation solution grants users such wide access that the audit firm decides substantive audit procedures are required, there is additional audit cost to carry them out, and additional effort from key employees to prepare for them.
  3. Enhanced business accountability of access risk: Although access risk is business risk, business users are unlikely to take accountability without visibility; you cannot be accountable for something you are not aware of. Without regular assessments, business users do not know who has access to which SAP functions. Regular assessments give the business the visibility it needs to understand the access risks in the SAP system, which in turn allows IT to shift responsibility to the business. Visibility enhances accountability.

Consider how your data will be handled by the vendor performing the assessment: check that the vendor holds ISO 27001 certification and a SOC 2 (or equivalent) attestation report, and that it can demonstrate that client data is handled in line with your organisation’s internal requirements and any regulatory requirements. The extract contains user master and role assignment data, so also agree how long the vendor retains it and when it is deleted.

Soterion SAP Access Risk Assessment

Soterion can perform an SAP access risk assessment on the organisation’s SAP environment using either the Soterion standard rule set or a rule set the customer imports or customises. The assessment includes:

  • SAP Access Risk Assessment: An access risk assessment is performed at user, composite role and single role level. Access risk reports are based on the access that has been assigned (potential access) and show it alongside actual transaction usage. Soterion’s Get Clean module supports risk remediation consulting projects.
  • Basis Review: This assessment reports on the SAP basis configuration settings against a set of industry best-practices.

Soterion Access Risk Assessment Process

Viewing the Results of the Soterion Access Risk Assessment

Soterion SOD Risk Detail – Business Friendly Reporting

One of the key advantages of a Soterion access risk assessment is that the results are displayed in the Soterion web application. This allows quicker analysis of the results and more effective remediation. Soterion will highlight the risks with the highest contribution, as well as flag the users and roles who are responsible for the majority of the access risk violations.

Soterion’s business-centric reporting capability will also illustrate each risk with supporting business process flow diagrams, thereby providing more context to the access risk and converting the technical GRC language into a business-friendly language to ensure better decision-making.

If your organisation is interested in having ad hoc assessments, please contact us – [email protected]

SAP User Access Review – Why is it Important to Get This Right?

By Dudley Cartwright,
CEO of Soterion

When looking at all the components (activities) that make up a Governance, Risk and Compliance (GRC) solution, the majority are backend type activities performed by GRC or SAP security administrators.

However, some GRC activities have a large touch point with business users, who are the primary users of that functionality, namely:

  • SAP access risk simulations (approval / rejection done by line managers)
  • User Access Review

Organisations have asked their business users to review SAP access change requests for quite some time. However, even with regulations such as SOX and JSOX in existence for almost 20 years, a User Access Review is a more recent requirement for many organisations.

Why is it becoming so important?

The primary driver behind a User Access Review is usually audit. Regulations such as the Sarbanes-Oxley (SOX) Act and JSOX require listed organisations to perform a User Access Review periodically, usually annually.

Before we go any further, let’s remind ourselves of the purposes of the User Access Review:

During the course of a specific year, SAP access change requests will be simulated using an access control solution. Line Managers / Business users will be required to review these proposed changes, with approved requests being applied in SAP.

The User Access Review checks whether that SAP access is still valid at a later point in time. For example, if a person requests access to create purchase orders (ME21N) and the request is approved, the appropriate role is assigned. If that assignment was made on 1 January 2020, nothing guarantees that the access is still relevant for that user on 1 January 2021.

The User Access Review therefore gives the organisation an opportunity to re-examine the user’s access and confirm whether it is still relevant and applicable (the user may have moved to a different job function, or their role may have changed since the assignment was made). One of the great advantages of a User Access Review is that it limits SAP authorisation creep.

The downside for many organisations is that the User Access Review is done merely to appease audit, and its value is questionable given the effort the business users must put into it.

The mindset of business users needs to shift from treating the review as an audit tick-box exercise to seeing it as a valuable activity for remediating access risk: it should be done as access risk management, not to appease audit.

However, to support this shift in thinking, organisations need to consider several process changes. It is important to understand the challenges facing the business users who perform the SAP User Access Review: if they find the process onerous or confusing, they will push back on it and treat it as a tick-box exercise. The result: the organisation will extract minimal value from the User Access Review.

How do You Facilitate This Shift in Thinking?

Besides garnering senior management support for the User Access Review, it is critical that a number of technical aspects are considered to make the process easier and simpler for the business users. Here are a few considerations:

1. Role Design

Does the organisation’s SAP role design make it difficult for business users to know what access users have, i.e. are SAP roles non-descriptive? Are roles large, containing many transaction codes?

To make the User Access Review process as simple as possible for the business users, ensure that the SAP role design lends itself to making the process easy. Functional role designs typically have more descriptive role names, making it easier for business users to understand what is contained in the SAP roles being reviewed. This will allow the business users to make more informed decisions as to whether the access is appropriate or not for the user.

Making the role design descriptive may in fact require a complete role redesign. As organisations move to S/4HANA, this is a good opportunity to re-examine the security framework and consider a role redesign that is simpler and more business-friendly, reducing the effort required for a User Access Review.

2. Role Methodology

Unfortunately, debating SAP role methodologies is like debating religion and politics: people become familiar with one methodology and do not fully appreciate any other. Most SAP security administrators understand the derived role methodology and have a limited understanding of the task and value (functional / enabler) role methodology.

A task and value role methodology splits transactional access (task roles) from organisational-level access (value roles), so a single task role serves every company code or plant instead of being derived once per organisational level. This results in far fewer roles needing to be created, which also means users are assigned fewer roles. Choosing a role methodology with fewer role assignments reduces the effort required by business users to carry out a User Access Review.

3. Rule Set Customisation and Business Education of Access Risk

Business users performing a User Access Review are likely to pay more attention to those SAP roles assigned to their users that contribute to access risk violations. If the organisation has performed a rule set customisation project, they are likely to have defined a more appropriate and refined rule set.

The access risk rule set project also serves as a great tool for educating business users on the access risks applicable to their area. With a better understanding of each access risk in the rule set, business users can make more informed decisions during the User Access Review as to whether any risk-bearing access for a particular user is acceptable.

4. Use a Tool to Facilitate the User Access Review Process.

Performing a User Access Review in a spreadsheet often proves challenging. The reviewer can see the roles assigned to each user, but spreadsheets rarely include usage and risk information. The result is that roles get removed from users who are actually executing the transaction codes they contain, i.e. they need that access to do their job. This causes business disruption, and most of the removed access is assigned back to these users immediately after the review.

By using a commercial solution for the User Access Review, the business users can make more informed decisions due to having User-Transaction usage and access risk information.

A huge benefit of using a tool to facilitate the User Access Review is that it can be configured to speed up the process. For example, a review can be created that includes only roles that contribute to access risk, reducing the number of role assignments that need to be reviewed. Another example is a review that flags roles approved in a previous review so that the focus is on assignments made since. For reviewers to perform a User Access Review well, the solution must also convert the technical SAP role language into a language business users understand.

5. Split Reviews

If you make use of SAP Composite or Business Roles, consider splitting the review into a User Access Review and a Role Content Review.
–  Role Content Review: A role owner reviews the content of the SAP Composite or Business Role.
–  User Access Review: A line manager reviews the role assignments at the SAP Composite or Business Role level. They do not review the underlying SAP single roles – but simply whether the Composite or Business Role is appropriate for the user.

6. Iterative Reviews

Instead of one large annual User Access Review in which all users’ access is reviewed, see whether it can be split into smaller iterative reviews during the year, for example by:
–  Geography: User Access Review done by region.
–  Risk Level: User Access Review done by risk level.
–  SAP module: Users Access Review done by SAP module.

It is important to keep in mind the challenge of certification fatigue. This is where the reviewers complain about the time and effort required to carry out a User Access Review.
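The scoping rules above (risk-only scope, flagging assignments approved last time, usage beside each role, batches by region) can be expressed directly. The Python below is an added example, not Soterion’s Periodic Review Manager or any SAP report; its tables are constructed stand-ins for role assignments (table AGR_USERS), a transaction usage extract such as ST03N data, the violation list of an access risk assessment, HR data for region and line manager, and the decisions recorded in the previous review, with hypothetical users and roles.

```python
"""Scoping a User Access Review from assignments, usage and risk data.

Added example; not Soterion's Periodic Review Manager or any SAP report.
All tables below are constructed and the user and role names are
hypothetical. They stand in for the sources a tool would read: role
assignments (AGR_USERS), transaction usage (e.g. an ST03N extract), the
violation output of an access risk assessment, HR data for region and line
manager, and the decisions recorded in the previous review.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List

LAST_REVIEW = date(2020, 6, 30)       # date of the previous review (constructed)

ASSIGNMENTS = [                       # (user, role, assigned_on)
    ("JSMITH", "Z_PO_CREATE", date(2020, 1, 1)),
    ("JSMITH", "Z_VENDOR_MAINT", date(2020, 11, 15)),
    ("JSMITH", "Z_FI_DISPLAY", date(2019, 6, 1)),
    ("AKUMAR", "Z_PO_CREATE", date(2020, 3, 3)),
    ("AKUMAR", "Z_FI_DISPLAY", date(2020, 3, 3)),
]
ROLE_TCODES = {                       # role -> transactions it contains
    "Z_PO_CREATE": {"ME21N", "ME22N"},
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_FI_DISPLAY": {"FK03", "FBL1N"},
}
USAGE = {                             # transactions executed in the window
    "JSMITH": {"ME21N", "FK03"},
    "AKUMAR": {"FK03"},
}
RISK_ROLES = {                        # roles contributing to a violation
    "JSMITH": {"Z_PO_CREATE", "Z_VENDOR_MAINT"},
    "AKUMAR": set(),
}
USER_ORG = {                          # user -> (region, reviewing manager)
    "JSMITH": ("EMEA", "MGR_EMEA"),
    "AKUMAR": ("APAC", "MGR_APAC"),
}
PREVIOUSLY_APPROVED = {               # (user, role) kept in the last review
    ("JSMITH", "Z_PO_CREATE"),
    ("AKUMAR", "Z_PO_CREATE"),
    ("AKUMAR", "Z_FI_DISPLAY"),
}


def review_items(last_review: date = LAST_REVIEW, risk_only: bool = False) -> List[Dict]:
    """Build the review list. Each item carries what the reviewer needs to
    decide: which transactions in the role the user actually runs, whether
    the role carries risk, and whether the assignment is new since the last
    review. With risk_only=True, risk-free roles are left out of scope."""
    items = []
    for user, role, assigned_on in ASSIGNMENTS:
        carries_risk = role in RISK_ROLES.get(user, set())
        if risk_only and not carries_risk:
            continue
        items.append({
            "user": user,
            "role": role,
            "region": USER_ORG[user][0],
            "reviewer": USER_ORG[user][1],
            "used_transactions": sorted(ROLE_TCODES[role] & USAGE.get(user, set())),
            "carries_risk": carries_risk,
            "new_since_last_review": (user, role) not in PREVIOUSLY_APPROVED
                                     or assigned_on > last_review,
        })
    return items


def batches_by_region(items: List[Dict]) -> Dict[str, List[Dict]]:
    """Iterative review: one batch per region, so each manager sees a short
    list instead of one large annual review."""
    batches = defaultdict(list)
    for item in items:
        batches[item["region"]].append(item)
    return dict(batches)


def removal_warnings(items: List[Dict]) -> List[tuple]:
    """Assignments a reviewer should not remove lightly: the user executes
    transactions from the role, so removal causes the disruption and
    immediate re-assignment described in the article."""
    return [(i["user"], i["role"]) for i in items if i["used_transactions"]]


if __name__ == "__main__":
    scope = review_items(risk_only=True)
    for region, batch in batches_by_region(scope).items():
        print(region, [(i["user"], i["role"], i["new_since_last_review"]) for i in batch])
    print("used roles:", removal_warnings(review_items()))
```

With risk_only=True the five assignments shrink to the two that carry risk, both JSMITH’s; Z_PO_CREATE was approved last time and is not flagged as new, Z_VENDOR_MAINT is. The removal warnings show why usage matters: JSMITH runs ME21N from Z_PO_CREATE, so removing that role would disrupt the job even though it contributes to a risk.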

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for the business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organisation time and money.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.

Adding Value to SAP Customers Around the Globe

We are passionate about developing SAP access risk management solutions that add real value to an organisation. For the past 10 years we have been successful in reducing SAP access risk in combination with enhancing business accountability of risk through ‘easy-to-use’ business centric Governance, Risk and Compliance (GRC) software.

Co-founded by Johan van Noordwyk and Dudley Cartwright, Soterion’s software solution empowers SAP customers to achieve SAP authorisation compliance with great ease, regardless of their internal GRC capability and expertise.

Reflecting back

“While working in the SAP Security space, it came to our attention that many organisations were having challenges with their SAP access risk and compliance,” recalls Soterion co-founder Dudley Cartwright. “There were a number of tools for dealing with this problem, but many were either too expensive or not user-friendly.” As a result, Soterion was born to provide an effective GRC solution for companies running SAP.

How our GRC software adds value

“It brings us great joy to see our software in action and bringing the intended value to the client,” says Dudley.

Energy company Aker Solutions implemented SAP between 2004 and 2006. The company then implemented SAP GRC, but struggled to derive value from it because of the software’s complexity, which led to under-utilisation.

Petter Natås, Aker Solutions Director, Finance Process Improvement & Systems, Norway, explained: “We had offers from our service provider to get on top of SAP GRC. One of the main concerns was the long implementation period. They estimated one and a half years to get it into place, so the costs were high.”

Aker Solutions switched to Soterion’s GRC software and reduced access risk by 85%, the company explained in a recent case study. Through implementing Soterion for SAP, Aker achieved improved efficiency, better effectiveness, as well as regulatory compliance.

Another client, KOMATSU Australia, which manufactures and sells construction and mining equipment, forest machines and industrial machinery, reported its SAP access risk results in a spreadsheet.

After implementing Soterion for SAP, KOMATSU was able to view its access risk more easily, and in real-time, in a user-friendly web application.

Saint-Gobain Construction Products (South Africa) implemented SAP in 2001 and faced the typical SAP security challenges of over-allocated and inappropriate access, resulting in internal audit findings. After evaluating various SAP access risk (GRC) systems, the company implemented Soterion for SAP.

The result: Saint-Gobain’s audits were successful. Management were provided with a better understanding of the company’s business risks as well as having improved access control, visibility, and improved management buy-in.

Over the years our GRC software has also received positive reviews in analyst reports. A recent report on SAP Governance, Risk and Compliance (GRC) by KuppingerCole Analysts, an independent international analyst firm, noted that we offer a range of deployment options not available from several other vendors.

The report notes that because Soterion is not an ABAP application locked into the SAP ecosystem, it is able to run as an independent application interfacing to the SAP ecosystem.

The report also notes that one of our specific strengths is our well-thought-out user interface and mapping capabilities.

Interested to find out more about Soterion’s Access Risk Manager and our other modules? Email us on [email protected]. Let us help you take your GRC to the next level.

Enhancing Business Accountability of Access Risks

 By Dudley Cartwright, CEO of Soterion.

This article explains what we at Soterion believe is needed for effective Governance, Risk and Compliance (GRC). What do we mean by effective GRC?

Many companies make the mistake of thinking that the GRC or access control tool alone is the silver bullet that will solve all their SAP security challenges. As a result, many organisations have an access control solution that is not adding much value. In essence, these companies have GRC, but it is not effective.

 When measuring your organisation’s GRC effectiveness, it is important to measure this in relation to the organisation’s business objectives. The most common of these are:

  • Having a secure SAP solution
  • Complying with regulations, in particular, the data privacy regulations
  • Improving efficiencies (JML process)
  • Enhancing business accountability of risk

Enhancing business accountability of the organisation’s risk is fast becoming a key business objective. Not only is access risk a business risk, but many organisations are realising that enhancing business accountability of risk is making the organisation more risk-aware and more effective in their risk management activities. This can be illustrated by using the audit principle of the three lines of defence.

The first line of defence are your business or operational users. The second line of defence are your risk and compliance departments, and the third line of defence are the audit and assurance departments.

The first line of defence should be the strongest line of defence. These are people who have been in your organisation for 15 – 20 years. They understand your business better than anyone else. Yes, it is often the organisation’s weakest line of defence – not because users do not know the risks or the processes, but because the environment is not set up for these business users to take ownership and become accountable.

To facilitate business buy-in, organisations need to look further than just the GRC or access control solution. They need to look at all the associated components collectively and understand the inter-relationships. To illustrate this, we will use what we call the ‘Effective GRC Pyramid’.

At the base of the pyramid is the SAP role design. This forms the foundation of all things GRC. If the role design is not good, the entire GRC capability will be diminished. The middle section is the rule set and GRC or access control solution. And at the top are the internal processes.

GRC effectiveness is measured by how well business users carry out their access risk management activities, such as the review and approval of SAP access change requests, user access reviews, rule set reviews and business role reviews.

There are generally two reasons why organisations struggle to get the business to take ownership of access risks. The first is a lack of senior management support for such initiatives. It is very difficult to achieve business buy-in and accountability without significant support from senior management.  The second reason why organisations struggle to achieve access risk ownership is due to the complexity and technical nature of each of the components in the pyramid.

To explain this, let’s work through each layer.

The Role Design:
This is a very technical component made up of transaction codes, authorisation objects, fields and values. Yet it is the business users who need to understand the level of access contained in each role if they are expected to review and approve access, or when performing a user access review.

The Rule Set: Again, this is a technical component consisting of risks, risk functions, transaction codes, authorisation objects and fields. Yet these are business risks and need to be understandable by the business users.

The GRC Software: GRC or access control solutions are generally very technical in nature. Yet the ultimate user is a business user. Therefore, the risk assessment results need to be understandable to the business users.

The Internal Processes: This is partly technical in setting up the configuration and workflow, yet it needs to be practical and effortless for business users.

Business users are not expected to carry out many functions, but the few tasks they do perform must be presented to them in a way that lets them complete the tasks with maximum ease, with the data laid out so that they can easily understand and interpret it and make an informed business decision.

In summary, your entire GRC effectiveness will be measured by how well your business carries out these functions.

If you would like more information or would like to discuss your company’s GRC needs, feel free to email us on [email protected].

SAP Security 101 – The Basics to SAP Security

SAP Security and Authorisations are controlled by many different elements in the SAP system. We list the most common items and explain how they can assist in achieving a more secure SAP environment.

By Emile Steyn

Master the basics

To ensure that your SAP security solution provides the necessary level of control for your organisation, the SAP security administrator will need to have a good understanding of the basics of SAP security. The following section explains some of the basic concepts of SAP security.

Transaction Codes

A transaction code is the term used to describe an action or activity in SAP, e.g. ME21N (Create Purchase Order). An SAP user is assigned various transaction codes in order to perform their job function. Transaction codes have underlying authorisation objects and values that allow more granular control, such as restricting a user to one company code or plant. A standard SAP system contains over 140 000 transaction codes, of which most companies use between 2 000 and 3 000. Transaction codes are assigned to a role and the role in turn to the user. From a risk perspective, it is important to assign only the access that SAP users require to perform their job function; assigning wide access increases your organisation’s access risk exposure.

SAP Role

◦   SAP Single Role – A single role is the container for a group of transaction codes (the role menu) together with the generated profile that holds their authorisations. Users are assigned single roles so that they can execute the transaction codes. The approach taken to structuring and assigning roles is referred to as the role methodology. The main methodologies are:

  • Derived – A derived / parent role methodology is where the parent role acts as a master role containing the transaction codes, and is derived out to cater for the various organisational levels (Company Code, Plant etc).
  • Task / Value – A task role is a functional (small) role that contains a group of associated transaction codes to perform a certain task e.g. Purchase Order Maintenance. Users are typically assigned many task roles to make up their complete access/profile.  Value roles are secondary roles that work in conjunction with the task role. Value roles only contain SAP authorisation objects with specific values to restrict the users to only operate in the Organisation Levels for which they have value roles assigned.
  • Profiles – Before SAP introduced the role concept, profiles were the mechanism for giving users the access they needed. Profiles still exist in the system (every generated role has one behind it), but manually maintained profiles are seldom used. The best-known example is the SAP_ALL profile, which grants full access and should never be assigned to dialog users in a productive system.

◦   SAP Composite Role – An SAP Composite role is a container for a group of single roles. The Composite role can then be assigned to the users who then inherit the access (transaction codes) contained in the single roles.

◦   SAP Business Role – A business role is similar to a composite role but exists only in the IDM or access control solution: a virtual role managed through the access risk tool rather than in SAP itself. Business roles have the added benefit of being a container for single roles from multiple SAP systems, which simplifies provisioning significantly.
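To make the difference between the derived and the task/value methodology concrete (as discussed above for the User Access Review and in the role list here), the Python below builds both designs for the same constructed requirement and counts the roles to build and to assign. It is an added example, not a Soterion or SAP artefact; tasks, plants and role names are constructed, and organisational levels are reduced to a single plant field (WERKS). The derived design keeps each task bound to its own plant only when the tasks’ authorisation objects do not overlap, which the model does not capture, so effective access is computed for the task/value design only.

```python
"""Derived versus task/value role design for the same requirement.

Added example; not a Soterion or SAP artefact. Tasks, transactions, plants
and role names are constructed. Organisational-level restriction is
modelled with a single field (WERKS, plant); real roles carry several
organisational levels and many authorisation objects.
"""
from itertools import product
from typing import Dict, List, Set, Tuple

TASKS: Dict[str, Set[str]] = {        # task -> transactions (constructed)
    "PO_MAINTAIN": {"ME21N", "ME22N"},
    "PO_DISPLAY": {"ME23N"},
    "GR_POST": {"MIGO"},
}
PLANTS = ["1000", "2000", "3000"]


def derived_design(tasks, plants):
    """One parent role per task (organisational levels left open) and one
    derived role per task and plant; only the derived roles are assigned."""
    roles = {}
    for task, tcodes in tasks.items():
        roles[f"Z_{task}_PARENT"] = {"tcodes": set(tcodes), "werks": set(), "assignable": False}
        for plant in plants:
            roles[f"Z_{task}_{plant}"] = {"tcodes": set(tcodes), "werks": {plant}, "assignable": True}
    return roles


def task_value_design(tasks, plants):
    """Task roles carry transactions and functional objects only; value roles
    carry only the organisational-level authorisation (here WERKS)."""
    roles = {f"Z_T_{task}": {"tcodes": set(tcodes), "werks": set(), "assignable": True}
             for task, tcodes in tasks.items()}
    for plant in plants:
        roles[f"Z_V_PLANT_{plant}"] = {"tcodes": set(), "werks": {plant}, "assignable": True}
    return roles


def assign(design: str, need_tasks: List[str], need_plants: List[str]) -> List[str]:
    """Roles a user needs for the given tasks in the given plants."""
    if design == "derived":
        return sorted(f"Z_{t}_{p}" for t, p in product(need_tasks, need_plants))
    return sorted([f"Z_T_{t}" for t in need_tasks] + [f"Z_V_PLANT_{p}" for p in need_plants])


def effective_access(roles, assigned: List[str]) -> Set[Tuple[str, str]]:
    """(transaction, plant) pairs the user ends up with in the task/value
    design. Authorisations are evaluated as a union across roles, so every
    value-role plant applies to every task-role transaction."""
    tcodes, plants = set(), set()
    for name in assigned:
        tcodes |= roles[name]["tcodes"]
        plants |= roles[name]["werks"]
    return set(product(tcodes, plants))


def role_counts(tasks, plants) -> Tuple[int, int]:
    """Roles to build under each design (parents included for derived)."""
    return len(derived_design(tasks, plants)), len(task_value_design(tasks, plants))


if __name__ == "__main__":
    print("roles to build (derived, task/value):", role_counts(TASKS, PLANTS))
    print("assignments for a user needing every task in every plant:",
          len(assign("derived", list(TASKS), PLANTS)),
          len(assign("task_value", list(TASKS), PLANTS)))
    tv = task_value_design(TASKS, PLANTS)
    print(sorted(effective_access(tv, assign("task_value", ["PO_MAINTAIN", "GR_POST"], ["1000", "2000"]))))
```

Three tasks across three plants need 12 roles in the derived design (9 derived plus 3 parents) and 6 in the task/value design, and the gap widens with every extra plant. The last line shows the trade-off: a user who needs purchase-order maintenance in plant 1000 and goods receipts in plant 2000 receives both tasks in both plants, because the value roles are not bound to a task.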

SAP Users

SAP users are the identities through which end users access the SAP system. When creating an SAP user, the following settings matter from a security perspective:

  • SAP password complexity – SAP supports many password complexity settings (minimum length, required digits, special characters and upper-case letters, expiry period and so on). They are controlled by the login/* profile parameters, for example login/min_password_lng and login/password_expiration_time. The current values can be listed with report RSPFPAR (run via SA38) or checked individually in transaction RZ11; RSPFPAR is a report, not a transaction code.
  • User types – SAP has five user types: Dialog, System, Communication, Service and Reference. The most common are used as follows:
    • Dialog – A typical end-user ID is a dialog user. Dialog users are subject to the password parameters unless a specific security policy has been assigned to them.
    • Service – A service user can log on interactively but is exempt from password expiry and forced password changes. These IDs carry a large risk if the password is shared.
    • System – These IDs are used for background jobs and system-to-system communication. They cannot log on via the SAP GUI, but they carry risk because of the wide access typically assigned to them, and they can be used to reach the system through RFC (Remote Function Call) connections.
  • Validity dates – Some user IDs are only required for a limited period. Maintain a validity end date so that the ID cannot be used to gain unauthorised access afterwards, and set it as soon as a user’s leaving date is known.
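A baseline check for the password parameters mentioned above, as an added example that is not Soterion code: it parses RSPFPAR-style output, constructed here with the real login/* parameter names, and reports every parameter that misses an assumed baseline, beside the same parameters after hardening. The column layout and the baseline values are this example’s assumptions rather than SAP’s recommendations.

```python
"""Checking SAP password profile parameters against a baseline.

Added example; not Soterion code. The parameter lines are constructed in
the column order report RSPFPAR prints (parameter name, user-defined value,
system default); the exact layout and the baseline values are this
example's assumptions, not SAP's recommendations. The parameter names are
the real login/* parameters.
"""
from typing import Dict, List, Tuple

# Constructed RSPFPAR-style output. A blank user-defined value means the
# system default is in effect (login/min_password_specials below).
RSPFPAR_OUTPUT = """\
login/min_password_lng            6         6
login/min_password_specials                 0
login/min_password_uppercase      1         0
login/password_expiration_time    0         0
login/fails_to_user_lock          5         5
"""

# The same parameters after hardening to the baseline (constructed).
HARDENED_OUTPUT = """\
login/min_password_lng           12         6
login/min_password_specials       1         0
login/min_password_uppercase      1         0
login/password_expiration_time   90         0
login/fails_to_user_lock          5         5
"""

# Assumed baseline: parameter -> (rule, value). "min": at least; "max": at
# most; "between": (low, high), which rejects 0 = "never expires".
BASELINE = {
    "login/min_password_lng": ("min", 12),
    "login/min_password_specials": ("min", 1),
    "login/min_password_uppercase": ("min", 1),
    "login/password_expiration_time": ("between", (1, 90)),
    "login/fails_to_user_lock": ("max", 5),
}


def parse_rspfpar(text: str) -> Dict[str, int]:
    """Effective value per parameter: the user-defined value when present,
    otherwise the system default. With a user value a line has three tokens,
    without it two; in both cases the effective value is the second token."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("login/"):
            continue
        values[parts[0]] = int(parts[1])
    return values


def compliant(rule: str, expected, actual: int) -> bool:
    if rule == "min":
        return actual >= expected
    if rule == "max":
        return actual <= expected
    low, high = expected
    return low <= actual <= high


def findings(values: Dict[str, int], baseline=BASELINE) -> List[Tuple[str, object, str]]:
    """Parameters that miss the baseline, as (parameter, actual, expected).
    A parameter missing from the extract is reported as well."""
    out = []
    for param, (rule, expected) in baseline.items():
        actual = values.get(param)
        if actual is None or not compliant(rule, expected, actual):
            out.append((param, actual, f"{rule} {expected}"))
    return out


if __name__ == "__main__":
    for finding in findings(parse_rspfpar(RSPFPAR_OUTPUT)):
        print(finding)
    print("after hardening:", findings(parse_rspfpar(HARDENED_OUTPUT)))
```

On the weak extract three parameters are reported: the six-character minimum length, the absent special-character requirement (the default 0 applies because no user value is set) and an expiry time of 0, which means passwords never expire. The hardened extract produces no findings.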

SAP Provisioning

SAP provisioning is the process of assigning SAP roles to the SAP User ID. SAP Provisioning can be handled in different ways. A user can inherit access directly or indirectly:

  • Direct – Assign roles directly to users.
  • Indirect – Assign roles to a Position. The HR team will assign a user to a position.

SAP Fiori Security

In S/4HANA, transaction codes are increasingly replaced by Fiori applications executed in a web browser. This adds a layer of complexity to security: access is controlled through Fiori catalogs and groups in the role and through the S_SERVICE authorisation object for the underlying OData services, while the backend authorisation objects of the business function still apply. Although the user interface is friendlier, it is a more difficult solution to maintain.

SAP HANA Database Security

Some users are given direct database access to run reports. Access at database level must be restricted, read-only wherever possible, so that no unauthorised inserts or changes bypass the application-layer controls.

SAP Access Risk

  • SAP SOD risk – A segregation of duties risk is where a user has the ability to perform two or more conflicting functions, for example maintaining vendor master data and posting vendor invoices. Such conflicts expose a company to fraud, user error and misstatements.
  • SAP critical transaction risk – Some transactions are sensitive on their own because of the potential impact if misused. These are classified as critical transaction or sensitive access risks.

Optimise SAP Security to achieve business objectives


Once you’ve optimised and mastered the basics ask yourself, ‘How do I optimise my SAP Security to achieve my business objectives?’.

SAP Role Methodology

The methodology you have applied has a big impact on what you can achieve. Certain methodologies allow for easier remediation and ensuring users are only assigned the access they require for their job function. Decide what you need to achieve and see if the methodology allows for it.


Tools such as Soterion and SAP GRC Access Control can help you manage the access risk in your SAP system. Consider the benefits each tool provides and what you want to get from it.

Items to consider:

  • User Interface
  • Ease of use
  • Implementation time
  • ROI
  • Process improvements

SAP Access Risk Rule Set

SOD tools ship with a standard rule set. A standard rule set knows nothing about your custom transactions (Z and Y transaction codes) or the business process changes you have applied, so it must be adjusted to be company-specific before its results can be trusted.

Manage SAP Access Risks

After identifying the relevant risks, you need to clean-up your SAP Access Risks. How can this be done?

  • Remediation (role clean-up) – Clean-up can happen in different ways. Roles can be removed from users or transactions can be removed from roles.
  • Mitigation Controls – For access risk that cannot be remediated, Mitigation controls need to be defined to ensure the access risk exposure is adequately reduced.
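The rule set and remediation points above can be illustrated with a small rule set evaluator. The Python below is an added example, not a vendor rule set or Soterion code: the functions and risks are a constructed subset of a typical accounts payable rule set, and the custom transaction ZFK01, the users and the mitigating control are hypothetical.

```python
"""Evaluating an SOD rule set, customising it for a custom transaction and
applying a mitigating control.

Added example; not a vendor rule set or Soterion code. The functions and
risks are a constructed subset of a typical accounts payable rule set; the
custom transaction ZFK01, the users and the control are hypothetical.
"""
from typing import Dict, List, Set, Tuple

STANDARD_FUNCTIONS: Dict[str, Set[str]] = {   # function -> transactions
    "AP01_MAINTAIN_VENDOR": {"FK01", "FK02", "XK01", "XK02"},
    "AP02_POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "AP03_RUN_PAYMENTS": {"F110"},
}
RISKS: Dict[str, Tuple[str, str]] = {          # risk id -> conflicting pair
    "P001": ("AP01_MAINTAIN_VENDOR", "AP02_POST_VENDOR_INVOICE"),
    "P002": ("AP02_POST_VENDOR_INVOICE", "AP03_RUN_PAYMENTS"),
}


def customise(functions, additions):
    """Copy the rule set and map custom transactions into the functions they
    implement; a standard rule set cannot know about Z/Y transactions."""
    custom = {f: set(t) for f, t in functions.items()}
    for func, tcodes in additions.items():
        custom.setdefault(func, set()).update(tcodes)
    return custom


def violations(user_tcodes, functions, risks):
    """A risk is violated when the user can execute at least one transaction
    from each of its two functions. Returns (risk, hits in f1, hits in f2)."""
    found = []
    for risk_id, (f1, f2) in risks.items():
        hit1 = user_tcodes & functions.get(f1, set())
        hit2 = user_tcodes & functions.get(f2, set())
        if hit1 and hit2:
            found.append((risk_id, sorted(hit1), sorted(hit2)))
    return found


def unmitigated(user, found, controls):
    """Drop violations covered by a mitigating control assigned to the user
    (e.g. a monthly review of vendor master changes against invoices).
    The access itself is unchanged; only the open list shrinks."""
    return [v for v in found if (user, v[0]) not in controls]


# Constructed: the user creates vendors through a custom wrapper ZFK01
# instead of FK01 and also posts vendor invoices.
USER_TCODES = {"ZFK01", "FB60", "FK03"}
CUSTOM_FUNCTIONS = customise(STANDARD_FUNCTIONS, {"AP01_MAINTAIN_VENDOR": {"ZFK01"}})
CONTROLS = {("JSMITH", "P001")}     # mitigating control assigned to JSMITH


def assess(user, tcodes, functions=CUSTOM_FUNCTIONS, controls=CONTROLS):
    """Open (unmitigated) violations for one user under the given rule set."""
    return unmitigated(user, violations(tcodes, functions, RISKS), controls)


if __name__ == "__main__":
    print("standard rule set:", violations(USER_TCODES, STANDARD_FUNCTIONS, RISKS))
    print("customised rule set:", violations(USER_TCODES, CUSTOM_FUNCTIONS, RISKS))
    print("open after mitigation:", assess("JSMITH", USER_TCODES))
```

With the standard rule set the user is clean: ZFK01 belongs to no function, so the vendor-maintenance side of P001 is never matched. Once ZFK01 is mapped into AP01_MAINTAIN_VENDOR, P001 appears. Assigning a mitigating control removes it from the open list without changing the underlying access, which is the difference between remediation and mitigation.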

SAP Role Redesign 

When your Role methodology does not allow you to reach your business objectives, it could be required to do a complete SAP Role Redesign. This would mean that new roles are built for the entire user base.

The information we have provided is focussed on SAP Access and the risks associated with it. Other items to consider could be the following:

  • SAP Security notes
  • SAP configuration settings
  • SAP Audit logging

Feel free to email us at [email protected] if you would like a discussion with one of our experts around SAP Security.