United Energy (UE) and Multinet Gas (MG) provide energy to people across east and southeast Melbourne and the Mornington Peninsula in Australia. They are two separate businesses but are managed by the same head office.
UE distributes electricity to more than 650,000 customers, managing a network of 215,000 electricity poles and approximately 13,000 km of wire. MG distributes natural gas to 660,000 customers. MG’s network of 164 km of transmission pressure pipelines and 9,866 km of distribution mains transports gas from a high-pressure transmission network operated by APA GasNet to residential, commercial and industrial customers.
Setting the strategy
UE and MG ran SAP enterprise software but had no SAP access risk tool in place. This meant the companies relied on SAP audit reports to highlight risks within their systems. The reports indicated that IT support users had wide access to the SAP system, which created a threat to the integrity of the entire system.
“There was a need for an SAP authorisation tool to provide better visibility of the SAP system on a continuous basis. The solution also needed to limit the access of unauthorised users to certain SAP functionality and to be a good fit for both businesses in terms of cost effectiveness and complexity,” said Basile Sepsakos, United Energy.
Soterion for SAP was chosen as the best fit and the most user-friendly solution. The installation and training took place over three days. Historical user–transaction data was imported into Soterion and the solution reported on the access risk that users had in relation to the functionality (transaction codes) they were using.
“The results derived from the Soterion solution allowed our SAP security team to easily identify the roles and transactions contributing to the access risk which were removed,” said Mr Sepsakos. “Next, we went on to identify the transaction codes in roles that users were not accessing. These transaction codes were also removed from the roles.”
“Some support roles were so wide that we could not clean them up very easily. We used Soterion’s Wizard functionality to build new roles for a group of users based on actual usage. This allowed us to create more specific support roles. The clean-up exercise allowed us to reduce our segregation of duties count by 98% without any impact on the business,” he explained.
PricewaterhouseCoopers (PwC) provided UE and MG with a customised rule set which was imported into Soterion. This allows the company to monitor access risks that are relevant and critical to the business.
“Soterion’s SAP authorisation solution prevents unauthorised users from having unnecessarily wide access in SAP. The tool is user friendly and has excellent business reporting functionality. Soterion for SAP also provides the risk visibility needed to make informed decisions, shifting responsibility for the SAP system’s authorisation security ranging from the IT support team to the company’s business leaders,” explained Johan van Noordwyk, director at Soterion Technologies.
He added: “Soterion for SAP assists companies to achieve SAP authorisation compliance in a cost-effective and systematic manner through Dynamic Authorisation Management. This is the on-going monitoring and adjusting of user access to ensure that the SAP authorisation solution is aligned to what users are actually doing in SAP. It allows our clients to differentiate between real SAP access risk and potential access risk, and empowers businesses to make more informed decisions relating to access risk. It enhances business ownership of SAP access risk through business-friendly reporting.”
Mr Sepsakos added: “We appreciate that managing SAP access risk will always take effort. The access risk rule set needs to be updated on a continuous basis to cater for new functionality, and there is a constant search for better and easier mitigating control reports. Soterion for SAP has allowed us to get to this point with minimal effort and at a far reduced cost than initially expected.”
“We initially started by renting the tool to allow us to evaluate it. After six months we quickly saw the immense value Soterion brought to our business and decided to purchase it outright,” said Mr Sepsakos.