By Ashwin Bhaskar, Senior Software Engineer at NextLabs
Today’s ERP systems demand tight security controls at multiple levels of the application design. Most ERP systems, including SAP, are transactional in nature. Our customers have frequently asked us about extending security controls beyond transactions, down to the field level. For example, take a digital product catalog used by multiple departments within an enterprise: the view screen hides pricing information from a customer support rep who only needs to view technical product information, whereas a sales rep viewing the same product catalog can view both technical and pricing information but cannot make modifications. A third level of access is granted to the pricing team, which can view and modify the price fields of the product catalog.
To achieve this, field level security is required to restrict access to confidential data at a fine-grained level.
In the traditional Role Based Access Control (RBAC) model, roles are assigned to users and the behavior of fields is controlled by criteria tied to those roles. To address real-world, complex business processes, multiple roles are often identified and assigned to each user in order to satisfy access control and compliance policies.
Now, let us consider how this can be done in SAP. Instead of restricting access at the object/transaction level, we can restrict access at the field level. Does SAP support field-level security? The answer is both yes and no: straight out of the box, SAP may not support field-level security to the degree most users expect, but it is customizable using the Enhancement Framework.
The most common practice is to set up field level security using Screen Variant Configuration or Authorization Objects. Both of these procedures rely heavily on Role Based Access Control (RBAC) provided through SAP’s Authorization Concept. Yet RBAC does not scale here, because field level access is often too fine-grained for a role-based model. Additionally, field level access can change dynamically with different data and user sets.
For example, if you want field visibility to depend on office hours or on whether an employee is onsite, you cannot easily do so through Screen Variant Configuration and Authorization Objects that rely on RBAC. In addition, maintaining the Screen Variants and Authorization Objects can quickly become a cumbersome task for Security Administrators.
Enterprise Access / Identity Management is Changing
So, is fine-grained access control at the field level achievable with RBAC alone; is RBAC sufficient?
The answer is no.
Field level security requires ABAC. In fact, Gartner predicts that by 2020, 70% of all businesses will use attribute-based access control as the dominant mechanism to protect critical assets, up from <5% today.
The move towards ABAC provides us with a framework to include attributes that are available at the transaction level, apart from user and organization data, when designing security controls.
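To make the contrast concrete, here is an added example (not code from the original post, and not SAP's Authorization Concept or any NextLabs product API) of a small attribute-based evaluator for the product catalog scenario described earlier, extended with the office-hours and onsite conditions from the Screen Variant discussion. Every name in it is a constructed illustration: the `Subject`, `Context` and `Policy` types, the `department` and `onsite` attributes, the 09:00 to 18:00 office window and the sample catalog record are all assumptions chosen for the demonstration. Each rule is a predicate over attributes of the user, the field and the transaction context, and the default is deny, which is what a role matrix cannot express once a decision depends on the time of day or on where the user is.

```python
"""Added example: attribute-based field-level access decisions for a product catalog.

All attribute names, policies and sample data below are constructed for illustration;
they are not SAP authorization objects and not a NextLabs API.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable

Action = str  # "read" or "modify"


@dataclass
class Subject:
    """User attributes the policy can reason about (constructed)."""
    user: str
    department: str
    onsite: bool = False


@dataclass
class Context:
    """Transaction-level attributes, here just the local clock time (constructed)."""
    local_time: time


@dataclass
class Policy:
    """One permit rule: field, action, and the attribute predicate that grants it."""
    field: str
    action: Action
    condition: Callable[[Subject, Context], bool]


TECHNICAL_FIELDS = ("material", "description", "specs")
OFFICE_HOURS = (time(9, 0), time(18, 0))  # assumed office window

# Constructed policy set. Technical fields are readable by everyone; pricing is
# readable by sales and pricing, and modifiable by the pricing team only while
# onsite during office hours. There is no rule for modifying technical fields,
# so that is denied by default.
POLICIES = [Policy(f, "read", lambda s, c: True) for f in TECHNICAL_FIELDS] + [
    Policy("price", "read", lambda s, c: s.department in ("sales", "pricing")),
    Policy("price", "modify", lambda s, c: s.department == "pricing"
           and s.onsite
           and OFFICE_HOURS[0] <= c.local_time < OFFICE_HOURS[1]),
]


def is_permitted(subject: Subject, ctx: Context, field_name: str, action: Action) -> bool:
    """Default deny: permit only if at least one policy for this field/action holds."""
    return any(p.condition(subject, ctx)
               for p in POLICIES if p.field == field_name and p.action == action)


def visible_fields(subject: Subject, ctx: Context, record: dict) -> dict:
    """The record as the view screen should render it: unreadable fields removed."""
    return {k: v for k, v in record.items() if is_permitted(subject, ctx, k, "read")}


def denied_updates(subject: Subject, ctx: Context, changes: dict) -> list:
    """Fields in a proposed change that the subject may not modify (sorted)."""
    return sorted(f for f in changes if not is_permitted(subject, ctx, f, "modify"))


# Constructed sample data used by the demo below.
CATALOG_RECORD = {
    "material": "MAT-0001",
    "description": "Industrial pump",
    "specs": "2.2 kW, 400 V",
    "price": 1299.00,
}
OFFICE_HOURS_CTX = Context(local_time=time(10, 30))
AFTER_HOURS_CTX = Context(local_time=time(20, 0))
SUPPORT_REP = Subject("srep1", "support")
SALES_REP = Subject("sales1", "sales")
PRICING_ONSITE = Subject("price1", "pricing", onsite=True)
PRICING_REMOTE = Subject("price2", "pricing", onsite=False)


if __name__ == "__main__":
    for who in (SUPPORT_REP, SALES_REP, PRICING_ONSITE):
        print(who.department, "sees", visible_fields(who, OFFICE_HOURS_CTX, CATALOG_RECORD))
    for who, ctx in ((SALES_REP, OFFICE_HOURS_CTX), (PRICING_ONSITE, OFFICE_HOURS_CTX),
                     (PRICING_ONSITE, AFTER_HOURS_CTX), (PRICING_REMOTE, OFFICE_HOURS_CTX)):
        print(who.user, "at", ctx.local_time, "denied:",
              denied_updates(who, ctx, {"price": 999.0}))
```

The evaluation is permit-overrides with an implicit deny: adding a new condition (a second plant, a contract type carried in the transaction) is a new predicate, not a new role that has to be assigned and maintained for every affected user.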
In my next blog, I shall take up a real world use case to hone in on a field level security solution using the ABAC approach. Stay tuned.
If you are aware of other scalable approaches to achieve field level security in SAP, please share.
Ashwin Bhaskar is a Senior Software Engineer in Research and Development for SAP at NextLabs, Inc. He works with the product development team to design and develop information risk management solutions for SAP enterprise customers. He has many years of experience in devising custom solutions for clients running their businesses on SAP Business Suite. He focusses on custom engineering on ABAP for the SAP Business Suite.