SAP Field Level Security – what are my options?

By Ashwin Bhaskar, Senior Software Engineer at NextLabs

Today’s ERP systems demand tight security controls at multiple levels of the application design. Most ERP systems, including SAP, are transactional in nature. Our customers have frequently asked us about extending security controls beyond transactions, down to the field level. For example, take a digital product catalog used by multiple departments within an enterprise: the view screen hides pricing information from a customer support rep who only needs to see technical product information. A sales rep viewing the same product catalog can see both the technical and the pricing information, but cannot make modifications. The pricing team is granted yet another level of access: it can both view and modify the price fields of the product catalog.

Attributes is the new role?

By Sandeep Chopra.


At the last Gartner Identity and Access Summit in Nov 2013, Gregg Kreizmann, Research VP at Gartner, predicted that by 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from <5% today.

In Oct 2013, NIST published its report titled “Guide to Attribute-based Access Control Definition and Consideration”, which we discussed in an earlier blog. This is recognition that organizations, including the federal government, need to govern how information is shared across systems, applications, and organizations.

Controlling the Transfer of ITAR-related Technical Data: What will it take?

By Soujanya Madhurapantula.

In the previous post, you saw how we can control the movement of physical products using GTS. However, any company that deals in ITAR-controlled products also has associated technical data that it will need to share. When the recipients are outside the US, or are within the US but are not US persons, the technical data transmissions themselves are all considered exports.

Industry Spotlight: How does GE Oil & Gas manage operational Information Risk?

By EK Koh.

Many companies need to protect sensitive intellectual property (IP) as they collaborate globally on product designs and across multi-level supply chains. They also need to comply with cross-border export regulations even as they collaborate and share technical data with global customers, partners and employees.

Combining Role-Based Access Control with Attribute-Based Access Control for Export Compliance

By Soujanya Madhurapantula.

Recap: the 2-layer SAP authorization model

In our previous post, we introduced a 2-layer SAP authorization model: a combination of Role-Based Access Control plus Attribute-Based Access Control. To comply with regulatory mandates such as export control, where access to data depends on multiple factors such as location, nationality and content, it is prudent to augment SAP’s authorization model in order to control access at the data level.

Is Role-Based Access Control Sufficient?

By Soujanya Madhurapantula.

In SAP’s role-based security architecture, Users and Authorization objects are used to create profiles, such as “buyer” or “payer”, and these are used to define functional roles.

As a countermeasure against potential fraud, the Segregation of Duties rules in GRC Access Control can dictate that a user should not have, for example, both a buyer profile and a payer profile simultaneously. In simple cases like this, SAP’s authorization concept works great! It is able to distinguish which user can perform a specific function by limiting their access to certain transactions, programs and services. It even provides an easy way to administer HR functions like role changes and employee turnover.