Monday, 20 February 2012

The Security Stuff (part 2)

I'm following on from last week's post - because I think that there is a bit more to say about this topic.

If you follow any of the people that promote the concept of "Empowerment" within a business, you'll no doubt be aware that many of these people or companies are talking about allowing staff access to more of the information held within their systems, so that it is easier for decisions to be made at lower levels, rather than having all decisions coming down from the top. This is also sometimes described as "agile" business decision making.

There is something to be said for this idea - if someone has to purchase some goods, and has been doing the job for some years, she may well be quite capable of negotiating the right kind of deal without having to refer it to her line manager. This then means that the manager is left to deal with more important issues - and when I was a younger manager, it was known as delegation. A senior manager once told me that if you cannot delegate, you cannot manage.

The problem is of course that not everyone is entirely capable of making decisions at certain levels, and some people need to be monitored more closely than others. It also has to be said that there are more than a few managers and senior executives who would be horrified at the thought of more junior people making even quite minor decisions without referring to them. Even if all they are doing is glancing at an email and then replying "do what you think best", they feel that they are "managing the situation". (A bit like the PHB in the "Dilbert" cartoons!)

So it's necessary to decide how you want to secure your data as well as how you need to secure your data (the two are not the same). How you need to secure the data is often defined by regulatory compliance or the need to prevent commercially sensitive information from going astray. How you want to secure the data is more about how you structure the business and how the various processes work.

Most people would agree that when SAP was first created, the main target was the larger enterprise business. Within this size of business it is generally necessary to provide some separation of duties - you don't want the person that creates a new bank account being able to transfer money, otherwise he might create an account for himself in the Caribbean and transfer $10 million, before taking a one way flight to his retirement (which he also puts on expenses!).

As a result, much of the way that things are structured in SAP security has been done specifically to provide the required levels of security for those large organisations. The problem is that when you get to the smaller businesses like ours, it's actually much harder to define what you need in terms of security. Worse, this can actually change a lot more frequently as staff will often be doing more types of jobs than their counterparts in the enterprise business.

Now we have a problem - I've been trying to make sure that all of the permissions are properly set up and correctly tested, but even so, it's not always easy to do this. I will hold my hands up and admit that there have been many occasions when I was going through a role and suddenly spotted something that didn't look right, that then needed to be corrected.

Partly this is due to some people taking the view that "give them access to everything, and we can take away what they shouldn't have". This doesn't work - why? Because the only time that you find someone can do something that they shouldn't is when they have done just that, and it has caused a problem. And usually, that is when things are going seriously wrong.

We have seen that, not just the one time, but on a number of occasions. The most recent case involved some transactions that one of the consultants created for us, based upon standard SAP t-codes. Unfortunately, the new t-codes have absolutely no authorisation checks built into them - and as a result, we have found that some people are able to do some work that was supposed to only be done by the Production Manager once a day to clear up any issues.

Oh, and in case you wondered - when I said that I would take the offending t-code out of the role, the Production Manager asked me to leave it in. He is going to speak to staff to try to make sure that they understand that they shouldn't run this particular process, just use the t-code to look at the data. Yes - I'm sure that will work (until the next time).
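As an added illustration of the gap described above (not code from this blog or from SAP), here is how a custom Z report behind such a t-code can separate looking at the data from actually running the clean-up, using AUTHORITY-CHECK statements in the code. The S_TCODE check that every transaction gets only decides who can start it; what the report then does needs its own checks. The authorisation object Z_PRODCLN (field ACTVT), the table ZPROD_ISSUES and the report name are assumptions for this example.

```abap
REPORT zprod_cleanup.
" Added example (not the blog's or SAP's code): a Z report behind a custom
" t-code, with the authorisation checks the copied version lacked.
" Assumed: custom authorisation object Z_PRODCLN with field ACTVT (SU21),
" and a custom table ZPROD_ISSUES with fields ISSUE_ID, CREATED_ON, STATUS.

PARAMETERS p_run AS CHECKBOX.   " ticked = actually run the daily clean-up

START-OF-SELECTION.
  " Looking at the open issues needs ACTVT 03 (display) only; this is all
  " that ordinary staff roles need to contain.
  PERFORM require_activity USING '03'.

  SELECT issue_id, created_on FROM zprod_issues
    WHERE status = 'OPEN'
    INTO TABLE @DATA(lt_open).
  LOOP AT lt_open INTO DATA(ls_open).
    WRITE: / ls_open-issue_id, ls_open-created_on.
  ENDLOOP.

  " Running the clean-up needs ACTVT 16 (execute), which only the
  " Production Manager's role carries. Without this second check, anyone
  " who can start the t-code can also run the process.
  IF p_run = abap_true.
    PERFORM require_activity USING '16'.
    UPDATE zprod_issues SET status = 'CLOSED' WHERE status = 'OPEN'.
    COMMIT WORK.
    WRITE: / 'Clean-up executed,', sy-dbcnt, 'issues closed.'.
  ENDIF.

" One check per activity; a failed check ends the report with an error
" message (type E), so nothing after the PERFORM runs.
FORM require_activity USING iv_actvt TYPE activ_auth.
  AUTHORITY-CHECK OBJECT 'Z_PRODCLN'
    ID 'ACTVT' FIELD iv_actvt.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'No authorisation for activity' iv_actvt.
  ENDIF.
ENDFORM.
```

With this split, the request to "leave the t-code in" can be honoured: staff keep the display activity and only the Production Manager's role gets ACTVT 16, rather than relying on people remembering not to tick the box.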


  1. Loved the comparison to Dilbert's boss !

    Great series of articles. Gives the real picture of a SAP implementation..
