Monday 20 February 2012

The Security Stuff (part 2)

I'm following on from last week's post - because I think that there is a bit more to say about this topic.

If you follow any of the people that promote the concept of "Empowerment" within a business, you'll no doubt be aware that many of these people or companies are talking about allowing staff access to more of the information held within their systems, so that it is easier for decisions to be made at lower levels, rather than having all decisions coming down from the top. This is also sometimes described as "agile" business decision making.

There is something to be said for this idea - if someone has to purchase some goods, and has been doing the job for some years, she may well be quite capable of negotiating the right kind of deal without having to refer it to her line manager. This then means that the manager is left to deal with more important issues - and when I was a younger manager, it was known as delegation. A senior manager once told me that if you cannot delegate, you cannot manage.

The problem is of course that not everyone is entirely capable of making decisions at certain levels, and need to be monitored more closely than some others. It also has to be said that there are more than a few managers and senior executives that would be horrified at the thought of more junior people making even quite minor decisons without referring to them. Even if all they are doing is glancing at an email and then replying "do what you think best", they feel that they are "managing the situation". (A bit like the PHB in the "Dilbert" cartoons!)

So it's necessary to decide how you want to secure your date as well as how you need to secure your data (the two are not the same). How you need to secure the data is often defined by regulatory compliance or the need to prevent commercially sensitive information from going astray. How you want to secure the data is more about how you structure the business and how the various processes work.

Most people would agree that when SAP was first created, the main target was the larger enterprise business. Within this size of business it is generally necessary to provide some separation of duties - you don't want the person that creates a new bank account being able to transfer money, otherwise  he might create an account for himself in the Caribbean and transfer $10 million, before taking a one way flight to his retirement (which he also puts on expenses!).

As a result, much of the way that things are structured in SAP security has been done specifically to provide the required levels of security for those large organisations. The problem is that when you get to the smaller businesses like ours, it's actually much harder to define what you need in terms of security. Worse, this can actually change a lot more frequently as staff will often be doing more types of jobs than their counterparts in the enterprise business.

Now we have a problem - I've been trying to make sure that all of the permissions are properly set-up and correctly tested, but even so, sometimes it's not always easy to do this. I will hold my hands up and admit that there have been many occasions when I was going thru a role and suddenly spotted something that didn't look right, that then needed to be corrected.

Partly this is due to some people taking the view that "give them access to everything, and we can take away what they shouldn't have". This doesn't work - why? Because the only time that you find someone can do something that they shouldn't is when they have done just that, and it has caused a problem. And usually, that is when things are going seriously wrong.

We have seen that, not just the one time, but on a number of occasions. Most recently because we have some transactions that were created for us by one of the consultants based upon standard SAP t-codes. Unfortunately, the new t-codes have absolutely no authorisation checks built into them - and as a result, we have found that some people are able to do some work that was supposed to only be done by the Production Manager once a day to clear up any issues.

Oh, and in case you wondered - when I said that I would take the offending t-code out of the role, the Production Manager asked me to leave it in. He is going to speak to staff to try to make sure that they understand that they shouldn't run this particular process, just use the t-code to look at the data. Yes - I'm sure that will work (until the next time).

25 comments:

  1. Loved the comparison to Dilbert's boss !

    Great series of articles. Gives the real picture of a SAP implementation..

    Cheers!

    ReplyDelete
  2. Now a days sap basis is highly learning course ..in all countries..your providing such a good information on this blog ..its..really appreciate..

    sap basis online training

    ReplyDelete
  3. Before coming into SAP it is must to choose which module you can fit you can select that based on ur domain experience.Its always better to go for Classroom training if it does not suit then SAP Online training

    ReplyDelete
  4. Thanks sharing such a wonderful site, appreciated it. see the latest news visit sap community

    ReplyDelete
  5. Thanks to Sharing the SAP Material for Freshers and Experiences,
    Link as,
    saptraininginchennai

    ReplyDelete
  6. Hi,
    Now a days sap plays a major role.nice material.thank you
    Sap Training in Chennai

    ReplyDelete
  7. LoadRunner Training in Chennai,

    Really is very interesting, I saw your website and get more details..Nice work..

    Thanks regards

    Please refer this link below,
    LoadRunnerTraining in Chennai

    ReplyDelete
  8. Thanks to Share the LoadRunner Material for Freshers,Link as,
    LoadRunnerTraining in Chennai

    ReplyDelete
  9. Thanks for sharing this valuable information.and I gathered some information from this blog. I did SAP Course in Chennai, at FITA Academy located which offer best SAP Training in Chennai with years of experienced professionals.

    ReplyDelete
  10. I stand by your thoughts. It is important to make sure that the software application working precisely for the reason it originally designed for. Thus, load testing is mandatory for every application or system before deployment. Loadrunner course in Chennai

    ReplyDelete
  11. Latest Govt Bank Railway Jobs 2016


    I have learn some excellent stuff here. Certainly worth bookmarking for revisiting, Thank you............

    ReplyDelete
  12. I am extremely impressed with your writing skills and also with the layout on your blog

    sas online training in hyderabad

    ReplyDelete
  13. nice posts thanku for shairng,...
    SAP HANA training in hyderabad,This is the best path You can Learn COmplete Course with full fledge knowledge of SAP.SAP HANA training in hyderabad

    ReplyDelete
  14. Hi,
    Good job & thank you very much for the new information, i learned something new. Very well written. It was sooo good to read and usefull to improve knowledge. Who want to learn this information most helpful. One who wanted to learn this technology IT employees will always suggest you take python training in bangalore. Because python course in Bangalore is one of the best that one can do while choosing the course.

    ReplyDelete
  15. This comment has been removed by the author.

    ReplyDelete
  16. your blog information's are really creative and It contains full of new innovative ideas.thank you for sharing with us.please update more data. share more
    Ai & Artificial Intelligence Course in Chennai
    PHP Training in Chennai
    Ethical Hacking Course in Chennai Blue Prism Training in Chennai
    UiPath Training in Chennai

    ReplyDelete
  17. This comment has been removed by the author.

    ReplyDelete
  18. This comment has been removed by the author.

    ReplyDelete