SAP system access reviews are the bane of any modern SAP systems administrator. The system itself does not lend itself to ease of use and manual access log traversal can be time-consuming, slow, and possibly be riddled with inaccuracies that can lead to problems later down the road. So how can a SAP administrator deal with an issue such as this? For us to speed up the process of reviews and make sure that they have a certain level of accuracy within them, we can look at implementing a few quality-of-life solutions that can impact how we deal with SAP system access and the associated review reports. These reports are usually done with a deadline in mind and being able to consistently hit that deadline might seem like a pipe dream. Fortunately, there are a few things we can promote to make life a little easier for the beleaguered system’s administrator.
Keep your Eyes on the Finish Line
Access reviews are an important part of a company’s security architecture when it comes to user account access to sensitive data. ERP Maestro’s Access Reviewer is a tool that can be used to do automatic pooling of information that we require in order to create and update these user review reports. If the tool is installed and is run regularly, then by the time the user report season rolls around a system admin should have a relatively up-to-date system regarding data access and which accounts are over-leveraged in their access permissions. Remember that the end goal is to ensure that the data we provide is relevant and the system itself isn’t put under strain by our requests for data that needs to be included in the report. ERP Maestro’s Access Reviewer is the ideal tool to accomplish this.
Offer Shared Responsibility for Reviews
While IT administration and Audit departments usually have control over the review process, at the end of the day the process is the property of the whole company since it directly impacts the company’s security measures. In such a case, management at all levels should be apprised as to why the audit is being done as well as establish internal systems for independent auditing within their departments. This requires a large amount of trust within the different levels in a company, and by assigning the head of a department to do routine audit checks this simplifies matters for administration in the later end of the process pipeline, allowing them to create reports quickly.
Manage Reviews at Start and Finish
Far too often in auditing the access controls of a department, a manager simply rubber-stamps the approval on each of the access logs, not really going into the details of such access and why it’s necessary. By removing the ability to mass-approve access, a company stops the inadvertent inclusion of security risks in certain user groups. These restricted access groups can be pared down to the bare minimum, with users that don’t need access being vetted by their direct managers. With additions like Access Reviewer, once the access level is flagged, it is automatically removed allowing for an accurate plan of the current access levels of each employee within the organization.
Automation is our Friend
One of the simplest ways to make review report construction faster is to automate the systems involved. Access Reviewer and Access Analyzer offer tools for dealing with audit reports and turn them from a tedious chore into something that can be quickly updated and added to a detailed port about the access privileges across the company. These serve to keep security tight within a company and should be done when necessary to ensure that the company doesn’t fall prey to unauthorized access of data. In this way a company takes steps to protect itself against industrial espionage.
Combining Technologies to Make Life Easier
The more technology we introduce into a system, the more complex that system becomes and the harder it is to manage. By building simplification into the system, we create a means of making the lives of system admins easier while keeping the efficiency of the system at the same level, or even improving it. Access review reports can be time-consuming and tedious, but they serve a purpose and are a necessary evil. Implementing a system that eases this pain is both essential and important to the overall efficiency of the review system and by extension the security of the organization.