Update the SAP BusinessObjects Access Control Rule Set with Custom Transactions

  • by Selva Kumar, Vice President, Auditbots
  • March 19, 2012
Most of the custom transactions in an SAP system have to be manually added to the SAP BusinessObjects Access Control rule set. Therefore, the SAP implementation team must have a full understanding of the functionality of the custom transaction and how to identify the proper location to add the custom transaction. Follow these guidelines for identifying and adding the custom transactions to the SAP BusinessObjects Access Control rule set.
Key Concept
An SAP BusinessObjects Access Control rule set tracks risks caused by a transaction combination, by individual sensitive transaction, sensitive authorization objects and sensitive role or profile. The transaction combination is called a segregation of duties (SoD) risk, the individual sensitive transaction is identified as a critical action risk, an object-related risk is treated as a critical permission risk, and a critical role is known as critical role profile. Custom transactions start with Z or Y. As companies use custom transactions they have to decide if they should be added to the SAP BusinessObjects Access Control rule set. This analysis is based on the functionality of the transaction and the risk it poses to the company. As part of the risk review of the custom transactions they have to be classified as three groups: display, report, and change transactions. Report and display transactions do not pose a risk, but change transactions need to be reviewed for risk. For example, create, change, and delete vendor management transactions are in the rule set, but display vendor master data is not part of the SAP GRC rule set. Companies have to review the rule set and see what risks are relevant based on their type of business.
Your SAP BusinessObjects Access Control system is tracking only a portion of your segregation of duties (SoD) and transaction risks if you have not added your custom transactions to the SAP BusinessObjects Access Control rule set. The rule set tracks risks created by conflicts between two transactions and risks created by the transaction itself.

SAP BusinessObjects Access Control’s risk analysis and remediation (RAR) functionality (renamed access risk management in version 10.0) comes with a default rule set that contains SoD transactions and critical action transactions. However, this SAP BusinessObjects Access Control rule set includes only transactions created by SAP, not the custom transactions created by the company that is using the SAP system.

You can follow the steps shown in Figure 1 to help you identify the functionality of custom transactions and establish criteria for adding them to the SAP BusinessObjects Access Control rule set. I explain best practices for securing custom programs and tables with transaction SU24 updates or authority check statements. Transaction SU24 maintains the USOBT_C and USOBX_C tables. These tables hold the relationships between the particular transaction and its authorization objects. It is possible to add or subtract the checks performed in the transaction by changing the appropriate flag in transaction SU24.

Selva Kumar

Selva Kumar is vice president of AuditBots, which is an SAP IT audit compliance solutions company providing preventive and detective SAP controls automation software solutions. He is also an SAP audit compliance consultant with the federal government working on SAP BusinessObjects GRC implementation. The implementation is focused on automating user provisioning, emergency access policy, and risk analysis and remediation. Selva writes for the blog sapsecuritytrainer.com and is a frequent contributor to various technical publications. Selva has spent 15 years as independent SAP security consultant with SAP America, Accenture, Deloitte, E&Y, Eli Lilly, Du Pont DE, Ogilvy Mather NY, IPG America, HMCO America MA, IGT NV, AutoFena PA, Rohm and Hass PA, Cephalon PA, and Johnson and Johnson PA.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.