
Copyright © 2003 Americas’ SAP Users’ Group Segregation of Duties (SOD) Strategies, Techniques, and Tools Christopher Lane Manager – PricewaterhouseCoopers.


Slide 1: Segregation of Duties (SOD) Strategies, Techniques, and Tools
Copyright © 2003 Americas' SAP Users' Group
Christopher Lane, Manager, PricewaterhouseCoopers
Jeremy Stokeld, Sr. Associate, PricewaterhouseCoopers
Monday, May 19, 2003

Slide 2: Agenda
- Security Overview
- Elements of a Good Role Design
- Maintaining the Standard
- Q&A

Slide 3: Security Overview (section title)
Copyright © 2003 Americas' SAP Users' Group

Slide 4: Overview - The Security Key Concept
- SAP Security Check
- Profile
- Authorizations and Field Values
- User Master Record

Slide 5: Definition of Terms
- User Role (Activity Group): container for authorization data
- Transaction Code: a task within SAP (~52,000+)
- Field: element of data within a transaction; a control point
- Object: template containing up to 9 fields ("uncut key")
- Authorization: a completed object, all field values filled in ("cut key")
- Profile: container of authorizations (ring of "cut keys")
- Profile Generator: tool to construct/generate profiles, tied to the USOBT_C and USOBX_C tables

Slide 6: Overview - The Authorization Concept
- Level 1: User ID access (User Master Record)
- Level 2: Transaction Code access (Role/Activity Group/Profile). Examples: SU01, MM01, SPRO
- Level 3: Authorization access (Authorization Object, Field Values). Examples: M_MATE_NEU, S_TABU_DIS

Slide 7: Security Check Example
Tcode: F-43 (Enter an Invoice)
- Authority Check 1: Object S_TCODE, Field TCD = "F-43"
- Authority Check 2: Object F_BKPF_BUK (Authorization for Accounting Documents), Fields ACTVT = "01" (Create) and BUKRS = "1000" (Company Code)

Slide 8: Elements of a Good Role Design (section title)
Copyright © 2003 Americas' SAP Users' Group

Slide 9: Elements of a Good Role Design
- Role-based vs. manual profiles: user menus, tcode controlled
- Tcode-based: not using asterisks or ranges
- Task-based vs. job-based: What is the logical grouping of tcodes with minimal duplication and no segregation of duty conflicts?
- Standardizing control points: Which field-level security control points are we going to implement? What are the risks of not standardizing the control points?

Slide 10: Maintaining the Standard (section title)
Copyright © 2003 Americas' SAP Users' Group

Slide 11: Visibility
- What can they really do? Sensitive objects, sensitive transactions, segregation of duties. Tcode is only half the story!
- Where did it come from? Role (Activity Group) or manual profile; cross-pollination. Ex: F_BKPF_BUK is referenced in over 250 transactions.
- Tool focus: authorization field-level analysis; what-if analysis; query (user driven) vs. detect (automatic)
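The two-step authority check on slide 7, the asterisk-and-range concern on slide 9 and the field-level "what can they really do?" query on slide 11, as an added example (Python, not from the presentation). User, role and profile names are constructed, and the value matching is a simplified assumption rather than SAP's exact semantics.

```python
from dataclasses import dataclass

# Constructed model: Authorization = "cut key" (object + field values), Profile = ring of keys.
@dataclass
class Authorization:
    obj: str
    fields: dict          # field name -> list of granted values

@dataclass
class User:               # user master record: profile name -> [Authorization]
    uid: str
    profiles: dict

def value_allowed(granted, actual):
    """Assumed SAP-style match: '*' = all, trailing '*' = prefix, (lo, hi) = range."""
    for v in granted:
        if v == "*":
            return True
        if isinstance(v, tuple):
            if v[0] <= actual <= v[1]:
                return True
        elif v.endswith("*") and actual.startswith(v[:-1]):
            return True
        elif v == actual:
            return True
    return False

def authority_check(user, obj, **needed):
    """One authorization in any of the user's profiles must cover every requested field."""
    return any(a.obj == obj and all(value_allowed(a.fields.get(f, []), val)
                                    for f, val in needed.items())
               for auths in user.profiles.values() for a in auths)

def can_enter_invoice(user, bukrs):
    # Slide 7: F-43 runs two checks, S_TCODE first, then F_BKPF_BUK.
    return (authority_check(user, "S_TCODE", TCD="F-43")
            and authority_check(user, "F_BKPF_BUK", ACTVT="01", BUKRS=bukrs))

def users_with(users, obj, **needed):
    """Field-level 'who can actually do this?' query over the user base."""
    return sorted(u.uid for u in users if authority_check(u, obj, **needed))

# Constructed users; role and profile names are assumptions.
CLERK = User("AP_CLERK1", {"AP_INVOICE_ENTRY": [
    Authorization("S_TCODE", {"TCD": ["F-43"]}),
    Authorization("F_BKPF_BUK", {"ACTVT": ["01", "03"], "BUKRS": ["1000"]})]})
LEGACY = User("LEGACY1", {"Z_MANUAL_PROFILE": [  # asterisks and ranges
    Authorization("S_TCODE", {"TCD": ["F-*"]}),
    Authorization("F_BKPF_BUK", {"ACTVT": ["*"], "BUKRS": [("1000", "2999")]})]})
```

A tcode-only report shows both users with F-43; only the field-level query reveals that LEGACY1 can post in company codes the clerk role never granted.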

Slide 12: Ownership
- Business involvement? Why: it's their data. How: visibility and workflow approvals
- What is Security's role? Role design, maintenance, control optimization
- Where is the administrator's true value? System watchdog; demand for better controls vs. resource allocation
- Tool focus: automatic request routing; preventative check (forced vs. optional approver); presentation (data vs. information)

Slide 13: Documentation
- Change history: record of action (what, where, when, by whom, why); searchable data. Saved e-mails rarely tell the whole story!
- Meeting audit standards: identification of controls; documentation of testing
- Tool focus: change history / approval record; mitigating controls

Slide 14: Summary
- Where is the control? It's in the process!
- Visibility: current issues and change impact
- Ownership: approval, risk presentation
- Documentation: audit requirements
- Tool focus: what belongs in a tool?
- Reality: when resources are strained, manual processes are the first to go.

Slide 15: Contact Info
Christopher Lane, PwC Security, Manager. Phone: 713-870-6449. Email: christopher.lane@us.pwc.com
Jeremy Stokeld, PwC Security, Sr. Associate. Phone: 713-501-5957. Email: jeremy.stokeld@us.pwc.com

Slide 16: Questions
Copyright © 2003 Americas' SAP Users' Group

Slide 17: Thank you for attending!
Copyright © 2003 Americas' SAP Users' Group
Please remember to complete and return your evaluation form following this session. Session Code: 505

