Segregation of duties - setting / adjusting the user group
Segregation of duties is important for protecting the company from the risks of misused authorizations. For user administrators and role assigners in SAP systems, the user group (part of the user master data), combined with excluding one's own user group in the authorizations, is a way to implement this.
This article shows how simple it can be to ensure that the right user group is assigned to user admins and role assigners.
Apart from this perhaps special use case, the article also shows how easily and quickly "Shortcut for SAP systems" can be used, and how the often time-consuming development and deployment of ABAP reports can be reduced!
In a nutshell, this is the principle for implementing this segregation of duties for user admins and role assigners:
1.: Assign a specific user group to each of your user admins and role assigners, e.g. "SUPER_DLG1" for the 1st person, "SUPER_DLG2" for the 2nd person and so on.
2.: Use a specific role for each user admin / role assigner, which has a restricted range for the field CLASS in the authorization(s) for object S_USER_SAS (or S_USER_GRP, in case you have deactivated the use of S_USER_SAS). Let's name it Z_USER_ADMIN_1 / ...2 and so on.
With these settings the segregation of duties for the displayed user is fine. The user group of the user admin / role assigner is excluded in the assigned role, therefore self-maintenance is not possible. At the moment. Now. But... the role can also be assigned to another user, and possibly the user group will not be adjusted - this is likely the case when the role is assigned via an IdM tool. Or the user group is changed by mistake. If the role assignment on the one hand and the assigned user group on the other hand do not match, it is possible to maintain one's own account. This will be noticed at the next audit at the latest!
So, our requirement is that each user with a valid assignment of role Z_USER_ADMIN_1 (...2, ...3, ...) must be assigned to user group SUPER_DLG1 (...2, ...3, ...) - now, next week, next month - we must be able to rely on it.
How to achieve this? Of course you can develop a program that does this. Here I would like to describe a faster method.
In "Shortcut for SAP systems" we have the "Update table data" function, which can easily be used for this. No development of an ABAP report is necessary, just spend a minute or two on an SQL UPDATE statement:
Of course we have to choose the connection to the SAP system (1). Then we specify the client (2), because the function also allows data to be updated in clients other than the one used in the connection. The user group is stored in table USR02 (3) in field CLASS (4), and the new value should be 'SUPER_DLG1' (5) for all users that (6)
- are currently not assigned to user group 'SUPER_DLG1',
- have user type 'A' or 'S' (meaning: dialog users),
- are currently assigned to role Z_USER_ADMIN_1 or Z_AUTH_ASSIGN_1.
Now let's make a test. We assign another user group to the user; after this we execute the "Update table data" function.
Clicking on the "View output" button we can see that an update of 1 record was done. Consequently the user group SUPER_DLG1 is assigned to the user.
So this works. But there is one point still open: we also want users to be assigned to another group in case the role Z_USER_ADMIN_1 is no longer assigned - after all, these users are to be taken out of this special user group once the equally special authorizations are no longer there. For this we have to execute a second update with only 3 small changes:
With this we assign another user group (here: 'IT (Others)') to users currently assigned to group SUPER_DLG1 but without an assignment to the roles Z_USER_ADMIN_1 and Z_AUTH_ASSIGN_1 valid for the current date. This reverts these users 'back to normal users' and makes them maintainable by the current administrators.
Up to now - in the context of setting up the procedure - we executed the updates of the user group manually. But of course our goal is to automate this.
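The two UPDATE statements described above (assign SUPER_DLG1 to users holding the admin roles, and revert users in SUPER_DLG1 who no longer hold them), written out as an added example; this is not the tool's own syntax or a screenshot from the article. It runs the statements against constructed in-memory copies of USR02 and a role-assignment table, for which I assume SAP's standard AGR_USERS field names (UNAME, AGR_NAME, FROM_DAT, TO_DAT); the user names, dates and group values in the sample data are constructed.

```python
import sqlite3

# Constructed mini-copies of the two SAP tables involved, reduced to the fields needed.
# USR02 (user master): BNAME user name, USTYP user type, CLASS user group.
# AGR_USERS (role assignments, field names assumed): UNAME, AGR_NAME, FROM_DAT, TO_DAT.
SCHEMA = """
CREATE TABLE USR02 (MANDT TEXT, BNAME TEXT, USTYP TEXT, CLASS TEXT);
CREATE TABLE AGR_USERS (MANDT TEXT, AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT);
"""

# Subquery shared by both updates: users holding one of the admin roles on :today.
CURRENT_ADMINS = """SELECT UNAME FROM AGR_USERS
    WHERE MANDT = :mandt AND AGR_NAME IN ('Z_USER_ADMIN_1', 'Z_AUTH_ASSIGN_1')
      AND FROM_DAT <= :today AND TO_DAT >= :today"""

# Update 1: dialog users (type A or S) with a valid admin role must be in SUPER_DLG1.
ASSIGN_GROUP = f"""UPDATE USR02 SET CLASS = 'SUPER_DLG1'
    WHERE MANDT = :mandt AND CLASS <> 'SUPER_DLG1' AND USTYP IN ('A', 'S')
      AND BNAME IN ({CURRENT_ADMINS})"""

# Update 2: users still in SUPER_DLG1 without a valid admin role go back to a normal group.
REMOVE_GROUP = f"""UPDATE USR02 SET CLASS = 'IT (Others)'
    WHERE MANDT = :mandt AND CLASS = 'SUPER_DLG1' AND BNAME NOT IN ({CURRENT_ADMINS})"""

def sync_user_groups(conn, mandt, today):
    """Run both updates for one client; returns (rows assigned, rows removed)."""
    params = {"mandt": mandt, "today": today}
    assigned = conn.execute(ASSIGN_GROUP, params).rowcount
    removed = conn.execute(REMOVE_GROUP, params).rowcount
    return assigned, removed

def demo():
    """Constructed sample data covering the cases the updates must and must not touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USR02 VALUES (?,?,?,?)", [
        ("100", "ADMIN1", "A", "IT (Others)"),  # valid role, wrong group -> SUPER_DLG1
        ("100", "EXADMIN", "A", "SUPER_DLG1"),  # role expired -> back to IT (Others)
        ("100", "BATCH1", "B", "IT (Others)"),  # system user with role -> untouched
        ("100", "USER1", "A", "IT (Others)"),   # no admin role -> untouched
        ("200", "ADMIN1", "A", "IT (Others)"),  # other client -> untouched
    ])
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?,?)", [
        ("100", "Z_USER_ADMIN_1", "ADMIN1", "20240101", "99991231"),
        ("100", "Z_USER_ADMIN_1", "EXADMIN", "20230101", "20231231"),
        ("100", "Z_AUTH_ASSIGN_1", "BATCH1", "20240101", "99991231"),
        ("200", "Z_USER_ADMIN_1", "ADMIN1", "20240101", "99991231"),
    ])
    counts = sync_user_groups(conn, "100", "20240115")  # dates in SAP's YYYYMMDD text form
    return counts, dict(conn.execute("SELECT BNAME || '@' || MANDT, CLASS FROM USR02"))
```

The MANDT filter corresponds to the client chosen in step (2), and the validity check on FROM_DAT/TO_DAT is what makes the second update apply only to users whose role assignment is no longer valid for the current date.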
We can do this with the command line tool with variants...
or by using XML files. An XML file for assigning the user group SUPER_DLG1 (for users with current assignment of the specific roles) and for removing the user group (for users which currently have user group SUPER_DLG1, but are not assigned anymore to the specific roles) would look like this:
With an XML file you do not need to maintain a separate variant for each system you want to apply this procedure to. So for use with more than one system, I personally prefer XML files for the command line tool instead of variants. You can easily add more tasks to the XML file, for example for doing the same for the 2nd user admin / authorization assigner, or for doing this on other SAP systems.
Ok, let's run the command line tool with the XML file.
Ooops, first task ran fine, but the 2nd ended with a warning! Why?
It is just because the 2nd task did not find any data to be updated. "Done. 0 updated rows"
There was no user currently assigned to user group SUPER_DLG1 but without valid assignment to the specific roles. Just nothing to do...
As the command line tool works at OS level, this can easily be turned into an automated job running daily on your SAP systems. With this you can be sure that the segregation of duties for user admins and authorization assigners is enforced in the system, and there will be no more findings for it in the next audit.