
Streamline SAP Business Policy Management

Extend Role-Based Controls Using ABAC Policy Enforcement

As access rules grow in complexity, the SAP role-based authorization model (RBAC) is reaching its limitations.

One-off role derivations have created a “role-explosion” – adding complexity and overhead to role management. And enforcing access controls beyond a user’s role, down to a field-value level, requires unscalable customizations.

SAP ERP Central Component (SAP ECC) and S/4HANA leverage static roles to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes. In addition, static roles remain intact as users move around the organization and change their job scope. Unless constantly provisioned, static roles can quickly become outdated, leaving an organization exposed to potential risk.

Appsian enables organizations to align data governance and business policies. By extending existing static roles with attribute-based controls, access can be dynamically managed. In addition, access deemed risky (based solely on context) can be restricted.

Key Challenges to SAP Access Management

Role-Based Access Controls (RBAC) group users into broad categories known as roles or permission lists. Limited to these static categories, RBAC cannot use dynamic information such as project ID, company code, IP address, location, device type, and more to authorize access. RBAC alone fails to provide the optimum level of security for highly sensitive transactions and data.
Over time, SAP applications become crowded with potentially thousands of roles and permission lists – a phenomenon known as role explosion. Managing these lists and keeping them current requires continuous vigilance and can quickly become one of your most time-consuming jobs. It can also become a potential source of security breaches.
There are situations where custom development is required to add access control restrictions based on dynamic attributes such as IP address, location, nationality, business unit, and project affiliation. However, these customizations create user friction to accommodate slight differences between static and dynamic privileges.

Why Appsian Attribute-Based Access Controls

Appsian takes a data-centric approach to security and compliance. A data-centric security model allows you to align security policies to your business requirements and limit the exposure of sensitive data and transactions. We start at the foundation – your core SAP ERP data and transactions – and add attribute-based access controls and user activity logging and analytics, so you have better visibility into who is accessing and potentially changing your data.

Key Benefits of Attribute-Based Access Controls

Data-Centric Security Policies

Appsian allows you to restrict access to sensitive data and transactions if the context is suspicious. Context can include, for example, user attributes, data attributes, activity type, IP address, user location, time of day, amount of money transacted, the number of transactions, user activity trends, and segregation of duties.

Extending SAP GRC Access Control Policies

For customers using SAP GRC, Appsian can extend existing access control policies, and enhance reporting capabilities. Appsian overlays GRC and leverages what you already deployed to protect your organization.

Data Masking & Redaction

With Appsian, you can choose to mask (fully or partially), block, or redirect access to sensitive data fields across the application using a single policy. Click-to-View field masking prevents unnecessary exposure of sensitive data while still allowing users to view data with expressed intent. Reducing the exposure of PII and other sensitive data improves your regulatory compliance.

Granular Access and Transaction Policies

Customers can reduce the amount of acceptable risk by using granular access controls to strengthen field and transaction-level security. You can block malicious activity in real time and manage privileges by placing limitations on who can access an application, from where, when, how they can access it, and what they can do with it.
