
Fine-Grained And Contextual SAP Access Control

Extend SAP’s Authorization Model with Attribute-based Access Controls

As access rules grow in complexity, SAP’s standard role-based authorization model is reaching its limitations.

One-off role derivations have created a “role-explosion” – adding complexity and overhead to role management. And enforcing access controls beyond a user’s role, down to a field-value level, requires unscalable customizations.

Enforcing governance policies aligned to global trade regulations, segregation of duties, or the segregation of access between different business units requires an attribute-based layer of access controls beyond standard role-based controls.

Key Challenges

Role-Based Access Controls (RBAC) administer access permissions by grouping users into broad categories known as roles or permission lists. Limited to these static categories, RBAC cannot use dynamic information such as project id, company code, IP address, location, device type, and more to authorize access.
Over a long period of usage, SAP applications can become crowded with hundreds of roles and permission lists – a phenomenon known as role explosion. Keeping roles and related permissions up to date requires continuous maintenance following user provisioning and de-provisioning, changes in user responsibilities, and more – a process that can be overwhelming and inefficient with role explosion.
In scenarios where an attribute is necessary in an access control rule, role customizations are possible – but carry significant weight. Custom development is typically necessary to add access control restrictions based on attributes such as IP address, location, nationality, plant code/business unit, or project affiliation – an approach that is tedious and unscalable.

Why Appsian

Appsian alleviates security and risk concerns with an adaptive security model tailor-made for SAP enterprise applications. Appsian adds an additional authorization layer to SAP Access Controls, enabling fine-grained and contextual technical controls that align security policies with business and compliance requirements. With granular rules, SAP users can better protect sensitive ERP data and transactions, restrict activity that breaks from policy, and create attribute-based access controls that are easier to manage.

Key Features

Data-Centric Security Policies

Appsian Security Platform allows customers to implement data-centric security policies that enforce access restrictions based on the sensitivity of data. Combined with various access attributes, customers can choose to mask, block, or redirect access to specific high-risk data records. With Appsian, organizations can choose to fully or partially mask sensitive data fields across the application using a single ruleset.

Dynamic Enforcement, Contextual Control

Dynamically adjust user privileges based on contextual attributes such as device, location, IP address, and more. Using the dynamic approach, the context of access automatically determines whether a user will be granted or denied access to a particular transaction, thus preventing SoD violations, regulatory non-compliance, and more.

Field & Transaction Level Granularity

Customers can reduce the amount of accepted risk their organization must endure by using fine-grained controls to tighten field and transaction-level access control. Customers can block malicious activity in real time and manage privileges by placing limitations on who can access an application, from where, when, how they can access it, and what they can do with it.
