Fine-Grained and Contextual SAP Access Control

Extend SAP’s Authorization Model with Attribute-based Access Controls

As access rules grow in complexity, SAP’s standard role-based authorization model is reaching its limitations. One-off role derivations have created a “role-explosion” – adding complexity and overhead to role management. And enforcing access controls beyond a user’s role, down to a field-value level, requires unscalable customizations.

Enforcing governance policies aligned to global trade regulations, segregation of duties, or the segregation of access between different business units requires an attribute-based layer of access controls beyond standard role-based controls.

Key Challenges

Static Role-Based Policy

Role-Based Access Controls (RBAC) administer access permissions by grouping users into broad categories known as roles or permission lists. Limited to these static categories, RBAC cannot use dynamic information such as project ID, company code, IP address, location, device type, and more to authorize access.

Role Explosion

Over a long period of usage, SAP applications can become crowded with hundreds of roles and permission lists – a phenomenon known as role explosion. Keeping roles and related permissions up to date requires continuous maintenance following user provisioning and de-provisioning, changes in user responsibilities, and more – a process that can be overwhelming and inefficient with role explosion.

Customizations Aren’t Scalable

In scenarios where an attribute is necessary in an access control rule, role customizations are possible – but carry significant weight. Custom development is typically necessary to add access control restrictions based on attributes such as IP address, location, nationality, plant code/business unit, or project affiliation – an approach that is tedious and unscalable.

Why Appsian?

Appsian alleviates security and risk concerns with an adaptive security model tailor-made for SAP enterprise applications. Appsian adds an additional authorization layer to SAP Access Controls, enabling fine-grained and contextual technical controls that align security policies with business and compliance requirements. With granular rules, SAP users can better protect sensitive ERP data and transactions, restrict activity that breaks from policy, and create attribute-based access controls that are easier to manage.

Key Features

Data-Centric Security Policies

Appsian Security Platform allows customers to implement data-centric security policies that enforce access restrictions based on the sensitivity of data. Combined with various access attributes, customers can choose to mask, block, or redirect access to specific high-risk data records. With Appsian, organizations can choose to fully or partially mask sensitive data fields across the application using a single ruleset.

Dynamic Enforcement, Contextual Control

Dynamically adjust user privileges based on contextual attributes such as device, location, IP address, and more. Using the dynamic approach, the context of access automatically determines whether a user will be granted or denied access to a particular transaction, thus preventing SoD violations, regulatory non-compliance, and more.

Field & Transaction Level Granularity

Customers can reduce the amount of risk their organization must accept by using fine-grained controls to tighten field and transaction-level access control. Customers can block malicious activity in real time and manage privileges by placing limitations on who can access an application, from where, when, how they can access it, and what they can do with it.


© 2020 Appsian. All rights reserved. | Privacy Policy