As access rules grow in complexity, SAP’s standard role-based authorization model is reaching its limitations. One-off role derivations have created a “role-explosion” – adding complexity and overhead to role management. And enforcing access controls beyond a user’s role, down to a field-value level, requires unscalable customizations.
Role-Based Access Controls (RBAC) administer access permissions by grouping users into broad categories known as roles or permission lists. Limited to these static categories, RBAC cannot use dynamic information such as project id, company code, IP address, location, device type, and more to authorize access.
Over a long period of usage, SAP applications can become crowded with hundreds of roles and permission lists – a phenomenon known as role explosion. Keeping roles and related permissions up to date requires continuous maintenance following user provisioning and de-provisioning, changes in user responsibilities, and more – a process that becomes overwhelming and inefficient once role explosion has set in.
In scenarios where an attribute is necessary in an access control rule, role customizations are possible – but carry significant overhead. Custom development is typically necessary to add access control restrictions based on attributes such as IP address, location, nationality, plant code/business unit, or project affiliation – an approach that is tedious and unscalable.
Appsian alleviates security and risk concerns with an adaptive security model tailor-made for SAP enterprise applications. Appsian adds an additional authorization layer on top of SAP Access Controls, enabling fine-grained and contextual technical controls that align security policies with business and compliance requirements. With granular rules, SAP users can better protect sensitive ERP data and transactions, restrict activity that deviates from policy, and create attribute-based access controls that are easier to manage.
Appsian Security Platform allows customers to implement data-centric security policies that enforce access restrictions based on the sensitivity of data. Combined with various access attributes, customers can choose to mask, block, or redirect access to specific high-risk data records. With Appsian, organizations can choose to fully or partially mask sensitive data fields across the application using a single ruleset.
Appsian can dynamically adjust user privileges based on contextual attributes such as device, location, IP address, and more. With this dynamic approach, the context of the access request determines whether a user is granted or denied access to a particular transaction, which helps prevent SoD violations, regulatory non-compliance, and more.
Customers can reduce the amount of accepted risk their organization must carry by using fine-grained controls to tighten field- and transaction-level access. Customers can block malicious activity in real time and manage privileges by placing limitations on who can access an application, from where, when, how they can access it, and what they can do with it.
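As an added illustration (not Appsian's code or rule set), a small Python policy evaluator showing the layering the two preceding paragraphs describe: a static role grants a transaction, and attribute rules on company code, source IP and device type then decide whether the request is allowed, blocked, or served with sensitive fields partially masked. The transaction codes, network range, device categories and vendor record are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: a classic RBAC role mapping and a trusted network.
RBAC_ROLES = {"AP_CLERK": {"FB60", "FBL1N"}}      # role -> permitted transaction codes
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical on-premises range
SENSITIVE_FIELDS = {"IBAN", "TAX_ID"}               # fields subject to masking


@dataclass
class Context:
    """Attributes of one access request; a static role cannot express these."""
    user: str
    role: str
    tcode: str
    source_ip: str
    device: str                 # "managed" or "byod"
    company_code: str           # company code of the record being accessed
    user_company_codes: set     # company codes the user is assigned to


def partial_mask(value, visible=4):
    """Replace all but the last `visible` characters with asterisks."""
    return "*" * max(len(value) - visible, 0) + value[-visible:]


def authorize(ctx):
    """Return 'allow', 'mask' or 'block' for the request described by ctx."""
    # Step 1: the role must grant the transaction at all (plain RBAC).
    if ctx.tcode not in RBAC_ROLES.get(ctx.role, set()):
        return "block"
    # Step 2: attribute rules layered on top of the role.
    if ctx.company_code not in ctx.user_company_codes:
        return "block"                          # organisational scoping
    on_prem = ipaddress.ip_address(ctx.source_ip) in CORPORATE_NET
    if not on_prem and ctx.device == "byod":
        return "block"                          # untrusted network and device
    if not on_prem or ctx.device == "byod":
        return "mask"                           # one risk factor: partial masking
    return "allow"


def render_record(ctx, record):
    """Apply the decision to a vendor record (dict of field -> value)."""
    decision = authorize(ctx)
    if decision == "block":
        return None
    if decision == "allow":
        return dict(record)
    return {k: partial_mask(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}
```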