Practical Guide to Authorizations in SAP - Design and Maintenance

Dec 1, 2025

188 Pages
English

Description

ISBN: 9783960124955

Level: Advanced

Release:

Publisher: Espresso Tutorials GmbH

Sample:

2.1   Regulations

Wherever in the world a company operates, there are always regulations it has to comply with in order to operate legally. These regulations can relate to data protection and cybersecurity, accountability in terms of taxes and financial governance, and measures to ensure the quality and safety of products and services. All these different regulations have one thing in common—companies need a proper authorizations concept in their SAP systems in order to be compliant.

Depending on a company’s geographical region, industry, size, and legal ownership, regulations of various origins, nature and detail can apply to the systems being operated. There are generally four important types of regulations, all of which impact a company’s SAP authorization concept:

  • Data protection
  • Regulations and the “need-to-know” principle
  • IT security
  • Financial and operational compliance

2.1.1   Data protection

Data protection regulations such as EU-GDPR (European Union General Data Protection Regulation) or PIPL (Personal Information Protection Law) aim to protect personal data from misuse and unauthorized disclosure and distribution. Given the variety and quantity of personal data contained in any SAP system—from employee data to highly sensitive data such as that relating to people in witness protection programs—it is highly unlikely that an SAP system will not be affected by legal compliance requirements.

2.1.2   Regulations and the need-to-know principle

Whatever regulations the SAP system must comply with, most decisions regarding its exact design, the quantity and content of roles, and the assignment of roles to users all adhere to one core guideline—the need-to-know principle, also known as the principle of least privilege.

Principle of least privilege—one role per person?

A common question that arises when discussing the need to comply with the principle of least privilege in authorization concepts is: does that mean the company needs one role per person?

That would be considered impossible!

Some stakeholders point out that the variety of functions and responsibilities in their company makes it impossible to reduce access, because the company is small and everybody has many tasks, in different combinations.

Like many other areas, IT security is one where compromises between security, feasibility, and business impact need to be reached. Most companies find it impossible to create, assign and maintain an authorization role strictly containing one employee’s rights in order to comply 100% with the principle of least privilege. Most companies, however, are able to describe the positions that perform certain processes and identify the tasks that belong to that position’s responsibilities. These two levels, the position and the task, are the key concepts in the overall role structure.

2.1.3   IT security

IT security regulations address risks that relate only indirectly to an end user’s business activities: risks arising from the associated IT components—software, customizing, parameter settings, connectivity with other systems, the patching strategy applied, or the overall vulnerability management. These regulations also govern the administration of SAP systems, including their authorization concept.

2.1.4   Financial and operational compliance

Regulations relating to financial and operational compliance aim to prevent fraud and minimize consumer risks. Fundamentals such as the principle of completeness and erasure prohibition (restricting the deletion or removal of data) in accounting tasks need to be observed without any compromises. This has very clear implications for a company’s authorization concept.

DORA regulation—need-to-know principle

Article 21 of the Digital Operational Resilience Act (DORA) states that “access rights to information assets, ICT assets, and their supported functions, and to critical locations of operation of the financial entity, are managed on a need-to-know, need-to-use and least privileges basis, including for remote and emergency access” (Commission delegated regulation 2024/1774 with regard to 2022/2554 of the European Parliament and of the Council of 14 December 2022).
