Application Development Discussions
SoD ruleset for BW

Former Member
0 Kudos

Hi folks,

Despite being a reporting environment, I wonder if any colleagues have a ruleset for SoD in BW, for even the reports can sometimes reveal information that is confidential (or should be confidential) and/or restricted.

I have seen here in the forum some colleagues with the same question, however dating from 2010 or 2013.

Could it be there is any update on this issue? Or would any colleagues own a SoD ruleset for BW that can be shared?

Regards.

AR.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Andre,

I do not have a BW ruleset that evaluates critical reports, and I'm not sure that you will have luck finding a pre-configured ruleset because reports are very specific to each company. However, it could be developed if you know which reports and "gateways" (authorizations) allow a user to reach the report: you could have your technical SAP security team open a trace on the account of a user who is able to view these reports, and then you could review the trace log to see which authorizations were required to reach the report, then build new ruleset functions and risks from this information. These risks would be "Critical Action" risks (Sensitive Access), and are single-sided SOD risks (there's not a combination of functions, there's a single function = accessing the sensitive reports). There are several Critical Action risks within the standard-delivered SAP ruleset for ECC that you could reference as a model for how to build new Critical Action risks for this purpose.

Aside from BW access relating to reports, you can evaluate your BW system for all of the same Basis-related risks that are being evaluated for ECC. Both systems have similar ABAP foundations, and all of the system-maintenance abilities are the same. Ideally, you would already have your ECC system connector included in a GRC Logical Group "SAP_BAS_LG" or something similar, which is where your Basis ruleset is uploaded, and any system connectors that are assigned to this LG will be evaluated against this same ruleset. Therefore, you would simply need to include the BW system connector within this GRC Logical Group; generate the rules; and then you will be able to run risk analysis against BW just like ECC. At least in this case you will be able to see SOD issues and Critical Actions that your BW technical users have, and you can reduce the risk of one of these users being able to blow up the system. For example, a user having SCC4 and SM30 with Create/Change ability in BW production can be a very bad thing. All of these Basis SODs are already configured in the standard-delivered ruleset.

Hopefully this helps,

Ken
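The two kinds of risk Ken describes, a single-function Critical Action (reaching a sensitive report) and a two-function SOD such as SCC4 plus SM30 with change authority, modelled as a small rule engine. This is an added example, not code from the thread and not SAP GRC's own risk-analysis implementation. The functions, risk IDs, users and the transaction-to-authorization mappings (which authorization-object field values each transaction is assumed to need) are constructed for illustration; in a real ruleset those mappings come from the authorization trace Ken mentions, not from this table.

```python
from dataclasses import dataclass

# A permission is one authorization-object field value, e.g. ("S_TABU_DIS", "ACTVT", "02").
Permission = tuple[str, str, str]


@dataclass(frozen=True)
class Action:
    """One transaction plus the permission values a user needs to actually use it."""
    tcode: str
    permissions: frozenset


@dataclass(frozen=True)
class Function:
    """A capability; it is enabled for a user if ANY of its actions is fully granted."""
    id: str
    actions: tuple


@dataclass(frozen=True)
class Risk:
    """kind is CRITICAL_ACTION (one function) or SOD (two or more functions held together)."""
    id: str
    kind: str
    functions: tuple
    description: str


@dataclass
class UserAuth:
    user: str
    tcodes: set
    permissions: set


def grants(granted: Permission, required: Permission) -> bool:
    """A granted value covers a required one if equal, or if it is the full-authorization wildcard '*'."""
    g_obj, g_fld, g_val = granted
    r_obj, r_fld, r_val = required
    return g_obj == r_obj and g_fld == r_fld and (g_val == "*" or g_val == r_val)


def has_action(ua: UserAuth, action: Action) -> bool:
    """The transaction must be startable AND every required permission value must be granted."""
    if action.tcode not in ua.tcodes:
        return False
    return all(any(grants(g, req) for g in ua.permissions) for req in action.permissions)


def enabled_functions(ua: UserAuth, functions: dict) -> set:
    return {f.id for f in functions.values() if any(has_action(ua, a) for a in f.actions)}


def analyze_user(ua: UserAuth, functions: dict, risks: list) -> list:
    """A risk fires when all of its functions are enabled; for CRITICAL_ACTION that is one function."""
    enabled = enabled_functions(ua, functions)
    return sorted(r.id for r in risks if set(r.functions) <= enabled)


# Constructed ruleset (assumed mappings, not the standard-delivered definitions).
FUNCTIONS = {
    "ZBW_SENSITIVE_RPT": Function("ZBW_SENSITIVE_RPT", (
        Action("RSRT", frozenset({("S_RS_COMP", "COMPID", "ZHR_SALARY_Q01"),
                                  ("S_RS_COMP", "ACTVT", "16")})),)),
    "ZBAS_CLIENT_SETTINGS": Function("ZBAS_CLIENT_SETTINGS", (
        Action("SCC4", frozenset({("S_TABU_DIS", "DICBERCLS", "SS"),
                                  ("S_TABU_DIS", "ACTVT", "02")})),)),
    "ZBAS_TABLE_MAINT": Function("ZBAS_TABLE_MAINT", (
        Action("SM30", frozenset({("S_TABU_DIS", "ACTVT", "02")})),)),
}

RISKS = [
    Risk("ZB001", "SOD", ("ZBAS_CLIENT_SETTINGS", "ZBAS_TABLE_MAINT"),
         "Change client settings and maintain tables directly in production"),
    Risk("ZR001", "CRITICAL_ACTION", ("ZBW_SENSITIVE_RPT",),
         "Execute the HR salary query"),
]

# Constructed user authorization data (what an extract of a user's roles might look like).
USERS = [
    UserAuth("basis_admin", {"SCC4", "SM30", "SU01"},
             {("S_TABU_DIS", "DICBERCLS", "SS"), ("S_TABU_DIS", "ACTVT", "02")}),
    UserAuth("hr_analyst", {"RSRT"},
             {("S_RS_COMP", "COMPID", "*"), ("S_RS_COMP", "ACTVT", "16")}),
    UserAuth("display_user", {"SCC4", "SM30"},
             {("S_TABU_DIS", "ACTVT", "03")}),  # display only: no change risk
]


def analyze_all() -> dict:
    return {ua.user: analyze_user(ua, FUNCTIONS, RISKS) for ua in USERS}


if __name__ == "__main__":
    for user, hits in analyze_all().items():
        print(user, hits or "no risks")
```

Two details matter for getting the same answer GRC would: a wildcard grant (`*`) on a field satisfies any required value, so a broadly authorized BW user still trips the Critical Action; and owning the transaction codes alone (display_user has both SCC4 and SM30) does not fire the SOD risk when the change activity is missing, which is why the trace step is needed to find the real "gateway" values rather than listing transactions only.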

7 REPLIES


0 Kudos

Hi Ken,

Your answer matches my feelings and thoughts related to this topic and definitely helps me a lot to establish the base argument within the company.

Once more, thank you for your prompt answer and apologies for my late answer back to you.

Regards.


AR

Former Member
0 Kudos

Hi Andre,

Attached is an analysis of the BW authorization objects. Use these files as a starting point to quickly build your custom BW rule set.

Best regards

TJ de Jong

0 Kudos

TJ de Jong,

Thank you for your valuable contribution.


Regards.


AR

0 Kudos

Thank you. I may build a (generic) BW rule set within the next 1-3 months.

BTW, please reward points if the answer(s) are satisfactory.

0 Kudos

Ken,

I'm pretty "new" to this platform, so what is the way to reward the answers? Just liking them?

Regards.


AR

0 Kudos

You can mark the question as answered.