Attribute Based Access Control for SAP


Key Takeaways

⇨ Regulatory Compliance: Global businesses must navigate complex regulatory requirements, such as ITAR, and ensure secure access to sensitive data by integrating location and user-specific attributes into their SAP environments.

⇨ Role-Based Access Control: SAP's RBAC system provides structured and efficient management of user roles and permissions, preventing unauthorized access and potential fraud within large organizations.

⇨ Hybrid Authorization Approach: Combining SAP's RBAC with Attribute-Based Access Control (ABAC) optimizes data security by dynamically managing access based on contextual attributes, reducing administrative burdens and enhancing compliance.

INTRODUCTION
Data security has become one of the most significant challenges for global businesses. Requirements are driven by a variety of sources, including government compliance, lack of data identification, product development in trade-restricted countries where legal protections are inadequate, data leakage beyond project teams due to mishandling, insecure or unmonitored data transfer or distribution between supply chain partners, and data lost on unprotected laptops, removable drives, or mobile devices. This guide discusses the features and roles of functional and data-access-level controls and how they interoperate to address the data security challenges that companies operating globally face within the context of their enterprise SAP landscape.

BUSINESS REQUIREMENTS
Large organizations are increasingly dealing with regulatory compliance issues such as CWC, FDA 21 CFR Part 11, ITAR, EAR, BAFA, DOE 810, NERC/CIP and SEC, among others. Securing intellectual property is also a major concern, as growing a business often necessitates increased collaboration, both internal and external, in areas such as product and engineering, supply chain, partnerships and joint ventures. In order to support these business scenarios within an SAP environment, it is necessary to incorporate attributes such as access location, time of day, export license, user citizenship, or project/program assignment. Consider a US-based product manager of a US corporation whose product is subject to ITAR regulations but has both government and commercial applications. The business rule for compliance may be that ITAR data in SAP is only accessible by US persons while in US locations. When she is on a business trip to Singapore meeting with her suppliers in their APAC regional HQ, exposing material data, CAD drawings or BOMs stored in SAP would be a violation of ITAR.
