Since its creation in 2000, the French Blood Service, l'Etablissement Français du Sang (EFS), has implemented SAP for its Enterprise Resource Planning and administration. When some dysfunctions were discovered in 2004, an Internal Audit Committee was established to look into the matter. Assisted by a contractor, the Committee quickly uncovered an issue of non-separation of duties in certain processes and was charged with its remediation. Between 2004 and 2006, the Committee worked out a first model of SAP authorizations management, based on roles divided into two levels: single roles, which represent large tasks (composed of transactions), and composite roles, which include the single roles and represent a function. Matrices of conflict management between composite roles were put in place, and procedures for role attribution were implemented and partly automated.
Since then, the ERP system has been steadily growing and many new modules have been implemented, such as SAP Portal, providing data access to the entire user group of EFS employees. Nine years later, EFS decided to review its SAP authorizations management. “Many new modules have been implemented; therefore, we decided that we needed to be audited in order to get a global overview”, explains Nicolas Merlière, the assistant executive director of the audit and strategic management of EFS. For this mission EFS contracted the services of axl & trax.
At project startup, the authorizations management system contained:
• 131 composite roles
• 333 single roles
• 6257 transactions
• 50 roles for the SAP Portal.
The project brought several lines of work together. The first was to scrutinize the organization’s operations, including management of roles and access rights. “axl & trax found that the composite roles in place were rather suited. However, there was an issue with the concept design of the single roles”, says Jean-Nicolas Maupain, internal auditor in the committee of audit and strategic management of EFS.
The second line of work focused on the SAP authorization objects. “The concept of authorization objects has a key role. In fact, it is the object that defines whether it is possible to input an article or to validate a purchase order, for example”, explains Jean-Nicolas Maupain. “Earlier, our approach was strictly based on transactions. We now understand that the authorization objects are of importance.”
The mission objective was not only to strengthen the existing status, but also to prepare for the future. Therefore, axl & trax presented the tool CSI Authorization Auditor (AA), which was used to deliver the first analyses. “This tool helps to identify the risk levels. It also allows us to link compliancy rules (type SOx and others) with the authorizations in SAP,” states Nicolas Merlière.
For EFS, which wished to move closer to the standard, this solution also allowed the implementation of normalized rules, categorized by importance, while incorporating these rules. “This way, we were better equipped to identify the conflicts, allowing us to make a systemic analysis with a solid tool while, among other things, taking the authorization objects into account. Therefore, we reinforce the separation of duties while securing our processes”, adds Jean-Nicolas Maupain. The CSI AA tool also helped strengthen the implementation of a continuous monitoring system at the heart of the organization, which relies heavily on the tool.
Currently, EFS is rebuilding its single roles and progressively remediating the conflicts identified by the audit. “The first approach is to restrict overly broad permissions of certain roles while clarifying the authorizations based on objects. For example, removing the * parameter types, which give all access rights, or by implementing simplified roles, dedicated only to display data”, says Nicolas Merlière. If certain conflicts can’t be resolved this way, EFS plans to implement compensating controls.
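The difference between a transaction-based and an object-based conflict analysis, and the effect of `*` values, can be shown with a small checker. This is an added example, not code from the article or from the CSI tools; the role names, the conflict rule and the field values are constructed, and the authorization objects (S_TCODE, M_BEST_BSA, M_EINK_FRG) are used only for illustration.

```python
WILDCARD = "*"

# Constructed sample roles: each authorization is (object, {field: allowed values}).
ROLES = {
    "Z_BUYER": [("S_TCODE", {"TCD": {"ME21N"}}),
                ("M_BEST_BSA", {"ACTVT": {"01", "02"}, "BSART": {"NB"}})],
    "Z_PO_MONITOR": [("S_TCODE", {"TCD": {"ME29N"}}),
                     ("M_BEST_BSA", {"ACTVT": {"03"}, "BSART": {WILDCARD}})],
    "Z_SUPPORT": [("S_TCODE", {"TCD": {WILDCARD}}),
                  ("M_EINK_FRG", {"FRGGR": {WILDCARD}, "FRGCO": {WILDCARD}})],
}

# Constructed rule set: the object/field checks each business function needs.
FUNCTIONS = {
    "create_po": [("S_TCODE", {"TCD": "ME21N"}), ("M_BEST_BSA", {"ACTVT": "01"})],
    "release_po": [("S_TCODE", {"TCD": "ME29N"}), ("M_EINK_FRG", {"FRGCO": "01"})],
}
CONFLICTS = [("create_po", "release_po")]


def grants(auths, obj, needed):
    """True if one single authorization for obj satisfies every needed field."""
    return any(
        o == obj and all(v in f.get(k, ()) or WILDCARD in f.get(k, ())
                         for k, v in needed.items())
        for o, f in auths
    )


def can_perform(auths, function, objects_too=True):
    """Check a function; objects_too=False mimics a transaction-only analysis."""
    checks = FUNCTIONS[function]
    if not objects_too:
        checks = [c for c in checks if c[0] == "S_TCODE"]
    return all(grants(auths, obj, needed) for obj, needed in checks)


def sod_conflicts(role_names, objects_too=True):
    """Return the conflicting function pairs a user holding these roles can perform."""
    auths = [a for r in role_names for a in ROLES[r]]
    return [(a, b) for a, b in CONFLICTS
            if can_perform(auths, a, objects_too) and can_perform(auths, b, objects_too)]


def wildcard_fields(role):
    """List (object, field) pairs in a role that carry the all-access '*' value."""
    return sorted((obj, field) for obj, fields in ROLES[role]
                  for field, values in fields.items() if WILDCARD in values)
```

With the sample data, the buyer who also holds the monitoring role is flagged by the transaction-only view but not by the object-level view, while the buyer who also holds the wildcard support role is flagged by both.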
Another point of improvement concerns the roles linked to the SAP Portal, which were initially designed separately from the roles of the ECC6 system, with different user identifiers for each system. The combination of the two types of roles causes access anomalies that need to be fixed.
“The risks related to the SAP parameters must be taken into account as well,” warns Nicolas Merlière. “If some element parameters are not correctly set, expert users would be able to access certain objects which they should not be able to address.” Certain support or administration roles must also be restricted, monitored and limited in time. The CSI Emergency Request tool has been acquired, since it enables us to assign such roles strictly on demand while tracing all performed actions.
Finally, the creation of reference roles is planned in order to facilitate their management. “Today, there are 130 roles per region (17 regions), for which only the scope changes”, states Jean-Nicolas Maupain. “Starting from a reference role which could be amended following the area would simplify the role management.”
Freely translated from the French original, first published in USFmag #28 (quarterly magazine, October 2015) in the context of the USF 2015 Convention, titled «Changement de paradigme: vers une séparation effective des habilitations à l'EFS».