By making use of axl & trax' expertise, the EFS (Etablissement Français du Sang - French Blood Establishment) has redesigned its authorization concept in SAP.
EFS has the legal monopoly of blood collection and transfusion. Through 15 regional institutions, which are often still heteregeneous, EFS has 10,000 employees spread over 150 sites. The complexity of the authorizations in the SAP ECC 6 ERP system created a security breach. EFS reacted by redesigning its authorization concept, drawing on the expertise of axl & trax.
“EFS started in 2000 and we immediately installed SAP ECC 6 for management with 1500 active users, 180 business functions and 400 task roles,” says Guillaume Belleil, auditor for EFS during his testimony at the USF Convention on October 12th, 2016. The authorization concept was so complex that the content of the task -and function roles was not always really as clear as wanted. In 2004 an incident occurred when a person with too broad access rights leaded to a security breach and this prompted the management to analyze the authorizations in their SAP system.
Implementation of an authorization matrix
In 2005, a first step to improve the security concept resulted in the implementation of a matrix with assigned authorizations. If a person had certain roles, he was prohibited from getting additional authorizations that would lead to too broad access rights and/or SoD conflicts. This basic solution had its disadvantages in some establishments in the provinces.
Between 2006 and 2008, this strict matrix was softened with the implementation of compensating controls to make certain role combinations possible for some regions.
In 2013, there was an evolution of the information system and it was necessary to redesign the matrix to ensure segregation of duties. Guillaume Belleil pointed out: “Authorizations are never assigned to users via single roles directly, only via composite roles”
The complexity of the matrix made the revision difficult. In 2014, a consulting and support phase started and contained an audit as a first step. In 2015, the redesign was launched with the help of axl & trax.
Misleading authorizations
The audit revealed a collection of risks. Using the matrix resulted in more extensive rights than the composite role would suggest. Also, there was confusion about the granted permissions related to a lack of knowledge of SAP function roles and a lack of tools and methods. “We chose to create a matrix based on the reference standards. Many roles, like that of a buyer, which wasn’t significantly different between EFS or another organization”, emphasized Guillaume Belleil. “axl & trax brought a solid reference point based on SAP standards and had the dual of business and technical expertise we needed.”
In 2015, the authorization matrix was defined in a new form, oriented on to SAP's functionalities to avoid granting too broad permissions in the event of changing roles. Furthermore, a strict traceability of the role changes was implemented.
A long-term solution
To achieve their objectives, EFS relied on CSI Role Build & Manage (CSI RBM). CSI RBM is used to build all the roles, it takes the matrix in consideration and avoids inconsistencies and SoD conflicts within the roles. Even more, once the roles were documented, their assignment to people was easily automated. After the single roles were redesigned into “SoD conflict free” roles with the correct authorizations, the next step is to review and redesign the composite roles. When all roles are SoD conflict free and restricted in the proper way, we can further automate the role approval flow with CSI RBM.
Article written by Bertrand Lemaire, CIO Editor-In-Chief
Freely translated from French to English.
For the original French text, please refer to this article's attachment.