
Monday, October 22, 2007

Re-Engineering SAP Complex roles

Last week I visited a large European telecomm company in order to assist and consult them on their SAP system access rights.

In the first couple of days, we dedicated the time to analyze the data that was imported into Eurekify/Sage and generate many cleansing reports. A cleansing project is an essential process before any RBAC project.

By the way, the import of data was done by using the Eurekify built-in connectors to SAP.

The cleansing analysis was done on 2 levels:
1. Roles (complex and simple)
2. Authorization objects and fields.

The second phase of the analysis revealed astounding facts about their current roles:

1. The complex roles covered only 2% of the users!!
2. Most of the access rights were not via complex roles, but rather directly to simple roles. Only 4% of the access rights to simple roles were via complex roles.
3. They had many dual access rights to “simple role” which means that a user had access to the simple role directly and also via a complex role.
4. They found that they had many simple roles that could be merged.
5. Many simple roles could be deleted since they were not used any more.

The highlight of the project was the SAP complex role re-engineering. We reverse-engineered the “complex roles” and deleted them.

Within 1 day of (partial!!) role engineering, we managed to create new complex roles (20% fewer than they had before), however:
1. The new roles covered 40% of the users!!
2. The new roles covered 26% of the access rights to “Simple Roles”!!

In the upcoming weeks the project will continue in 2 layers:
1. Cleansing the SAP access rights data from complex roles down to the fields.
2. Continuing with the Role Engineering in order to create a full model of complex roles.

Are you interested in applying this experience to your SAP system?
If yes, feel free to contact me.

Ilan Sharoni
http://www.eurekify.com/

Wednesday, October 17, 2007

When was the last time you ran a “health check” on privileges in your Top Secret system?

I was driven to write this short article due to a recent visit I made to a large bank that has been using TSS for over 20 years. This short questionnaire is designed for Top Secret administrators and Security Directors.

Below, you will find Eurekify’s average statistics for some of the questions.

1. Do you know how many dead accounts you have in your TSS system?

2. Do you know how many dead transactions you have in your TSS system?

3. Do you know how many dead profiles you have in your TSS system?

4. Do you know how many profiles have exactly the same users, or overlap by 80%? Would it be interesting to try and merge a few of them?

5. Do you know how many profiles provide access to exactly the same transactions or data sets, or overlap by 80%? Would it be nice to try and merge them?

6. Do you know how many users have direct access rights to transactions (not via a profile)? In addition, how many direct links does each user have? Would you like to get this detailed report?

7. Do you want to quickly figure out profiles to which direct access rights may be assigned?

8. Do you know how many users have “dual access” rights to transactions (i.e., via a profile as well as directly)? How many dual links does each user have? Would you like to get this detailed report?


9. Do you know how many users have out-of-pattern privileges to profiles or direct access rights? For example, analysis of HR attributes and other access rights may reveal people that moved to a new job, but retained access rights.


10. Over the years, you have probably established a few “rules” to govern the distribution of access rights in your TSS. Do you want to automatically verify that these rules are upheld?

11. Your auditors probably ask you to implement a few other rules such as segregation of duty and other constraints on the assignment of privileges, especially to sensitive and high-risk transactions and data. Do you want to automatically verify that these rules are upheld, and to be able to easily provide them with a report that proves so?

12. Would it be nice to be able to answer complex queries on access rights with a few clicks in a visual browser?
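The checks behind questions 1 to 8 above, and the findings in the SAP post (profile coverage, direct versus via-profile links, dual links, mergeable profiles, dead accounts and dead profiles), as an added Python example; this is not Eurekify/Sage code, and the users, profiles and transaction names are constructed sample data.

```python
from itertools import combinations

# Constructed sample (not from the posts): profiles each user holds (SAP complex
# roles / TSS profiles), entitlements held directly (simple roles / transactions),
# and what each profile grants.
USER_PROFILES = {"alice": {"P_FINANCE"}, "bob": {"P_FIN_COPY"}, "carol": {"P_HR"},
                 "dave": set(), "erin": set(), "frank": set()}
USER_DIRECT = {"alice": {"FB01"}, "bob": set(),       # alice: FB01 also via P_FINANCE (dual)
               "carol": {"PA30", "FB01"},             # PA30 dual, FB01 direct-only
               "dave": {"FB01", "FB02"}, "erin": {"PA30"}, "frank": set()}  # frank: dead account
PROFILE_ENTITLEMENTS = {"P_FINANCE": {"FB01", "FB02", "FB03", "FB04"},
                        "P_FIN_COPY": {"FB01", "FB02", "FB03", "FB04", "FB05"},
                        "P_HR": {"PA30"},
                        "P_LEGACY": {"ZOLD"}}  # nobody holds it: dead profile

def via_profiles(user):
    """Entitlements the user reaches through the profiles they hold."""
    return set().union(*(PROFILE_ENTITLEMENTS[p] for p in USER_PROFILES[user]))

def link_report(user):  # split one user's entitlements into via-profile, direct-only, dual
    via, direct = via_profiles(user), USER_DIRECT[user]
    return {"via_profile": via - direct, "direct_only": direct - via, "dual": via & direct}

def link_totals():
    """Link counts over all users plus the share of links that go through a profile."""
    tot = {"via_profile": 0, "direct_only": 0, "dual": 0}
    for u in USER_PROFILES:
        for kind, links in link_report(u).items():
            tot[kind] += len(links)
    tot["via_share"] = (tot["via_profile"] + tot["dual"]) / sum(tot.values())
    return tot

def profile_coverage():            # share of users holding at least one profile
    return sum(1 for p in USER_PROFILES.values() if p) / len(USER_PROFILES)
def dead_accounts():               # users with no profile and no direct link
    return sorted(u for u in USER_PROFILES if not USER_PROFILES[u] and not USER_DIRECT[u])
def dead_profiles():               # profiles no user holds
    return sorted(set(PROFILE_ENTITLEMENTS) - set().union(*USER_PROFILES.values()))
def members():                     # profile -> set of users holding it
    return {p: {u for u, ps in USER_PROFILES.items() if p in ps} for p in PROFILE_ENTITLEMENTS}

def merge_candidates(sets, threshold=0.8):
    """Profile pairs whose sets (members or entitlements) overlap by >= threshold (Jaccard)."""
    out = []
    for a, b in combinations(sorted(sets), 2):
        union = sets[a] | sets[b]
        if union and len(sets[a] & sets[b]) / len(union) >= threshold:
            out.append((a, b))
    return out
```

Run `merge_candidates(members())` for question 4 (same users) and `merge_candidates(PROFILE_ENTITLEMENTS)` for question 5 (same transactions); `link_totals()["via_share"]` is the figure the SAP post reports as 4% before and 26% after re-engineering.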


On a higher level:
1. Would you be interested in designing and implementing a role-based access control (RBAC) framework within TSS and across TSS and other enterprise platforms?
2. Would you be interested in establishing and managing a governance, risk, and compliance management framework within TSS and across TSS and other enterprise platforms?

Eurekify estimates for an average TSS:

# of dead accounts: 5%-15%
# of dead transactions: 10%-40%
# of overlapping profiles: 30%
# of users that have direct access rights: 50%
# of users that have out-of-pattern access rights: 20%-40%


For TSS, we built a special connector that makes it easy to run an initial evaluation in a matter of 3-5 days. You will usually start to see substantial results in the FIRST day.
Let me know if you want a demo on your own TSS system.

Ilan Sharoni
http://www.eurekify.com/