Security Strategies for HCM Implementations
Scott Goolik, Director of Security and Controls - Symmetry
Kellie Fitzpatrick, COO – Symphony Consulting
June 16, 2010
Download the presentation recording with audio from the
Symmetry Knowledge Center
www.sym-corp.com/knowledge-center
Introducing…
Scott Goolik
Director of Security & Controls –
Symmetry Corporation
14 years' experience in SAP security
Lead architect for ControlPanelGRC
compliance automation tools
21st Century ERP Model
Quality – proactive support
delivered by US-based experts
Accessibility – 24x7 direct access
to your support team
Affordability – highly competitive,
fixed price contracts
Symmetry Corporation
Established 1996
Based in Milwaukee WI
100% SAP focus
All SAP applications
All platforms
Symphony Management Consulting
• One of the leading providers of SAP HCM consulting services
• Established in 2002 and led by experienced SAP HCM consultants
• We strive to not only assist you in your current need, but to become
a trusted advisor to your organization
• SAP Services Partner since 2007
• Industry focus includes Chemicals, Healthcare & Biotech, Manufacturing & Distribution, Pharmaceuticals and State & Local Government
• Need help from an expert? Symphony’s experts provide complimentary answers to some of your most difficult questions!
• Visit us at http://www.symphonyhcmexperts.com
Introducing
• Kellie Fitzpatrick– Chief Operating Officer
– Co-owner Symphony Consulting
– Over 15 years' experience in scoping, planning, implementing and upgrading SAP Human Resources
What We Will Learn
• Determine when you should consider a separate
landscape and when you should consider a combined
landscape.
• Understand the limitations of implementing on a
separate instance and the level of maintenance required.
• See real-life examples of companies that have
implemented on separate landscapes, those that have
implemented on the same landscape, and why that
decision was right for them.
Single vs. Separate SAP Instances When Implementing HCM
• What does it mean?
– Single Instance
• One instance of SAP across all business functions
• One transport path across all systems
• When SAP is currently installed on a single landscape, it is Dev, QA, Prod only
– Separate Instance
• There are two different SAP instances running
– Potentially one for FI, MM, SD, PM, CRM
– Another for HCM
• Each landscape has its own transport path; data is interfaced between the two systems via ALE
– Data is configured twice (once on each system)**
• There are usually two of each system (Dev, QA and Prod for each instance)
** This typically means double maintenance and can result in inaccurate data or data integrity issues
Single Instance Advantages
• Real-time data for all business functions in one system
• No need to transfer data between instances via an interface (ALE) or to duplicate configuration
• HR support packs can be applied on their own (ECC 5.0 and later) without touching the other modules
• Configuration is tested, transported and built to meet the total business requirements once, in one system
• Master data is accessed through a single point of entry
– Global headcount reporting
– Compliance reporting
– Budget preparation
• One system to maintain, with reduced costs
• Security administration must be monitored on an ongoing basis
– ControlPanelGRC can help and will be discussed later in this presentation
Single System Disadvantages
• HCM requires support packs and updates multiple times a year
– Usually four times a year, and always at year-end
– Typically requires the entire organization to accept a few hours of downtime, usually over a weekend
• Requires Unicode compliance if implementing in multiple countries
– Language and currency issues must be addressed
• At least ECC 5.0 is needed for HCM Talent Management functionality
– ECC 6.0 is encouraged due to functionality enhancements
– Enhancement Package 4 or above should also be installed
Benefits of a Separate system for HCM
• One system which is dedicated to only HCM data requirements
• The organization is running multiple large payrolls across multiple countries
– Can cause the system to run slower if run during the workday
• Either way, we would recommend you run payroll after hours in a batch session
• Time is evaluated for a large employee population at the same time
– Can cause the system to run slower if run during the workday
• Either way, we would recommend you run time evaluation after hours in a batch session
• Safe Harbor and other data protection rules may prevent employee data from being housed in a different country
– If this is a concern, other entities have procured waivers from their employees to allow this to be done ~ P&G, Coke, PolyOne
Separate System Advantages
• Ability to upgrade and apply support packs whenever necessary
– System downtime for the rest of the organization is decreased
• Ability to implement SAP HCM with the “latest and greatest”
functionality if the rest of the organization is on a lower SAP
version
• Ability to run payroll/time across multiple countries with minimal
impact to departments outside HR
• Localization issues arising from Safe Harbor restrictions are
minimized or eliminated
Separate System Disadvantages
• An ALE interface needs to be created and run for the FI/CO data HR requires
– Cost Centers
– G/L Accounts
– Work Orders
– Activity Types
• Loss of the real-time view that one system gives
– Reporting may lag by up to 24 hours (one ALE cycle)
– Objects that tie HR to FI/CO must be set up on both sides
• Positions, Departments, Jobs (Cost Center integration)
• Users may need to sign into multiple systems to complete their position responsibilities
Separate System Disadvantages (continued)
• Additional Costs may be incurred by
– Multiple upgrades
– Multiple support streams
– Multiple configuration tasks
– Multiple system maintenance
• Requirement to understand two landscapes with multiple
types of configuration with very different data
• When either system is upgraded, the interface must be tested on both systems to ensure the data flow is not broken
Common Misconceptions of
Why a Separate Instance is Needed
• HR support packs require us to apply support packs for
every other module
• There is too much HR data to allow us to incorporate it on one instance
• Reporting is much more labor intensive
• Security issues are major
– HR data is not secure if it is on the same system
– Employees have access to items they shouldn’t
– A portal will open us up to data integrity and liability issues
Large Organization – Same System
• System Requirements
– 21,000 users
– Over 75,000 Employees – all on ESS
– 35 countries
– 22 languages
• Modules Implemented - Finance, HR, Materials, Production Planning, CRM
– Specific HCM
• PA, OM, PY, Time, ESS, MSS Globally
• Payroll runs in batch at night
• Time Eval runs in batch at night
– Authorizations are assigned primarily to positions (structural authorizations) to ensure the system is “locked down”
Mid-size Organization – Same System
• System Requirements
– 500 users
– Over 3,000 Employees – all on ESS
– US Only
– 2 languages
• Modules Implemented - Finance, HR, Materials, Production Planning, CRM
– Specific HCM
• PA, OM, BN, PY, Time, ESS, MSS, Talent Management
• Payroll runs in batch at night
• Time Eval runs in batch at night
– Authorizations are set up per person and are monitored frequently
Large Organization – Separate System
• Standardized on a common IT backbone
– 15,000 users
– Over 100,000 Employees
– 45 countries
– 175 legal entities
– 18 languages
• Modules Implemented - Finance, HR and Supply Chain.
– Due to size and requirements of payroll processing
– HCM is on a separate instance
– ALE is run at night and new positions are created the next day
Mid-size company example – Separate System
• System Background
– 1,000 users
– Over 5,000 Employees
– 12 countries
– 8 languages
• SAP Environment – 4.6c
– Finance does not have a need to upgrade
– Finance did not want to apply support packs to all modules at the same time**
– There was no compelling reason to upgrade
• HR – ECC 6.0
– Required Talent Management functionality
– Security team did not want to continuously update employees
• This was not necessary; however, they were never told the system has structural authorization capability
– The rest of the organization was on 4.7
• Prior to ECC 5.0, all modules had to apply support packs together
– Data is being configured in two systems
• Sometimes it isn't completed for weeks (a workload issue)
Security & HCM
Security is not a reason for a separate landscape
Authorization flexibility in SAP is a key component to its value
proposition
All critical data can be restricted!
Can require a culture change
Remediation project is generally required for “live” customers during
HCM implementation
Step 1 – Review of HCM Authorizations in existing Roles
Review “P” Authorization Objects in existing Roles, or any Object in the HR Class!
They need to be reviewed and likely removed or restricted further
If not required, update SU24 (the default authorization values proposed per transaction) so you don’t accidentally provide access in the future!
Step 1 – Review of P_ORGIN in existing Roles
P_ORGIN is commonly in existing Roles
Authorization controls access to HCM Master Data – very sensitive
Can be automatically proposed when Production Planning Transactions
are added to Roles
Not likely required if there was no HCM data available in the system!
Consider activating P_ORGINCON in the HCM system instead of
P_ORGIN to increase future flexibility!
Step 1 – Review of PLOG in existing Roles
PLOG is commonly in existing Roles
Authorization controls access to HCM Organizational Structure
Can be automatically proposed when Production Planning, Controlling,
or other Transactions are added to Roles
These might be required going forward as the structures are used for
more than just HCM
Need to restrict the OTYPE field accordingly
Exclude any used HCM Object Types – definitely O, S, P, but check with
your HCM team for others!
Step 1 – Review of P_ABAP in existing or new HCM Roles
P_ABAP could be in existing Roles, but will be in HCM Roles
Provides the ability to bypass HCM Master Data Authorization checks
during report execution
Useful to provide someone with the ability to run a telephone list
without giving them access to underlying HCM data
Watch for this Authorization in Roles with REPID field set to wildcard or
report SAPDBPNP!
Recommend updating SU24 so that you don’t accidentally provide this
access
Step 2 – Sensitive Authorizations in existing and new Roles
Sensitive Authorizations can accidentally compromise data privacy
Display of Spool Output belonging to the Payroll Manager
Displaying HCM Infotype data via SE16 or ABAP Query
We’ll provide some examples of what to look out for
Not a complete list – just getting you pointed in the right direction!
Step 2 – remove S_DEVELOP from end-user Roles
S_DEVELOP enables maintenance of ABAP Workbench Objects...
Which is bad in non-Development Systems
Debug Replace (Activity 02 for Object Type DEBUG)
Enables Users to step around Authority-Checks
Debug Display (Activity 03 for Object Type DEBUG)
Enables Users to view data in Internal Tables before Authority-Checks
determine access is not allowed
In general, no end-user should have any S_DEVELOP Authorization!
Step 2 – remove S_BTCH_NAM from end-user Roles
S_BTCH_NAM enables Users to submit a batch job as someone
else
If I’m not Authorized to run an HCM report, I can schedule it as our
Payroll Manager
End-users rarely need S_BTCH_NAM Authorizations
Occasionally, Payroll Administrators might need this Authorization for the
Background User that runs payroll
End-users should not have S_BTCH_NAM with a wildcard!
Step 2 – restrict S_TABU_DIS in end-user Roles
S_TABU_DIS enables Users to display tables via SE16 or ABAP
Query
Use of SE16 and ABAP Query (i.e., SQ01-03) really should be limited to
your IT folks (at a minimum)
ABAP Queries can be assigned to Transactions for end-users
Displaying tables via these methods bypasses all HCM Authorizations
HCM data is generally stored in tables assigned to “P” Authorization
Groups
Some HCM tables are unclassified – causing risk for the &NC& Authorization
Group
Need to restrict S_TABU_DIS from having access to Authorization Groups
that start with “P” and “&NC&”
Existing unclassified Tables need to be assigned to an Authorization Group!
Step 2 – remove S_SPO_ACT from end-user Roles
S_SPO_ACT enables Users to access Spool Requests belonging to
other Users
Would allow a User to view reports printed by my Payroll Manager
In general, this Authorization should be removed from all Users
In some cases, it may be reasonable to provide groups of Users with the
ability to display spools generated by a specific background user
Verify that SPOAUTH is not set to wildcard in Roles!
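The Step 1 and Step 2 checks above can be run mechanically against an export of your role authorization data rather than by clicking through each role. The script below is an added example (it is not part of the presentation and not a Symmetry or ControlPanelGRC tool). It assumes a flat export of SAP table AGR_1251 with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW and HIGH; the role names and rows are constructed for illustration. It covers both steps in one pass: P_ORGIN, PLOG (OTYPE reaching O, S or P) and P_ABAP (REPID wildcard or SAPDBPNP) from Step 1, and S_DEVELOP, S_BTCH_NAM, S_TABU_DIS (groups starting with “P” or &NC&) and S_SPO_ACT from Step 2. The P_ORGIN check is meant for existing pre-HCM roles; in new HCM roles that object is expected.

```python
"""Flag the authorization values Steps 1 and 2 say to look for in role data.

Added example: not from the presentation and not a Symmetry/ControlPanelGRC tool.
Assumes a flat export of SAP table AGR_1251 (role authorization data) with the
columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH; roles and rows are constructed.
"""
from collections import defaultdict
import csv
import io

# Constructed sample export. Rows sharing an AUTH belong to one authorization.
SAMPLE_AGR_1251 = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_PP_PLANNER,PLOG,T-0001,OTYPE,*,
Z_PP_PLANNER,P_ORGIN,T-0002,INFTY,*,
Z_FI_ANALYST,S_TABU_DIS,T-0003,DICBERCLS,P*,
Z_FI_ANALYST,S_DEVELOP,T-0004,OBJTYPE,DEBUG,
Z_FI_ANALYST,S_DEVELOP,T-0004,ACTVT,02,03
Z_HR_PHONELIST,P_ABAP,T-0005,REPID,ZHR_PHONELIST,
Z_HR_CLERK,P_ABAP,T-0006,REPID,SAPDBPNP,
Z_HR_CLERK,S_BTCH_NAM,T-0007,BTCUNAME,*,
Z_HR_CLERK,S_SPO_ACT,T-0008,SPOAUTH,*,
Z_HR_CLERK,S_TABU_DIS,T-0009,DICBERCLS,&NC&,
Z_CO_CONTROLLER,PLOG,T-0010,OTYPE,K,
"""

HCM_OBJECT_TYPES = ("O", "S", "P")  # named on the slide; confirm others with the HCM team


def value_covers(low, high, value):
    """True if one LOW/HIGH entry reaches `value` ('*', trailing-'*' prefix, or range)."""
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    if high:
        return low <= value <= high
    return value == low


def field_covers(entries, value):
    return any(value_covers(low, high, value) for low, high in entries)


def touches_group_prefix(entries, prefix):
    """Could any entry reach an authorization group whose name starts with `prefix`?"""
    return any(low == "*" or low.startswith(prefix) or (high and low <= prefix <= high)
               for low, high in entries)


def load_authorizations(csv_text):
    """Group rows into {(role, object, auth): {field: [(low, high), ...]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
        auths[key][row["FIELD"]].append((row["LOW"].strip(), row["HIGH"].strip()))
    return auths


def find_risks(auths):
    """Return (role, object, reason) for every authorization matching a Step 1/2 pattern."""
    findings = []
    for (role, obj, _auth), f in auths.items():
        reason = None
        if obj == "P_ORGIN":
            reason = "P_ORGIN grants HCM master data access: not expected in a pre-HCM role"
        elif obj == "PLOG":
            hit = [o for o in HCM_OBJECT_TYPES if field_covers(f.get("OTYPE", []), o)]
            if hit:
                reason = "PLOG OTYPE reaches HCM object types " + "/".join(hit)
        elif obj == "P_ABAP":
            if field_covers(f.get("REPID", []), "SAPDBPNP"):  # also true for REPID '*'
                reason = "P_ABAP REPID covers SAPDBPNP or '*': bypasses HCM master data checks"
        elif obj == "S_DEVELOP":
            reason = "S_DEVELOP in an end-user role"
            acts = [a for a in ("02", "03") if field_covers(f.get("ACTVT", []), a)]
            if acts and field_covers(f.get("OBJTYPE", []), "DEBUG"):
                reason += " (DEBUG " + "/".join(acts) + ": replace/display while debugging)"
        elif obj == "S_BTCH_NAM":
            if any(low == "*" for low, _ in f.get("BTCUNAME", [])):
                reason = "S_BTCH_NAM with '*': jobs can be scheduled as any user"
        elif obj == "S_TABU_DIS":
            groups = f.get("DICBERCLS", [])
            hit = [g for g, ok in (("P*", touches_group_prefix(groups, "P")),
                                   ("&NC&", field_covers(groups, "&NC&"))) if ok]
            if hit:
                reason = "S_TABU_DIS reaches table authorization group(s) " + "/".join(hit)
        elif obj == "S_SPO_ACT":
            if any(low == "*" for low, _ in f.get("SPOAUTH", [])):
                reason = "S_SPO_ACT SPOAUTH '*': can read other users' spool output"
        if reason:
            findings.append((role, obj, reason))
    return findings


def scan(csv_text=SAMPLE_AGR_1251):
    return find_risks(load_authorizations(csv_text))


if __name__ == "__main__":
    for role, obj, reason in scan():
        print(f"{role:<16} {obj:<11} {reason}")
```

Run it against a real AGR_1251 export by passing the file contents to scan(). Note that Z_HR_PHONELIST is deliberately not flagged: P_ABAP restricted to one named report is the legitimate “telephone list” use described above, while the same object with SAPDBPNP or a wildcard is not. Re-running this on a schedule is the cheapest form of the continuous monitoring in Step 3.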
Step 3 – Continuous Monitoring
Once Security is restricted, we need to make sure that it stays
restricted
Don’t want to find out about a breach after it’s too late!
Establish procedures for periodic review of Sensitive Authorizations
Other companies have used automated tools like ControlPanelGRC Risk Analyzer
Enables periodic or real-time review of risks!
Data in Non-Productive Systems
Authorization restrictions are required in any system that contains
live Production data
This could impact more than just the end-user community in
Development and Q/A environments!
Consider data scrambling to “free up” User Authorizations in the
environment
Scramble Names, SSN, Birthday, Addresses, Pay/Additional Pay, Benefits
Information, EH&S data, etc.
Symmetry has tools and/or services to assist!
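To make the scrambling idea concrete, here is an added example of how a refresh script can replace the fields listed above before data reaches Dev or QA. It is not from the presentation and is not a Symmetry tool. It assumes an export of the infotype tables PA0002 (personal data), PA0006 (address) and PA0008 (basic pay) with their standard column names; the employee records are constructed. The design point it shows is that values are derived with a keyed HMAC, so the same real value always maps to the same fake value: rows still join on PERNR, two employees who share a surname still share a (fake) surname, and nothing in the scrambled copy lets anyone recover the original without the key.

```python
"""Deterministic scrambling of HCM master data for Dev/QA copies.

Added example: not from the presentation and not a Symmetry tool. Table and
column names follow infotype tables PA0002, PA0006 and PA0008 as an assumed
export; the records are constructed. Same key + same real value -> same fake
value, so rows that join on PERNR (or share a name) still line up afterwards.
"""
import datetime
import hashlib
import hmac

# Per-refresh key. Keep it outside the non-production system and rotate it per
# copy, so scrambled values from two refreshes cannot be correlated.
SCRAMBLE_KEY = b"example-key-for-this-refresh-only"

FIRST_NAMES = ["Alex", "Dana", "Jordan", "Kim", "Lee", "Morgan", "Robin", "Sam"]
LAST_NAMES = ["Adler", "Brandt", "Cole", "Dorsey", "Ebert", "Fuchs", "Grant", "Holm"]
STREETS = ["Oak Street", "Elm Avenue", "Mill Road", "Park Lane", "River Drive"]

SAMPLE_TABLES = {  # constructed records
    "PA0002": [
        {"PERNR": "00001234", "VORNA": "Maria", "NACHN": "Keller",
         "GBDAT": datetime.date(1975, 3, 9), "PERID": "123-45-6789"},
        {"PERNR": "00005678", "VORNA": "James", "NACHN": "Keller",
         "GBDAT": datetime.date(1982, 11, 30), "PERID": "987-65-4321"},
    ],
    "PA0006": [
        {"PERNR": "00001234", "STRAS": "12 Lake Street", "ORT01": "Milwaukee", "LAND1": "US"},
        {"PERNR": "00005678", "STRAS": "7 Hill Court", "ORT01": "Charlotte", "LAND1": "US"},
    ],
    "PA0008": [
        {"PERNR": "00001234", "BET01": 5200.00, "WAERS": "USD"},
        {"PERNR": "00005678", "BET01": 4100.50, "WAERS": "USD"},
    ],
}


def keyed_int(field, value, modulus):
    """Keyed, deterministic integer in [0, modulus). HMAC rather than a plain hash,
    so the real value cannot be brute-forced from the fake one without the key."""
    mac = hmac.new(SCRAMBLE_KEY, f"{field}|{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % modulus


def scramble_name(field, real):
    pool = FIRST_NAMES if field == "VORNA" else LAST_NAMES
    return pool[keyed_int(field, real, len(pool))]


def scramble_ssn(real):
    """Format-preserving: new digits, same NNN-NN-NNNN shape so screen checks still pass."""
    digits = f"{keyed_int('PERID', real, 10**9):09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def scramble_birthday(real):
    """Shift by up to +/-180 days: age-driven benefits logic still works, real date is gone."""
    return real + datetime.timedelta(days=keyed_int("GBDAT", real.isoformat(), 361) - 180)


def scramble_street(real):
    number = 1 + keyed_int("STRAS-NR", real, 199)
    return f"{number} {STREETS[keyed_int('STRAS', real, len(STREETS))]}"


def scramble_amount(real):
    """Keep the order of magnitude (payroll test runs stay plausible), lose the real amount."""
    return round(real * (0.7 + keyed_int("BET01", f"{real:.2f}", 601) / 1000), 2)


# (table, column) pairs to scramble. Everything else (PERNR, city, country,
# currency) is copied unchanged so integration and localization still work.
SCRAMBLERS = {
    ("PA0002", "VORNA"): lambda v: scramble_name("VORNA", v),
    ("PA0002", "NACHN"): lambda v: scramble_name("NACHN", v),
    ("PA0002", "GBDAT"): scramble_birthday,
    ("PA0002", "PERID"): scramble_ssn,
    ("PA0006", "STRAS"): scramble_street,
    ("PA0008", "BET01"): scramble_amount,
}


def scramble_tables(tables):
    """Return scrambled copies of all tables; the input is left untouched."""
    return {
        table: [{col: SCRAMBLERS.get((table, col), lambda v: v)(val) for col, val in row.items()}
                for row in rows]
        for table, rows in tables.items()
    }


if __name__ == "__main__":
    for table, rows in scramble_tables(SAMPLE_TABLES).items():
        for row in rows:
            print(table, row)
```

Extend SCRAMBLERS with the other fields the slide lists (additional pay, benefits, EH&S data) as they appear in your export. The small name pools here mean collisions between different real names are possible; a production script would use larger pools, but the keyed mapping is what matters for keeping the copy consistent across tables.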
7 Key Points to Take Home
Implementations of HCM do not require separate instances
Real-time data is essential to the daily operations of business
Symphony is an SAP HCM only firm with extensive experience in global and local implementations
Security should never be the reason to have a separate HCM landscape
Security can be adapted to protect sensitive HCM data
Tools like ControlPanelGRC can be used to provide assurance that sensitive data is restricted to appropriate Users
Symmetry can assist with security architecture design and implementation, or risk assessment and remediation specifically for HCM
Heather Mickelson 414-732-2738
Kellie Fitzpatrick 704-556-2288
Scott Goolik 414-732-2740