Security

Strategies for HCM

Implementations

Scott GoolikDirector of Security and Controls - Symmetry

June 16, 2010

Kellie FitzpatrickCOO – Symphony Consulting

Download the presentation recording with audio from the

Symmetry Knowledge Center

www.sym-corp.com/knowledge-center

Introducing…

Scott Goolik

Director of Security & Controls –

Symmetry Corporation

14 years experience in SAP security

Lead architect for ControlPanelGRC

compliance automation tools

21st Century ERP Model

Quality – proactive support

delivered by US-based experts

Accessibility – 24x7 direct access

to your support team

Affordability – highly competitive,

fixed price contracts

Symmetry Corporation

Established 1996

Based in Milwaukee WI

100% SAP focusAll SAP applications

All platforms

Symphony Management Consulting

• One of the leading providers of SAP HCM consulting services

• Established in 2002 and led by experienced SAP HCM consultants

• We strive to not only assist you in your current need, but to become

a trusted advisor to your organization

• SAP Services Partner since 2007

• Industry focus includes Chemicals, Healthcare & Biotech, Manufacturing & Distribution, Pharmaceuticals and State & Local Government

• Need help from an expert? Symphony’s experts provide complimentary answers to some of your most difficult questions!

• Visit us at http://www.symphonyhcmexperts.com

Introducing

• Kellie Fitzpatrick– Chief Operating Officer

– Co-owner Symphony Consulting

– Over 15 years experience in scoping, planning, implementing and upgrading SAP Human Resources

What We Will Learn

• Determine when you should consider a separate

landscape and when you should consider a combined

landscape.

• Understand the limitations of implementing on a

separate instance and the level of maintenance required.

• See real-life examples of companies that have

implemented on separate landscapes, those that have

implemented on the same landscape, and why that

decision was right for them.

Single vs. Separate SAP Instances When Implementing HCM

• What does it mean?– Single Instance

• One Instance of SAP across all business functions

• One transport path across all systems

• When SAP is currently installed on a single landscape it is Dev QA Prod only

– Separate Instance• There are two different SAP instances running

– Potentially one for FI, MM, SD, PM, CRM

– Another for HCM

• Transports run across one landscape – Data is interfaced between multiple systems via an ALE

– Data is configured twice (once on each system)**

• There are usually 2 of each box

** This typically means multiple maintenance and can result in inaccurate

data or data integrity issues

Single Instance Advantages

• Real-time data for all business functions in one system

• No need to transfer data across multiple instances via an interface (ALE) or configuration

• Support packs can be implemented for only HCM

• Configuration is tested, transported and configured to meet total business requirements one time and in one system

• Master data is accessed through a single point of entry– Global headcount reporting

– Compliance reporting

– Budget preparation

• One system to maintain with reduced costs

• Security administration should be monitored on an ongoing basis– ControlPanelGRC can help and will be discussed later in this presentation

Single System Disadvantages

• HCM requires support packs and updates multiple times a year

– Usually four times a year, but definitely year-end

– Typically requires the entire organization to shut down the system over a weekend for a few hours

• Requires Unicode compliance if implementing in multiple countries

– Language and currency issues are addressed

• HCM Talent Management functionality recommends at least ECC 5.0

– Encourage ECC 6.0 due to functionality enhancements

– Enhancement Pack 4 or above should also be installed

Benefits of a Separate system for HCM

• One system which is dedicated to only HCM data requirements

• Organization is running multiple large payrolls across multiple countries– Can cause system to run slower if running during the workday

• Either way – we would recommend you run after hours in a batch session

• Time is evaluated for a large employee population at the same time– Can cause system to run slower if running during the workday

• Either way – we would recommend you run after hours in a batch session

• Safe Harbor laws prevent employee data from being housed in a different country– If this is a concern, other entities have procured waivers from their

employees to allow this to be done ~ P&G, Coke, PolyOne

Separate System Advantages

• Ability to upgrade and apply support packs whenever necessary

– System downtime for the rest of the organization is decreased

• Ability to implement SAP HCM with the “latest and greatest”

functionality if the rest of the organization is on a lower SAP

version

• Ability to run payroll/time across multiple countries with minimal

impact to departments outside HR

• Localization issues arising from Safe Harbor restrictions are

minimized or eliminated

Separate System Disadvantages

• ALE needs to be created and run for HR required data related to

– Cost Centers

– G/L Accounts

– Work Orders

– Activity Types

• The disability of having data in one system available real-time

– Reporting may be limited by 24 hours

– Ability to set up specific items which relate to FI

• Positions, Departments, Jobs (Cost Center integration)

• Users may need to sign into multiple systems to complete their position responsibilities

Separate System Disadvantages

• Additional Costs may be incurred by

– Multiple upgrades

– Multiple support streams

– Multiple configuration tasks

– Multiple system maintenance

• Requirement to understand two landscapes with multiple

types of configuration with very different data

• When the other system upgrades data – we need to test

on both systems to ensure the data flow is not

compromised

Common Misconceptions of

Why a Separate Instance is Needed

• HR support packs require us to apply support packs for

every other module

• There is to much HR data to allow us to incorporate it on

one instance

• Reporting is much more labor intensive

• Security issues are major

– HR data is not secure if it is on the same system

– Employees have access to items they shouldn’t

– A portal will open us up to data integrity and liability issues

Large Organization – Same System

• System Requirements

– 21,000 users

– Over 75,000 Employees – all on ESS

– 35 countries

– 22 languages

• Modules Implemented - Finance, HR, Materials, Production Planning, CRM

– Specific HCM

• PA, OM, PY, Time, ESS, MSS Globally

• Payroll runs in batch at night

• Time Eval runs in batch at night

– Securities are assigned primarily to positions (structural) in order to ensure system is “locked-down”

Mid-size Organization – Same System

• System Requirements

– 500 users

– Over 3,000 Employees – all on ESS

– US Only

– 2 languages

• Modules Implemented - Finance, HR, Materials, Production Planning, CRM

– Specific HCM

• PA, OM, BN, PY, Time, ESS, MSS, Talent Management

• Payroll runs in batch at night

• Time Eval runs in batch at night

– Securities are set up by person and are monitored frequently

Large Organization – Separate System

• Standardized on a common IT backbone

– 15,000 users

– Over 100,000 Employees

– 45 countries

– 175 legal entities

– 18 languages

• Modules Implemented - Finance, HR and Supply Chain.

– Due to size and requirements of payroll processing

– HCM is on a separate instance

– ALE is run at night and new positions are created the next day

Mid-size company example – Separate System• System Background

– 1,000 users

– Over 5,000 Employees

– 12 countries

– 8 languages

• SAP Environment – 4.6c– Finance does not have a need to upgrade

– Finance did not want to apply support packs to all modules at the same time**

– There was no compelling reason to upgrade

• HR – ECC 6.0– Required Talent Management Functionality

– Security team did not want to continuously update employees• This was not necessary, however they were never told the system has structural

authorization capability

– The rest of the organization was on 4.7, • Prior to ECC 5.0 – all modules had to apply support packs together

– Data is being configured in two systems• Sometimes it isn’t completed for weeks, workload issue

Security & HCM

Security is not a reason for a separate landscape

Authorization flexibility in SAP is a key component to its value

proposition

All critical data can be restricted!

Can require a culture change

Remediation project is generally required for “live” customers during

HCM implementation

Step 1 – Review of HCM Authorizations in existing Roles

Review of “P” Authorization

Objects in existing Roles

Or any Object in the HR Class!

Needs to be reviewed and

likely removed or restricted

further

If not required, update SU24 so

you don’t accidentally provide

access in the future!

Step 1 – Review of P_ORGIN in existing Roles

P_ORGIN is commonly in existing Roles

Authorization controls access to HCM Master Data – very sensitive

Can be automatically proposed when Production Planning Transactions

are added to Roles

Not likely required if there was no HCM data available in the system!

Consider activating P_ORGINCON in the HCM system instead of

P_ORGIN to increase future flexibility!

Step 1 – Review of PLOG in existing Roles

PLOG is commonly in existing Roles

Authorization controls access to HCM Organizational Structure

Can be automatically proposed when Production Planning, Controlling,

or other Transactions are added to Roles

These might be required going forward as the structures are used for

more than just HCM

Need to restrict the OTYPE field according

Exclude any used HCM Object Types – definitely O, S, P, but check with

your HCM team for others!

Step 1 – Review of P_ABAP in existing or new HCM Roles

P_ABAP could be in existing Roles, but will be in HCM Roles

Provides the ability to bypass HCM Master Data Authorization checks

during report execution

Useful to provide someone with the ability to run a telephone list

without giving them access to underlying HCM data

Watch for this Authorization in Roles with REPID field set to wildcard or

report SAPDBPNP!

Recommend updating SU24 so that you don’t accidentally provide this

access

Step 2 – Sensitive Authorizations in existing and new Roles

Sensitive Authorizations can accidentally compromise data privacy

Display of Spool Output belonging to the Payroll Manager

Displaying HCM Infotype data via SE16 or ABAP Query

We’ll provide some examples of what to look out for

Not a complete list – just getting you pointed in the right direction!

Step 2 – remove S_DEVELOP from end-user Roles

S_DEVELOP enables maintenance of ABAP Workbench Objects...

Which is bad in non-Development Systems

Debug Replace (Activity 02 for Object Type DEBUG)

Enables Users to step around Authority-Checks

Debug Display (Activity 03 for Object Type DEBUG)

Enables Users to view data in Internal Tables before Authority-Checks

determine access is not allowed

In general, no end-user should have any S_DEVELOP Authorization!

Step 2 – remove S_BTCH_NAM from end-user Roles

S_BTCH_NAM enables Users to submit a batch job as someone

else

If I’m not Authorized to run an HCM report, I can schedule it as our

Payroll Manager

End-users rarely need S_BTCH_NAM Authorizations

Occasionally, Payroll Administrators might need this Authorization for the

Background User that runs payroll

End-users should not have S_BTCH_NAM with a wildcard!

Step 2 – restrict S_TABU_DIS in end-user Roles

S_TABU_DIS enables Users to display tables via SE16 or ABAP

Query

Use of SE16 and ABAP Query (i.e., SQ01-03) really should be limited to

your IT folks (at a minimum)

ABAP Queries can be assigned to Transactions for end-users

Displaying tables via these methods bypasses all HCM Authorizations

HCM data is generally stored in tables assigned to “P” Authorization

Groups

Some HCM tables are unclassified – causing risk for the &NC& Authorization

Group

Need to restrict S_TABU_DIS from having access to Authorization Groups

that start with “P” and “&NC&”

Existing unclassified Tables need to be assigned to an Authorization Group!

Step 2 – remove S_SPO_ACT from end-user Roles

S_SPO_ACT enables Users to access Spool Requests belonging to

other Users

Would allow a User to view reports printed by my Payroll Manager

In general, this Authorization should be removed from all Users

In some cases, it may be reasonable to provide groups of Users with the

ability to display spools generated by a specific background user

Verify that SPOAUTH is not set to wildcard in Roles!

Step 3 – Continuous Monitoring

Once Security is restricted, we need to make sure that it stays

restricted

Don’t want to find out about a breach after it’s too late!

Establish procedures for periodic review of Sensitive Authorizations

Other companies have used automated tools like ControlPanelGRC

Risk Analyzer

Enables for periodic or real-time review of risks!

Data in Non-Productive Systems

Authorization restrictions are required in any system that contains

live Production data

This could impact more than just the end-user community in

Development and Q/A environments!

Consider data scrambling to “free up” User Authorizations in the

environment

Scramble Names, SSN, Birthday, Addresses, Pay/Additional Pay, Benefits

Information, EH&S data, etc.

Symmetry has tools and/or services to assist!

32

Implementations of HCM do not require separate instances

Real-time data is essential to the daily operations of business

Symphony is an SAP HCM only firm with extensive experience in global and local implementations

Security should never be the reason to have a separate HCM landscape

Security can be adapted to protect sensitive HCM data

Tools like ControlPanelGRC can be used to provide assurance that sensitive data is restricted to appropriate Users

Symmetry can assist with security architecture design and implementation, or risk assessment and remediation specifically for HCM

7 Key Points to Take Home

Download the presentation recording with audio from the

Symmetry Knowledge Center

www.sym-corp.com/knowledge-center

Heather Mickelson414-732-2738

hmickelson@sym-corp.com

Kellie Fitzpatrick704-556-2288

Kfitzpatrick@symphony-consulting.com

Scott Goolik414-732-2740

scott.goolik@sym-corp.com