In our previous SAP Controls Series blog, we identified custom t-codes as one of the most significant challenges our customers face in controlling access to their SAP instances. Customizations often grant access nobody intended. In one example, the application of patches resulted in a large number of users gaining access to FB05, and it was External Audit that discovered this late in the year. The finding cost the audit and systems teams a significant amount of detective work, and it cost the organization confidence between its external and internal stakeholders.

Many organizations running SAP have thousands of customizations built up over the lifetime of the installation. When an access review in SAP neglects these customizations, or includes them incorrectly, the analysis is incomplete, and an incomplete SoD analysis is an insufficient one: a custom t-code that reaches a sensitive standard transaction grants the same access as the standard transaction itself, whether or not the ruleset mentions it.
There are several ways to bring customizations into your ruleset. The most common and effective is a continuous change management process (or Systems Development Lifecycle) that identifies each customization and catalogs its purpose, its function, and the standard objects it calls before it is transported into your production environment. But what can you do if that ship has already sailed?
How to Manage ITGCs with the Fastpath Assure® SAP Custom Code Checker
The most common initial approach to cataloging custom t-codes is to do it manually. This requires investigating each custom t-code to determine which standard t-code it calls. To find the source of the access, you walk down the pathway created by each Z* or Y* transaction code (a parameter transaction pointing at a standard transaction, or a custom program that calls one) until you reach the standard object that actually grants the access. This effort is labor intensive, error prone, and consumes the time of your Basis team, who have more critical tasks at hand.
As an alternative to the manual approach, Fastpath has a function within our SoD analysis platform that interrogates your SAP environment line by line and identifies every object whose name begins with Z* or Y*. From there, the SAP Custom Code Checker determines whether each custom program calls an SAP standard object, which is how indirect, unintended access gets granted to users. It then checks whether the standard objects the customization calls are part of the ruleset the organization has established, whether that ruleset lives in SAP GRC or in Fastpath itself.
If a custom object calls a standard object that is part of the ruleset, the Code Checker prompts the user to add the custom object to the ruleset with one click. The Fastpath Assure SAP Custom Code Checker was developed with one goal in mind: to ensure that our customers can establish complete and accurate rulesets for their SAP instances.
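To make the walk described above concrete, here is an added example in Python that is not Fastpath's code and not taken from this post. It models extracts of SAP's TSTC table (t-code to program) and TSTCP table (parameter transactions, whose PARAM string names the target t-code) as constructed dictionaries; the "/*<TCODE> ..." PARAM layout, the field names, the ABAP source snippets and the ruleset function name are all assumptions made for the example. It resolves each custom t-code transitively to the standard t-codes it reaches, proposes ruleset additions for those that hit a ruleset entry, and flags the cases a static walk cannot settle: custom t-codes that point at each other in a cycle, and programs whose CALL TRANSACTION target is held in a variable.

```python
import re

# All data below is CONSTRUCTED for this example. The tables model extracts of
# SAP's TSTC (t-code -> program) and TSTCP (parameter transactions, whose PARAM
# string names the target t-code). The "/*<TCODE> ..." PARAM layout, the field
# names and the ruleset function name are assumptions, not a verified SAP schema
# or a Fastpath ruleset.
TSTC = {
    "FB05":    "SAPMF05A",     # standard: post with clearing
    "SE16":    "SAPLSETB",     # standard: data browser
    "ZFB05P":  "",             # custom parameter transaction on FB05
    "ZFB05X":  "",             # custom parameter transaction chained on ZFB05P
    "ZFIPOST": "ZFI_POST",     # custom report transaction
    "YTAB":    "YTABLE_VIEW",  # custom report transaction
    "ZLOOP1":  "",             # two custom parameter transactions pointing at each other
    "ZLOOP2":  "",
    "ZDYN":    "ZDYN_CALL",    # custom program whose call target is decided at runtime
}
TSTCP = {
    "ZFB05P": "/*FB05 RF05A-NEWBS=40;",
    "ZFB05X": "/*ZFB05P",
    "ZLOOP1": "/*ZLOOP2",
    "ZLOOP2": "/*ZLOOP1",
}
ABAP_SOURCE = {
    "ZFI_POST":    "REPORT zfi_post.\nCALL TRANSACTION 'FB05' AND SKIP FIRST SCREEN.\n",
    "YTABLE_VIEW": "REPORT ytable_view.\nCALL TRANSACTION 'SE16'.\n",
    "ZDYN_CALL":   "REPORT zdyn_call.\nDATA lv_tcode TYPE sy-tcode.\n"
                   "lv_tcode = 'FB05'.\nCALL TRANSACTION lv_tcode.\n",
}
# Constructed SoD ruleset: standard t-code -> business function it belongs to.
RULESET = {"FB05": "Post with clearing (AR/AP)"}

PARAM_TARGET = re.compile(r"^/\*([A-Z0-9_/]+)")
STATIC_CALL = re.compile(r"CALL\s+TRANSACTION\s+'([A-Z0-9_/]+)'", re.IGNORECASE)
DYNAMIC_CALL = re.compile(r"CALL\s+TRANSACTION\s+(?!')(\w+)", re.IGNORECASE)


def is_custom(tcode):
    """Customer namespace convention: Z* and Y* objects."""
    return tcode.startswith(("Z", "Y"))


def direct_calls(tcode):
    """T-codes a transaction invokes directly, via its PARAM string or a static CALL TRANSACTION."""
    called = set()
    m = PARAM_TARGET.match(TSTCP.get(tcode, ""))
    if m:
        called.add(m.group(1))
    source = ABAP_SOURCE.get(TSTC.get(tcode, ""), "")
    called.update(STATIC_CALL.findall(source))
    return called


def resolve(tcode, _seen=None):
    """Standard t-codes reached from tcode, following custom-to-custom hops; cycles are cut."""
    seen = _seen if _seen is not None else set()
    if tcode in seen:
        return set()
    seen.add(tcode)
    reached = set()
    for callee in direct_calls(tcode):
        if is_custom(callee):
            reached |= resolve(callee, seen)
        else:
            reached.add(callee)
    return reached


def proposed_additions(ruleset=RULESET):
    """Custom t-codes that reach a ruleset t-code, keyed to the functions they should be added under."""
    proposals = {}
    for tcode in TSTC:
        if not is_custom(tcode):
            continue
        hits = {std: ruleset[std] for std in resolve(tcode) if std in ruleset}
        if hits:
            proposals[tcode] = hits
    return proposals


def needs_manual_review():
    """Custom t-codes the static walk cannot settle, with the reason."""
    review = {}
    for tcode, program in TSTC.items():
        if not is_custom(tcode):
            continue
        if DYNAMIC_CALL.search(ABAP_SOURCE.get(program, "")):
            review[tcode] = "dynamic CALL TRANSACTION: target decided at runtime"
        elif not resolve(tcode):
            review[tcode] = "no standard t-code reached (cycle, or program without a call)"
    return review


if __name__ == "__main__":
    for tcode, hits in sorted(proposed_additions().items()):
        print(f"{tcode}: add to ruleset under {hits}")
    for tcode, reason in sorted(needs_manual_review().items()):
        print(f"{tcode}: manual review ({reason})")
```

On the constructed data, ZFB05P, ZFB05X and ZFIPOST all resolve to FB05 and are proposed for the ruleset, while YTAB resolves to SE16, which is simply not in this ruleset. The two things worth carrying over to a real review are the manual-review bucket (a transaction whose target is computed at runtime, or a chain that never reaches a standard object, cannot be classified from a static walk and still needs a Basis or security person to look at it) and the namespace filter: the Z*/Y* prefix covers the customer naming convention, so objects created in a registered customer namespace would need the prefix list extended.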
Watch a brief demo of the SAP Custom Code Checker:
Please feel free to reach out for additional information on the Fastpath Assure SAP Custom Code Checker, how to handle your customizations, or any questions about what this means to your SDLC or ITGC processes. Ready to learn more? Download our eBook "Access Controls in SAP".