Xiting SAP Security Blog

How does the European GDPR affect my Roles and Authorizations?

What is GDPR? 

GDPR is the General Data Protection Regulation of the European Union. The regulation becomes active on May 25, 2018. GDPR affects not only businesses in Europe but also any organization that does business with European customers, where "business" means trading goods or services to customers in the European Union. GDPR sets new guidelines on how an organization handles the information of customers, prospects and also employees.

Once the regulation becomes active, the EU will begin to enforce all of the 99 articles that exist in the GDPR. If an organization does not comply with those articles, the EU can enforce penalties that include fines of up to 4% of annual global turnover, to a maximum of EUR 20,000,000.

GDPR consists of 11 chapters with a total of 99 articles. At least three of these articles, Articles 25, 28, and 32, affect the roles and authorizations in your SAP system:

  • Article 25 addresses Data Protection By Design and Default,
  • Article 28 addresses Security of processing, and
  • Article 32 talks about the Processor.

Why GDPR may affect your SAP system

Your SAP system stores a huge amount of data, including data that according to the new GDPR guidelines must be protected from unauthorized use. That data includes personal data such as first and last names, dates of birth, addresses, social security numbers, etc. According to GDPR, organizations must protect such information.

How to comply with GDPR?

It is not only essential to understand the impact and consequences of GDPR, but also to know how to be compliant with the new regulation. You must learn where critical data is stored and how to protect that data from unauthorized access using proper roles and authorizations. Ultimately, your authorization concept impacts whether you are protecting your SAP data according to the new guidelines, or not.

In addition to end-user authorizations, you must protect all RFC interfaces that send, receive, and transfer data from one system to another. As a result, assigning the powerful SAP_ALL authorization profile to RFC users inherently increases the risk of falling out of compliance with GDPR. That is why Xiting recommends taking a close look at all your RFC interfaces and hardening them where necessary.
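As an added example (not part of the original post and not Xiting's tooling), here is a small check that flags non-dialog users, the SAP user types B (system) and C (communication) typically used for RFC interfaces, that hold the SAP_ALL profile. It runs over a constructed extract of the standard SAP tables USR02 (user master, field USTYP) and UST04 (profile assignments); the table and field names are SAP's, the sample rows are invented.

```python
import csv
import io

# Constructed sample extracts (not real system data). Column layout mirrors the
# SAP tables USR02 (user master: BNAME, USTYP) and UST04 (profile assignment:
# BNAME, PROFILE). USTYP values: A = dialog, B = system, C = communication,
# S = service, L = reference.
USR02_CSV = """BNAME,USTYP
ALICE,A
RFC_CRM,B
RFC_BW,C
BATCHJOB,B
BOB,A
"""

UST04_CSV = """BNAME,PROFILE
ALICE,SAP_ALL
RFC_CRM,SAP_ALL
RFC_BW,Z_RFC_BW_READ
BATCHJOB,SAP_NEW
BOB,Z_HR_DISPLAY
"""

# User types used by interfaces and background processing rather than by people.
NON_DIALOG_TYPES = {"B", "C"}
# Profiles whose assignment to an interface user should be reviewed.
CRITICAL_PROFILES = {"SAP_ALL"}


def load_rows(text):
    """Parse a CSV table extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_risky_rfc_users(usr02_rows, ust04_rows, critical=CRITICAL_PROFILES):
    """Return sorted (user, type, profile) triples for every non-dialog user
    that holds one of the critical profiles."""
    user_type = {r["BNAME"]: r["USTYP"] for r in usr02_rows}
    findings = []
    for r in ust04_rows:
        utype = user_type.get(r["BNAME"])
        if utype in NON_DIALOG_TYPES and r["PROFILE"] in critical:
            findings.append((r["BNAME"], utype, r["PROFILE"]))
    return sorted(findings)


if __name__ == "__main__":
    for user, utype, profile in find_risky_rfc_users(load_rows(USR02_CSV), load_rows(UST04_CSV)):
        print(f"{user} (type {utype}) holds {profile}: replace with a least-privilege RFC role")
```

On a real system the two extracts would come from the respective tables (for example via SE16), and the critical set can be widened to other broad profiles such as SAP_NEW.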

How can Xiting help you?

The Xiting Authorizations Management Suite (XAMS) is an innovative solution to safely, quickly and efficiently redesign the roles and authorizations of dialog and RFC users. The XAMS eliminates most of the time-consuming tasks, significantly improving your chances to comply with GDPR by May 25. With the XAMS, you can:

  • Detect vulnerabilities in your custom code that allow access to sensitive data
  • Build roles and authorizations in SAP standard – complying with GDPR
  • Test the new role design in production without impacting business users – no business time needs to be allocated to testing
  • Harden your RFC interfaces and document them according to GDPR guidelines
  • Apply best practices to speed up the redesign project with XAMS Quick Start – a rapid deployment solution
  • Automatically create and verify your SAP Security concept – get ready for an audit

Conclusion

If your SAP system is not yet fully compliant with the new guidelines of the European Union, don’t panic but don’t waste any more time either. Contact us to find out how the XAMS can help you.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.