AUDI AG used an automated tool from SAP partner Xiting to verify the authorizations of more than 500 interfaces within a complex SAP system landscape, thereby closing any potential security holes without disrupting operations.
SAP landscapes communicate using RFC interfaces. But which data may be transmitted via an interface? From where and to where does this interface have access? And why is such a simple question of such monumental importance? “Complex SAP landscapes in which multiple solutions are connected by many RFC interfaces contain hidden risks,” says Patrick Bockel from SAP partner Xiting AG. And this is why: “RFC interfaces with authorizations that are set too high make abuse possible, for example, if ERP users gain access to the HR solution and can see their co-workers’ salaries.”
Minor Mistakes during Clean-Up …
Long-time SAP customer Audi is quite familiar with this problem. The automobile manufacturer operates multiple SAP system landscapes, for instance for ERP, human capital management, customer relationship management and business warehousing, and uses the SAP Solution Manager to manage its applications. “These SAP systems and various other non-SAP solutions are connected to one another by more than 500 RFC interfaces, which until recently had authorizations that were too high,” explains Dieter Krebs, IT project manager at Audi.
To check the complex network of RFC authorizations and correct them without disrupting operations, Xiting worked together with SAP Consulting and SAP Active Global Support to establish a unique service, which was announced in SAP Note 1682316. “Cleaning up the authorizations of about 500 interfaces, as we did at Audi, can only be consistently accomplished without putting operations at risk by using an automated tool,” explains Patrick Bockel.
… Can Have Major Consequences
If even a single interface is missed, it could potentially be abused by a large number of users—even by external suppliers, which are common in the automotive industry. On the other hand, if an interface ceases to function because too many authorizations are removed, this can mean that subsequent operations cannot be carried out. In an automobile manufacturer’s worst-case scenario, this can mean that just-in-time delivery processes no longer work properly, causing assembly lines in the production area to come to a halt.
“Even a small mistake made while cleaning up the interfaces can result in costs that run into the millions. We did not want to take that risk,” says Dieter Krebs from Audi. And he, like many other customers, chose the service from Xiting for precisely this reason.
“First, we hold a one-day workshop to determine the status quo in the customer’s interface landscape,” says Patrick Bockel, in explaining the procedure. Next, the interface users are defined: Which interfaces from which feeder system can access the interface currently under examination? These users are then grouped by context: Are they accessing HR data or financial information?
Security through Automated Monitoring
“To prevent errors of any kind, it is crucial to use an automated procedure to reassign authorizations to the interfaces,” Bockel continues. At the beginning of the process, all interfaces continue to operate with their old authorizations. Parallel to this, the Xiting Authorizations Management Suite (XAMS) is installed, which runs an agent on each interface and monitors it for about three months.
“Our XAMS allows us to determine the incoming RFC requests as well as the context for each. We use this information to create a role that contains the necessary RFC authorizations. An agent then verifies that these authorizations are sufficient.” The new authorizations go live only after the XAMS has automatically checked the authorizations and permissions of all interfaces while operations are running and corrected them if necessary.
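As an added illustration of the record-then-derive approach described above (example code written for this article, not XAMS or SAP code; the recorded calls, RFC users and Z_ function names are constructed), this script derives a least-privilege S_RFC proposal per interface user and context from observed calls, then performs the agent-style sufficiency check that catches an over-zealous clean-up before it breaks an interface:

```python
from collections import defaultdict

# Constructed sample of inbound RFC calls recorded during the monitoring phase.
# Fields: calling system, RFC user, function group, function module, data context.
# All names in the Z_ customer namespace are invented for this example.
OBSERVED_CALLS = [
    ("ERP_PRD", "RFC_ERP2HR",  "ZHR_ORG",     "Z_HR_READ_ORGUNIT",      "HR"),
    ("ERP_PRD", "RFC_ERP2HR",  "ZHR_ORG",     "Z_HR_READ_POSITION",     "HR"),
    ("BW_PRD",  "RFC_BW2HR",   "ZHR_EXTRACT", "Z_HR_HEADCOUNT_EXTRACT", "HR"),
    ("CRM_PRD", "RFC_CRM2ERP", "ZFI_CUST",    "Z_FI_CUSTOMER_BALANCE",  "FI"),
    ("CRM_PRD", "RFC_CRM2ERP", "ZSD_ORDER",   "Z_SD_ORDER_STATUS",      "SD"),
]

# The "too high" starting state from the article: a wildcard S_RFC authorization
# (RFC_NAME = '*') lets the interface user call any function group.
WILDCARD_ROLE = {"*"}


def derive_roles(calls):
    """One proposed role per (RFC user, context): exactly the function groups
    that were observed being called. S_RFC can be checked at function-group
    (RFC_TYPE=FUGR) or function-module level; the group grain is used here."""
    roles = defaultdict(set)
    for _system, user, fugr, _fm, context in calls:
        roles[(user, context)].add(fugr)
    return dict(roles)


def uncovered_calls(calls, roles):
    """Sufficiency check: every recorded call must be allowed by its user's
    proposed role (explicit group or wildcard), otherwise that interface
    would stop working once the new role goes live."""
    return [c for c in calls
            if not ({c[2], "*"} & roles.get((c[1], c[4]), set()))]


def is_covered(calls, roles):
    return not uncovered_calls(calls, roles)


if __name__ == "__main__":
    proposal = derive_roles(OBSERVED_CALLS)
    for (user, ctx), fugrs in sorted(proposal.items()):
        print(f"{user:<12} {ctx:<3} S_RFC RFC_TYPE=FUGR RFC_NAME={sorted(fugrs)} ACTVT=16")
    print("all observed calls covered:", is_covered(OBSERVED_CALLS, proposal))
    # Removing one group simulates the clean-up mistake the article warns about;
    # the check names the calls that would fail rather than letting go-live find out.
    broken = {k: set(v) for k, v in proposal.items()}
    broken[("RFC_CRM2ERP", "SD")].discard("ZSD_ORDER")
    print("calls broken by removing ZSD_ORDER:", uncovered_calls(OBSERVED_CALLS, broken))
```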
The three-day workshop during the preliminary phase, the three-month agent monitoring, the final go-live—everything at Audi went precisely according to plan: “The 500 connections had their new, cleaned-up authorizations assigned without disrupting operations—a successful project from our point of view,” reports Audi project manager Krebs. “Without automated tools like the Xiting Authorizations Management Suite, a clean-up project like that could not be carried out without risks,” concludes Patrick Bockel from Xiting. “That is why all of our customers so far have decided to keep and fully license the suite after completion of the project.” That gives the company the ability to continuously clean up not only the interfaces but also all background users (BTCH) and dialog users, thereby ensuring constant protection against abuse.
Originally published on news.sap.com in German.