A comprehensive analysis of transactions was performed to identify each transaction through which sensitive information could be accessed directly or through standard drill-down functionality. The authorizations for these transactions were assessed, and the authorization fields that could control access appropriately were identified. Using these authorization fields, the security model was redesigned to limit non-US citizens' access to sensitive data. User master records were flagged as belonging to US or non-US citizens. Governance processes and procedures were put into place to ensure that users continue to be assigned to the appropriate roles on an ongoing basis.
As part of the redesign, legacy security roles were scrutinized for functionality as well as for the flexibility to adapt to the client's changing requirements. Security and business process owners worked together to redefine global business functions to meet the requirements of the client's detailed business operations. Leveraging industry business process best practices together with in-depth knowledge of SAP security functionality, HBCG designed a security model that met the client's business requirements within a controlled and secure environment. Designing security around sound business processes not only created a more manageable security environment, but also brought to light numerous business issues previously overlooked by the client, including segregation-of-duties (SOD) conflicts between incompatible functions. Seemingly disparate client business units were united under a global strategy that could more easily adapt to the business's requirements.
In addition, HBCG assisted the client in selecting an SOD and controls-monitoring software package. Approva's BizRights tool allowed rules to be created that monitor the User Master Records (UMRs) belonging to non-US citizens against their data-level authorizations. The reports run on a scheduled, periodic basis (or ad hoc as needed) and notify data owners of any violations. This allows the business owners, who are ultimately accountable for the business controls, to continually monitor who has access to their data.