Platform Specific Controls

SAP HANA

SAP HANA is the in-memory database platform underneath SAP's Enterprise Resource Planning (ERP) business applications, which tightly integrate business processes across the organization and are available in the cloud. ERP applications are the cornerstone of any organization: its most critical business cycles and most sensitive data are usually managed in the ERP, so the risk inherent in these applications is critical and must be controlled effectively. Note that the controls listed below operate at the SAP application layer (transactions, roles, authorization objects such as S_DEVELOP, organizational levels such as company code BUKRS), not on the HANA database engine itself.

The following SAP HANA related controls are organized by control type.

Identity Governance

2 controls:

Control Title | Control Type | Risk Rating
Monitor locked users for more than 6 months that are not deleted | Identity Governance | High
Review read-only roles with write/execute/change access | Identity Governance | High

Least Privilege

56 controls:

Control Title | Control Type | Risk Rating
Enabler roles (organizational access) with transactions | Least Privilege | High
Monitor accounts having access to critical transactions for sensitive data screens (e.g. BOM) | Least Privilege | High
Monitor critical transactions usage counts | Least Privilege | High
Monitor critical transactions usage, role assignment, and role-user assignment | Least Privilege | High
Monitor dialog users with the number of authorization objects | Least Privilege | Medium
Monitor InfoProviders containing Company Code as the only characteristic | Least Privilege | High
Monitor InfoProviders that do not contain any of the characteristics | Least Privilege | Medium
Monitor InfoProviders (with queries) containing characteristics (key fields for security) where company code is not part of the selection criteria | Least Privilege | High
Monitor InfoCubes secured by Profit Center/Company Code | Least Privilege | Medium
Monitor queries restricted by Company Code and their usage in the InfoProviders list | Least Privilege | High
Monitor queries restricted by Company Code/Profit Center and their usage | Least Privilege | High
Monitor queries that are not restricted by Profit Center/Company Code | Least Privilege | High
Monitor roles with Company Code (BUKRS) and Profit Center as wildcards (*) | Least Privilege | High
Monitor roles with manually inserted authorizations that replace or append to the suggested standard authorizations | Least Privilege | Medium
Monitor roles with * (or pseudo wildcards) that give complete or excessive access | Least Privilege | Medium
Monitor roles with organizational access such as postings to legal entities | Least Privilege | Medium
Monitor roles with selected authorization objects (), fields () and values () | Least Privilege | Medium
Monitor roles with the number of unused transactions | Least Privilege | Medium
Monitor roles with their count of unused transactions | Least Privilege | High
Monitor roles with a wildcard (*) value that grants all levels of access for activity (i.e. create/change/delete etc.) | Least Privilege | Medium
Monitor S2P or R2R roles and accounts with usage | Least Privilege | High
Monitor Source to Pay (S2P) or Record to Report (R2R) roles with their child roles or transactions | Least Privilege | High
Monitor transactions associated with more than one role | Least Privilege | Medium
Monitor transactions not used in the last () days | Least Privilege | Medium
Monitor transactions with their security status | Least Privilege | Medium
Monitor unused transactions with their associated roles | Least Privilege | Medium
Monitor users and user groups that approve invoices | Least Privilege | High
Monitor users and user groups that can process asset write-offs | Least Privilege | High
Monitor users and user groups that can create asset master records | Least Privilege | High
Monitor users and user groups that can create customer master records | Least Privilege | High
Monitor users and user groups that can create material master records | Least Privilege | High
Monitor users and user groups that can create vendor master records | Least Privilege | High
Monitor users and user groups that can perform security administration activities – role maintenance | Least Privilege | High
Monitor users and user groups that can perform security administration activities – user master maintenance | Least Privilege | High
Monitor users and user groups that can perform treasury operations | Least Privilege | High
Monitor users and user groups that can post depreciation | Least Privilege | High
Monitor users and user groups that can process payments to vendors | Least Privilege | High
Monitor users and user groups that can process returns/refunds | Least Privilege | High
Monitor users and user groups that can process sales orders | Least Privilege | High
Monitor users and user groups that create bank master data | Least Privilege | High
Monitor users and user groups that perform invoice processing (from vendors) | Least Privilege | High
Monitor users and user groups with access to significant financial reporting transactions/financial statements | Least Privilege | High
Monitor users by position/title with process (OTC/STP/FIN etc.) role assignments | Least Privilege | High
Monitor users executing Business Intelligence (BI) reports | Least Privilege | Medium
Monitor users not in selected user group () having access to transactions () with change/update ability | Least Privilege | High
Monitor users that approve purchase orders | Least Privilege | High
Monitor users that process purchase orders | Least Privilege | High
Monitor users who are assigned SAP standard template roles | Least Privilege | High
Monitor users with access to high-risk SOX critical transactions | Least Privilege | High
Monitor users with access to joint ventures data | Least Privilege | High
Monitor users with access to program maintenance and the ABAP Workbench | Least Privilege | Critical
Monitor users with access to system administration transactions | Least Privilege | Critical
Monitor users with change permissions in critical authorization objects such as S_PROGRAM, S_DEVELOP, S_TABU_DIS, S_TABU_CLI, S_BTCH_JOB, S_BTCH_ADM | Least Privilege | Critical
Monitor users with Company Code (BUKRS) and Profit Center (PRCTR) as wildcards (*), which allows all levels of access | Least Privilege | High
Monitor users with security maintenance transactions | Least Privilege | Critical
Usage history for transaction(s) () and/or user(s) () | Least Privilege | High
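Two of the Least Privilege controls above (roles and users with BUKRS/PRCTR as wildcards or pseudo wildcards, and users with change permissions in critical authorization objects such as S_DEVELOP or S_BTCH_ADM) can be implemented directly against extracts of the ABAP authorization tables. The following is an added example, not code from the control catalog or from SAP: it runs the two checks over constructed sample rows laid out like AGR_1251 (role, object, field, LOW, HIGH, DELETED) and AGR_USERS (role, user). The mapping of each critical object to the field and values that mean "change" or "admin" is an assumption taken from the standard object definitions; verify it against SU21 on the system you audit.

```python
from collections import defaultdict

# Organizational-level fields checked by the wildcard controls.
ORG_FIELDS = {"BUKRS", "PRCTR"}

# Critical object -> (field carrying the activity, values meaning change/admin).
# Assumed from the standard SU21 definitions; verify on your own system.
CRITICAL_CHANGE = {
    "S_DEVELOP":  ("ACTVT",      {"01", "02", "06"}),  # create/change/delete objects
    "S_PROGRAM":  ("P_ACTION",   {"EDIT", "VARIANT"}), # maintain programs/variants
    "S_TABU_DIS": ("ACTVT",      {"02"}),              # change table contents
    "S_TABU_CLI": ("CLIIDMAINT", {"X"}),               # maintain cross-client tables
    "S_BTCH_JOB": ("JOBACTION",  {"RELE"}),            # release background jobs
    "S_BTCH_ADM": ("BTCADM",     {"Y"}),               # background administrator
}

# Constructed sample of AGR_1251: (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
AGR_1251 = [
    ("Z_FI_AP_CLERK", "F_BKPF_BUK", "BUKRS",     "1000", "",     ""),
    ("Z_FI_AP_CLERK", "F_BKPF_BUK", "ACTVT",     "03",   "",     ""),
    ("Z_FI_ALL",      "F_BKPF_BUK", "BUKRS",     "*",    "",     ""),   # full wildcard
    ("Z_FI_ALL",      "K_PCA",      "PRCTR",     "1*",   "",     ""),   # pseudo wildcard
    ("Z_FI_RANGE",    "F_BKPF_BUK", "BUKRS",     "0001", "9999", ""),   # open range
    ("Z_DEV_SUPPORT", "S_DEVELOP",  "ACTVT",     "02",   "",     ""),   # change
    ("Z_DEV_SUPPORT", "S_DEVELOP",  "DEVCLASS",  "*",    "",     ""),
    ("Z_DEV_SUPPORT", "S_TABU_DIS", "ACTVT",     "03",   "",     ""),   # display only
    ("Z_OLD_BASIS",   "S_BTCH_ADM", "BTCADM",    "Y",    "",     "X"),  # deleted row
    ("Z_BASIS_JOBS",  "S_BTCH_JOB", "JOBACTION", "*",    "",     ""),   # covers RELE
]

# Constructed sample of AGR_USERS: (AGR_NAME, UNAME)
AGR_USERS = [
    ("Z_FI_AP_CLERK", "JSMITH"),
    ("Z_FI_RANGE",    "JSMITH"),
    ("Z_FI_ALL",      "FICONTROLLER"),
    ("Z_DEV_SUPPORT", "DEVUSER"),
    ("Z_OLD_BASIS",   "DEVUSER"),
    ("Z_BASIS_JOBS",  "BASISOP"),
]


def classify_value(low, high):
    """None for a single specific value, else 'wildcard', 'range' or 'pseudo'."""
    if low == "*":
        return "wildcard"
    if high:                      # LOW..HIGH interval, e.g. 0001-9999
        return "range"
    if low.endswith("*"):         # pseudo wildcard, e.g. 1*
        return "pseudo"
    return None


def wildcard_org_levels(agr_1251):
    """Control: roles granting BUKRS/PRCTR as '*', a pseudo wildcard or a range."""
    findings = []
    for role, obj, field, low, high, deleted in agr_1251:
        if deleted or field not in ORG_FIELDS:
            continue
        kind = classify_value(low, high)
        if kind:
            findings.append((role, obj, field, low, high, kind))
    return findings


def values_match(low, high, wanted):
    """Does an authorization value (single, '*', pseudo or range) cover any wanted value?"""
    if low == "*":
        return True
    if high:
        return any(low <= w <= high for w in wanted)
    if low.endswith("*"):
        return any(w.startswith(low[:-1]) for w in wanted)
    return low in wanted


def users_with_critical_change(agr_1251, agr_users):
    """Control: users holding change/admin values on critical objects via their roles."""
    critical_by_role = defaultdict(set)
    for role, obj, field, low, high, deleted in agr_1251:
        if deleted or obj not in CRITICAL_CHANGE:
            continue
        crit_field, crit_values = CRITICAL_CHANGE[obj]
        if field == crit_field and values_match(low, high, crit_values):
            critical_by_role[role].add((obj, field, low + ("-" + high if high else "")))
    findings = defaultdict(set)
    for role, user in agr_users:
        for hit in critical_by_role.get(role, ()):
            findings[user].add((role,) + hit)
    return dict(findings)


if __name__ == "__main__":
    for f in wildcard_org_levels(AGR_1251):
        print("ORG-LEVEL %-8s role=%s %s/%s = %s%s" % (f[5], f[0], f[1], f[2], f[3], "-" + f[4] if f[4] else ""))
    for user, hits in sorted(users_with_critical_change(AGR_1251, AGR_USERS).items()):
        for role, obj, field, value in sorted(hits):
            print("CRITICAL user=%s role=%s %s/%s = %s" % (user, role, obj, field, value))
```

Deleted rows (DELETED = 'X') are skipped because they no longer grant anything; the range and pseudo-wildcard branches exist because "*" is not the only way to grant every company code, which is what the "pseudo wildcards" control above is looking for. In a real run the two sample lists would be replaced by extracts of AGR_1251 and AGR_USERS (via SE16, a table export, or an RFC read), and the findings fed into the review workflow for the roles and users listed.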

Password controls

2 controls:

Control Title | Control Type | Risk Rating
Monitor accounts that cannot change their password | Password controls | Medium
Monitor all accounts for which the password never expires | Password controls | Medium

Process controls

3 controls:

Control Title | Control Type | Risk Rating
Monitor purchase orders with three-way match not activated | Process controls | High
Monitor users that can post journal entries | Process controls | High
Monitor users with the ability to open and close posting periods | Process controls | High