Tuesday, 27 August 2019 16:04

SAP_ALL is the supreme power, but poses a major risk Featured

We’re probably all aware of the potential risk incurred in having the SAP_ALL profile in a user’s authorizations. This authorization profile allows the user access to perform an almost unlimited number of tasks within an SAP system, which needless to say should be highly restricted for a select trusted few.  However, SAP_ALL is not the only dangerously powerful profile, there are many others such as:  SAP_NEW, S_A.ADMIN and S_A.SYSTEM.

The assignment of these security critical authorization profiles, generates huge risks by granting broadly sweeping, and often overly powerful authorizations. It also directly exposes an organization to the risk of fraud- and other cyber vulnerabilities. Although most organizations take diligent measures to restrict the assignment of critical profiles through strict policies, the reality is that these policies often fail and unintended profiles are assigned. Typically, the assignment of a critical authorization is often only identified as a threat during an audit or even worse, while investigating an actual exploit.

But at what point does due diligence typically fail?  Our experience has shown that the most common weak spots are:

  • While converting written policies into a technical setup. A practical example here might be that: SAP_ALL has not been assigned directly though the authorization, and may be inherited indirectly, when creating users by reference.
  • A lack of regular validation, checking for compliance against the stipulated policy. Even a regular authorization audit may not be sufficient, for example, to highlight an authorization coverup.
  • Reviewing the effectiveness of the policy periodically, validating it against the practical execution. Those establishing the rules should also methodically apply the policy in day- to- day operations.

The effort required to continuously validate whether critical assignments slipped through the net is often the main reason why most organizations continually struggle to control a basic, albeit major, SAP vulnerability.


SAP_ALL does not mean SAP for all !

Automate Security

There’s a compelling argument for having SAP security automated with systems monitored, 24/7. Security threats, including critical authorization assignments and cover-ups, can be identified in real-time. Once a vulnerability is identified, your administrators would receive an instant notification and the threat  can be remediated before any harm is done, without human intervention.
Let’s look at a basic use-case delivered by the SecurityBridge Intrusion Detection System.

In the example below, user “Blogger” requires additional authorizations in production. Since the authorization is only temporary and time critical, ”Blogger” decides not to follow the established procedures for getting an approved and documented support account. Instead “Blogger” checks with a co-worker who reluctantly agrees to assign the critical profile, as is illustrated in this post.

Immediately after the assignment of the critical profile, an email alert was sent to the system administrator. The assignment culprit was caught red handed.

SAP ALL Alert email

The timely identification of exploits and vulnerabilities is of utmost importance, and should be preferably be in real-time. However, when an organization’s security is at stake, automated response capabilities are the ideal scenario. Below is a screenshot from the SecurityBridge monitoring app, showing the action log linked to the initial alert.

Action Log

Immediately after the identification of the authorization allocation, SecurityBridge removed SAP_ALL from “Blogger”.

The use of automated response capabilities not only reduces manual efforts in remediation; it protects against human error and eliminates potentially devastating risk.

Additional Info

  • Language:: English
Christoph Nagy

Christoph Nagy

My name is Christoph Nagy. I am founder and managing director of ABEX - NCMI GmbH. We develop strategic security solutions for our customers, enabling them to perform automated analysis of security settings and to detect cyber-attacks against SAP© in real-time.

Email This email address is being protected from spambots. You need JavaScript enabled to view it.