Critical authorizations and sensitive authorizations are two types of authorizations in SAP security. The main difference between the two is the level of risk associated with each authorization.
Critical authorizations are authorizations that provide unrestricted access to sensitive data and transactions. Access to these authorizations can lead to fraud, financial loss, and reputational damage to the organization. Examples of critical authorizations include:
To identify and mitigate risks associated with critical authorizations, organizations should apply the principle of least privilege, granting users only the minimum level of access necessary to perform their job responsibilities. In addition, regular access reviews should be conducted to ensure that users do not retain authorizations that are no longer required.
Sensitive authorizations are authorizations that provide access to sensitive data and transactions that require additional monitoring and control. While not as high-risk as critical authorizations, these authorizations still have the potential to cause harm to the organization. Examples of sensitive authorizations include:
To identify and mitigate risks associated with sensitive authorizations, organizations should implement a segregation of duties (SoD) policy. This policy ensures that no single user holds a combination of sensitive transactions and sensitive data access that would allow them to commit fraud or other malicious activities on their own.
For example, suppose a user has access to the vendor master record maintenance transaction (FK01) and the ability to post accounting documents (FB01) in the SAP system. This SoD conflict could allow the user to create a fictitious vendor, post invoices to that vendor, and then approve the payment for that invoice. This could result in financial loss and reputational damage to the organization.
Furthermore, suppose a user is granted the SAP_ALL authorization without undergoing proper due diligence. This would give the user complete access to all SAP transactions and data, allowing them to make changes to critical information and potentially carry out cyber attacks.
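The two review checks described above (the FK01/FB01 SoD conflict and users holding SAP_ALL) can be run against an exported list of user assignments. The following is an added example, not code from the original article or from SAP; the rule set, user names and assignments are constructed, and a user with SAP_ALL is treated as effectively holding every transaction in the rule set.

```python
# Constructed SoD rule set: pairs of transaction codes one user should not hold together.
# FK01 (vendor master maintenance) + FB01 (post accounting document) is the conflict
# described in the text. Keys are frozensets so the pair order does not matter.
SOD_RULES = {
    frozenset({"FK01", "FB01"}): "create a vendor and post invoices against it",
}

# Profiles treated as critical; SAP_ALL grants access to all transactions and data.
CRITICAL_PROFILES = {"SAP_ALL"}

def find_sod_conflicts(tcodes, rules=SOD_RULES):
    """Return the SoD rules violated by one user's set of transaction codes."""
    held = set(tcodes)
    return sorted(
        (tuple(sorted(pair)), desc) for pair, desc in rules.items() if pair <= held
    )

def review_user(user, tcodes, profiles):
    """Produce audit findings for one user: critical profiles first, then SoD conflicts."""
    findings = []
    effective = set(tcodes)
    for profile in sorted(set(profiles) & CRITICAL_PROFILES):
        findings.append(f"{user}: CRITICAL profile {profile} grants unrestricted access")
        # A critical profile implies every transaction in the rule set is reachable.
        effective |= set().union(*SOD_RULES)
    for pair, desc in find_sod_conflicts(effective):
        findings.append(f"{user}: SoD conflict {'+'.join(pair)} ({desc})")
    return findings

# Constructed sample of user assignments (not real SAP data). Assumed shape: each
# user maps to the transaction codes and profiles assigned to them.
USERS = {
    "jdoe": {"tcodes": {"FK01", "FB01", "FB03"}, "profiles": set()},
    "asmith": {"tcodes": {"FB03"}, "profiles": {"SAP_ALL"}},
    "bwong": {"tcodes": {"FK01", "FB03"}, "profiles": set()},
}

def run_review(users=USERS):
    """Run the review over all users and return the combined list of findings."""
    findings = []
    for user, assignment in sorted(users.items()):
        findings.extend(review_user(user, assignment["tcodes"], assignment["profiles"]))
    return findings

if __name__ == "__main__":
    for line in run_review():
        print(line)
```

Only jdoe and asmith produce findings: bwong holds FK01 but not FB01, so no rule is triggered.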
It is crucial to identify and mitigate the risks associated with these types of authorizations to maintain the integrity and security of an SAP system.