SAP S/4HANA Security and Project Challenges

Organizations need to be aware of the SAP S/4HANA security challenges as they prepare for SAP's 2025 deadline for converting SAP ECC and other older SAP systems to SAP S/4HANA.  The 2025 deadline is for implementing the SAP S/4HANA application, not just the SAP HANA in-memory database.  Of course, the standard system development lifecycle processes should be followed as well.  Below is a checklist to help with a successful migration to SAP S/4HANA:

  1. Do not treat SAP S/4HANA as just an upgrade.  Treat it as a major project.  Organizations are devoting multiple months, and even multiple years, to the change.  Custom code and security will need to be updated.  Dedicate a budget of skilled IT and business resources, and adequate time, to set the foundation for project success.
  2. Involve the organization's SAP security group from the start.  Even if an external implementer is assisting with the project, the internal SAP security group should drive the strategy, standards and controls that make the project successful.  Transaction changes are found throughout the SAP S/4HANA business processes; however, many transactions remain the same.  Existing roles should be leveraged as much as possible as a starting point.
  3. Internal and external auditors should be involved early in the project.  Auditors will work with the project team by advising on security and control requirements.  Do not hesitate to ask the auditors to review security and controls both prior to and after go-live.
  4. Spend time reviewing the "Simplification List for SAP S/4HANA" whitepaper written by SAP.  SAP S/4HANA simplifies the SAP environment and prepares it for future innovations.  These changes are documented in this 900-plus-page reference document.
  5. Ensure the added and removed transactions and SAP tables are properly updated and tested in the SAP security roles.
  6. Custom SAP reports need to be thoroughly identified, evaluated, updated and tested.  Organizations need to know their custom code, but they also need to evaluate its future usage.  Valuable time and resources should not be wasted on custom reports that will no longer be used in SAP S/4HANA.  Custom reports that will continue to be used need to be updated and tested.
  7. If possible, avoid implementing SAP S/4HANA close to the end of the fiscal year.  Surprises may arise that delay the project or increase the post-go-live cleanup.  This is a good rule for any large project, though, and especially for organizations that must comply with the Sarbanes-Oxley Act.
  8. Plan to be compliant with production controls on day one.  For example, the formal production transport change management process, with the production-restricted client settings (transaction SCC4), should be in place at go-live.  The client settings should also be set to enforce logging.  Security settings and processes should also be restricted and established, including setting passwords according to company policy, enforcing the production security provisioning processes (adding and removing access), appropriately restricting the SAP_ALL profile and other privileged access, evaluating whether service accounts can be changed to system accounts, and completing a formal, approved security baseline of users and roles prior to go-live.
  9. Developer keys are no longer used in SAP S/4HANA, so organizations need to re-evaluate their segregation of duties around transports.  In the past, developer keys may have mitigated a transport risk (for example, the Basis team having developer access in the development environment and the ability to push transports to the production environment, but no developer key).  For SAP S/4HANA, however, organizations may need to implement a mitigating control that validates that the same user is not both creating and moving the same transport to the production environment.
  10. SAP GRC controls need to be updated.  The segregation-of-duties (SOD) rule set needs to be updated with the transactions being added and removed, and SOD conflicts within SAP S/4HANA should also be evaluated.  Extra attention should be devoted to the vendor maintenance authorizations, because SAP consolidated vendor master maintenance into the Business Partner ("BP") transaction.  Mitigating controls should be considered for SOD conflicts where access cannot be separated.  The firecall process should also be reviewed to ensure that only appropriate users can request firecall accounts, since those accounts provide elevated access.
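The transport control described in item 9 can be implemented as a detective check over exported transport and import records, plus a preventive check over user authorizations. The following is an added example written for this page, not code from the article or from SAP; the records are constructed sample data shaped like exports of the transport owner (E070) and the STMS import history, the field names and the authorization values treated as "develop" and "import" (S_DEVELOP, S_CTS_ADMI with IMPA/IMPS) are assumptions to confirm against your own rule set.

```python
"""Added example (not from the original article): detective and preventive
checks for transport segregation of duties in SAP S/4HANA.

Without developer keys the control becomes: no one may both author a transport
and import that same transport into production. All records below are
constructed sample data; field names and authorization values are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transport:
    request: str       # transport request ID, e.g. DEVK900101
    owner: str         # request owner (AS4USER in E070, assumed)
    released_by: str   # user who released the request in DEV


@dataclass(frozen=True)
class ImportEvent:
    request: str
    target: str        # target system ID
    imported_by: str   # user who started the import in STMS


# Constructed sample data.
TRANSPORTS = [
    Transport("DEVK900101", "DEV_ANN", "DEV_ANN"),
    Transport("DEVK900102", "DEV_BEN", "DEV_BEN"),
    Transport("DEVK900103", "BASIS_CAL", "BASIS_CAL"),  # Basis user wrote code
    Transport("DEVK900104", "DEV_ANN", "DEV_DAN"),      # released by a colleague
]
IMPORTS = [
    ImportEvent("DEVK900101", "QAS", "DEV_ANN"),        # QA import by author: tolerated
    ImportEvent("DEVK900101", "PRD", "BASIS_CAL"),      # clean
    ImportEvent("DEVK900102", "PRD", "BASIS_CAL"),      # clean
    ImportEvent("DEVK900103", "PRD", "BASIS_CAL"),      # author imported own transport
    ImportEvent("DEVK900104", "PRD", "DEV_DAN"),        # releaser imported it
    ImportEvent("DEVK900199", "PRD", "BASIS_CAL"),      # no matching request record
]


def transport_sod_violations(transports, imports, prod="PRD"):
    """Detective control: production imports where the importer also owned or
    released the same request, plus imports of requests the export does not
    know about (an incomplete log is itself a finding)."""
    by_request = {t.request: t for t in transports}
    findings = []
    for ev in imports:
        if ev.target != prod:
            continue
        t = by_request.get(ev.request)
        if t is None:
            findings.append((ev.request, ev.imported_by, "no request record"))
        elif ev.imported_by in {t.owner, t.released_by}:
            role = "owner" if ev.imported_by == t.owner else "releaser"
            findings.append((ev.request, ev.imported_by, f"{role} imported own transport"))
    return findings


# Preventive control: authorization values that let one user both develop and
# import. The object names are the standard ones; which values count as
# "develop" or "import" in your environment is an assumption to confirm.
DEVELOP_AUTH = ("S_DEVELOP", {"01", "02"})      # create/change repository objects
IMPORT_AUTH = ("S_CTS_ADMI", {"IMPA", "IMPS"})  # import all / import single

USER_AUTHS = {  # constructed: user -> {authorization object: field values}
    "DEV_ANN": {"S_DEVELOP": {"01", "02", "03"}},
    "BASIS_CAL": {"S_DEVELOP": {"02"}, "S_CTS_ADMI": {"IMPA", "TABL"}},
    "BASIS_EVE": {"S_CTS_ADMI": {"IMPS"}, "S_DEVELOP": {"03"}},  # display only
}


def users_able_to_develop_and_import(user_auths):
    """Users who could violate the control before any transport exists."""
    def has(auths, spec):
        obj, values = spec
        return bool(auths.get(obj, set()) & values)
    return sorted(u for u, a in user_auths.items()
                  if has(a, DEVELOP_AUTH) and has(a, IMPORT_AUTH))


if __name__ == "__main__":
    for finding in transport_sod_violations(TRANSPORTS, IMPORTS):
        print("VIOLATION", *finding)
    print("develop+import:", users_able_to_develop_and_import(USER_AUTHS))
```

Run against real exports, the detective check is the evidence an auditor will ask for after go-live; the preventive check is what lets the security group remove the combination before it is ever used. Imports into QA by the author are deliberately not flagged, since the control in the article is about production.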
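Items 5 and 10 come together when the SOD rule set is re-based on S/4HANA transactions: the vendor master transactions (XK01/XK02/XK03 and their FI and MM variants) redirect to BP, which also covers display, so a rule keyed on transaction codes alone will flag display-only users and the "vendor maintenance" function has to be expressed at the authorization level (ACTVT 01 create, 02 change, 03 display) instead. The following is an added example written for this page, not code from the article or from SAP GRC; the roles, users and rule set are constructed, the replacement map is an illustrative subset of the Simplification List, and the way roles carry ACTVT values is a simplification of what AGR_1251 actually exports.

```python
"""Added example (not from the original article): re-basing an SOD rule set
and the roles it governs on S/4HANA transactions, using constructed data.
"""

# Item 5: retired transactions and their S/4HANA successor (illustrative
# subset of the Simplification List, not the full mapping).
TCODE_REPLACEMENT = {t: "BP" for t in (
    "XK01", "XK02", "XK03", "FK01", "FK02", "FK03", "MK01", "MK02", "MK03")}

# Constructed roles: transaction codes plus the ACTVT values the role grants
# on the vendor / business partner authorization objects (shape assumed).
ROLES = {
    "Z_AP_VENDOR_MAINT":   {"tcodes": {"XK01", "XK02"}, "actvt": {"01", "02", "03"}},
    "Z_AP_VENDOR_DISPLAY": {"tcodes": {"XK03", "FK03"}, "actvt": {"03"}},
    "Z_AP_PAYMENT_RUN":    {"tcodes": {"F110", "FBZP"}, "actvt": set()},
    "Z_AP_CLERK":          {"tcodes": {"BP", "F110"}, "actvt": {"02", "03"}},
}
USERS = {  # constructed user -> role assignments
    "ALICE": {"Z_AP_VENDOR_MAINT"},
    "BOB":   {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"},
    "CAROL": {"Z_AP_CLERK"},
    "DAVE":  {"Z_AP_VENDOR_DISPLAY", "Z_AP_PAYMENT_RUN"},
}

# Item 10: ECC-era rule set. A function is a set of transaction codes; a rule
# names two functions that one user must not hold together.
ECC_FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02", "MK01", "MK02"},
    "VENDOR_PAYMENT": {"F110"},
}
SOD_RULES = [("VENDOR_MAINTAIN", "VENDOR_PAYMENT")]


def roles_with_retired_tcodes(roles):
    """Item 5: roles still carrying retired transactions, with the replacement
    each one needs, so the role can be rebuilt and retested."""
    retired = set(TCODE_REPLACEMENT)
    return {
        role: {t: TCODE_REPLACEMENT[t] for t in sorted(r["tcodes"] & retired)}
        for role, r in roles.items() if r["tcodes"] & retired
    }


def remap_functions(functions):
    """Mechanical rewrite of the rule set in S/4HANA codes: every vendor
    function collapses to {"BP"}, with no activity requirement yet."""
    return {name: {"tcodes": {TCODE_REPLACEMENT.get(t, t) for t in tcodes},
                   "actvt": None}
            for name, tcodes in functions.items()}


def s4_functions(functions):
    """S/4HANA rule set: BP only counts as vendor maintenance together with a
    create or change activity on the vendor objects."""
    out = remap_functions(functions)
    out["VENDOR_MAINTAIN"]["actvt"] = {"01", "02"}
    return out


def user_access(user, users, roles):
    """Effective transactions (remapped to S/4HANA) and activities of a user."""
    tcodes, actvt = set(), set()
    for role in users[user]:
        tcodes |= {TCODE_REPLACEMENT.get(t, t) for t in roles[role]["tcodes"]}
        actvt |= roles[role]["actvt"]
    return tcodes, actvt


def holds(access, func):
    """True when the access covers a function's tcodes and, if the function
    requires one, at least one of its activities."""
    tcodes, actvt = access
    if not tcodes & func["tcodes"]:
        return False
    return func["actvt"] is None or bool(actvt & func["actvt"])


def sod_conflicts(users, roles, functions, rules=SOD_RULES):
    """Users holding both sides of any rule under the given rule set."""
    hits = []
    for user in users:
        access = user_access(user, users, roles)
        if any(holds(access, functions[a]) and holds(access, functions[b])
               for a, b in rules):
            hits.append(user)
    return sorted(hits)


if __name__ == "__main__":
    print("roles to rebuild:", roles_with_retired_tcodes(ROLES))
    # The mechanical remap flags DAVE, who can only display vendors.
    print("tcode-only conflicts:", sod_conflicts(USERS, ROLES, remap_functions(ECC_FUNCTIONS)))
    # With the activity requirement the display-only user drops out; BOB and
    # CAROL remain and need a role split or a documented mitigating control.
    print("S/4HANA conflicts:", sod_conflicts(USERS, ROLES, s4_functions(ECC_FUNCTIONS)))
```

The difference between the two conflict lists is the point of the exercise: after the BP consolidation the transaction code no longer separates display from maintenance, so the rule set (and any GRC tool that evaluates it) has to look at authorization objects and activities, and whatever still conflicts after that is where the article's mitigating controls come in.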

You've heard our thoughts; we want to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we are particularly interested in what you have to say. If you have a question or a comment about this article, or any article from the Our Thoughts On blog, we hope you'll share it with us. After all, a dialogue is an exchange of ideas, and we'd like to hear from you.


©2024 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
