Introduction to Access Risk Controls for SAP

The Access Risk Controls for SAP (ARCS) engine extends the capabilities of ARC to the authorization framework of SAP systems, enabling SoD analysis based on the transactions of the SAP system.

The activity-based SoD model defines SoD conflicts in terms of high-level business-oriented activities. This approach allows business experts to define and maintain SoD policy separately from the low-level entitlements, which are administered by IT specialists.

Starting from the activity-based SoD model of an organization, ARCS supports native inspection of both the SAP roles involved in the modeled activities and the low-level SAP authorization objects.

The ARCS module enables you, using the functions implemented by the RBAC engine of the ISIG platform, to assign cluster roles to users of an SAP system; cluster roles are defined as aggregates of SAP roles.

A generic SAP role is composed of a specific set of transactions (T) and authorization objects (AO).

The transaction object is a specific type of AO that determines the elementary operation the user performs on the system.

The real access privileges a user has on an SAP system do not depend exclusively on the enabled transactions; they derive from the specific combination of AOs associated with the transaction.

The transaction is the main object that determines what a user is enabled to do, but on its own it is not sufficient: it is necessary to analyze the combined presence of multiple AOs, which determine what the user can operate on, and how, when using the transaction.

The ARCS module can therefore perform a transaction-oriented SoD analysis that considers the AO combinations that can significantly modify the behavior of a transaction.
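The following Python model is an added illustration, not ARCS code, of why the analysis must combine transactions with their AO field values rather than look at transaction codes alone: two cluster roles enable the same FK01 + FB60 transactions, but only the one that also grants the create value (ACTVT 01) on the vendor master AO actually enables both conflicting activities. The role, activity and policy structures, the Z_ sample roles and the activity definitions are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed model: the shapes below are illustrative assumptions, not the ARCS schema.
@dataclass
class SapRole:
    name: str
    transactions: set           # transaction codes enabled by the role (via S_TCODE)
    auth_objects: dict          # AO name -> {field name -> set of granted values}

@dataclass(frozen=True)
class Activity:
    name: str
    transaction: str
    required: tuple             # (AO, field, value) triples that must all be granted

# Business-level activities and SoD policy (constructed sample values).
ACTIVITIES = (
    Activity("Maintain vendor master", "FK01", (("F_LFA1_APP", "ACTVT", "01"),)),
    Activity("Display vendor master", "FK03", (("F_LFA1_APP", "ACTVT", "03"),)),
    Activity("Post vendor invoice", "FB60", (("F_BKPF_BUK", "ACTVT", "01"),)),
)
SOD_POLICY = (frozenset({"Maintain vendor master", "Post vendor invoice"}),)

def merge_roles(roles):  # cluster role = aggregate of SAP roles: one T set, one AO map
    transactions, aos = set(), {}
    for role in roles:
        transactions |= role.transactions
        for ao, fields in role.auth_objects.items():
            for fld, values in fields.items():
                aos.setdefault(ao, {}).setdefault(fld, set()).update(values)
    return transactions, aos

def enabled_activities(roles):  # activity needs its transaction AND its AO field values
    transactions, aos = merge_roles(roles)
    return {
        act.name for act in ACTIVITIES
        if act.transaction in transactions
        and all(val in aos.get(ao, {}).get(fld, ()) for ao, fld, val in act.required)
    }

def sod_conflicts(roles):  # SoD policy pairs whose activities are both enabled
    enabled = enabled_activities(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_POLICY if pair <= enabled)

# Constructed sample roles: both clusters below enable FK01 + FB60, but only the
# second one carries ACTVT 01 on F_LFA1_APP, so only it raises the conflict.
AP_CLERK = SapRole("Z_AP_CLERK", {"FB60"}, {"F_BKPF_BUK": {"ACTVT": {"01"}}})
VENDOR_VIEW = SapRole("Z_VENDOR_VIEW", {"FK01", "FK03"}, {"F_LFA1_APP": {"ACTVT": {"03"}}})
VENDOR_MAINT = SapRole("Z_VENDOR_MAINT", {"FK01"}, {"F_LFA1_APP": {"ACTVT": {"01", "02"}}})
```

`sod_conflicts([AP_CLERK, VENDOR_VIEW])` returns no conflict because FK01 is display-only there, while `sod_conflicts([AP_CLERK, VENDOR_MAINT])` returns the vendor-maintenance/invoice-posting pair.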