SAP Field Based Authorization Solution – MBIS aura

Arif Arifoğlu
R&D Center Team Leader

In-house authorizations and data privacy are essential topics for almost every institution. For this reason, you have probably managed user authorizations with the SAP authorization architecture until now. However, because SAP’s user authorization architecture works only on a functional and organizational basis, it may be insufficient for more comprehensive authorization needs.

At this point, we offer aura, which takes SAP’s role-based authorization approach to a higher level and allows you to authorize every field in your SAP systems.

Figure: Comparison of SAP and MBIS with Authorization Application (MBIS R&D Center Solutions | Protecting User Data & Authorization)
●	Functional authorization: Purchase order, Stock movement, Invoice entry, HR reporting
●	Organizational authorization: Production site 1, 2, 3, 4
●	MBIS Field-Based authorization: Screen, Domain

SAP’s General Authorization System

The general authorization system of SAP is a 5-layer structure based on the ‘role-based access control’ methodology, consisting of user, profile, authorization, authorization object, and object class. This structure allows authorizations to be managed on a functional and organizational basis in a very practical way, so employees can easily be separated according to their duties in the company or their location.

This system, which originally operated quite successfully, has come to be seen as inadequate because of changes in the quality and sensitivity of data (big data, regulations on data management, and the importance of protecting personal data). As a result, field-based authorization approaches and the need for granular management of data have emerged.

At the same time, automation in SAP systems is increasing rapidly. Although this gives companies an excellent opportunity to manage increasing transaction volume, it also makes companies harder to audit and more vulnerable to abuse. Hence, it requires tighter authorization management.

Risks Taken In The Case of No Field-Based Authorization

Many risks can arise in an SAP system where only role-based authorization is available. For example, when an over-authorized employee consciously or unconsciously makes a 1% change in the exchange rate, determining the resulting damage in the invoices will be a very difficult and long process. Likewise, a small change in your purchasing contracts without your knowledge, or the leak of a project you have been working on for a long time by someone else, will cause difficult processes for both you and your organization.

On the other hand, you can avoid all these risks with aura, the special software created by MBIS for exactly this purpose.

What is aura?

aura is special MBIS software that allows you to define hundreds of field-based authorization rules. It contains more than 30 predefined rule sets that institutions frequently control in their audit practices, and it also allows you to cover the fields critical to your business with aura rules and authorize only certain users or user groups to access these fields. Thus, unlike the standard SAP system, it enables dynamic, field-level authorization and field hiding for standard or non-standard screens in SAP.

Field-Based Authorization with aura

aura allows you to easily manage this service in 4 steps and process it within hours.

1. Rule Definition

The SAP screens, applications, and transaction codes to be authorized on a field basis are determined. Rules can be created for hiding fields, closing them to change, making them mandatory, and masking them (if SAP UI Masking is used), based on defined user roles. You can use the predefined rules or create your own.

2. Condition Definition

Using aura’s comparison operators (less than, greater than, equal, etc.) on the display fields (Num, Date, Char), you can create a single condition or, when needed, a chained condition linked with AND / OR. In this way, the rules, filters, and exceptions that will form the basis for attribute-based authorization are determined.

3. Role Definition

The rule defined in aura is created as an SAP user role. Defined roles are added to SAP GRC processes (if GRC is used). In this way, you can link the authorizations for your critical processes to workflows.

4. Role Assignments

This is the final stage: the authorizations generated with aura are assigned to users. The result is the following workflow.

Figure: aura Authorization Workflow
User access requests
●	SAP Functional Authority check / SAP Organizational Authority check
●	aura Business Rules check
●	aura Condition check
●	Hide / Mask / Close to change / Make mandatory field
●	SAP screen / Domain / Column
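
The four steps and the workflow above, sketched as an added conceptual model in Python; it is not aura's code or API. The field names, the role name `Z_PO_TERMS_EDIT`, the exemption semantics (holders of a rule's role are not restricted, everyone else is, including SAP_ALL) and the fail-closed handling of conditions that cannot be evaluated are assumptions made for illustration.

```python
import operator
from dataclasses import dataclass
from datetime import date

OPS = {"lt": operator.lt, "gt": operator.gt, "eq": operator.eq}

def matches(cond, doc):
    """cond is ("AND"|"OR", [conds]) or a leaf (field, op, value)."""
    if cond[0] in ("AND", "OR"):
        results = [matches(c, doc) for c in cond[1]]
        return all(results) if cond[0] == "AND" else any(results)
    field, op, value = cond
    return OPS[op](doc[field], value)  # KeyError if the field is absent

@dataclass
class Rule:
    screen: str       # transaction code the rule is bound to
    field: str        # field to restrict
    action: str       # "hide" | "mask" | "read_only" | "mandatory"
    condition: tuple  # chained condition over Num / Date / Char fields
    exempt_role: str  # role generated from the rule (assumed semantics)

def resolve(user, screen, org, doc, rules):
    """Return None if SAP's own checks deny access, else {field: action}."""
    # 1. SAP functional and organizational checks come first.
    if screen not in user["tcodes"] or org not in user["orgs"]:
        return None
    actions = {}
    for r in rules:
        # 2. Business rule check: rule is for this screen, user not exempt.
        if r.screen != screen or r.exempt_role in user["roles"]:
            continue
        # 3. Condition check; fail closed if it cannot be evaluated.
        try:
            hit = matches(r.condition, doc)
        except (KeyError, TypeError):
            hit = True
        if hit:
            actions[r.field] = r.action  # 4. action applied to the field
    return actions

# Constructed sample data (hypothetical field and role names).
RULES = [Rule("ME22N", "payment_terms", "read_only",
              ("AND", [("net_value", "gt", 10000),
                       ("OR", [("currency", "eq", "USD"),
                               ("doc_date", "lt", date(2024, 1, 1))])]),
              "Z_PO_TERMS_EDIT")]
BUYER = {"tcodes": {"ME22N"}, "orgs": {"1000"}, "roles": {"SAP_ALL"}}
LEAD = {"tcodes": {"ME22N"}, "orgs": {"1000"}, "roles": {"Z_PO_TERMS_EDIT"}}
PO = {"net_value": 25000, "currency": "EUR", "doc_date": date(2023, 6, 1)}
```

With this data, `resolve(BUYER, "ME22N", "1000", PO, RULES)` locks `payment_terms` for the buyer, while the same call for `LEAD` returns no restrictions.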

What are the Technical Features of aura?

This software, which will provide data security and privacy to your organization, brings many features with it.

Rule & Condition & Authorization Definition

In addition to the ready-made rule set of more than 30 predefined rules based on best practices, aura lets you define rules for displaying fields, hiding them, making them mandatory, and masking them (if the SAP UI Masking plug-in is installed).

In cases where SAP UI Masking is in use, you can authorize the masking of the areas you want by using the masking feature. Moreover, with the column-based authorization feature, you can authorize columns in aura, ALV, List View, and other report types based on rule and condition.

Easy Setup

Since aura is an SAP-compliant solution, it can be added directly to the SAP system as an add-on without requiring a separate server, and it allows you to easily manage it from a single screen.

Integration

Through GRC integration, each business rule defined in aura can be assigned to a role, and these roles can be linked to workflows in the GRC system. aura can also easily be used for non-standard (Z) screens. In addition, aura – UI Masking integration is available so that the field-based rules can be used in Fiori and Web Dynpro applications.

User Friendly

aura offers the best user experience with its easy-to-use management cockpit where rule and condition definitions are managed.

Security

Security, one of the essential elements for organizations, is provided by a system that even covers users with SAP_ALL profiles and prevents them from seeing or changing the hidden area.

aura Predefined Rule Set

aura’s predefined field-based rule set of 32 rules, mentioned above, steps in where SAP’s standard authorization system is inadequate. It helps prevent the reporting and monitoring of critical data of many organizations, eliminates the irregular control environment caused by managing field-based authorization needs with non-standard developments, and ensures that field-based authorization rules are managed from a risk perspective through workflows.

Example Uses for aura

Examples of aura’s field-based authorization rules:

  • Hiding material and quantity information in the bill of materials
  • Changing the material definition in purchasing documents
  • Preventing changes to payment terms and currency configurations in purchase documents
  • Preventing changes to shipping information (incoterm, shipping port, etc.) on purchase documents
  • Preventing changes to the alternative payee field on purchase invoices
  • Prevention of main account changes in purchase documents
  • Prevention of unlimited delivery clogging in purchase orders
  • Preventing changes to goods receipt indicators that come from customizing in purchase orders
  • Closing the GR (goods receipt) Not Valued and GR-Based Invoice Control parameters to change in the purchase order
  • Preventing the change of critical data such as vendor reconciliation account, tax office, tax number, bank, payment term, and IBAN number
  • Preventing changes to the “Purchase value key” in the material master data purchase view
  • Preventing changes to the delivery time, payment terms, ‘Invoice Control Based on Goods Receipt’ indicator, and net price information in the purchase information record
  • Hiding price cost information in material inventory report (MB52)
  • Preventing changes to the useful life and fixed asset class information in the fixed asset master data
  • Prevention of unplanned supply ancillary costs
  • Preventing entry to the posting date field in purchase invoices
  • Preventing the recording date field from being changed on the material movements screen
  • Prevention of entering currency information field in purchase invoices
  • Changing the material definition in the sales order
  • Changing payment terms in sales documents
  • Hiding prices in sales reports
  • Preventing changes to customer group (Dealer, agent) fields in sales documents
  • Preventing changes to pricing and invoicing dates in sales documents
  • Preventing changes to payment terms in invoice documents
  • Currency entry and change in sales documents
  • Change of address and information of “Receiving the Goods” on delivery
  • Preventing changes to the record date fields in Sent Delivery and other material transactions
  • Preventing changes to the registration dates in sales and accounting invoices
  • Preventing changes to the IBAN, payment terms, bank and tax office information in the customer master data
  • Prevention of main account changes in sales documents

With aura, you can decide whether the data can be accessed or not, even at the time of the transaction, and you can also authorize based on order and spending limits, so you can create an access limit according to your preferences.

By integrating MBIS’s SAP-compatible authorization and Turkish Personal Data Protection Law solution aura into all your processes within a few hours, you can ensure in-house data privacy and security.

Contact us to meet aura or to get more detailed information.
