In-house authorizations and data privacy are essential topics for almost every institution. For this reason, you may have provided user authorizations using the SAP authorization architecture until now. However, because SAP's user authorization architecture works only on a functional and organizational basis, it may be insufficient for more comprehensive authorization needs.
At this point, we offer you aura, which takes SAP's role-based authorization approach to a higher level and allows you to authorize every field in your SAP systems.
The general authorization system of SAP is a 5-layer structure based on the 'role-based access control' methodology, comprising user, profile, authorization, authorization object, and object class. This structure allows authorizations to be managed on a functional and organizational basis in a very practical way, so employees can easily be separated according to their duties in the company or their location.
This system originally operated quite successfully, but it has been found inadequate due to changes in the quality and sensitivity of data such as big data, regulations on data management, and the importance of protecting personal data. The result has been the emergence of field-based authorization approaches and the need for granular management of data.
Meanwhile, automation in SAP systems is increasing rapidly. Although this gives companies an excellent opportunity to manage increasing transaction volume, it also makes companies harder to audit and more vulnerable to abuse. Hence, it requires tighter authorization management.
Many risks can arise in an SAP system where only role-based authorizations are possible. For example, when an over-authorized employee consciously or unconsciously makes a 1% change in the exchange rate, determining the resulting damage in the invoices will be a very difficult and long process. Likewise, a small change in your purchasing contracts without your knowledge, or the leakage by someone else of a project you have been working on for a long time, will cause difficult processes for both you and your organization.
On the other hand, you can avoid all these risks with aura, the special software created by MBIS for exactly this purpose.
aura is a special MBIS software that allows you to define hundreds of field-based authorization rules. aura contains more than 30 predefined rule sets that institutions frequently control in their audit practices. It also allows you to organize the fields critical to your business with aura rules and to authorize only certain users or user groups to access these fields. Thus, unlike the standard SAP system, it enables dynamic authorization and field hiding on a field basis for standard or non-standard screens in SAP.
aura allows you to easily manage this service in 4 steps and process it within hours.
The SAP screens, applications, and transaction codes to be authorized on a field basis are determined. Based on defined user roles, rules can be created for hiding fields, disabling changes, making fields mandatory, and masking (if SAP UI Masking is used). You can use predefined rules or create your own rules for this.
Using aura's comparison operators (less than, greater than, equal, etc.) on the display fields (Num, Date, Char), either singly or linked with AND / OR when needed, you can create a chained condition. In this way, the rules, filters, and exceptions that will form the basis for attribute-based authorization are determined.
The rule defined in aura is created as an SAP user role. Defined roles are added to SAP GRC processes (if GRC is used). In this way, you can link the authorizations for your critical processes to workflows.
The final stage consists of assigning the authorizations generated with aura to users. Thus, the following workflow is created.
This software, which will provide data security and privacy to your organization, brings many features with it.
In addition to the ready-made rule set of more than 30 predefined rules based on best practices, aura lets you define rules for field-based displaying, hiding, making fields mandatory, and masking (if the SAP UI Masking plug-in is present).
Where SAP UI Masking is in use, you can authorize the masking of the fields you choose by using the masking feature. Moreover, with the column-based authorization feature, you can authorize columns in aura, ALV, List View, and other report types based on rule and condition.
Since aura is an SAP compliant solution, it can be added directly to the SAP system as an add-on without requiring a separate server and allows you to easily manage from a single screen.
Through GRC integration, aura ensures that each business rule can be defined to a role and that these roles can be linked to workflows with the GRC system. It can also be easily used for non-standard (Z) screens. In addition, aura – UI Masking integration is available so that the field-based rules can be used in Fiori and Web-Dynpro applications.
aura offers the best user experience with its easy-to-use management cockpit where rule and condition definitions are managed.
Security, one of the essential elements for organizations, is provided by a system that covers even users with SAP_ALL profiles and prevents them from seeing or changing the hidden field.
The field-based rule set of aura, consisting of the 32 rules mentioned above, steps in at the point where SAP's standard authorization system is inadequate: it helps prevent the reporting and monitoring of many organizations' critical data, eliminates the irregular control environment caused by managing field-based authorization needs with non-standard developments, and ensures that authorization rules designed on a field basis are managed from a risk perspective through workflows.
Examples of aura’s field-based authorization rules:
With aura, you can decide whether the data can be accessed or not, even at the time of the transaction, and you can also authorize based on order and spending limits, so you can create an access limit according to your preferences.
By integrating MBIS’s SAP-compatible authorization and Turkish Personal Data Protection Law solution aura into all your processes within a few hours, you can ensure in-house data privacy and security.
Contact us to meet aura or to get more detailed information.