A request for the SAP_ALL authorization profile is submitted through the helpdesk system for a user (this may also be a firefighter account). The system administrator who grants the profile forgets to set an expiration date on the assignment. By policy, SAP_ALL should be granted for one day only, but the firefighter user keeps it for a week. During that time the user deliberately reads payroll tables and assigns new roles to other users.
SAP_ALL is the most powerful authorization profile in an SAP system: it grants nearly unrestricted access to every activity. System administrators must therefore be informed promptly whenever this profile is assigned to a user, and the assignment must be time-limited, because a holder who misuses it can carry out a very wide range of harmful actions (reading sensitive data, changing authorizations, altering system configuration) without further authorization checks.
Defencemore OCA's A002 control lists critical authorization profiles granted within a specified date range, and the A003 control lists the users who currently hold critical authorization profiles. The A022 control shows recently created roles together with the authorization profiles assigned to them, and the A018 control lists recently created roles. The A004 control displays all user master change activities, including the users to whom roles have been assigned. The K006 control tracks access to payroll tables and shows which users have read this information. In addition, when the A002 control triggers, an alarm notification is sent immediately to the system administrators via SMTP, so that a SAP_ALL assignment without an expiration date is noticed on the day it is granted rather than a week later.
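The following Python is an added example, not Defencemore OCA code, showing the kind of checks the A002 and A003 controls and the SMTP alarm imply: critical profile grants within a date range, users who currently hold such a profile, grants that break the one-day rule (no expiration date, a validity window longer than one day, or a profile still active more than a day after it was granted), and an alert message built from the findings. The record layout, the constructed sample grants, the `SAP_NEW` entry and the one-day limit are assumptions for illustration; in a real system the records would come from the SAP change documents for user and profile assignments.

```python
"""Detection checks for critical SAP profile grants (illustrative, not product code)."""
from dataclasses import dataclass
from datetime import date
from email.message import EmailMessage
from typing import Iterable, List, Optional, Set, Tuple

# Assumed policy values: SAP_ALL (and SAP_NEW) are critical; one day is the maximum grant.
CRITICAL_PROFILES: Set[str] = {"SAP_ALL", "SAP_NEW"}
MAX_VALIDITY_DAYS = 1


@dataclass(frozen=True)
class ProfileGrant:
    """One profile assignment. Field names are assumed, not an SAP table layout."""
    user: str
    profile: str
    granted_by: str
    granted_on: date
    valid_to: Optional[date]  # None means the administrator set no expiration date


# Constructed sample data: FF_USER01 is the firefighter from the scenario above.
SAMPLE_GRANTS: List[ProfileGrant] = [
    ProfileGrant("FF_USER01", "SAP_ALL", "ADMIN1", date(2024, 3, 4), None),
    ProfileGrant("JDOE", "SAP_ALL", "ADMIN2", date(2024, 3, 8), date(2024, 3, 9)),
    ProfileGrant("ASMITH", "S_A.SYSTEM", "ADMIN1", date(2024, 3, 5), None),
    ProfileGrant("BATCH01", "SAP_NEW", "ADMIN1", date(2024, 2, 1), date(2024, 2, 2)),
]


def grants_in_range(grants: Iterable[ProfileGrant], start: date, end: date,
                    critical: Set[str] = CRITICAL_PROFILES) -> List[ProfileGrant]:
    """A002-style check: critical profiles granted with start <= granted_on <= end."""
    return [g for g in grants if g.profile in critical and start <= g.granted_on <= end]


def current_holders(grants: Iterable[ProfileGrant], today: date,
                    critical: Set[str] = CRITICAL_PROFILES) -> List[str]:
    """A003-style check: users whose critical profile has no expiry or has not expired yet."""
    return sorted({g.user for g in grants
                   if g.profile in critical and (g.valid_to is None or g.valid_to >= today)})


def policy_violations(grants: Iterable[ProfileGrant], today: date,
                      max_days: int = MAX_VALIDITY_DAYS,
                      critical: Set[str] = CRITICAL_PROFILES) -> List[Tuple[str, str, str]]:
    """Grants that break the one-day rule. Returns (user, profile, reason) tuples."""
    findings: List[Tuple[str, str, str]] = []
    for g in grants:
        if g.profile not in critical:
            continue
        if g.valid_to is None:
            findings.append((g.user, g.profile, "no expiration date set"))
        elif (g.valid_to - g.granted_on).days > max_days:
            findings.append((g.user, g.profile,
                             f"validity window of {(g.valid_to - g.granted_on).days} days exceeds {max_days}"))
        # Still active and held longer than allowed: this is the week-long firefighter case.
        still_active = g.valid_to is None or g.valid_to >= today
        held_days = (today - g.granted_on).days
        if still_active and held_days > max_days:
            findings.append((g.user, g.profile, f"held for {held_days} days"))
    return findings


def build_alert(findings: List[Tuple[str, str, str]], sender: str,
                recipients: List[str]) -> EmailMessage:
    """Build the administrator notification; sending it (smtplib) is left to the caller."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"Critical profile policy violation: {len(findings)} finding(s)"
    lines = [f"{user}: {profile} - {reason}" for user, profile, reason in findings]
    msg.set_content("\n".join(lines) if lines else "No violations.")
    return msg


if __name__ == "__main__":
    today = date(2024, 3, 11)
    for g in grants_in_range(SAMPLE_GRANTS, date(2024, 3, 1), date(2024, 3, 10)):
        print("granted in range:", g.user, g.profile, g.granted_on)
    print("current holders:", current_holders(SAMPLE_GRANTS, today))
    violations = policy_violations(SAMPLE_GRANTS, today)
    print(build_alert(violations, "oca@example.invalid", ["sap-admins@example.invalid"]))
```

In the constructed data only the firefighter account is flagged: its grant has no expiration date and is still active seven days after it was made, while the one-day grant to JDOE passes both checks. The same three functions would be run over real change-document extracts on a schedule, with the alert sent whenever `policy_violations` returns anything.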