How to do Data Level Control without the Constraints of RBAC

By Soujanya Madhurapantula.

Recap from my previous SAP Security post:

As we discussed last week, traditional authorization models like role-based access control (RBAC) were never intended for complex use cases. These models focused on static job roles or work-group use cases and assigned permissions to data.

Due to the limitations of traditional SAP access control, many organizations relied on manual gate-keeping and end-user training to control information use. These manual security procedures often hinder partner collaboration, and if too onerous, are likely to be ignored by end users.

The 2-layer SAP Authorization Model: RBAC + ABAC

The key to sustainability is not to abandon your RBAC authorization models, but to complement them. RBAC is best for functional authorization and should be augmented with newer authorization models such as attribute-based access control (ABAC) for data authorization.


Separating SAP authorization into two layers allows a transaction to be evaluated first against functional roles, and then separately against data entitlements, providing fine-grained access control that is sustainable. Static attributes such as department and position are best implemented in SAP authorization, while dynamic attributes such as location and security clearance are best implemented by the additional ABAC layer, which can enforce restrictions on users whose project affiliations are constrained by export licenses and similar controls.

Wait, what is ABAC?

In order to support these business authorization requirements in a scalable way within the SAP environment, it is necessary to incorporate attributes such as access location, time of day, export license, user citizenship, and project/program assignment. To build the second layer, we can use these data elements as access criteria and extend the SAP authorization model to one of attribute-based access control (ABAC).

ABAC allows you to extend access control to data beyond the roles of the users. This allows organizations to control data access at a finer-grained level and enables seamless and secure collaboration with partners.

The power and scalability of the ABAC model is that access may be granted using any combination of attributes for a given scenario. As business requirements and environments change, the business only needs to update the attribute values, and authorization can be dynamically determined from these updated values, reducing the need for ongoing system maintenance that would otherwise be onerous and costly.

SAP Authorization Concept + ABAC

The SAP Authorization Concept can work with ABAC to fulfil this 2-layer authorization model. Together, this hybrid model can provide fine-grained access control to SAP business objects such as materials, BOMs, routings, change masters, parts specifications, CAD drawings, and other critical technical data. It leverages SAP roles and access control contexts and combines them with other attributes for dynamic authorization decisions, improving SAP security.
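To make the two-layer evaluation concrete, here is a small policy decision point that checks the static RBAC layer first and only then evaluates the ABAC layer over the attributes named above (project assignment, security clearance, export license with citizenship and access location, and time of day) against a BOM. This is an added example, not NextLabs, SAP or Entitlement Manager code; the role names, transaction names, clearance levels, rule thresholds and the users and BOM it decides on are all constructed for illustration.

```python
"""Two-layer authorization check: RBAC for the transaction, ABAC for the data.

Added example, not vendor code. Role names, transaction names, attribute names,
rule thresholds and the sample subjects/resources are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List, Tuple

# ---- Layer 1: RBAC (functional authorization) -------------------------------
# Static job roles grant transactions. Role and transaction names are constructed.
ROLE_TRANSACTIONS: Dict[str, FrozenSet[str]] = {
    "engineer": frozenset({"display_material", "change_bom"}),
    "buyer": frozenset({"display_material"}),
}

# Ordered clearance levels; a subject needs rank >= the resource's rank.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    citizenship: str            # country code
    clearance: str              # key of CLEARANCE_RANK
    projects: FrozenSet[str]    # project/program assignments
    location: str               # country the access originates from


@dataclass(frozen=True)
class Resource:
    object_type: str                    # "material", "bom", "cad_drawing", ...
    object_id: str
    project: str
    classification: str                 # key of CLEARANCE_RANK
    export_controlled: bool
    licensed_countries: FrozenSet[str]  # countries covered by the export license


@dataclass(frozen=True)
class Context:
    hour: int  # local hour of the access attempt, 0-23


Rule = Callable[[Subject, Resource, Context], bool]

# ---- Layer 2: ABAC (data authorization) -------------------------------------
# Every rule must hold for access to be granted (deny-overrides). The rule set
# and its thresholds are illustrative assumptions, not a vendor policy.
ABAC_RULES: Dict[str, Rule] = {
    "project_affiliation": lambda s, r, c: r.project in s.projects,
    "security_clearance": lambda s, r, c:
        CLEARANCE_RANK[s.clearance] >= CLEARANCE_RANK[r.classification],
    "export_license": lambda s, r, c: (not r.export_controlled) or (
        s.citizenship in r.licensed_countries
        and s.location in r.licensed_countries),
    "business_hours": lambda s, r, c: 6 <= c.hour < 20,
}


def has_functional_authorization(subject: Subject, transaction: str) -> bool:
    """Layer 1: does any of the subject's static roles grant the transaction?"""
    return any(transaction in ROLE_TRANSACTIONS.get(role, frozenset())
               for role in subject.roles)


def failed_data_rules(subject: Subject, resource: Resource,
                      context: Context) -> List[str]:
    """Layer 2: names of the ABAC rules that deny this subject/resource/context."""
    return [name for name, rule in ABAC_RULES.items()
            if not rule(subject, resource, context)]


def authorize(subject: Subject, transaction: str, resource: Resource,
              context: Context) -> Tuple[bool, str]:
    """Evaluate both layers in order; the reason string is meant for an audit log."""
    if not has_functional_authorization(subject, transaction):
        return False, f"deny/rbac: no role of {subject.user} grants {transaction}"
    failed = failed_data_rules(subject, resource, context)
    if failed:
        return False, "deny/abac: " + ", ".join(failed)
    return True, "permit"


def extend_license(resource: Resource, countries: FrozenSet[str]) -> Resource:
    """Change only an attribute value (the license scope); no role is touched."""
    return replace(resource, licensed_countries=resource.licensed_countries | countries)


# ---- Constructed sample data -------------------------------------------------
ALICE = Subject("alice", frozenset({"engineer"}), "US", "confidential",
                frozenset({"P100"}), "US")
BOB = Subject("bob", frozenset({"engineer"}), "DE", "confidential",
              frozenset({"P100"}), "DE")
CAROL = Subject("carol", frozenset({"buyer"}), "US", "secret",
                frozenset({"P100"}), "US")
BOM_4711 = Resource("bom", "4711", "P100", "confidential", True, frozenset({"US"}))
DAYTIME = Context(hour=10)

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.user, authorize(who, "change_bom", BOM_4711, DAYTIME))
    # Widening the export license is an attribute update, not a role change:
    print("bob after relicensing",
          authorize(BOB, "change_bom", extend_license(BOM_4711, frozenset({"DE"})), DAYTIME))
```

The deny reason names the layer and the failing rule, which is what an auditor or an SOC analyst needs when reconciling an access denial with the export license or project roster that caused it. Note how Bob gains access to the BOM once the license attribute is extended, without anyone editing his SAP role.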

In fact, the team at NextLabs is hosting a webinar on exactly this kind of hybrid authorization model on April 10th. I recommend you check it out if this is something you’re curious about.

Soujanya is the Product Manager for the Entitlement Manager for Enterprise Applications at NextLabs. She works with the Solutions Management team to devise best practices for securing and controlling data in order to develop solutions for Global 5000 businesses around partner collaboration, export regulations, IP and data security.
