ISACA Journal
Volume 6, 2014

Book Reviews 

100 Things You Should Know About Authorizations in SAP 

Andrea Cavalleri and Massimo Manara | Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL 

There are many things to know about authorizations in SAP. Ask SAP security administrators or auditors, and they will say that they discover new things all the time. The reason is that SAP is a developing product that frequently rolls out new components and has become so complex that working with SAP is a constant journey of learning.

That said, the fundamentals of SAP security remain stable in each silo supporting the functional components, such as modules, applications, portal and application server. Considering this stability and the fact that many new consultants and auditors want or need to learn SAP security, 100 Things You Should Know About Authorizations in SAP provides a strong foundation for anyone interested in becoming familiar with SAP.

To outsiders, security is often seen as just the tool that grants a user access to the system and its functionality. But security is much more than that. Understanding, knowing and applying the SAP security/authorization concept is an important prerequisite for successful SAP implementation, sustainment, ongoing administration and business controls. Knowledge of the SAP security/authorization concept can also be valuable when conducting a financial, business controls/IT or quarterly Sarbanes-Oxley audit. SAP security provides the means to grant users access to the functionality they need for their daily business tasks in the SAP system. At the same time, it also allows organizations to follow the principle of least privilege, control the workflow or segregate duties for user access. This book helps the reader understand the basics of SAP authorizations and security.

This 364-page book is well structured and contains many useful screenshots explaining concepts, tasks and maintenance steps, and the 100 tips are delivered as stand-alone topics. The book’s focus is R/3, ABAP, the profile generator, and transaction and role security. These are the core concepts that everyone who wants to dig deeper into SAP security must understand. The chapters in this book cover user master records, development security, segregation of duties, upgrades, auditing, security templates, and continuous compliance and governance.

This book is recommended as a study guide and reference book. It also touches on more specific topics, such as single sign-on, creating a transaction variant, structural authorizations, ABAP code security inspection, use of parameter transactions, master derived roles, change logs, and analyzing security or risk analysis with SAP GRC 10.

Editor’s Note

100 Things You Should Know About Authorizations in SAP is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit, email or telephone +1.847.660.5650.

Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, ITIL, president of DELTA Information Security Consulting Inc. He has been working in SAP/IT security and risk management for 16 years. He served as chair of the ISACA Publications Committee for three years and is coauthor of SAP Security and Risk Management.
