Automated checking of SAP security permisisons

Abstract

Configuring user security permissions in standard business applications (such as SAP systems) is difficult and error-prone. There are many examples of wrongly configured systems that are open to misuse by unauthorized parties. Manually checking permission files of a realistic size in a medium to large organization can be a daunting task, which is often neglected. We present research on the construction of a tool which automatically checks the SAP configuration for security policy rules (such as separation of duty). The tool uses advanced methods of automated software engineering: the permissions are given as input in an XML format through an interface from the SAP system, the business application is described by a diagram modeled with standard UML CASE (Computer-Aided Software Engineering) tools and output as XMI, and our tool checks the permissions against the rules using an analyzer written in Prolog. Because of its modular architecture and its standardized interfaces, the tool can be easily adapted to check security constraints in other kinds of application software (such as firewall or other access control configurations). © 2004 Kluwer Academic Publishers.

Cite

Höhn, S., & Jürjens, J. (2004). Automated checking of SAP security permisisons. In IFIP Advances in Information and Communication Technology (Vol. 140, pp. 13–30). Springer New York LLC. https://doi.org/10.1007/1-4020-7901-x_2