En holistisk tilgang til adgangsstyring og autorisationskoncepter i ERP systemer: A holistic approach to access management and authorisation concepts in ERP systems

Stefan Bendtsen Sønderup

Student thesis: Master thesis


The diffusion of Enterprise Resource Planning Systems (ERP) to almost all organisations has made the integration of processes and information possible. Thus, individuals often find themselves with access to, for example, financial and human resources (HR) information regardless of the department they belong to, when both Finance and HR modules are implemented in a single system. This integration of modules and systems can cause that the individual, could, intentionally or unintentionally, get unauthorised access to sensitive information. In the worst case, this could lead to, among other things, data loss and information theft. Furthermore, a breach of security could not only cause financial losses, but could also harm the organisation’s reputation. In an extreme case, an organisation will face legal charges for being non compliant with the existing laws and regulations. In order to minimise or avoid these risks, organisations need to ensure a proper access management is in place, handling which users get access to which information in their systems. Many organisations today have various different, often complex and poorly integrated authorisation concepts, and the authorisation consultants are lacking structures and concrete methodologies to develop these. On the basis of the above, this thesis examines what factors influence an organisation’s authorisation concepts, how an organisation integrates and uses the factors in the development of these concepts, and finally how these factors can be utilised in a structured way for future development of authorisation concepts. Since most literature within access management are focusing on the technical aspects of access controls, and recent research within the literature of information systems security calls for a more holistic approach to be taken within this field, a business model for information security, inspired by the systems thinking approach, has been used to structure the way the literature have been reviewed. From this approach the 8 following factors have been construed that can influence the development of an authorisation concept: • The prescribed requirements • Risk analysis • The paradigm of the authorisation consultant • The involvement of the authorisation consultant • Ownership model • System integration • The approach to Role development • The Awareness of information security The above identified factors have been examined through a case study that is carried out in KMD by following different approaches KMD takes in developing authorisation concepts for their customers’ SAP solutions. KMD, being the biggest Danish-based IT company and with the choice of SAP as its strategic partner, is one of, if not the biggest, SAP project in Denmark. In the analysis it is revealed that some of the factors are handled identically through the different approaches KMD takes in developing authorisation concepts, some of the factors are handled differently, and some are not taken into consideration at all. The research showed that most of the factors were handled in an implicit way, e.g. Segregation of duties, which is included in “The prescribed requirements”, is often carried out due to the authorisation consultants’ prior experiences, and not because of explicit requirements, which can create unnecessary implemented constraints. Furthermore, they are more often applied with an atomistic than holistic perspective, e.g. “The involvement of the authorisation consultant” happens in some of the approaches after the processes are designed and implemented. As a result, it can be difficult for the authorisation consultant to implement proper constraints, since some of these are directly related to the process definition and implementation. It became apparent that the factors also helped in answering some fundamental questions for developing authorisation concepts, e.g. “System integration” answered what technology we have, and “Ownership model” gave an answer to who is responsible. This leads to that the factors are being grouped into a tangible and a non tangible group, according to what kind of answer they can produce. The tangible group gives answers to “what” and “who” questions and consists of: “The prescribed requirements”, “Risk analysis”, “Ownership model” and “System integration”. The intangible group gives answers to “how” questions and consists of: “The paradigm of the authorisation consultant”, “The involvement of the authorisation consultant”, “The approach to Role development” and “The Awareness of information security”. In an ideal world, all the factors would exist explicitly in the organisation, all relevant employees would be aware of them, and they would be used in a holistic manner as opposed to a purely atomic manner. However, the costs have to match the benefits, and since the developing of authorisations are often not the key factor of the developing projects, it should also be scoped accordingly. One of the purposes of this thesis is to bring in more structures to access management and the development of authorisation concepts. Therefore, it is suggested first to ensure awareness exists of the tangible factors, since they provide critical input to the way the concept should be designed. According to the allocated resources in approving the use of these factors they should be transformed from implicit to explicit factors. During the development and again depending on the resource constraints, a change of the utilising of the intangible factors should be to work on changing them from an atomic perspective to a more holistic perspective. By following these suggestions many of the problems related to developing authorisation concepts would be resolved.

EducationsMSc in Computer Science, (Graduate Programme) Final Thesis
Publication date2009
Number of pages115