Have you ever thought about how much data SAP systems exchange with third-party systems, or with other SAP systems?
How many interfaces are there? How many systems are connected? Above all, what data is exchanged, and how much of it? Who can access that data? In most cases it is business data, not purely technical data.
I find it difficult to make an exhaustive list of all the possible exchange mechanisms. Some are certainly more widely used than others, and some have become obsolete (but are still active in various landscapes), for example:
There is also a dedicated SAP integration system that has changed its name several times over time:
SAP XI (Exchange Infrastructure), then SAP PI (Process Integration) and finally SAP PO (Process Orchestration), a middleware dedicated to managing the exchange of data between SAP systems and with non-SAP systems.
Unfortunately, knowing every exchange mechanism is not so straightforward, for several reasons. In smaller landscapes it is probably easier to know all the inbound and outbound exchange mechanisms of an SAP system.
In many cases there is no structured documentation that gives a clear picture of the data flows. This is compounded in landscapes with many systems (SAP and otherwise), many projects and multiple companies involved (from the same group, or vendors).
As a result, the security of interfaces is very frequently either underestimated (on the assumption that only technical users are involved) or understaffed.
It should also be considered that the exchange of information between systems, although it is carried out by "machines", must and can then be seen and managed by administrators or process-support users.
Take, for example, IDocs, which allow information to be exchanged between SAP systems. They are packets of information that contain business data, for example orders, invoices or employee data (the latter also GDPR relevant).
Therefore, a user who is not authorized for that (potentially sensitive) data directly could, indirectly through IDoc management, see or even modify data outside his or her perimeter.
Clearly it is inconceivable to block access to everyone: someone in the company must be able to work with that data. However, these aspects are often underestimated, so there is no real picture of who is empowered to do what (in the overall set of their permissions).
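As an added illustration (not code from the original post, and not an SAP API): one way to reduce what an interface-monitoring user can see through IDoc management is to mask sensitive fields in the displayed payload unless the user holds an authorization for that data, and to record which sensitive segments were shown in clear. The IDoc structure, segment names (E1PERSON, E1ORDER, ...), field names and the authorization labels below are constructed assumptions for illustration, not SAP's real segment definitions or authorization objects.

```python
"""Masking view for IDoc-like payloads shown to monitoring/support users.

Constructed example: an IDoc is modelled as a list of (segment_name, fields)
tuples instead of SAP's real flat-file or XML layout. Segment names, field
names and authorization labels are illustrative assumptions.
"""
from typing import Dict, List, Set, Tuple

Segment = Tuple[str, Dict[str, str]]

# Constructed sample IDoc mixing an HR master-data segment with an order segment.
# Segment and field names here are assumptions, not real SAP structures.
SAMPLE_IDOC: List[Segment] = [
    ("E1HEADER", {"DOCNUM": "0000000000123456", "MESTYP": "HRMD_A"}),
    ("E1PERSON", {"PERNR": "00012345", "NACHN": "Rossi",
                  "GBDAT": "19800101", "IBAN": "IT60X0542811101000000123456"}),
    ("E1ORDER", {"VBELN": "4500001234", "MATNR": "MAT-001", "NETWR": "1500.00"}),
]

# Masking policy: segment -> (authorization label that unlocks it, fields to mask).
# "HR_DATA" and "SALES_DATA" are constructed labels, not SAP authorization objects.
SENSITIVE_SEGMENTS: Dict[str, Tuple[str, List[str]]] = {
    "E1PERSON": ("HR_DATA", ["NACHN", "GBDAT", "IBAN"]),
    "E1ORDER": ("SALES_DATA", ["NETWR"]),
}


def mask_value(value: str, keep: int = 2) -> str:
    """Keep only the last `keep` characters; preserve the length so the
    support user can still recognise the field shape without reading it."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def masked_view(idoc: List[Segment], user_auths: Set[str]) -> List[Segment]:
    """Return a copy of the IDoc in which sensitive fields are masked unless the
    user holds the authorization label that unlocks that segment."""
    out: List[Segment] = []
    for seg_name, fields in idoc:
        rule = SENSITIVE_SEGMENTS.get(seg_name)
        if rule is None or rule[0] in user_auths:
            out.append((seg_name, dict(fields)))  # non-sensitive or authorized: shown as-is
            continue
        _, masked_fields = rule
        out.append((seg_name, {k: (mask_value(v) if k in masked_fields else v)
                               for k, v in fields.items()}))
    return out


def segments_shown_in_clear(idoc: List[Segment], user_auths: Set[str]) -> Set[str]:
    """Sensitive segments this user sees unmasked; suitable for an audit trail
    of who looked at which business data through interface monitoring."""
    return {seg_name for seg_name, _ in idoc
            if seg_name in SENSITIVE_SEGMENTS
            and SENSITIVE_SEGMENTS[seg_name][0] in user_auths}


if __name__ == "__main__":
    # A sales-support user sees order values but not the employee's personal data.
    for seg_name, fields in masked_view(SAMPLE_IDOC, {"SALES_DATA"}):
        print(seg_name, fields)
    print("in clear:", segments_shown_in_clear(SAMPLE_IDOC, {"SALES_DATA"}))
```

The policy table is the part worth maintaining: it is effectively the inventory of which interfaces carry data that the monitoring user is not entitled to, which is exactly what is usually missing when interface security is left undocumented.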
What should you check, then? Here are two suggestions to start from:
Topics: audit, gdpr, sap data masking, data privacy, sap data obfuscation