Release 5 · Programme pack

SAP Fraud Patterns — SAP GRC parity

30 anti-fraud patterns that go beyond pure role-pair SoD. These are the combinations of access, configuration, and behaviour that together make fraud achievable — STAD audit-log delete on a standing user, debugger replace authority in production, transport release on PROD, BDC fast-input self-release, Z* shadow SAP_ALL roles, dormant accounts holding SAP_ALL. The same patterns SAP GRC Process Control checks for, with V/ergent's faster setup.

30 fraud patterns · 9 specialised checks · 21 role-pair patterns · Coverage: SAP S/4 + B1

1 The 30 fraud patterns — by family

Foundational patterns (Release 2 — FRAUD-001..005)

FRAUD-001 [CRIT] Vendor-master + payment-execution authority on the same user (canonical fictitious-vendor fraud)
FRAUD-002 [HIGH] Background job runs as super-user / SAP_ALL principal
FRAUD-003 [HIGH] RFC destination uses stored credentials of a privileged user
FRAUD-004 [HIGH] Direct table-write authority + financial-reporting access
FRAUD-005 [CRIT] Dormant user account still holds SAP_ALL / privileged authorisations

Audit-trail tampering

FRAUD-006 [CRIT] STAD / SM20 audit-log delete authority on a standing user
FRAUD-019 [HIGH] Wildcard table-display authority (S_TABU_DIS *) on a standing user
FRAUD-022 [HIGH] DB-layer SAPUSER credential not rotated in 365+ days

Direct-DB / production-bypass paths

FRAUD-007 [HIGH] SE16N table-write authority + finance-posting authority on the same user
FRAUD-008 [CRIT] Debugger replace (S_DEVELOP DEBUG ACTVT 02) authority in production
FRAUD-009 [HIGH] Transport release authority on the production system
FRAUD-018 [HIGH] System Change Option enabled in PROD (SE03 / SCC4 unrestricted)
FRAUD-010 [HIGH] BDC fast-input session creation + execution on the same user
FRAUD-011 [MED] Custom Z-report reads sensitive tables with no AUTHORITY-CHECK

Posting-stream fraud

FRAUD-012 [CRIT] Vendor banking-detail edit + payment release without dual approval
FRAUD-013 [HIGH] Customer credit-limit change + AR-receipt posting on the same user
FRAUD-014 [HIGH] GL journal entry + posting-period re-open on the same user
FRAUD-025 [CRIT] Posting-period unlock + journal-entry authority on the same user
FRAUD-029 [CRIT] Tax-code maintenance + tax-document posting on the same user
FRAUD-015 [CRIT] HR user can edit own personnel record (self-edit on PA30)
FRAUD-030 [HIGH] Wage-type maintenance + payroll-run authority on the same user

Identity-attack chains

FRAUD-017 [CRIT] SU01 user-create + role-assign on the same admin (shadow-user attack)
FRAUD-020 [HIGH] SAP_ALL granted via Z* shadow composite role
FRAUD-028 [CRIT] SAP_ALL embedded in customer-namespace shadow composite (Z*/Y*)
FRAUD-024 [MED] Concurrent active sessions for one user > 5 (credential sharing)

Output / spool / RFC pivot

FRAUD-016 [MED] Spool device-change authority + finance / payroll authority
FRAUD-026 [MED] Output device override + financial-reporting authority
FRAUD-021 [MED] EarlyWatch user + customer cross-system RFC role
FRAUD-027 [HIGH] Ariba / SRM RFC user holds production-posting authority
FRAUD-023 [HIGH] Anonymous / JCO async RFC destinations

2 Required data slots

Slot                   | How to populate                                                    | Used by
user_role_matrix.csv   | SAP transaction SUIM → Users by Role; or table AGR_USERS           | FRAUD-001..005, role-pair patterns
role_auth_objects.csv  | SAP SUIM → Roles by Authorisation Object; AGR_1251                 | FRAUD-004, FRAUD-007, FRAUD-019
rfc_connections.csv    | SAP SM59 → export RFC destinations + stored-user metadata          | FRAUD-003, FRAUD-023
background_jobs.csv    | SAP SM37 → scheduled-job runner accounts                           | FRAUD-002
user_details.csv       | SAP SU01 / USR02 with last-login timestamps                        | FRAUD-005
composite_roles.csv    | SAP PFCG composite-role membership graph; AGR_AGRS                 | FRAUD-028
system_params.csv      | SAP RZ11 profile-parameter dump (incl. SAPUSER last-change)        | FRAUD-022
active_sessions.csv    | SAP SM04 active sessions; or USR41                                 | FRAUD-024
audit_log_status.csv   | SAP SM19 audit policy + SM20 retention metadata                    | FRAUD-006

The V/ergent extract scripts (scripts/Extract-VergentS4HANA.ps1 and scripts/Extract-VergentSAPB1.ps1) emit Release 5 stub headers for every slot above. Replace the stubs with real data. A missing slot fails closed: the related fraud check is skipped and the reason is recorded, rather than the check reporting a clean result.

3 Where the pack runs

The fraud-patterns module is loaded by the SAP S/4 HANA connector and runs on every SAP audit. The role-pair patterns work for any SAP-style role naming (S/4HANA + B1) and substring-match against customer-specific Z*/Y* role names. Fraud patterns can also be triggered standalone via checks.fraud_patterns.run_all(exports) for batch scans.
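As an added illustration of the slot-driven, fail-closed design described in sections 2 and 3 (example code, not V/ergent's own module): a minimal run_all over constructed CSV extracts, implementing FRAUD-001 and FRAUD-005. The role names, the 90-day dormancy threshold and the reference date are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample extracts standing in for two of the CSV slots listed above.
SAMPLE_EXPORTS = {
    "user_role_matrix.csv": "user,role\nJDOE,Z_VENDOR_MASTER\nJDOE,Z_PAYMENT_RUN\nOLDADMIN,SAP_ALL\nASMITH,Z_PAYMENT_RUN\n",
    "user_details.csv": "user,last_login\nJDOE,2024-05-01\nOLDADMIN,2023-01-15\nASMITH,2024-05-02\n",
}

def _rows(exports, slot):
    """Parse one slot's CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(exports[slot])))

def fraud_001(exports):
    """FRAUD-001: vendor-master + payment-execution authority on one user."""
    roles = {}
    for r in _rows(exports, "user_role_matrix.csv"):
        roles.setdefault(r["user"], set()).add(r["role"])
    # Assumed role-name substrings (the pack substring-matches customer Z*/Y* names).
    # Role-name matching only: SAP_ALL holders are surfaced by FRAUD-005 instead.
    return sorted(u for u, rs in roles.items()
                  if any("VENDOR_MASTER" in x for x in rs) and any("PAYMENT" in x for x in rs))

def fraud_005(exports, today=date(2024, 6, 1), dormant_days=90):
    """FRAUD-005: account idle longer than dormant_days that still holds SAP_ALL.
    The 90-day threshold and the fixed reference date are assumptions."""
    privileged = {r["user"] for r in _rows(exports, "user_role_matrix.csv") if r["role"] == "SAP_ALL"}
    return sorted(r["user"] for r in _rows(exports, "user_details.csv")
                  if r["user"] in privileged
                  and (today - date.fromisoformat(r["last_login"])).days > dormant_days)

# Each check declares the slots it depends on.
CHECKS = {
    "FRAUD-001": (fraud_001, ["user_role_matrix.csv"]),
    "FRAUD-005": (fraud_005, ["user_role_matrix.csv", "user_details.csv"]),
}

def run_all(exports):
    """Run every check whose slots are present; skip the rest with a recorded reason
    (fail-closed: a missing extract never produces a 'clean' result)."""
    results = {}
    for pid, (fn, slots) in CHECKS.items():
        missing = [s for s in slots if s not in exports]
        if missing:
            results[pid] = {"status": "skipped", "reason": "missing slot(s): " + ", ".join(missing)}
        else:
            results[pid] = {"status": "ran", "hits": fn(exports)}
    return results
```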

4 Framework citations

Every finding carries 13-framework citations

Most cited per pattern: SAP Security Baseline §4.1-§4.5 · SAP Note 1420281 / 28175 · COSO 2013 P10 · NIST PR.AA-04 / PR.AA-05 / PR.PS-06 / DE.AE-04 · ISO 27001:2022 A.5.18 · CIS SAP Hardening · SOX 302/404 ITGC · COBIT BAI06.01 · DSS05.04 / DSS05.06 · ACFE Occupational Fraud Manual · GDPR Art 32 · Kenya DPA §41.

5 Related

For role-pair SoD on banking transactions see the Banking-Extended pack. For programme-level AML controls (sanctions / SAR / monitoring tuning) see AML / Wolfsberg Controls. For multi-ERP conflict patterns see Cross-System SoD.