Authorization in SAP
Published on February 28, 2015
No one individual, or group of related individuals, should have complete control over a major phase of a process.
Workflows proceed from one person to another so that, without duplication, the work of the second acts as a recorded verification of the propriety of the work of the first.
The person authorizing the use of an asset should not be responsible for its custody or derive any real or perceived benefit from the use of the asset.
Record keeping and bookkeeping activities should be separated from the handling and/or custody of assets.
The first action is to bridge the gap between A and B, which brings 300 more computing end users on board. Then bridge the gap between C and A, which brings an additional 600 SAP users.
Take advantage of this and distribute the roles or t-codes across all 1500 SAP end users instead of the earlier 900, then check how many SOD conflicts you can rule out.
The rule of thumb: the more actual SAP users you get on board, the more freely you can distribute t-codes by job profile (or even by role assignment), reducing SOD conflicts to the minimum.
Objective
Formal job roles and responsibilities of the user are not defined and mapped in the SAP R/3 system.
Excess authorisation.
Benefits
Strategy
2. The methodology involves role-based authorisation, which lists the activities to be performed by the users. Each role has one common organisational-level profile and one functional profile that defines the transactions for the role.
3. The role design phase requires system administrators, functional consultants and the business users together, to ensure the user authorisations reflect the organisational needs.
Role Design
Transaction Role: consists only of transactions and reports, i.e. SAP display transactions and reports.
Composite Role: Transaction and Organizational roles are grouped into Composite roles. Only composite roles will be assigned to users.
Each Composite role contains the authorizations needed to perform the designated transactions, on a need-to-do and need-to-know basis.
Key Users: identify and validate the business activity access required for the users, depending on their roles.
Head of the Department (HOD): authorized to approve the access requirements of the users. Key Users and HODs contribute mainly by providing the Organizational Chart and the Job Description for every role.
Role Owner:
1. Validate the Access Control Matrix (ACM) with the proper transaction codes and their corresponding org values.
4. Provide the justification and a valid decision when allotting critical t-codes and movement types.
5. Provide the names and IDs of users missed by the project team, based on his understanding of the users' functions, irrespective of naming convention.
Example
Functional Role
Chief Cashier
Supervisor
ZSP:FI_CASH_CHIEFCASHIER_SUSER
ZTR:FI_CASH_CHIEFCASHIER_SUSER
Security Framework
The Cash Supervisor will be restricted from creating G/L account postings, posting documents and clearing G/L accounts.
Account authorization for G/L accounts: BK02, CH01, GL50, SA01, SA02, SA03
Authorization for business areas: C010, C011, C012, D010, F010, J010, L010, M010, MSPA, P010, UO1O, V010
Key Challenges
1. Building roles without SOD conflicts even where none are detected by GRC 10 or 10+ SOD-detecting tools, because of the absence of a proper SOD rule set.
5. Dealing with the SE16 table browser, where access was not restricted to specific tables, so it is necessary to build SE16N view roles based on specific table access.
6. No SOD rule set defined at the critical movement type or HR info type level.
7. Filling up the ACM with accurate data: plant code, purchasing org, purchasing doc type, movement type, storage location, excise group, excise series, release group and release code, etc.
9. Total support and patience during the testing of roles and after go-live.
Precautions
1. Don't mix display t-codes with create/change t-codes within a role.
4. Restrict the usage of critical t-codes and movement types to the super-user level.
6. An ongoing challenge is to keep the number of roles at an optimal level. Use a rule book for the maintenance team when creating new roles and amending existing ones.
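The SOD rule set, the transaction/composite role layering and precaution 1 above can be checked mechanically. The following is an added example, not the author's or any GRC tool's code: the role names and user assignments are constructed in the article's ZTR:/ZSP: naming style, the SOD rules are assumed, and the t-codes are standard SAP FI transactions (FB01 post document, F-03 clear G/L account, FS00 G/L master, FB03/FS03 display).

```python
# Transaction roles: name -> t-codes, constructed in the article's ZTR:/ZSP: naming style.
TRANSACTION_ROLES = {
    "ZTR:FI_GL_POST": {"FB01", "FB03"},     # post documents (+ display: a mixed role)
    "ZTR:FI_GL_CLEAR": {"F-03"},            # clear G/L account
    "ZTR:FI_GL_MASTER": {"FS00"},           # create/change G/L account master
    "ZTR:FI_GL_DISPLAY": {"FB03", "FS03"},  # display documents / accounts only
}
# Composite roles group transaction roles; only composites are assigned to users.
COMPOSITE_ROLES = {
    "ZSP:FI_CASH_CHIEFCASHIER": {"ZTR:FI_GL_POST", "ZTR:FI_GL_CLEAR"},
    "ZSP:FI_CASH_SUPERVISOR": {"ZTR:FI_GL_DISPLAY"},
    "ZSP:FI_GL_ACCOUNTANT": {"ZTR:FI_GL_MASTER", "ZTR:FI_GL_DISPLAY"},
}
# Assumed SOD rule set: t-code pairs no single user may hold, whichever roles supply them.
SOD_RULES = {
    frozenset({"FS00", "FB01"}): "maintain G/L master and post documents",
    frozenset({"FB01", "F-03"}): "post documents and clear G/L account",
}
DISPLAY_TCODES = {"FB03", "FS03"}
CHANGE_TCODES = {"FB01", "F-03", "FS00"}

def effective_tcodes(composites):
    """All t-codes a user holds through the composite roles assigned to them."""
    tcodes = set()
    for comp in composites:
        for tr in COMPOSITE_ROLES[comp]:
            tcodes |= TRANSACTION_ROLES[tr]
    return tcodes

def sod_conflicts(assignments):
    """Map user -> sorted violated SOD rules. Checked on the user's effective
    t-codes, so a conflict spread across two composite roles is still caught."""
    report = {}
    for user, composites in assignments.items():
        held = effective_tcodes(composites)
        hits = sorted(desc for pair, desc in SOD_RULES.items() if pair <= held)
        if hits:
            report[user] = hits
    return report

def mixed_display_change_roles():
    """Transaction roles mixing display with create/change t-codes (precaution 1)."""
    return sorted(name for name, tc in TRANSACTION_ROLES.items()
                  if tc & DISPLAY_TCODES and tc & CHANGE_TCODES)

# Constructed assignments: CASHIER01 conflicts inside one composite role; ACCT01
# gains a second conflict (FS00 + FB01) only from combining two composite roles.
ASSIGNMENTS = {
    "CASHIER01": {"ZSP:FI_CASH_CHIEFCASHIER"},
    "SUPERV01": {"ZSP:FI_CASH_SUPERVISOR"},
    "ACCT01": {"ZSP:FI_GL_ACCOUNTANT", "ZSP:FI_CASH_CHIEFCASHIER"},
}
```

Running `sod_conflicts(ASSIGNMENTS)` flags CASHIER01 and ACCT01 but not the display-only supervisor, and `mixed_display_change_roles()` flags ZTR:FI_GL_POST for bundling FB03 with FB01.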