Due to pressure from local regulatory compliance issues and/or corporate governance demands, there is a growing awareness of Governance, Risk and Compliance (GRC) among executive management. But what do we need to do to get (and stay) in control?
Is the organization secure with the current setup of the roles in SAP? Are your users happy with the assigned authorizations? If they are, the auditor probably is not happy with the authorizations assigned to the roles and users...
Maybe there are already plans to redesign the current authorization concept. How much easier would it be if you could redesign the authorization concept with reverse business engineering? Instead of designing from scratch which authorization should be included in which role, just look at the authorizations the users have, analyze the functionality the users have been using (or wanted to use) based on the executed transactions, and assign these needed authorizations to the roles.
This blog describes how you can set up the Segregation of Duties (SoD) analysis for the SAP security concept. I compare two methods: the first uses the standard SAP report RSUSR008_009_NEW, the second uses CSI Authorization Auditor.
People who use an SAP system all know the term transaction code. SAP data is restricted using role-based access control. Users get access to the SAP system via a graphical user interface (I include portal-like functionality just to keep it simple), and the restriction of SAP table data for a user is managed by the authorizations assigned to that user. If users want access to functionality in the SAP system, the transaction code is the front door to that functionality.
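To make the user/role/transaction model and the SoD analysis concrete, here is an added example (not code from this blog, from the SAP report RSUSR008_009_NEW, or from CSI Authorization Auditor). It walks the chain user -> roles -> transaction codes and evaluates a small conflict matrix at two levels: conflicts bundled inside a single role (a role design problem) and conflicts that only appear when a user's roles are combined (an assignment problem). The role names, user IDs and the two SoD rules are constructed for illustration; the transaction codes are standard SAP ones (FK01/FK02 vendor master, F110 payment run, ME21N purchase order, MIGO goods movement), but which of them are treated as conflicting is an assumption of this example, not a statement about any real rule set.

```python
"""Minimal Segregation-of-Duties (SoD) analysis over SAP-style
user -> role -> transaction-code assignments.

All data below is constructed for illustration. Role names, user IDs
and the conflict rules are assumptions of this example and do not come
from any real system or from the SAP report RSUSR008_009_NEW.
"""

# Constructed role -> transaction codes. Z_P2P_ALL deliberately bundles
# both sides of a conflict to show a role-level (design) violation.
ROLE_TCODES = {
    "Z_AP_VENDOR_MASTER": {"FK01", "FK02", "FK03"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_MM_PURCHASING": {"ME21N", "ME22N"},
    "Z_MM_GOODS_RECEIPT": {"MIGO"},
    "Z_DISPLAY_ONLY": {"FK03", "FBL1N"},
    "Z_P2P_ALL": {"ME21N", "MIGO"},
}

# Constructed user -> assigned roles.
USER_ROLES = {
    "JSMITH": {"Z_AP_VENDOR_MASTER", "Z_AP_PAYMENTS"},   # conflict across roles
    "MJONES": {"Z_MM_PURCHASING"},
    "AKUMAR": {"Z_MM_PURCHASING", "Z_MM_GOODS_RECEIPT"},  # conflict across roles
    "AUDIT1": {"Z_DISPLAY_ONLY"},
}

# Constructed SoD rule set: rule id -> (description, left side, right side).
# A rule is violated when the analysed tcode set touches BOTH sides.
SOD_RULES = {
    "AP01": ("Maintain vendor master vs. run payments", {"FK01", "FK02"}, {"F110"}),
    "P2P01": ("Create purchase order vs. post goods receipt", {"ME21N"}, {"MIGO"}),
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of the transaction codes a user reaches through all assigned roles."""
    tcodes = set()
    for role in user_roles.get(user, ()):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def violated_rules(tcodes, rules=SOD_RULES):
    """Sorted ids of the rules whose two sides are both present in `tcodes`."""
    return sorted(rule_id for rule_id, (_desc, left, right) in rules.items()
                  if tcodes & left and tcodes & right)


def role_conflicts(role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Rules violated inside one role: the role itself bundles both sides."""
    result = {}
    for role, tcodes in role_tcodes.items():
        hits = violated_rules(tcodes, rules)
        if hits:
            result[role] = hits
    return result


def user_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Rules violated per user over the union of all assigned roles.

    For each hit, record which roles supply each side of the conflict, so
    remediation can target a single role assignment instead of the user.
    """
    report = {}
    for user, roles in user_roles.items():
        tcodes = effective_tcodes(user, user_roles, role_tcodes)
        for rule_id in violated_rules(tcodes, rules):
            _desc, left, right = rules[rule_id]
            left_roles = sorted(r for r in roles if role_tcodes.get(r, set()) & left)
            right_roles = sorted(r for r in roles if role_tcodes.get(r, set()) & right)
            report.setdefault(user, {})[rule_id] = (left_roles, right_roles)
    return report


if __name__ == "__main__":
    print("Role-level conflicts:", role_conflicts())
    for user, hits in user_conflicts().items():
        for rule_id, (left_roles, right_roles) in hits.items():
            print(f"{user}: {rule_id} ({SOD_RULES[rule_id][0]}) "
                  f"via {left_roles} + {right_roles}")
```

Two things worth noticing in the output. JSMITH and AKUMAR each hold two roles that are clean on their own, so a role-by-role review would miss them; only the user-level union shows the conflict. Z_P2P_ALL is the opposite case: the role is flawed before anyone is assigned to it. A real analysis also has to look past the transaction code to the authorization objects checked behind it, which is exactly why the custom transactions discussed next matter.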
Sometimes it is necessary to create new (custom) transactions in the SAP system. These custom transactions should always be taken into account when auditing or analyzing the authorization concept. How do you identify the authorization checks for these custom transactions?