
Dangerous APO and BI Transaction codes

Former Member
0 Kudos

Hi experts,

I have a question about dangerous APO and transaction codes.

Background :

We are in the process of implementing SOX controls for the new APO and BI systems.

Questions :

What are the dangerous APO transaction codes which should not be assigned to anyone in the production system?

What are the dangerous BI transaction codes which should not be assigned to anyone in the production system?

Additional Notes

System which we are having

APO

Version : SCM 5.0

BI

Version : BI 7.0

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Praveen,

I am puzzled that you would ask such a question.

Authorizations ALWAYS derive from requirements. In this case, Sarbanes-Oxley speaks of control mechanisms. Your SOX auditors should tell you what they consider to be critical, and they should advise the client company as to which transactions should be controlled, and how best to control them.

There is no transaction that should be disallowed to everyone. That would eventually make the system unusable. The question is, "how many people should have these critical transactions, and how should the execution of these transactions be monitored and controlled".

Generally, the APO portion of SCM should require fewer SOX controls than ERP, since APO is mostly a planning system, and not an execution system (there are some exceptions here though). Likewise, the BI portion of SCM usually contains no financial reports, and therefore should have relaxed controls over, say, the main BI instance used by your company.

Don't make the mistake of strangling yourself to satisfy your perception of what you think an auditor may require. Make them tell you the minimum requirements for compliance. Anything beyond minimum compliance with SOX is costly. This question is then a matter of your company's policies. I usually vote for 'no additional restrictions' (but my poor vote doesn't usually count for much).

Rgds,

DB49

Former Member
0 Kudos

Hi Praveen,

Your question is too subjective & descriptive to answer.

You can derive the role-based transactions based on the following aspects:

1) Administration related transactions

(Includes BASIS, Security, Roles, authorisations, controlling, etc.,)

2) Integration related transactions

(Model creation, activation, deletion)

3) Job scheduling transactions

4) Master Data maintenance transactions

5) Deletion of Master Data & transactional data transactions

6) Livecache related transactions (like cons checks, database etc.,)

Regards

R. Senthil Mareeswaran.