difference b/w mitigation and remediation

Former Member
0 Kudos

Hello experts,

Please tell me the right procedure: when should I go for mitigation and when should I go for remediation?

Regards,

Sanjay

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

My approach would be to keep your roles as clean as possible and then try to use mitigation at the user level where you think you can't remediate but give conflicting access to the user as part of the business requirement.

Thank you,

Partha

Former Member
0 Kudos

Sanjay,

What Partha suggested is a best practice approach. SAP roles should be clean so that the SoD violations at user level do not multiply. Once the roles are clean, you can identify the users having SoD violations and either remove the access (remediate) or apply a mitigating control (mitigation).

Regards,

Alpesh

Former Member

Hi Sanjay,

Good question. Everybody has this confusion.

Remediation: reducing conflicts from the role/user (nothing but removing roles from the user if they cause violations, or removing tcodes or authorization objects/fields from the role if they cause violations in the role).

Mitigation: if you can't remediate roles or users, then the alternate procedure is mitigation.

Mitigation is the process of identifying controls (alternatives). Using this procedure, we can assign conflicting access to users/roles with the help of control monitors, who will be responsible for the above risks if some fraud happens.

This is all about documenting every risk and the alternative procedures we took to reduce the impact of the risks.

Regards

Hari
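The triage the answers above describe, as an added example that is not from any poster or from SAP's own tooling: it checks roles for built-in SoD conflicts first, then classifies each user-level conflict as mitigated or still open. The role names, users, risk id and control id are constructed sample data; FK01, FK02 and F-53 are standard SAP transaction codes.

```python
# Constructed sample data. A risk pairs two conflicting functions (sets of tcodes).
# FK01/FK02 = create/change vendor, F-53 = post outgoing payment.
RISKS = {"R_VENDOR_PAY": ({"FK01", "FK02"}, {"F-53"})}

ROLES = {
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F-53"},
    "Z_AP_ALL": {"FK01", "F-53"},  # conflict built into a single role
}
USERS = {
    "ALICE": ["Z_VENDOR_MAINT"],
    "BOB": ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "CAROL": ["Z_AP_ALL"],
    "DAVE": ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"],
}
# (user, risk) -> id of the documented mitigating control (hypothetical id)
MITIGATIONS = {("BOB", "R_VENDOR_PAY"): "MC_PAYMENT_REVIEW"}


def risks_in(tcodes):
    """Risk ids for which these tcodes reach both conflicting functions."""
    return sorted(r for r, (a, b) in RISKS.items() if tcodes & a and tcodes & b)


def role_level_violations():
    """Roles that are not 'clean': they carry an SoD conflict on their own."""
    return {role: risks_in(t) for role, t in ROLES.items() if risks_in(t)}


def user_level_findings():
    """One (user, risk, status) tuple per user-level SoD conflict."""
    findings = []
    for user, roles in sorted(USERS.items()):
        tcodes = set().union(*(ROLES[r] for r in roles))
        for risk in risks_in(tcodes):
            if any(risk in risks_in(ROLES[r]) for r in roles):
                status = "remediate role"      # clean the role first
            elif (user, risk) in MITIGATIONS:
                status = "mitigated"           # conflict kept, control documented
            else:
                status = "open"                # remove access or assign a control
            findings.append((user, risk, status))
    return findings


if __name__ == "__main__":
    print(role_level_violations())
    for finding in user_level_findings():
        print(finding)
```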

ganesh2821
Discoverer
0 Kudos

It was a nice explanation, thank you.