12-21-2012 3:46 PM
Hello SAP Security Gurus-
I need your help-
I have been given a project to redesign existing roles to create job-based roles for the FICO, SD and MM modules, to decrease segregation of duties conflicts among users as well as allow for flexibility as the organization changes.
Help me on how I should proceed on this task.
Thanks
Uttam
12-21-2012 9:50 PM
Hi, with the greatest respect isn't this what your client is paying for you to know? At least post up the salient facts to give us a bit of background.
Cheers
12-24-2012 9:30 AM
Thank you Alex.
Redefine roles (AP, AR, FI-CO, GL, MM, SD) to create a more flexible platform which may adapt to organizational changes:
a. Create "base" roles comprised of view accesses
b. Create "report" roles comprised of reports
c. Create "task" roles aligned with SAP "functions" for write access
This is the requirement.
12-21-2012 10:18 PM
I still have 1 hour and a bit to go without the world ending, so can the guru please confirm that it is safe on the other side, or does it all look like this post?
Cheers,
Julius
12-21-2012 10:36 PM
Hi Julius,
The "World Ending" was postponed due to a system error lol.. So everyone is safe. It's time to plan for the Xmas holidays now. Wishing you and the team a very great XMas.
@Uttam - There are numerous ways that can be followed to re-design the roles. It would be better to recommend the possible approaches when you provide all the required information. If you have a SoD tool (RAR or any other SoD tool), you may use the simulate option before actually adding the transaction code(s) in the role(s).
Further, as a quick recommendation, try to have quick discussions to map the various business processes into roles. This way you can reduce the intra level violations.
Happy Christmas to you too..
Best Regards,
Raghu
12-26-2012 9:40 AM
Hello Raghu-
I am new to this company and this is something new for me.
When I check the SAP roles in the system, it's currently messed up, as a lot of users have access to critical tcodes to do malpractices. Business says that's fine to have, but the internal controls team says that users cannot have such access, so the issue is that we cannot remove the current access of users as the business would get impacted.
The Internal Controls team wants to redesign the current roles existing in the system.
Can you help and guide me on how I go ahead with this assignment?
Any help is much appreciated!
Thanks
Uttam
12-26-2012 10:14 AM
Hello Uttam
As per your post, what I feel is that the role structure defined and the access that your users hold are beyond what is required and used by them.
Can you tell what's the user strength? Currently how many users do you give support for? So that I can suggest to you accordingly.
12-26-2012 10:39 AM
Hello John,
Yes, you are right John, the role structure is not defined properly.
The current user strength in the system is 10k. The issue is that there are different business units of this company which have different processes/methodologies to work, so we cannot remove any current access of users as it would impact business directly.
Instead we have to redesign the current roles into more SOD free roles or create separate roles in the system which would be SOD free.
Their usage of GRC is also very minimal so a lot of manual work needs to be done.
Thanks
Uttam
12-26-2012 10:44 AM
Hi Uttam,
There is no bible that tells you the easiest way to design roles. As pointed out by John, it may depend on the # of users too. If the user base is only (or below) 100, there is no point in segregating them at a very micro level, since you will end up assigning them to the same users which gets extra level violations (risks) again. Your SAP system, business teams, and company processes might be the best bet to decide on the future design.
Regards,
Raghu
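An added example, not part of any post in this thread: a minimal what-if check in the spirit of the "simulate" option and the point about split roles landing on the same user, showing roles that are each SoD-free while one user's combined assignment still conflicts. The rule IDs, role names and user assignments are constructed assumptions, and the check works at transaction-code level only.

```python
# Constructed sample data: rule IDs, role names and user assignments are
# illustrative assumptions; the check is tcode-level only (no auth objects).
SOD_RULES = {
    "P2P-01": ({"FK01", "FK02"}, {"F-53", "F110"}),  # vendor maintenance vs. payments
    "P2P-02": ({"ME21N"}, {"MIGO"}),                 # create PO vs. goods receipt
}
ROLES = {
    "Z_AP_BASE_DISPLAY": {"FK03", "FB03"},        # "base" role: display only
    "Z_AP_TASK_VENDOR_MAINT": {"FK01", "FK02"},   # "task" role: write access
    "Z_AP_TASK_PAYMENTS": {"F-53", "F110"},       # "task" role: write access
}
USERS = {
    "CLERK_A": ["Z_AP_BASE_DISPLAY", "Z_AP_TASK_VENDOR_MAINT"],
    "CLERK_B": ["Z_AP_BASE_DISPLAY", "Z_AP_TASK_PAYMENTS"],
    "LEAD_C": ["Z_AP_TASK_VENDOR_MAINT", "Z_AP_TASK_PAYMENTS"],
}

def violations(tcodes, rules=SOD_RULES):
    """Rule IDs for which the tcode set touches both conflicting sides."""
    return sorted(r for r, (a, b) in rules.items() if tcodes & a and tcodes & b)

def role_violations(roles=ROLES):
    """Intra-role check: conflicts contained within a single role."""
    found = {}
    for name, tcodes in roles.items():
        hits = violations(tcodes)
        if hits:
            found[name] = hits
    return found

def user_violations(users=USERS, roles=ROLES):
    """User-level check: conflicts in the union of all assigned roles."""
    found = {}
    for user, assigned in users.items():
        hits = violations(set().union(*(roles[r] for r in assigned)))
        if hits:
            found[user] = hits
    return found

def simulate_add(role, tcode, users=USERS, roles=ROLES):
    """What-if: new user-level violations if tcode were added to role."""
    before = user_violations(users, roles)
    after = user_violations(users, {**roles, role: roles[role] | {tcode}})
    new = {}
    for user, hits in after.items():
        gained = [h for h in hits if h not in before.get(user, [])]
        if gained:
            new[user] = gained
    return new
```

With this data every role passes the intra-role check, yet `user_violations()` reports LEAD_C, and `simulate_add("Z_AP_TASK_PAYMENTS", "FK02")` shows which users a proposed role change would newly put in conflict before it is made.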
12-29-2012 7:26 PM
Hi
"Their usage of GRC is also very minimal so lot of manual work needs to be done."
If the business has invested in any of the RAR tools then they are probably extremely eager to get the management SoDs and Criticals down.
EDIT - I initially took this to be a reference to the VIRSA/GRC/AC10 tools but maybe this really means the business doesn't bother about SoDs and criticals at this time
EDIT
It's not easy/business friendly to try doing a remediation by stealth...
Is this work covered by an approved project?
Cheers
David
Message was edited by: David Berry
01-15-2013 2:47 PM
Hello David,
Yes, this is covered by an approved project. The SAP Security team does not want to get involved in this task, so Business has hired me to look into these SOD issues and redesign the current SAP roles.
Thanks
Uttam