
Need Help from Gurus on Role Redesign

Former Member
0 Kudos

Hello SAP Security Gurus-

I need your help-

I have been given a project to redesign existing roles to create job-based roles for the FICO, SD, and MM modules, to decrease segregation of duties conflicts among users as well as allow for flexibility as the organization changes.

Help me on how I proceed on this task.

Thanks

Uttam

13 REPLIES 13

Former Member
0 Kudos

Hello

What have you put into your plan so far?

Cheers

David

Former Member
0 Kudos

Hello

What is the current role structure that your organization follows?

Former Member
0 Kudos

Hi, with the greatest respect, isn't this what your client is paying for you to know? At least post up the salient facts to give us a bit of background.

Cheers

0 Kudos

Thank you Alex.

Redefine roles (AP, AR, FI-CO, GL, MM, SD) to create a more flexible platform which may adapt to organizational changes:

a. Create "base" roles comprised of view accesses
b. Create "report" roles comprised of reports
c. Create "task" roles aligned with SAP "functions" for write access

This is the requirement.

Former Member
0 Kudos

I still have 1 hour and a bit to go without the world ending, so can the guru please confirm that it is safe on the other side, or does it all look like this post?

Cheers,

Julius

Former Member
0 Kudos

Hi Julius,

The "World Ending" was postponed due to a system error lol.. So everyone is safe. It's time to plan for the Xmas holidays now. Wishing you and the team a very great XMas.

@Uttam - There are numerous ways that can be followed to re-design the roles. It would be better to recommend the possible approaches when you provide all the required information. If you have a SoD tool (RAR or any other SoD tool), you may use the simulate option before actually adding the transaction code(s) in the role(s).

Further, as a quick recommendation, try to have quick discussions to map the various business processes into roles. This way you can reduce the intra level violations.

Happy Christmas to you too..

Best Regards,

Raghu

0 Kudos

Thanks Raghu for your advice..

0 Kudos

Hello Raghu-

I am new to this company and this is something new for me.

When I check the SAP roles in the system, it's currently messed up, as a lot of users have access to critical tcodes to do malpractices. Business says that's fine to have, but the internal controls team says that users cannot have such access, so the issue is that we cannot remove current access of users as the business would get impacted.

The Internal Controls team wants to redesign the current roles existing in the system.

Can you help and guide me on how I go ahead with this assignment?

Any help is much appreciated!

Thanks

Uttam

<telephone_number_removed_by_moderator>

0 Kudos

Hello Uttam

As per your post, what I feel is that the role structure defined and the access that your users hold are beyond what is required and used by them.

Can you tell what the user strength is? Currently how many users do you give support for? So that I can suggest to you accordingly.

0 Kudos

Hello John,

Yes, you are right John, the role structure is not defined properly.

The current user strength in the system is 10k. The issue is that there are different business units of this company which have different processes/methodologies to work, so we cannot remove any current access of users as it would impact business directly.

Instead we have to redesign the current roles into more SOD-free roles or create separate roles in the system which would be SOD free.

Their usage of GRC is also very minimal, so a lot of manual work needs to be done.

Thanks

Uttam

0 Kudos

Hi Uttam,

There is no bible that tells you the easiest way to design roles. As pointed out by John, it may depend on the # of users too. If the user base is only (or below) 100, there is no point in segregating them at a very micro level, since you will end up assigning them to the same users, which gets extra level violations (risks) again. Your SAP system, business teams, and company processes might be the best bet to decide on the future design.

Regards,

Raghu
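Added example, not part of any post in this thread and not output from RAR/GRC: a small Python sketch of the "simulate before adding the transaction code" check and of the difference between intra-role and user-level violations discussed in Raghu's two replies. The function groupings, SoD ruleset, role names and user assignments are all constructed for illustration; a real ruleset comes from your internal controls team or SoD tool.

```python
# Constructed sample data: business function -> transaction codes (illustrative).
FUNCTIONS = {
    "maintain_vendor": {"FK01", "FK02"},
    "post_vendor_invoice": {"FB60"},
    "run_payments": {"F110"},
    "create_po": {"ME21N"},
    "goods_receipt": {"MIGO"},
}
# Constructed SoD ruleset: function pairs one person should not hold together.
SOD_RULES = [
    ("maintain_vendor", "run_payments"),
    ("maintain_vendor", "post_vendor_invoice"),
    ("create_po", "goods_receipt"),
]
# Hypothetical task roles and user assignments.
ROLES = {
    "T_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "T_AP_INVOICE": {"FB60"},
    "T_AP_PAYMENT": {"F110"},
    "T_MM_PURCHASING": {"ME21N"},
}
USERS = {
    "ALICE": {"T_AP_INVOICE", "T_AP_PAYMENT"},
    "BOB": {"T_AP_VENDOR_MAINT", "T_AP_PAYMENT"},
}

def conflicts(tcodes):
    """Return the SoD rules violated by a set of transaction codes."""
    held = {f for f, codes in FUNCTIONS.items() if codes & tcodes}
    return [r for r in SOD_RULES if r[0] in held and r[1] in held]

def role_conflicts(roles):
    """Intra-role violations: conflicts inside a single role."""
    return {name: c for name, t in roles.items() if (c := conflicts(t))}

def user_conflicts(roles, users):
    """User-level violations: conflicts from the combination of assigned roles."""
    merged = {u: set().union(*(roles[r] for r in a)) for u, a in users.items()}
    return {u: c for u, t in merged.items() if (c := conflicts(t))}

def _new(after, before):
    return {k: v for k, v in after.items() if v != before.get(k)}

def simulate_add(roles, users, role, tcode):
    """Report conflicts that adding tcode to role would create; changes nothing."""
    trial = {**roles, role: roles[role] | {tcode}}
    return (_new(role_conflicts(trial), role_conflicts(roles)),
            _new(user_conflicts(trial, users), user_conflicts(roles, users)))
```

With this sample data every role is conflict-free on its own, yet BOB still carries a user-level violation from his combination of roles, which is the effect Raghu warns about when finely split roles are assigned back to the same users.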

Former Member
0 Kudos

Hi

"Their usage of GRC is also very minimal so lot of manual work needs to be done."

If the business has invested in any of the RAR tools then they are probably extremely eager to get the management SoDs and Criticals down.

EDIT - I initially took this to be reference to the VIRSA/GRC/AC10 tools but maybe this really means the business doesn't bother about SoDs and criticals at this time

EDIT

It's not easy/business friendly to try doing a remediation by stealth...

Is this work covered by an approved project?

Cheers

David

Message was edited by: David Berry

0 Kudos

Hello David,

Yes, this is covered by an approved project. The SAP Security team does not want to get involved in this task, so Business has hired me to look into these SOD issues and redesign the current SAP roles.

Thanks

Uttam