Consultant SAP GRC
Posted on Nov 6, 2019 by Universe Technology
The client's current SAP roles and authorizations configuration was set up in 2002 during the SAP financial system implementation. The SAP HCM implementation in 2007 resulted in major enhancements of the existing roles and authorizations set-up. A major review then took place in 2013, in which new sets of roles and authorizations were created. That review was suspended due to lack of resources, leaving two sets of roles, updated and original, using different naming conventions. Additionally, the client went through substantial organizational and functional changes during the last 15 years, which require an update of the client's roles and authorizations matrix.
In order to update and harmonize the client's current roles and authorizations solution and ensure that it complies with the segregation of duties (SoD) principles, the client proposes the following actions:
1. Complete the existing role Matrix (reverse engineering)
2. Analyze the client's current solution based on the preliminary analyses done in 2017 and 2019 (including institutes).
3. Formulate recommendations for follow-up actions to guarantee the coherence of the client's roles and authorizations solution and ensure its adherence to best practices.
4. Recommend a GRC automation tool to facilitate roles and authorizations management, improve change control based on responsibilities, organization structure, data security rules and job position, enable real-time risk monitoring and simulations, and reduce SoD risks.
5. Long term: apply the recommendations in consultation with the business.
Additionally, the SAP user concept should be comprehensive and easy to maintain and govern.
Main challenges in the past
Limited business ownership
No SoD checks in user role assignments or changes
Many users had access to transactions without need or knowledge of them
Most users had individual user profiles (including unclear substitutions and ad-hoc assignment requests that might not be SoD compliant)
User profiles did not follow any structure (e.g., no split of read vs. write access, direct assignment of single roles, no naming convention, various transactions assigned to single roles)
No system integration (e.g., Portal vs. SRM vs. ECC roles)
Many transactions under-utilized
Constant audit challenges and very high efforts on access analyses and follow-up activities.
As a first step, the client wishes to contract an expert to complete steps 1-4.
Analyse the client's roles and authorizations solution and assess its compliance with the segregation of duties principles (the SAP standard in general and the client's SoD Matrix in particular)
Risk analysis: identify existing and potential risks and contribute to the elaboration of the client's Risk Analysis Matrix
Check the coherence between the authorizations and roles
Perform role rationalization based on STAT
Analyse Organizational Structure (Segregation based on company code/sector perimeter) and provide recommendations
Propose a mechanism to automate the assignment of roles based on Role Management workflow
Provide guidelines for role definition (single and composite role usage, naming conventions etc.) and assignment (best practice)
Formulate recommendations for follow-up actions to guarantee the coherence of the client's roles and authorizations solution and ensure its adherence to best practices
Recommend a GRC automation tool to facilitate roles and authorizations management, improve change control based on responsibilities, organization structure, data security rules and job position, enable real-time risk monitoring and simulations, and reduce SoD risks. Log temporary role assignments.
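The two checks the brief keeps returning to, SoD conflicts hidden behind composite roles and STAT-based role rationalization, can be prototyped in a few lines before any GRC tool is selected. This is an added example, not part of the client's brief or any SAP product: the role matrix, user assignments and STAT usage below are constructed sample data, the conflict pairs are common SAP SoD rule examples rather than the client's SoD Matrix, and the role names (Z_*/ZC_*) are hypothetical.

```python
# Constructed sample data (not the client's real matrix). Transaction codes are
# standard SAP ones; the conflict pairs are typical SoD rule examples only.
SOD_RULES = {
    frozenset({"FK01", "F110"}): "maintain vendor master + run payments",
    frozenset({"ME21N", "MIGO"}): "create purchase order + post goods receipt",
    frozenset({"ME21N", "MIRO"}): "create purchase order + post invoice",
}
SINGLE_ROLES = {  # hypothetical single roles -> transaction codes they grant
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02", "FK03"},
    "Z_AP_PAYMENT_RUN": {"F110", "FBL1N"},
    "Z_MM_PO_CREATE": {"ME21N", "ME23N"},
    "Z_MM_GOODS_RECEIPT": {"MIGO", "MB51"},
    "Z_FI_DISPLAY": {"FK03", "FBL1N"},
}
COMPOSITE_ROLES = {"ZC_AP_CLERK": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"}}
USER_ROLES = {  # constructed user -> assigned (single or composite) roles
    "jdoe": {"ZC_AP_CLERK"},
    "asmith": {"Z_MM_PO_CREATE", "Z_FI_DISPLAY"},
    "bwong": {"Z_MM_PO_CREATE", "Z_MM_GOODS_RECEIPT"},
}
# Constructed STAT-style usage: transactions each user actually ran in the review window.
STAT_USAGE = {"jdoe": {"FK01", "FK03"}, "asmith": {"ME23N"}, "bwong": {"ME21N", "MIGO"}}


def effective_tcodes(user):
    """Expand composite roles and map each granted tcode to the single roles granting it."""
    grants = {}
    for role in USER_ROLES.get(user, set()):
        for single in COMPOSITE_ROLES.get(role, {role}):
            for tcode in SINGLE_ROLES.get(single, set()):
                grants.setdefault(tcode, set()).add(single)
    return grants


def sod_violations(user):
    """Conflicting tcode pairs the user can execute, with the roles granting each side."""
    grants = effective_tcodes(user)
    found = []
    for pair, description in SOD_RULES.items():
        if pair.issubset(grants):  # both sides of the rule are reachable
            a, b = sorted(pair)
            found.append((a, sorted(grants[a]), b, sorted(grants[b]), description))
    return sorted(found)


def unused_access(user):
    """Granted tcodes never executed per STAT: removal candidates for role rationalization."""
    return sorted(set(effective_tcodes(user)) - STAT_USAGE.get(user, set()))
```

Run over a full user export, the first function explains which single role to split or reassign, and the second feeds the under-utilized transactions the brief lists as a past challenge.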