Segregation of Duties on SAP ? 1987



  • Hello Everyone,
    This is my first message on this forum, so be kind to me.
    One of our subsidiaries is on SAP and I am looking for the best way to ensure the SOD is OK throughout that subsidiary. We do have profiles for AP clerk, Payroll,…
    I am not that knowledgeable on SAP and I’d like to know if there are specific reports that could be the basis for the review.
    Do you have any idea?
    Thanks



  • http://peacecorpsonline.org/messages/jpeg/minefield.jpg
    SOD in SAP is a huge subject; I would suggest reading up on the subject a little and then engaging some professional support.
    I will dig out some resources for you and post them shortly.



  • Try this link out.
    Though it gives out the conflicting roles in SAP, I would say what Denis said.
    SAP SOD calls for lots of techy understanding. Authorizations in SAP are controlled by granular items called objects, and it is a highly time-consuming exercise if the number of users is 100.
    Better go in for some tool like Virsa CC or BizRights.
    Cheers



  • Also keep an eye out for generic user access issues in addition to SOD issues. For example:
    No users with multiple logins
    No logins that aren’t assigned to specific users (e.g., ‘tempuser’)
    No shared logins
    Appropriate controls around user setup.
    Appropriate controls around system logins.
    etc.
    I love the graphic from Denis - this is a minefield and can take a huge amount of effort to evaluate and remediate depending upon how your system was initially configured. Think also about the business impact - business processes will need to change once you start reassigning permissions. And people will need to be trained, and on board with the changes.



  • Hello NC,
    Kindly send the SOD link to my e-mail address aafarif_at_yahoo.com. I would need this info for my latest gig. I have also put a request to the forum for SOX-related test scripts.



  • What’s so tough about SoD in SAP? I currently do a lot of SoD in Oracle and while it can be complicated, it’s really more tedious than difficult.



  • 72,000 transaction codes in SAP v.4.7 would certainly be tedious :lol:
    Frankly, it would not be really tough, given that SOD for any ERP or application depends on the list of transaction codes/menus each organization uses for each activity.
    If we can ensure SOD on paper, the same can be translated to the ERP.
    :idea:



  • We had a huge issue with SOD in SAP in the previous company I worked for. These involved embedded transactions. In other words, you may have authority to do an entry on a particular transaction type, but what you don’t see is the access you have to a multitude of supporting modules that support or feed into the transaction you are performing. When these embedded transactions support other types of transactions that you do NOT have authority to do, you have a SOD issue.



  • Everything in SAP revolves around objects. It would take a lot of time to understand and analyze the objects to which a user has access.
    Once this is done, we can reasonably address SOD issues.



  • As several of the previous posts point out rather nicely, SOD in SAP is complex. Much of that complexity arises from the sheer scale of the system and there being, potentially, multiple ways of accessing equivalent functionality. E.g. you may have adequately secured access to manual G/L journals yet may find that other transaction types allow you to basically do the same thing.
    Add in the additional complication of custom transactions and scalability up to tens of thousands of users, and things that are conceptually straightforward become very difficult to manage in practical terms.



  • Hi.
    Does anyone know the best time for testing SOD conflicts? If I do test SOD before September 30, will I still need to complement my scope?
    Thanks in advance.



  • SOD testing should be on a periodic basis (probably quarterly) so as to provide evidence that it was monitored throughout the year.
    In addition, even if tested in September, you will have to come up with testing results for the year-end too.



  • Unless, of course, September 30 is his year-end 😉



  • Absolutely.
    The cut off date is 15 December 2007.



  • Try this link out.
    Though it gives out the conflicting roles in SAP, I would say what Denis said.
    Cheers

    Hello NC,
    could you please send the link to ml.forum at gmail.com ?
    Thanks
    Omasliebling



  • Omasliebling: do you have any solution for creating an SAP SoD matrix? I have to do the same in my company for security reasons.

    Thanks,
    Sandor
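An added example, not from this thread and not SAP or any vendor tool, of the approach the posts above describe: the SoD matrix is written "on paper" as pairs of conflicting activities, each activity is mapped to every transaction code that reaches it (the point about multiple ways of accessing equivalent functionality, custom transactions included), and the check runs over the union of a user's roles. The matrix, activity map, roles and user assignments are constructed; the tcodes are standard SAP transaction codes, but their grouping into activities is an assumption.

```python
# Added example, not from the thread: a minimal SoD check over SAP-style role/tcode data.
# Matrix, activity map, roles and users are constructed; the tcodes are standard SAP
# transaction codes, but which tcodes count as "the same activity" is an assumption.
from itertools import combinations

# The SoD matrix "on paper": pairs of activities one person must not hold together.
SOD_MATRIX = {
    frozenset({"maintain_vendor_master", "post_vendor_invoice"}),
    frozenset({"maintain_vendor_master", "run_payment"}),
    frozenset({"post_vendor_invoice", "run_payment"}),
}
# One activity is reachable through several equivalent tcodes, including custom Z* ones.
ACTIVITY_TCODES = {
    "maintain_vendor_master": {"FK01", "FK02", "XK01", "XK02", "ZVENDOR_EDIT"},
    "post_vendor_invoice": {"FB60", "MIRO", "FB01"},
    "run_payment": {"F110"},
}
ROLE_TCODES = {  # in SAP these come from the role menu / S_TCODE values of each role
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_PAYMENT_RUN": {"F110", "FBL1N"},
    "Z_DISPLAY_ONLY": {"FK03", "FB03", "FBL1N"},
}
USERS = {  # constructed user-to-role assignments
    "clerk1": ["Z_AP_CLERK"],
    "super1": ["Z_AP_CLERK", "Z_VENDOR_MAINT"],
    "auditor": ["Z_DISPLAY_ONLY"],
    "temp_payrun": ["Z_PAYMENT_RUN", "Z_DISPLAY_ONLY"],
}

def activities_for(tcodes):
    """Map a set of tcodes back to the business activities they enable."""
    return {act for act, codes in ACTIVITY_TCODES.items() if codes & tcodes}

def user_conflicts(user_roles):
    """SoD conflicts for one user: sorted list of (activity_a, activity_b, evidence_tcodes).
    Evaluated on the union of all roles, since each role can be clean on its own while the
    combination is not."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in user_roles))
    conflicts = []
    for a, b in combinations(sorted(activities_for(tcodes)), 2):
        if frozenset({a, b}) in SOD_MATRIX:
            evidence = sorted(tcodes & (ACTIVITY_TCODES[a] | ACTIVITY_TCODES[b]))
            conflicts.append((a, b, evidence))
    return conflicts

def review(user_to_roles):
    """Check every user; returns {user: conflicts} for users with findings only."""
    return {u: c for u, r in user_to_roles.items() if (c := user_conflicts(r))}
```

Running `review(USERS)` flags only `super1`, whose two individually clean roles combine vendor master maintenance with invoice posting; the evidence list shows which tcodes to remove or split into a separate role.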

