
Question for SAP users



Gwylan

Well-known member
Jul 5, 2003
31,341
Uffern
The questions you're asking are not really aimed at the average SAP user, but rather system administrators I'd say.

When you mention authorisation (and later SoD), I assume you're talking about the roles assigned to users (we refer to that as SAP Security) and segregation of duties? That's a specialization within SAP. I'm a SAP Finance Manager and while responsible for the Finance roles, they are built by the SAP Security team. That team also run a tool called GRC to check a role for SOD issues, based upon sets of standard and customised rules. Customised rules would be required for custom transactions / programs. The checks are a complete pain in the arse if I'm honest. We did an exercise to reduce the conflicts the GRC tool reported, and many of them seemed to be invalid. But anyway we ended up removing lots of transactions from the roles and having to create quite a few new roles. The users just ended up requesting more roles, so the end result was that they ended up with pretty much the same transactions. So while we check for conflicts within a role, we don't check for conflicts across the roles assigned to a user, well not often.

One large weakness that I've seen with SAP roles is that when a user has more than one role they can get unintended access because the authorisation to the various objects is checked individually across all the user's roles. The best way I can describe it is:
Role A gives the user transaction X for Company code 1.
Role B gives the user transaction Y for Company code 2.
If you give a user both roles A & B, they can run transaction X for Company Code 2, and transaction Y for Company Code 1.

At least that's what I've been advised by the SAP Security team!

Yes, I meant sysadmin

That's exactly the sort of answer I was looking for - really helpful
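
The Role A / Role B behaviour described in the post above, as a simplified model for reviewing a user's combined roles. This is an added example, not part of the thread and not SAP code; the role names, the sample data and the two-check model (a transaction check and a company code check, each evaluated on its own against the union of the user's roles, with both transactions using the same company code check) are assumptions.

```python
from itertools import product

# Constructed sample roles mirroring the post: names and values are hypothetical.
ROLES = {
    "ROLE_A": {"tcodes": {"X"}, "company_codes": {"1"}},
    "ROLE_B": {"tcodes": {"Y"}, "company_codes": {"2"}},
}


def intended_access(role_names, roles=ROLES):
    """(transaction, company code) pairs each role was designed to grant."""
    pairs = set()
    for name in role_names:
        role = roles[name]
        pairs |= set(product(role["tcodes"], role["company_codes"]))
    return pairs


def effective_access(role_names, roles=ROLES):
    """Pairs that pass when each check is made independently.

    Assumption: the transaction check and the company code check are both
    satisfied by ANY role the user holds, so the result is the cross
    product of the merged values rather than the per-role pairs.
    """
    tcodes = set().union(*(roles[n]["tcodes"] for n in role_names))
    company_codes = set().union(*(roles[n]["company_codes"] for n in role_names))
    return set(product(tcodes, company_codes))


def unintended_access(role_names, roles=ROLES):
    """Access a user gains only because roles were combined."""
    return effective_access(role_names, roles) - intended_access(role_names, roles)


def review_users(assignments, roles=ROLES):
    """Map each user to the unintended pairs their role set produces."""
    findings = {}
    for user, role_names in assignments.items():
        extra = unintended_access(role_names, roles)
        if extra:
            findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    # Constructed assignments: one user with both roles, one with a single role.
    users = {"alice": ["ROLE_A", "ROLE_B"], "bob": ["ROLE_A"]}
    for user, extra in review_users(users).items():
        print(user, "gains via role combination:", extra)
```

A check like this has to run per user across all assigned roles; checking each role in isolation reports nothing for either sample role.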
 




Seagull58

In the Algarve
Jan 31, 2012
7,328
Vilamoura, Portugal
I have a 'friend' who is a SAP Security and GRC consultant.

He wants to know why he would give free information to a journo who has asked what are the issues with SAP Governance, Risk and Control but doesn't seem interested in the benefits?

Would you ask "Any bakers out there want to tell me what's bad about bread?"

Because bread is generally edible but SAP is pure poison?
 


Gwylan

Well-known member
Jul 5, 2003
31,341
Uffern
I have a 'friend' who is a SAP Security and GRC consultant.

He wants to know why he would give free information to a journo who has asked what are the issues with SAP Governance, Risk and Control but doesn't seem interested in the benefits?

Would you ask "Any bakers out there want to tell me what's bad about bread?"

Because the article isn't about the benefits. And I'm not looking to quote anyone directly, I'm just looking for background information for when I do start asking questions.
 

