SAP SECURITY SOX SOD FOR MASTER DATA (MM) &

Former Member
0 Kudos

Hi Guys, my client is running on ECC6 for SAP; they have ironed out the issues with authorisations in FI and QM. The next stage is SD and MM.

The areas below need to be evaluated; I have 2 weeks to do this.

SAP SD, Master Data and Sales Processing.

SAP MM, Master Data and Purchase Processing.

I will have to evaluate current authorization settings, limit access to sensitive transactions, and create an SOD (Segregation of Duties) between purch. and sales.

Guys, I would appreciate some advice on how you would approach this SOD task, as I only have 2 weeks to do this.

Thanks a lot

Jonathan

3 REPLIES

Former Member
0 Kudos

Hi Jonathan,

To be honest with you, 2 weeks is not enough time to do justice to this; however, a simple approach that I have found useful is:

1. Get the business to identify conflicting functions. E.g. Invoice entry and payment processing. This bit will take the time and unless you get full business buy in, this is very tight timing.

2. Map your in-scope transactions to each function. This will then give you transactions which should not be combined.

It is a very basic approach & it doesn't take into account object level SOD which is really where you need to address it, but it's better than nothing and you might just be able to swing it.

There are also vendor solutions which could be deployed very quickly to help you out but these come at a cost & the rulesets still need tweaking.

Cheers

Alex

0 Kudos

I know this is a project by itself.

But to add a little: SAP has a tool for Critical Combinations and Critical Authorizations under SUIM -> User -> With Critical Authorizations.

As Alex said, 1. Get the business to identify conflicting functions. A T-code in itself is not a risk from an SOD perspective; a combination of two or more T-codes would create the risk.

Two simple steps. 1. Identify critical T-codes. 2. Create a matrix with these T-codes, identify the risk levels (for ex. Low, Med and High) and address the risks.

SD and MM would not take as much time as FI. Good Luck

AB.
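As an added example (not code from any of the posters), here is Alex's two steps and AB's matrix turned into a T-code level SOD check in Python. The function grouping, the conflict ruleset with its risk levels and the user assignments are constructed assumptions for the example; the T-codes named are standard SAP transactions, but the way they are grouped into functions is illustrative.

```python
"""Minimal T-code level SOD check. Constructed example: the function
mapping, conflict ruleset and user assignments are illustrative, not a
client ruleset; real T-code lists would come from the roles or SUIM."""
from itertools import combinations

# Step 2 (Alex): map in-scope transactions to business functions (assumed grouping).
FUNCTIONS = {
    "vendor_master": {"XK01", "XK02", "FK01", "FK02"},
    "invoice_entry": {"MIRO", "FB60"},
    "payment_processing": {"F110", "F-53"},
    "sales_order": {"VA01", "VA02"},
    "billing": {"VF01", "VF02"},
}
# Step 1 (Alex) / AB's matrix: conflicting function pairs with a risk level.
CONFLICTS = {
    frozenset({"invoice_entry", "payment_processing"}): "High",
    frozenset({"vendor_master", "payment_processing"}): "High",
    frozenset({"vendor_master", "invoice_entry"}): "Medium",
    frozenset({"sales_order", "billing"}): "Low",
}
RANK = {"High": 0, "Medium": 1, "Low": 2}
TCODE_TO_FUNCTION = {t: f for f, ts in FUNCTIONS.items() for t in ts}

def functions_for(tcodes):
    """Business functions a user can perform, given the T-codes they can run."""
    return {TCODE_TO_FUNCTION[t] for t in tcodes if t in TCODE_TO_FUNCTION}

def find_conflicts(tcodes):
    """[(function_a, function_b, risk)] for every conflicting pair held, highest
    risk first. A single T-code is never reported: only combinations are risks."""
    hits = []
    for a, b in combinations(sorted(functions_for(tcodes)), 2):
        risk = CONFLICTS.get(frozenset({a, b}))
        if risk:
            hits.append((a, b, risk))
    return sorted(hits, key=lambda h: (RANK[h[2]], h[0], h[1]))

def check_users(assignments):
    """user -> conflicts for a {user: set_of_tcodes} mapping. T-code level only:
    object-level SOD (Alex's caveat) needs the roles' authorization data too."""
    return {u: find_conflicts(t) for u, t in assignments.items()}

# Constructed sample: three users with T-codes as if exported from their roles.
SAMPLE = {
    "AP_CLERK": {"MIRO", "FB60"},          # invoice entry only: no conflict
    "AP_SUPER": {"MIRO", "F110", "XK02"},  # invoice + payment + vendor master
    "SD_USER": {"VA01", "VF01"},           # sales order + billing: Low
}
if __name__ == "__main__":
    for user, hits in check_users(SAMPLE).items():
        print(user, hits or "no SOD conflicts")
```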

0 Kudos

> SD and MM would not take as much time as FI.

Of course, that will depend a fair bit on your business processes... though I agree that there is usually less SOD in SD or MM. I have had clients where their business risk was focussed in SD and the resultant control & SOD framework reflected that. It took longer than 2 weeks to address though!