on 11-06-2009 1:52 PM
I would like to find out how companies that have set up Global Roles, and then decided to add/delete t-codes from these Roles after GRC is already implemented, deal with the SoD issue. T-codes are constantly being added because the organizational structure differs from country to country, in addition to statutory regulations. Therefore, our SoD analysis becomes obsolete each time adjustments are made to a Global Role. The derived roles, localized for country, take on the exact t-codes in the Global Roles.
Hi Sanders,
Once GRC is implemented, an SoD analysis will be run for all the Global roles. Based on the conflicts, a mitigation or role-redesign exercise will be taken up as a one-time activity for cleanup of the SoD conflicts.
Once this is complete, whenever a new t-code is added or existing t-codes are deleted, use simulation for the risks and identify the mitigation or provide no access to the role.
Hence in your case the SoD conflicts should not be obsolete, as a risk is always a risk even at various company levels.
If you want to avoid SoD conflicts for the various org levels, you can develop the org-level risks to avoid false positives between the organizations.
I have a question for you: if the risk is applicable to the Global role, why can't it be applicable to the Derived roles?
Please let me know if you need any further information or clarifications.
Thanks and Best regards,
Srihari.K
Hello,
Thanks for your reply. You are right that the change in Global Roles automatically affects the Derived Roles. One of the solutions that I was exploring was to use a Request-Based strategy, i.e. instead of making changes to Global Roles, suggest creating new roles specifically to address the unique situation in that location. This way, the change will not affect the other countries that are already in full implementation and did not require those additional t-codes.