
SoD rules maintenance: in DEV, QAS or PRD


Hello colleagues,

Could you please help with recommendations for the SoD rules maintenance process?

Where should SoD rules be maintained: in the DEV AC system, in QAS (and then transferred to PRD), or directly in PRD AC?

Thanks,

Anton.

2 REPLIES

koehntopp
Product and Topic Expert

Anton,

I would advise always maintaining rules in DEV and testing them there, then transporting (exporting) them to PRD.

Some reasons:

- as long as rules have not been properly tested, you want to make sure the results don't end up in management reports or prevent CUP role assignment

- you might want to make sure you have controls available for new risks that you generate

Frank.


Hi Frank,

Thank you for the response!

In case rules are exported from DEV and then imported to PRD, we lose the history of function changes.

Maybe you have any additional recommendations for AC usage:

1. Which department is usually responsible for transporting SoD rules for Production: e.g. Risk Department, Basis?

2. How is the SoD rules change management process usually set up? The Risk Department often does not know the SAP authorization model in detail (especially for a certain SAP module), and the implementation or support team usually does not take care of SoD risks. The normal situation is that SAP ERP was implemented several years ago and now a Risk Department is established with some business knowledge but without a detailed understanding of the SAP security model (authorization objects, fields, etc.).

Thanks in advance,

Anton.