
Role methodology for AC implementation

Former Member
0 Kudos

Hi ,

We have requested an Access Control implementation, which will commence soon. As the security team, I would like to know whether we should go ahead and upload the existing roles or create new roles from scratch during the implementation cycle. As we know, the current role structure is not the best in terms of design and SoD conflicts.

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Semeer, we have had AC implemented with the RAR and SPM modules for about the last 2 years. We are a large company with not a lot of IT resources, and roles that were created years ago by numerous people/groups with no consideration for SoDs. We ended up having to take a phased approach, as rebuilding roles was not something that could happen in a reasonable amount of time. We started with cleaning roles with violations (only concentrating on highs) AFTER a full customization of the RAR rule set was performed. I'll list the steps below:

1) Determine all tcodes launched in the last 2 years; those would be the ones we would risk rate as either low, medium or high.

We worked with various BSGs (business groups), IT and Internal Audit together to get this mass risk rating done.

2) Once these tcodes were rated, they were put into RAR.

3) Then we would focus on any roles that had high risk SoD violations associated with them. While in the middle of this process, Internal Audit assisted by helping to tie any manual mitigating controls to any risks that related to roles. So our focus was to only clean roles that had no manual mitigation tied to the risks they related to. BSGs could later clean the roles that had high risk violations that were mitigated, but this wasn't a priority for Internal Audit; only high risk violations tied to roles that did not have any mitigation were.

4) Also, we have only dived down to the tcode (action) level, not the object (permission) level. This is also something that needs to be considered, as it's the next level of granularity to be taken if you want to be sure you are looking at all access, but based on the size of our user base, we could only do this in realistic phases.

5) The last step for a successful GRC implementation is user mitigation. We have not gotten to this point yet, because we need to get through permission level monitoring of high risk SoDs first.

So, how large the installation is would determine whether you want to do a complete role rebuild or try to clean up and focus on priorities that can be achieved.

Hope that helps!
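The prioritisation logic in steps 1 to 3 above (restrict the rule set to tcodes actually launched in the window, flag role-level SoD conflicts, then surface only the high-risk ones with no mitigating control) can be sketched as a small script. This is an added illustration, not code from the poster or from SAP GRC; the usage log, rule pairs, roles and the mitigation mapping are constructed sample data, and the rule and control IDs are hypothetical placeholders rather than entries from any real RAR rule set.

```python
from datetime import date, timedelta

# Constructed sample data (not a real system's roles or the RAR rule set).
# (tcode, date it was last launched)
USAGE_LOG = [
    ("FK01", date(2024, 11, 3)),
    ("F110", date(2025, 1, 15)),
    ("ME21N", date(2024, 6, 20)),
    ("MIGO", date(2025, 2, 1)),
    ("SE16", date(2019, 3, 9)),   # stale: not launched inside the 2-year window
]

# (risk_id, tcode_a, tcode_b, rating) -- hypothetical SoD pairs for illustration
RULES = [
    ("P001", "FK01", "F110", "high"),     # maintain vendor master + run payments
    ("P002", "ME21N", "MIGO", "medium"),  # create purchase order + post goods receipt
    ("B001", "SE16", "F110", "high"),     # table browsing + run payments
]

# role -> set of tcodes granted at the action level (step 4: no object level here)
ROLES = {
    "Z_AP_CLERK": {"FK01", "F110", "SE16"},
    "Z_PURCHASER": {"ME21N", "MIGO"},
    "Z_DISPLAY": {"SE16"},
}

# risk_id -> manual mitigating control tied to it by Internal Audit (hypothetical id)
MITIGATIONS = {"P002": "CTRL-PO-REVIEW"}


def active_tcodes(usage_log, today, years=2):
    """Step 1: keep only tcodes launched within the last `years` years."""
    cutoff = today - timedelta(days=365 * years)
    return {tcode for tcode, last_launch in usage_log if last_launch >= cutoff}


def role_violations(roles, rules, active):
    """Steps 2-3: role-level SoD hits, ignoring rules whose tcodes are not in use."""
    hits = []
    for role, tcodes in roles.items():
        for risk_id, tcode_a, tcode_b, rating in rules:
            if tcode_a not in active or tcode_b not in active:
                continue  # rule covers dormant access; out of scope for this phase
            if tcode_a in tcodes and tcode_b in tcodes:
                hits.append((role, risk_id, rating))
    return hits


def unmitigated_high(violations, mitigations):
    """Step 3 priority list: high-risk hits with no manual control tied to the risk."""
    return sorted(
        {(role, risk_id) for role, risk_id, rating in violations
         if rating == "high" and risk_id not in mitigations}
    )


def cleanup_queue(today=date(2025, 3, 1)):
    """End-to-end run over the constructed data; returns the roles to fix first."""
    active = active_tcodes(USAGE_LOG, today)
    return unmitigated_high(role_violations(ROLES, RULES, active), MITIGATIONS)


if __name__ == "__main__":
    for role, risk_id in cleanup_queue():
        print(f"{role}: unmitigated high-risk SoD {risk_id}")
```

With the sample data, the stale SE16 usage drops rule B001 out of scope, P002 is mitigated, and only Z_AP_CLERK with risk P001 lands in the cleanup queue. In a real rollout the usage window, the ratings and the mitigation mapping come from the workshops with the business groups and Internal Audit that the answer describes; the point of keeping them as data rather than hard-coding them is that the same queue can be regenerated as each phase (tcode level, then object level) widens the scope.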

Former Member
0 Kudos

Dear Anne,

Thanks for the detailed answer. This was helpful. But I would like to clarify one thing: how did you find out the tcodes launched in the last 2 years? I mean, how did you find out which tcodes were in use in the last 2 years; did the business groups find that for you?

Sameer