
How to resolve intra role conflicts

Former Member
0 Kudos

Dear All,

Need your help on the approach that needs to be taken to remediate the intra-role SoD conflicts arising for users in the system.

I have explained to them the details of how they can resolve this, which requires a redesign of roles, but the client is not at all willing to do a redesign of roles because they have invested a lot in their current auth design.

Can you help on how we go about removing these risks?

Thanks,

Uttam

2 REPLIES

Former Member
0 Kudos

Well, if the risk is in the role itself, then you have only two choices: mitigate the role (awkward) or redesign the role as you suggested. If SoD is important to your client, then they should move to a task-based approach where roles provide only SoD-free tasks. Whenever users or job functions require multiple tasks (or tcodes) assigned, stop adding tcodes to SAP roles and instead add role assignments to users or create virtual composites of task roles in an identity system to achieve this consistently (if you have one). Then the risks properly move up to the user level, where they can be mitigated. Mitigating role definitions is not advisable as it can hide real SoD at user level and gets confusing.

OttoGold
Active Contributor
0 Kudos

Hello.

Last time I heard about this problem, the problem went away after the number of GRC rules used for the check was lowered from all their millions of rules to the most important ones that pose a real risk. There are companies where it is not possible to do anything about it, because they're too small. And these companies are still in business. Even if you clear the conflicts on the role level, you can land with the same problem on the user assignment level.

Can you maybe elaborate on these conflicts? How serious are they? How many roles and users are / can be affected? What is the module / area that it is touching?

Cheers Otto
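
The following is an added example, not part of any post in this thread: a small Python sketch of the distinction both replies draw between a conflict inside a single role and the same conflict appearing at user-assignment level once roles are split into task roles. The ruleset, role names and user names are constructed for illustration, and the check is simplified to transaction codes only (no authorization objects).

```python
# Constructed sample ruleset: a risk is a pair of conflicting functions,
# each function a set of tcodes. Illustrative only, not a GRC ruleset.
FUNCTIONS = {
    "vendor_maintenance": {"FK01", "FK02"},
    "payment_processing": {"F-53", "F110"},
    "purchase_order": {"ME21N"},
    "goods_receipt": {"MIGO"},
}
RISKS = {
    "R1": ("vendor_maintenance", "payment_processing"),
    "R2": ("purchase_order", "goods_receipt"),
}

def risks_in(tcodes):
    """Return the sorted risk ids triggered by one set of tcodes."""
    return sorted(
        rid for rid, (f1, f2) in RISKS.items()
        if tcodes & FUNCTIONS[f1] and tcodes & FUNCTIONS[f2]
    )

def analyze(roles, assignments):
    """Split findings into intra-role conflicts and user-level conflicts.

    intra:      role -> risks present inside that single role
    user_level: user -> risks that arise only from combining roles
    """
    intra = {r: risks_in(t) for r, t in roles.items() if risks_in(t)}
    user_level = {}
    for user, assigned in assignments.items():
        combined = set().union(*(roles[r] for r in assigned))
        inherited = {rid for r in assigned for rid in intra.get(r, [])}
        extra = [rid for rid in risks_in(combined) if rid not in inherited]
        if extra:
            user_level[user] = extra
    return intra, user_level

# Constructed "before" design: one job role carries both sides of R1.
LEGACY_ROLES = {"Z_AP_CLERK": {"FK01", "F-53"}, "Z_BUYER": {"ME21N"}}
LEGACY_USERS = {"ALICE": ["Z_AP_CLERK"], "BOB": ["Z_BUYER"]}

# Constructed "after" design: SoD-free task roles, combined per user.
TASK_ROLES = {
    "Z_T_VENDOR_CREATE": {"FK01"},
    "Z_T_PAYMENT_POST": {"F-53"},
    "Z_T_PO_CREATE": {"ME21N"},
}
TASK_USERS = {"ALICE": ["Z_T_VENDOR_CREATE", "Z_T_PAYMENT_POST"],
              "BOB": ["Z_T_PO_CREATE"]}

if __name__ == "__main__":
    print("legacy:", analyze(LEGACY_ROLES, LEGACY_USERS))
    print("task-based:", analyze(TASK_ROLES, TASK_USERS))
```

In the legacy design the risk is reported against the role, so every holder of `Z_AP_CLERK` inherits it; in the task-based design no role is flagged and the same risk is reported against the one user whose assignments combine it, which is where a mitigating control can be attached.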