What is SoD? - Authorization Conflict #1

Reading time: 5 min.
Tomasz Jurgielewicz

SAST ships a predefined set of SoD control mechanisms in its package. These rules are based on the verification standards used by leading audit firms and therefore cover the monitoring requirements an auditor normally expects. Each customer using SAST can also add its own internal requirements and implement them in its own conflict matrix.

In today's article we discuss what SoD is and how to strengthen SoD control in an organization, using the example of an authorization conflict at the BASIS level.

What is SoD?

Segregation of Duties: separation of responsibilities, meaning that certain tasks within a business process must not be performed by the same person or organizational unit, as required by:

  • Legal regulations
  • Audit recommendations
  • The need to restrict data to the departments that are entitled to use it

SAST Authorization Management and SAST Risk and Compliance Management allow us to prepare a matrix of authorization conflicts not only at the transaction level; we can also add the dependent authorization objects, so a conflict is still detected when a critical function is reachable through an object the role grants rather than through the transaction code alone.

Let's take an example of an authorization conflict at the BASIS level, where the same user can both maintain users and modify roles in SAP.

EXAMPLE OF A CONFLICT AT THE BASIS LEVEL

1. Defining critical authorizations for the process BC_AUTH_ADMIN

Each critical authorization has a unique ID (Authorization ID).

The authorization ID list is shown in the table.

Each critical authorization defines its dependent transactions and authorization objects.

  • BC_PROFILE_CHANGE - BC-USR - create/maintain/generate profiles

  • BC_ROLE_CREATE - BC-USR - Profile Generator create roles

  • BC_ROLE_UPD_OR_GEN - BC-USR - Profile Generator change/generate roles

  • BC_TCD_AUTH_SWITCH_O - AUTH_SWITCH_OBJECTS: Deactivate authorization objects

  • BC_TCD_CRM_ROLE_COPI - Role Copier (Portal Administration)

  • BC_TCD_CRM_ROLE_MAP - Admin Tools: Role Mappings Adder

  • BC_TCD_SU03 - SU03: Maintain Authorizations

  • BC_TCD_SU20 - SU20: Maintain Authorization Fields

  • BC_TCD_SU21 - SU21: Maintain Authorization Objects

  • BC_TCD_SU22 - SU22: Modify Authorization Object Check for Transactions

  • BC_TCD_SU24 - SU24: Auth. Obj. Check Under Transactions

  • BC_TCD_SU25 - SU25: Upgrade Tool for Profile Generator

  • BC_TCD_SU26 - SU26: Upgrade Tool for Profile Generator

  • BC_TCD_SUPC - SUPC: Role Profiles

2. Defining critical authorizations for the process BC_USER_ADMIN

Each critical authorization has a unique ID (Authorization ID).

The authorization ID list is shown in the table.


Each critical authorization defines its dependent transactions and authorization objects.

  • BC_TCD_EWZ5 - BC: User lock and unlock with EUR-tools

  • BC_TCD_EWZ6 - BC: User lock and unlock with EUR-tools

  • BC_TCD_SU01 - Administration of User master Data

  • BC_TCD_SU01_PW - BC-USR - V_T681F: RevAccDeter - Allowed Flds

  • BC_TCD_SU01_PW_SUPER - BC-USR - User Maintenance

  • BC_TCD_SU10 - SU10: User Mass Maintenance

  • BC_TCD_SU12 - SU12: Mass Changes to User Master Records

  • BC_USER_CHANGE_RFC - BC-USR - Create or change user via RFC (Group SUSK)

  • BC_USER_CHANGE_RFC_2 - BC-USR - Create or change user via RFC (Group SU_USER)

3. We describe the resulting conflict, which can then be added to the SoD Authorizations Matrix.


4. We prepare a description of the risk, containing among other things: identifier, level of criticality, title and reason for the risk.

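As an added worked example (not SAST's code and not taken from the article), the following Python script models the two processes above as a small SoD matrix and checks constructed roles against it. The process names and the BC_* authorization IDs are those listed above; the role names Z_BASIS_ADMIN and Z_TCODE_STAR, the risk entry, and the object-level checks (S_TCODE, S_USER_AGR, S_USER_GRP, S_RFC) used to express the non-transaction authorizations are assumptions made for this example.

```python
"""Checking a role against an SoD matrix: BC_AUTH_ADMIN vs BC_USER_ADMIN.

Added example, not SAST's code. The process names and the BC_* critical
authorization IDs come from the article; the role contents, the risk entry
and the object-level checks for the non-transaction IDs (S_TCODE, S_USER_AGR,
S_USER_GRP, S_RFC) are constructed assumptions for illustration.
"""


def tcode(tc):
    """A transaction-code authorization, expressed as the S_TCODE check
    SAP performs when a transaction is started."""
    return frozenset({("S_TCODE", "TCD", tc)})


# Critical authorization ID -> the (object, field, value) triples a role must
# hold for that critical authorization to count as granted.
CRITICAL_AUTHS = {
    "BC_AUTH_ADMIN": {
        "BC_TCD_SU03": tcode("SU03"),
        "BC_TCD_SU24": tcode("SU24"),
        "BC_TCD_SUPC": tcode("SUPC"),
        # Assumed object-level mapping: role create/change in the Profile
        # Generator is governed by S_USER_AGR with ACTVT 01 (create) / 02 (change).
        "BC_ROLE_CREATE": frozenset({("S_USER_AGR", "ACTVT", "01")}),
        "BC_ROLE_UPD_OR_GEN": frozenset({("S_USER_AGR", "ACTVT", "02")}),
    },
    "BC_USER_ADMIN": {
        "BC_TCD_SU01": tcode("SU01"),
        "BC_TCD_SU10": tcode("SU10"),
        "BC_TCD_EWZ5": tcode("EWZ5"),
        # Assumed: user change via RFC needs user-master change authority
        # plus the right to call function group SUSK remotely.
        "BC_USER_CHANGE_RFC": frozenset({("S_USER_GRP", "ACTVT", "02"),
                                         ("S_RFC", "RFC_NAME", "SUSK")}),
    },
}

# Constructed SoD matrix entry: (process A, process B, criticality, title).
SOD_MATRIX = [
    ("BC_AUTH_ADMIN", "BC_USER_ADMIN", "high",
     "Same role can create/change users and change roles/authorizations"),
]


def grants(role, required):
    """True if some granted value covers the required (object, field, value).
    A granted value of '*' covers anything, as an SAP full wildcard does."""
    obj, fld, val = required
    return any(o == obj and f == fld and (v == "*" or v == val)
               for o, f, v in role)


def critical_hits(role, process):
    """Critical authorization IDs of `process` fully contained in `role`."""
    return sorted(auth_id for auth_id, req in CRITICAL_AUTHS[process].items()
                  if all(grants(role, r) for r in req))


def sod_conflicts(role):
    """Matrix rows where the role holds at least one critical authorization
    from both processes; each hit lists the IDs that caused it."""
    found = []
    for proc_a, proc_b, level, title in SOD_MATRIX:
        hits_a, hits_b = critical_hits(role, proc_a), critical_hits(role, proc_b)
        if hits_a and hits_b:
            found.append({"risk": f"{proc_a}|{proc_b}", "level": level,
                          "title": title, proc_a: hits_a, proc_b: hits_b})
    return found


def strip_process(role, process):
    """Remediation as the summary describes: drop one process from the role by
    removing every granted triple that satisfies a check of that process's
    critical authorizations. A '*' grant covering such a check is removed too,
    since a wildcard cannot be partially kept; it has to be replaced by an
    explicit value list afterwards."""
    needed = {r for req in CRITICAL_AUTHS[process].values() for r in req}
    return frozenset(g for g in role
                     if not any(grants({g}, r) for r in needed))


# Constructed role: a BASIS role that mixes user and role administration.
Z_BASIS_ADMIN = frozenset({
    ("S_TCODE", "TCD", "SU01"),
    ("S_TCODE", "TCD", "SU24"),
    ("S_USER_AGR", "ACTVT", "02"),
    ("S_USER_GRP", "ACTVT", "02"),
    ("S_RFC", "RFC_NAME", "SUSK"),
})

# Constructed role with a wildcard transaction grant, the usual way a role
# ends up in every transaction-based conflict at once.
Z_TCODE_STAR = frozenset({("S_TCODE", "TCD", "*")})

if __name__ == "__main__":
    for name, role in (("Z_BASIS_ADMIN", Z_BASIS_ADMIN),
                       ("Z_TCODE_STAR", Z_TCODE_STAR)):
        print(name, sod_conflicts(role))
    fixed = strip_process(Z_BASIS_ADMIN, "BC_USER_ADMIN")
    print("after removing BC_USER_ADMIN:", sod_conflicts(fixed), sorted(fixed))
```

Running the script reports the conflict for Z_BASIS_ADMIN together with the IDs from each process that caused it, shows that a single S_TCODE TCD '*' grant satisfies every transaction-based authorization of both processes at once, and confirms that stripping the BC_USER_ADMIN checks from the role clears the conflict while the BC_AUTH_ADMIN authorizations stay in place.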

SUMMARY

To remove an SoD conflict from a role, we must eliminate one of the two processes from it.
The role must be changed enough to get rid of both the transactions and the dependent authorization objects of one process; removing the transaction code alone is not enough if the dependent authorization objects remain in the role.

SAST, the tool provided by Akquinet, helps customers strengthen SoD control in their organization. The product allows them to detect, analyze and monitor risks and to build risk definitions.
It automates access control for critical transactions contained in SAP roles.

Author: Marek /Sast Team Polska/

Contact
contact@lukardi.com
+ 48 508 400 203
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Lukardi 2022. All Rights Reserved. 