In a previous blog (see SAP struggle) we saw that SAP access control is technically and organisationally complex and often not in order. Reviewing SAP roles is the first step towards improvement. This blog is about designing or redesigning SAP roles without introducing new SOD (Segregation Of Duties) conflicts.

A role bundles a number of related authorisations so that they can be linked to an employee in one go. SAP ERP systems can also use so-called composite roles, which in turn consist of a number of single roles.

A single role gives access to one or more program components, for example a screen to enter invoices or a screen to start the payment. In addition, all kinds of refinements are possible. For instance, a single role can be split into one that gives access only to the Dutch invoices and one that gives access to the foreign invoices. An SAP authorisation that allows modifications can be restricted to an authorisation for only viewing certain data. Furthermore, the single role determines, by means of a menu structure, how the user can start the transactions.

Number of roles

Technically, both composite roles and single roles can be linked directly to a user. System administrators sometimes also grant transactions directly to a management user, by linking so-called default profiles such as SAP_ALL to that user. Technically, it is better to link only composite roles to users.

Important starting points are: reduce the number of SAP roles per employee (preferably only one role per employee) and check that no role contains SOD (Segregation Of Duties) conflicts.

Role design

The (re)design of SAP roles is best approached per department. First, determine which functions exist within the department and which of them should ideally be performed by separate people, in order to prevent fraud and abuse.

Particularly in small departments, separation of duties is sometimes not possible. In that case additional risk-mitigating measures are necessary. For example, critical authorisations can be assigned only temporarily, or the manager can perform an extra check after a critical authorisation has been used, so that any abuse is detected immediately.

Once all functions are clear, they are converted into SAP roles. To limit the complexity of the role set, roles should be combined as much as possible: if, for example, two roles are very similar, it is better to have one role that holds the rights of both. However, this is not always possible.

Finally, the role design must be analysed and tested. This results in a report of all potential segregation-of-duties conflicts, which may be a reason to adjust the role design. Navaio can tell you more about this.
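As an added example (not code from the original post or from Navaio), the analysis step described above can be automated for a small role design: single roles, the composite roles that bundle them, and a rule set of business functions that must not sit with one person. Role names and the rule set are constructed; the transaction codes are well-known SAP codes used purely as illustration. The check goes slightly beyond the text by also testing the union of roles held by one user, because two individually clean roles can still conflict once combined.

```python
# Constructed single roles: name -> transaction codes (tcodes) they grant.
SINGLE_ROLES = {
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_AP_DISPLAY": {"FB03", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
}
# Constructed composite roles: name -> the single roles they bundle.
COMPOSITE_ROLES = {
    "Z_AP_CLERK": ["Z_AP_INVOICE_ENTRY", "Z_AP_DISPLAY"],
    "Z_AP_PAYER": ["Z_AP_PAYMENT_RUN", "Z_AP_DISPLAY"],
    "Z_AP_ALL": ["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN", "Z_VENDOR_MASTER"],
}
# Constructed SOD rule set: which tcodes implement a business function,
# and which pairs of functions must never be held by one person.
FUNCTIONS = {
    "enter_invoice": {"FB60", "MIRO"},
    "run_payment": {"F110"},
    "maintain_vendor": {"XK01", "XK02"},
}
CONFLICTING_PAIRS = [
    ("enter_invoice", "run_payment"),
    ("maintain_vendor", "enter_invoice"),
    ("maintain_vendor", "run_payment"),
]

def transactions_of(composite):
    """All tcodes a composite role grants through its single roles."""
    return set().union(*(SINGLE_ROLES[s] for s in COMPOSITE_ROLES[composite]))

def conflicts_in(tcodes):
    """Conflicting function pairs reachable with this set of tcodes."""
    funcs = {f for f, t in FUNCTIONS.items() if t & tcodes}
    return sorted(p for p in CONFLICTING_PAIRS if p[0] in funcs and p[1] in funcs)

def role_report():
    """Potential SOD conflicts per composite role (empty list = clean)."""
    return {c: conflicts_in(transactions_of(c)) for c in COMPOSITE_ROLES}

def user_conflicts(assigned_composites):
    """Conflicts from the union of all composite roles one user holds."""
    tcodes = set().union(*(transactions_of(c) for c in assigned_composites))
    return conflicts_in(tcodes)

if __name__ == "__main__":
    for role, found in role_report().items():
        print(role, found or "no SOD conflict")
    # Two individually clean roles still conflict once held by one person.
    print("Z_AP_CLERK + Z_AP_PAYER:", user_conflicts(["Z_AP_CLERK", "Z_AP_PAYER"]))
```

In practice the rule set would come from the organisation's own SOD matrix and the role contents from the SAP system itself; the point is that both role-level and user-level checks are needed.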