Many organisations have put effort into managing Segregation of Duties conflicts as a solution to SAP Access Risk Management. This is a very welcome effort from a risk management point of view. Unfortunately, other aspects of security have not received similar attention. Is display really display? Are activity values correctly maintained? Is the *-value used in the wrong place? Is there organisational value leakage?
In solutions where, for example, several organisational changes have been implemented over the years, it appears that the checks are not always working as they should. Reasons could be that maintenance has been done without sufficient competence and *-values are used, or that the same object can be used for any authorisation check if it is in the user buffer, where it overwrites the original object. This increases the risk and vulnerability of the system.
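As an added illustration (not part of the original post and not code from any GRC Nordic product), the Python script below models how an SAP authorisation check succeeds when any instance of the object from any assigned role matches all checked fields, and runs two simple checks over constructed AGR_1251-style role rows: a '*' in an organisational field, and a non-display activity inside a role named as a display role. The role names, the field/value rows and the set of organisational fields are constructed sample data.

```python
from collections import defaultdict

# Constructed AGR_1251-style rows: (role, object, auth, field, low, high).
# Sample data only, not real customer roles.
SAMPLE_AGR_1251 = [
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0001", "ACTVT", "03", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0001", "BUKRS", "1000", ""),
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0002", "ACTVT", "*", ""),    # '*' slipped into a display role
    ("Z_FI_DISPLAY", "F_BKPF_BUK", "T-0002", "BUKRS", "2000", ""),
    ("Z_FI_CLERK",   "F_BKPF_BUK", "T-0003", "ACTVT", "02", ""),
    ("Z_FI_CLERK",   "F_BKPF_BUK", "T-0003", "BUKRS", "*", ""),    # '*' in an organisational field
]
ORG_FIELDS = {"BUKRS", "WERKS", "VKORG", "EKORG"}   # organisational levels to watch (assumed set)
DISPLAY_ACTVT = {"03"}                               # activity values a display role may carry

def build_instances(rows):
    """Group field values into authorisation instances keyed by (role, object, auth)."""
    inst = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        inst[(role, obj, auth)][field].append((low, high))
    return inst

def value_matches(value, ranges):
    """Does one field value fall inside any maintained (low, high) range or a '*'?"""
    return any(low == "*" or low == value or (high and low <= value <= high)
               for low, high in ranges)

def authority_check(rows, roles, obj, **fields):
    """Model the buffer check: ANY instance of obj from ANY assigned role passes
    as soon as every checked field matches within that single instance."""
    for (role, o, _), values in build_instances(rows).items():
        if role in roles and o == obj and all(
                value_matches(v, values.get(f, [])) for f, v in fields.items()):
            return True
    return False

def scan_roles(rows):
    """Flag '*' in organisational fields and non-display activities in display roles."""
    findings = []
    for (role, obj, auth), values in build_instances(rows).items():
        for field, ranges in values.items():
            if field in ORG_FIELDS and any(low == "*" for low, _ in ranges):
                findings.append((role, obj, auth, f"{field} = *"))
            if field == "ACTVT" and "DISPLAY" in role:
                bad = {low for low, _ in ranges if low not in DISPLAY_ACTVT}
                if bad:
                    findings.append((role, obj, auth, f"ACTVT {sorted(bad)} in display role"))
    return findings

if __name__ == "__main__":
    for finding in scan_roles(SAMPLE_AGR_1251):
        print(*finding)
```

With only the display role assigned, the model still passes a change check (ACTVT 02) for company code 2000 because of the '*' in instance T-0002, which is exactly the "is display really display?" question above.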
It is always quite easy to list and describe the problems, but how are they solved?
Naturally, the basis must be in place:
- Authorisation Concept in place and followed
- The organisational levels in SAP are systematically designed and built, and also assigned to users accordingly
- Roles and responsibilities agreed
- Best practices are followed, e.g. SU24
The GRC Nordic Object Scanner service provides easy access to monitor which objects are in place, to ensure that the strategies described in the Authorisation Concept remain valid continuously. With Object Scanner it is easy to make queries by defining the key restrictions in the tool. The results give the information needed to correct wrong settings. Once the decided objects are in place, Object Scanner supports system maintenance when it is used for frequent monitoring of objects to avoid deviations.
Book a demo to familiarise yourself in detail with the GRC Nordic Object Scanner service! Contact Mikko Syrjänen