Detect Cross-System SoD Risks Between ECC, SAP S/4HANA, and Master Data Governance

  • Nibha Kumari, SAP Security Expert, Cintas Corporation
  • Gary Prewett, Security Practice Lead, NIMBL
  • March 14, 2017
Seventeen percent of the SAP-delivered segregation of duties (SoD) risks involve master data maintenance. If your organization implements Master Data Governance (MDG), the out-of-the-box SAP Access Control rule set will no longer detect these risks, because the maintenance side of each conflict is now executed in a different system from the business function it conflicts with. To get a complete picture of SoD risk, you need to modify the rule set to detect cross-system risks associated with material, customer, and vendor master data maintenance in the MDG system.
Learning Objectives

Reading this article, you will learn:

  • How to modify your SAP Access Control GRC configuration to detect cross-system risks
  • How to modify your GRC rule set to map Master Data Governance (MDG) functionality to a GRC function
  • How to pull it all together to detect cross-system risks between your MDG and other systems using SAP Access Control Access Risk Analysis (ARA) reports
Key Concept

Very few of the standard functional risks can be executed within Master Data Governance (MDG) alone. Customers may have requirements such as dual approval of critical fields (bank account information, for example), but these are not among the SAP-delivered GRC risks today. The SAP-delivered SoD risks that involve master data pair master data maintenance with another, non-MDG business function (such as invoice entry). The challenge is that once a user's master data maintenance moves to MDG, the two halves of such a conflict live in different systems, so the SoD issue is no longer detectable unless cross-system risks are configured. The technical risks used to detect Basis SoD issues are unaffected and still function as expected.

As SAP landscapes have proliferated, maintaining consistency of your master data across your ERP Financials, Customer Relationship Management (CRM), Supply Chain Management (SCM), and other systems becomes increasingly challenging. SAP’s Master Data Governance (MDG) solution was designed to centrally manage and distribute (or syndicate) this data to the affected systems. Centrally managing your customer, vendor, and material masters helps to ensure master data consistency and auditability through all your SAP (and non-SAP) landscapes.

From an SAP Access Control and GRC perspective, the difficulty is that a broad swath of the currently defined risks involves master data: of the 248 SAP-delivered SAP Access Control risks, 43 (17 percent) specifically address SoD conflicts between master data maintenance and another business function. Once MDG (or another central master data maintenance tool) is implemented, the maintenance half of each such conflict is executed in MDG while the other half (invoice entry, for instance) remains in the transactional system, so a single-system analysis of either system sees only one side of the conflict and cannot detect the risk.
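To make the failure mode concrete, the following is an added example (not SAP Access Control code, and not from the article) that models a rule set the way the text describes it: functions map to the system-specific actions that realise them, risks are sets of conflicting functions, and an analysis evaluates user assignments either for one system or across all systems. Every system name, user, action name, risk ID and the MDG action names are constructed placeholders; the ECC transaction codes are real ones chosen for readability, but their grouping into functions is this example's own simplification. The three runs at the bottom show why single-system analysis misses the MDG user, why widening the scope alone is not enough, and what changes once MDG functionality is mapped onto the existing GRC function.

```python
"""Toy model of single-system versus cross-system SoD analysis.

Added example, not SAP Access Control code. System IDs, users, risk IDs and
the MDG action names are constructed; only the ECC transaction codes are real.
"""
from typing import Dict, Iterable, Set, Tuple

# function id -> system id -> actions (tcodes / app IDs) that realise it
RuleSet = Dict[str, Dict[str, Set[str]]]
# risk id -> set of functions that conflict when one user holds all of them
Risks = Dict[str, Set[str]]
# user -> system id -> actions the user is authorised to execute
Assignments = Dict[str, Dict[str, Set[str]]]

# Rule set as delivered: master data maintenance is only known as ECC actions.
DELIVERED_FUNCTIONS: RuleSet = {
    "VENDOR_MASTER_MAINT": {"ECC": {"XK01", "XK02", "FK01", "FK02"}},
    "AP_INVOICE_ENTRY": {"ECC": {"MIRO", "FB60"}},
}

# Same rule set after mapping MDG functionality onto the existing function.
# The MDG action names below are placeholders, not actual MDG transactions.
EXTENDED_FUNCTIONS: RuleSet = {
    "VENDOR_MASTER_MAINT": {
        "ECC": {"XK01", "XK02", "FK01", "FK02"},
        "MDG": {"MDG_SUPPLIER_CREATE_CR", "MDG_SUPPLIER_CHANGE_CR"},
    },
    "AP_INVOICE_ENTRY": {"ECC": {"MIRO", "FB60"}},
}

# Hypothetical risk: maintain vendor master data and enter vendor invoices.
RISKS: Risks = {"RISK_VM_INV": {"VENDOR_MASTER_MAINT", "AP_INVOICE_ENTRY"}}

# Constructed assignments. JDOE is a classic single-system conflict in ECC.
# ASMITH maintains vendors in MDG and enters invoices in ECC.
# BLEE only maintains vendors in MDG, so no conflict exists.
ASSIGNMENTS: Assignments = {
    "JDOE": {"ECC": {"XK01", "MIRO"}},
    "ASMITH": {"ECC": {"MIRO"}, "MDG": {"MDG_SUPPLIER_CHANGE_CR"}},
    "BLEE": {"MDG": {"MDG_SUPPLIER_CHANGE_CR"}},
}


def user_functions(user_access: Dict[str, Set[str]], functions: RuleSet,
                   scope: Iterable[str]) -> Set[str]:
    """Functions the user can execute, counting only actions in systems within scope."""
    held = set()
    for fn, per_system in functions.items():
        for system in scope:
            if user_access.get(system, set()) & per_system.get(system, set()):
                held.add(fn)
                break
    return held


def analyze(assignments: Assignments, functions: RuleSet, risks: Risks,
            scope: Iterable[str]) -> Set[Tuple[str, str]]:
    """Return (user, risk_id) pairs where the user holds every function of the risk.

    A single-system analysis passes one system in scope; a cross-system analysis
    passes all systems so actions from different systems are evaluated together.
    """
    scope = set(scope)
    findings = set()
    for user, access in assignments.items():
        held = user_functions(access, functions, scope)
        for risk_id, conflicting in risks.items():
            if conflicting <= held:
                findings.add((user, risk_id))
    return findings


def all_systems(assignments: Assignments) -> Set[str]:
    """Every system ID that appears in the assignments."""
    return {system for access in assignments.values() for system in access}


if __name__ == "__main__":
    # 1. Single-system analysis of ECC, delivered rule set: only JDOE is flagged.
    print(sorted(analyze(ASSIGNMENTS, DELIVERED_FUNCTIONS, RISKS, {"ECC"})))
    # 2. Cross-system scope but MDG actions not mapped to the function: still only JDOE.
    print(sorted(analyze(ASSIGNMENTS, DELIVERED_FUNCTIONS, RISKS, all_systems(ASSIGNMENTS))))
    # 3. Cross-system scope with MDG mapped: ASMITH's conflict surfaces, BLEE stays clean.
    print(sorted(analyze(ASSIGNMENTS, EXTENDED_FUNCTIONS, RISKS, all_systems(ASSIGNMENTS))))
```

The second run is the point practitioners most often miss: enabling cross-system analysis without also extending the function definitions to include the MDG actions still yields a clean report for the MDG user, because the rule set has no way to recognise the MDG change request as master data maintenance.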

The good news is that SAP Access Control can be modified to detect and manage cross-system risks associated with master data maintained in an MDG landscape. We walk you through the steps needed to make cross-system MDG risk detection happen in your SAP Access Control 10.0 or 10.1 landscape.

Nibha Kumari

Nibha Kumari is an SAP security subject matter expert currently working at Cintas Corporation. She has managed and implemented several ERP solutions with IBM for clients in the finance, pharmaceutical, airline, manufacturing, retail, and service sectors globally, and has gained broad experience over the last 14 years working closely with clients. Nibha has concentrated on SAP security/GRC implementations for 11 years, combining technical and analytical skills with a strong customer service orientation to implement client-tailored security solutions in accordance with SAP best practices. She focuses mainly on SAP security for ECC, MDG, Fiori, SAP HANA, BI/BOBJ, CRM, PI, and GRC. Nibha has attended and presented at multiple SAP security conferences and is an active member of the SAP community. She has worked across consultancy, sales, project management, customer training, implementation, and knowledge transfer, and has won multiple accolades throughout her career.


Gary Prewett

Gary Prewett is the security practice lead for NIMBL, North America’s SAP Technologists. An active SAP security thought leader and author with more than 12 years of ERP implementation experience and 15 years of information security focus, Gary has driven and delivered technical and process-based controls on multiple complex SAP implementations. He has worked with clients in implementing security strategy essential to operating in high risk environments, and has implemented comprehensive information security initiatives encompassing SAP solutions for clients in the financial services, energy, manufacturing, and service sectors.

