Detect Cross-System SoD Risks Between ECC, SAP S/4HANA, and Master Data Governance
- Nibha Kumari, SAP Security Expert, Cintas Corporation
- Gary Prewett, Security Practice Lead, NIMBL
- March 14, 2017
Seventeen percent of segregation of duties (SoD) risks involve master data maintenance. These risks will not be detected by an out-of-the box SAP system rule set if your organization implements Master Data Governance (MDG). If you want to get a complete picture of SoD risks, then you need to modify the rule set accordingly to detect cross-system risks associated with material, customer, and vendor master data maintenance in the MDG system.
Reading this article, you will learn:
- How to modify your SAP Access Control GRC configuration to detect cross-system risks
- How to modify your GRC rule set to map Master Data Governance (MDG) functionality to a GRC function
- How to pull it all together to detect cross-system risks between your MDG and other systems using SAP Access Control Access Risk Analysis (ARA) reports
Very few standard functional risks are executable within Master Data Governance (MDG) itself. Customers may have requirements around dual approval of critical fields (such as bank account information), but these are not standard SAP system risks identified today among the SAP-delivered GRC risks. The SAP-delivered GRC SoD risks that are master data related pair master data maintenance with access to another, non-MDG business function (such as invoice entry). The challenge is that once an SAP user's master data maintenance moves to MDG, these SoD conflicts span two systems and are no longer detectable unless cross-system risks have been configured. The technical risks the SAP system uses to detect Basis SoD issues still function as expected.
As SAP landscapes have proliferated, maintaining consistency of your master data across your ERP Financials, Customer Relationship Management (CRM), Supply Chain Management (SCM), and other systems becomes increasingly challenging. SAP’s Master Data Governance (MDG) solution was designed to centrally manage and distribute (or syndicate) this data to the affected systems. Centrally managing your customer, vendor, and material masters helps to ensure master data consistency and auditability through all your SAP (and non-SAP) landscapes.
The challenge from an SAP Access Control and GRC perspective is that a broad swath of currently defined SAP system risks involves master data. Of the 248 SAP-delivered SAP Access Control risks, 43 (17 percent) specifically address segregation of duties (SoD) issues with master data maintenance and another business function. The challenge for SAP MDG users is that once MDG or another master data maintenance tool is implemented, detecting master data-related SoD risks with single-system analysis becomes impossible.
The good news is that SAP Access Control can be modified to detect and manage cross-system risks associated with master data maintained in an MDG landscape. We walk you through the steps needed to make cross-system MDG risk detection happen in your SAP Access Control 10.0 or 10.1 landscape.
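To make the single-system versus cross-system distinction concrete, here is an added toy model of how an ARA-style analysis consumes a rule set (this is illustrative example code written for this page, not SAP Access Control's own logic or API). The rule set maps each function to the actions that fulfil it on each connector, a risk is a conflicting pair of functions, and the analysis computes which functions a user holds from the actions they have on the connectors included in the run. The connector names, user IDs and the `MDG_*` action names are constructed placeholders; FB60, MIRO, XK01, XK02 and ME21N are standard ECC transactions used only to make the example readable.

```python
"""Toy cross-system SoD analysis in the style of SAP Access Control ARA.

Constructed example: connector names, user IDs and the MDG_* action names
are placeholders standing in for whatever the MDG rule set maps to the
function. Only the ECC transaction codes are real SAP transactions.
"""

# Rule set: function -> connector -> actions that fulfil the function there.
# The master data function is mapped on BOTH connectors; this is the
# cross-system part of the rule set modification the article describes.
FUNCTIONS = {
    "VENDOR_MASTER_MAINT": {
        "ECC_CONN": {"XK01", "XK02"},                                # standard ECC
        "MDG_CONN": {"MDG_SUPPLIER_CREATE", "MDG_SUPPLIER_CHANGE"},  # constructed
    },
    "VENDOR_INVOICE_ENTRY": {
        "ECC_CONN": {"FB60", "MIRO"},                                # standard ECC
    },
}

# Risk: a pair of functions that must not be held by the same user.
RISKS = {
    "P001_VENDOR_MAINT_VS_INVOICE": ("VENDOR_MASTER_MAINT", "VENDOR_INVOICE_ENTRY"),
}

# Constructed user access: user -> connector -> actions the user can execute.
USER_ACCESS = {
    "JDOE":   {"MDG_CONN": {"MDG_SUPPLIER_CREATE"}, "ECC_CONN": {"FB60"}},
    "ASMITH": {"ECC_CONN": {"XK01", "FB60"}},
    "BLEE":   {"MDG_CONN": {"MDG_SUPPLIER_CREATE"}, "ECC_CONN": {"ME21N"}},
}

ALL_CONNECTORS = sorted({c for per_conn in FUNCTIONS.values() for c in per_conn})


def functions_held(access, connectors):
    """Functions the user can perform, looking only at the given connectors."""
    held = set()
    for fn, per_conn in FUNCTIONS.items():
        for conn in connectors:
            # A function is held if any of its actions on this connector is granted.
            if access.get(conn, set()) & per_conn.get(conn, set()):
                held.add(fn)
    return held


def analyze(user, connectors):
    """Risk IDs violated by `user` when the analysis scope is `connectors`."""
    held = functions_held(USER_ACCESS[user], connectors)
    return sorted(rid for rid, (a, b) in RISKS.items() if a in held and b in held)


def single_system(user, connector):
    """Out-of-the-box style run: one connector at a time."""
    return analyze(user, [connector])


def cross_system(user):
    """Cross-system run: every connector the rule set knows about."""
    return analyze(user, ALL_CONNECTORS)


def missed_by_single_system(user):
    """Risks that only a cross-system run surfaces for this user."""
    seen = set()
    for conn in ALL_CONNECTORS:
        seen.update(single_system(user, conn))
    return sorted(set(cross_system(user)) - seen)


if __name__ == "__main__":
    for u in USER_ACCESS:
        print(u, "cross-system:", cross_system(u),
              "missed by single-system:", missed_by_single_system(u))
```

JDOE is the case the article warns about: vendor maintenance lives in MDG and invoice entry in ECC, so each single-system run is clean and only the cross-system run reports P001. ASMITH holds both functions in ECC and is caught either way, and BLEE holds only the master data side and is not flagged at all.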