Ensuring SoD Library Quality

  • by Mari Hurskainen, Authorization Global Concept Owner, Nokia Siemens Networks
  • September 9, 2011
Learn how to get the SAP user and approver community truly involved in reviewing segregation of duties (SoD) risk rules.
Key Concept
Companies using SAP BusinessObjects Access Control are ultimately responsible for the thoroughness of their segregation of duties (SoD) library, even though SAP delivers a baseline ruleset (see SAP Note 986996 [GRC Access Control — Best Practice for Rules and Risks]). To have trust that SoD rules are complete and accurate for a certain environment, that rule set needs to be reviewed. The IT department needs to deploy, and to some extent support, the risk analysis and remediation tool (RAR) and the SoD library. However, most of the users benefiting from effective monitoring of SoD risks are on the business side. It may prove difficult to make business users see the benefits of the SoD principle and devote enough time and energy to SoD risk review. Only when the correct people are involved in creating and updating the SoD risk rules, and committed to the task, will the SoD library be valuable and actually help in protecting the company data and operations.

For the segregation of duties (SoD) library review to be thorough, the SAP user and approver community needs to have motivation, competence, and time to partake in the process. If any of the three prerequisites are lacking in quality or quantity, the SoD library review will be incomplete. For the SAP approver community to be motivated to review the SoD risk rules, they first need to understand the importance of the SoD principle.

Ensuring SoD Library Review Quality

Reviewing the SoD risk rules is not easy. Some training to build competence is needed before anyone can do it. There are not many people who have intimate knowledge of end-to-end processes, let alone of parallel or possibly even overlapping processes. In matrix organizations, where people not only work for a unit but also a region or process, it is always better to have too many than too few people do the review. This way, different viewpoints are utilized.

When I refer to matrix organizations, I mean companies where there are units and processes, both having responsible people (heads of …). Sometimes this kind of responsibility split results in gray areas where it is not clear who should take action or act as an owner.

For the selected reviewers to have time for the review, it is paramount for companies to nominate the correct people as reviewers. Reviewers should not act as “rubber stamps,” that is, just approve anything suggested to them by SAP Notes or by IT teams to keep on top of their too numerous and varied tasks. When a possible risk rule reviewer is located, it may be a good idea to nominate someone from his or her team instead of the first person who comes to mind. That person will get the needed support from the person one level higher.

Mari Hurskainen

Mari Hurskainen (master of science, economics) studied personnel management and information technology at the Turku School of Business and Economics in Finland and the University of Linz, Austria, in the early 1990s. She started her career by coordinating international scientific conferences, but soon moved to fixed line telephony where she worked as a product line manager. She got her first IT experiences by working as a data steward and business owner while Cognos was deployed by the Elisa group. She has worked with SAP Security since 2007, and was part of the team deploying Compliance Calibrator at Nokia Siemens Networks in 2008. Currently, she works as Authorization Global Concept Owner of the Finance and Control module and enjoys helping IT and business understand each other.
