How to Detect BPC Risk in SAP Access Control
- by Gary Prewett, Security Practice Lead, NIMBL
- July 31, 2014
Discover how to detect cross-system risk between SAP ERP and SAP Business Planning and Consolidation (BPC). See how BPC task profiles map to business functions and understand how to create cross-system connector groups and assign appropriate connectors to that group.
By reading this article you will learn how to:
- Configure cross-system segregation of duties risk detection in SAP Access Control
- Create custom functions in SAP Access Control
- Use transaction codes in SAP Access Control to ensure that rule set modifications work as expected
Cross-system groups logically define what connectors are involved in cross-system risk analysis. Task profiles correspond to activity levels within the BPC application.
Many companies use the SAP Business Planning and Consolidation (BPC) environment to generate financial statements of record. For those companies with Sarbanes-Oxley obligations, this means materiality of the financial statements can be affected by a lack of sufficient controls in the BPC environment.
Specifically, BPC allows top-side journal entries to be entered. Whether or not these flow back to the financials system, top-side journal entries can significantly affect the materiality of financials. Consequently, high-risk segregation of duties (SoD) conflicts can exist across the ERP and BPC environments, specifically around the ability to modify general ledger (G/L) master data within the SAP ERP Central Component (ECC) environment and the ability to make top-side journal entries within the BPC environment.
I explain the key steps needed to configure your SAP Access Control environment and your BPC environment to detect cross-system risk between your ERP and BPC environments.
I assume that you’ve already followed the instructions in the pre- and post-SAP Access Control implementation guides and are able to run single-system Access Risk Analysis (ARA) analyses in your existing ERP and SAP Business Warehouse (SAP BW) systems, including BPC environments.
An Overview of BPC
Companies with ERP, BPC, and SAP Access Control deployed can leverage their SAP Access Control investment to systematically detect, identify, and manage cross-system SoD risk associated with creating top-side journal entries in BPC. The systems in scope for this process are:
- SAP R/3 4.6C to SAP ERP 7.0 (up to SAP NetWeaver 7.31)
- BPC for SAP NetWeaver version 10.x
- SAP Access Control 10.x
- The SAP Access Control 10.x Plugin installed on back-end systems to be scanned, including in the BPC for SAP NetWeaver landscape
Generally speaking, BPC access is controlled via task and data profiles. Depending on the activity, task profiles are what allow users to affect the materiality of data.
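The cross-system conflict described above can be modeled outside of SAP Access Control to sanity-check what a rule set should flag. The following is an added example, not the article's configuration or SAP's rule set; the connector names, function names, action and task names, users, and the case-insensitive user ID matching are all constructed assumptions.

```python
from collections import defaultdict

# Constructed connector group: only connectors listed here take part
# in cross-system analysis.
CONNECTOR_GROUP = {"ECC_PRD", "BPC_PRD"}

# Constructed functions: each is bound to one connector and granted by
# a set of actions (ERP side) or task-profile tasks (BPC side).
FUNCTIONS = {
    "GL_MASTER_DATA": {"connector": "ECC_PRD", "actions": {"GL_ACCOUNT_MAINTAIN"}},
    "TOPSIDE_JOURNAL": {"connector": "BPC_PRD", "actions": {"JOURNAL_POST_TASK"}},
}

# A risk is a pair of functions that one person must not hold together.
RISKS = {"XSYS_GL_JE": ("GL_MASTER_DATA", "TOPSIDE_JOURNAL")}

# Constructed sample assignments: (connector, user ID, action or task).
ASSIGNMENTS = [
    ("ECC_PRD", "JSMITH", "GL_ACCOUNT_MAINTAIN"),
    ("BPC_PRD", "jsmith", "JOURNAL_POST_TASK"),   # same person, different case
    ("ECC_PRD", "MLEE", "GL_ACCOUNT_MAINTAIN"),
    ("BPC_PRD", "AKHAN", "JOURNAL_POST_TASK"),
    ("BPC_DEV", "MLEE", "JOURNAL_POST_TASK"),     # connector outside the group
]

def functions_by_user(assignments, group=CONNECTOR_GROUP):
    """Map each normalized user ID to the functions held within the group."""
    held = defaultdict(set)
    for connector, user, action in assignments:
        if connector not in group:
            continue  # out-of-group connectors never contribute to a risk
        for name, fn in FUNCTIONS.items():
            if fn["connector"] == connector and action in fn["actions"]:
                held[user.upper()].add(name)  # assumption: IDs match ignoring case
    return held

def cross_system_violations(assignments, group=CONNECTOR_GROUP):
    """Return (risk ID, user) pairs where one user holds both functions."""
    held = functions_by_user(assignments, group)
    return [(risk_id, user)
            for risk_id, (fn_a, fn_b) in sorted(RISKS.items())
            for user in sorted(held)
            if {fn_a, fn_b} <= held[user]]

if __name__ == "__main__":
    for risk_id, user in cross_system_violations(ASSIGNMENTS):
        print(f"{risk_id}: {user} holds both sides of the conflict")
```

Only JSMITH is reported: MLEE's journal task sits on a connector that is not in the group, which is why a missing connector assignment hides a real conflict rather than raising an error.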