How to Detect BPC Risk in SAP Access Control

  • by Gary Prewett, Security Practice Lead, NIMBL
  • July 31, 2014

Discover how to detect cross-system risk between SAP ERP and SAP Business Planning and Consolidation (BPC). See how BPC task profiles map to business functions and understand how to create cross-system connector groups and assign appropriate connectors to that group.

Learning Objectives

By reading this article you will learn how to:

  • Configure cross-system segregation of duties risk detection in SAP Access Control
  • Create custom functions in SAP Access Control
  • Use transaction codes in SAP Access Control to ensure that rule set modifications work as expected

Key Concept

Cross-system groups logically define what connectors are involved in cross-system risk analysis. Task profiles correspond to activity levels within the BPC application.

Many companies use the SAP Business Planning and Consolidation (BPC) environment to generate financial statements of record. For those companies with Sarbanes-Oxley obligations, this means materiality of the financial statements can be affected by a lack of sufficient controls in the BPC environment.

Specifically, BPC allows top-side journal entries to be entered. Whether or not these flow back to the financials system, top-side journal entries can significantly affect the materiality of financials. Consequently, high-risk segregation of duties (SoD) conflicts can exist across the ERP and BPC environments, specifically around the ability to modify general ledger (G/L) master data within the SAP ERP Central Component (ECC) environment and the ability to make top-side journal entries within the BPC environment.
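
The sketch below is an added example, not code from this article or from SAP Access Control. It is a simplified Python model of why the conflict described above stays invisible to single-system analysis and surfaces only when both connectors belong to one cross-system group. Connector, function, risk, and user IDs are constructed, and the BPC task name is a hypothetical placeholder.

```python
from collections import defaultdict

# All IDs below are constructed for illustration; they are not SAP-delivered rule set content.
# Function -> (connector, action) pairs that grant it.
FUNCTIONS = {
    "GL_MASTER": {("ECC_PRD", "FS00")},           # G/L master data maintenance in ECC
    "BPC_JRNL": {("BPC_PRD", "TASK_POST_JRNL")},  # hypothetical BPC task: top-side journal entry
}
# Risk -> functions one person must not hold together.
RISKS = {"ZX01": ("GL_MASTER", "BPC_JRNL")}
# Cross-system group -> connectors analysed as one logical system.
CROSS_SYSTEM_GROUPS = {"ZFIN_XSYS": {"ECC_PRD", "BPC_PRD"}}

# Constructed sample access: (user, connector, action).
ACCESS = [
    ("JDOE", "ECC_PRD", "FS00"),
    ("JDOE", "BPC_PRD", "TASK_POST_JRNL"),
    ("ASMITH", "ECC_PRD", "FS00"),
    ("BLEE", "BPC_PRD", "TASK_POST_JRNL"),
]

def analyze(access, connectors):
    """Return {user: [risk IDs]} using only access held on `connectors`."""
    held = defaultdict(set)
    for user, connector, action in access:
        if connector in connectors:
            held[user].add((connector, action))
    violations = {}
    for user, perms in held.items():
        funcs = {f for f, grants in FUNCTIONS.items() if perms & grants}
        hits = sorted(r for r, needed in RISKS.items() if set(needed) <= funcs)
        if hits:
            violations[user] = hits
    return violations

def single_system(access, connector):
    """Risk analysis scoped to one connector, as in a single-system ARA run."""
    return analyze(access, {connector})

def cross_system(access, group):
    """Risk analysis across every connector in a cross-system group."""
    return analyze(access, CROSS_SYSTEM_GROUPS[group])

if __name__ == "__main__":
    print("ECC only:", single_system(ACCESS, "ECC_PRD"))
    print("BPC only:", single_system(ACCESS, "BPC_PRD"))
    print("Group   :", cross_system(ACCESS, "ZFIN_XSYS"))
```

In this model each single-connector run comes back clean, while the group run flags the one user who holds both functions across the two systems.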

I explain the key steps needed to configure your SAP Access Control environment and your BPC environment to detect cross-system risk between your ERP and BPC environments. 

I assume that you’ve already followed the instructions in the pre- and post-SAP Access Control implementation guides and are able to run single-system Access Risk Analysis (ARA) analyses in your existing ERP and SAP Business Warehouse (SAP BW) systems, including BPC environments.

An Overview of BPC 

Companies with ERP, BPC, and SAP Access Control deployed can leverage their SAP Access Control investment to systematically detect, identify, and manage cross-system SoD risk associated with creating top-side journal entries in BPC. The systems in scope for this process are:

  • SAP R/3 4.6C to SAP ERP 7.0 (up to SAP NetWeaver 7.31)
  • BPC for SAP NetWeaver version 10.x
  • SAP Access Control 10.x
  • The SAP Access Control 10.x Plugin installed on back-end systems to be scanned, including in the BPC for SAP NetWeaver landscape

Generally speaking, BPC access is controlled via task and data profiles. Depending on the activity, task profiles are what allow users to affect the materiality of data. 

Gary Prewett

Gary Prewett is the security practice lead for NIMBL, North America’s SAP Technologists. An active SAP security thought leader and author with more than 12 years of ERP implementation experience and 15 years of information security focus, Gary has driven and delivered technical and process-based controls on multiple complex SAP implementations. He has worked with clients in implementing security strategy essential to operating in high-risk environments, and has implemented comprehensive information security initiatives encompassing SAP solutions for clients in the financial services, energy, manufacturing, and service sectors.
