Mitigating GRC risks for SAP systems
Optimise trace analysis
Authorization tools in the SAP GRC Suite ensure that every company can design a highly automated compliance management system that fits exactly. The majority of German companies with an SAP system do not yet use authorization tools. However, the use of SAP authorization tools is a great advantage for many companies. The extent to which the use of authorization tools makes sense depends on the size of a company.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
So much information... how can you keep it so that you can find it again when you need it? Scribble Papers is a "note box" that makes this very easy.
Before you can start upgrading the suggestion values and roles, you need to consider a few things. SAP Note 1539556 lists all questions and answers about the administration of proposed values. Already at the start of the transaction SU25 you will be alerted in a pop-up window to the SAP notice 440231 (upgrade preparation for the profile generator). This note provides information on recommended revisions for certain SAP base versions and recommendations for additional guidance, which are listed in the Annexe.
How to analyze roles and authorizations in the SAP system
In the FIORI environment, there are basically two different types of access via a tile. One is the transactional tiles and the other is the native or analytical tiles :
Unlike the EWA, the SOS is able to list users that require extensive permissions. So you can maintain a whitelist. We recommend that you deal with the results of the SOS as follows: Verify that all identified users require critical permission. Complete the users who need this permission in the whitelist. Remove this permission from other users.
The possibility of assigning authorizations during the go-live can be additionally secured by using "Shortcut for SAP systems".
If your other source systems differ only in the second place of the system ID, the profile name does not indicate from which system the profiles originate.
On this basis, determine which organisational characteristics (organisational levels, but also cost centres, organisational units, etc.) represent which parts of the organisation.