Authorization Concept
As loose as possible but as restrictive as necessary
SAP Authorization Concept
[Figure: enterprise structure and data classification. Organizational units shown: Client; Operating Concern 1041; Controlling Area 1000; Company Code 1000; Personnel Area 1100; Personnel Subareas 1110 and 1120. Data classes shown: critical data, non-critical data, and critical & non-critical transactions (Tx).]
Enterprise relevant structure (What units are to be protected?)
• Distribution Channel
• Company Code
• Production Plant
• Sales Organization
• Controlling Area
• etc.
The risk categories
• Regulatory risk: possible violation of underlying laws that
unsatisfied customers
The risk levels
• High risk: task requiring extremely high protection. Are conducted prior to execution of the business processes, and not only after their results are known.
• Median risk: task requiring median protection. The expected damage amount is noticeable for the enterprise.
• Low risk: task requiring low protection. Are posed by all business processes that do not entail critical workflows or results for the enterprise.
The risk valuation

Risk | Business process | Risk Category | Risk Level | Annual Likelihood of occurrence | Amount of loss | Annual Amount of loss (Occurrences x Amount of loss)
A    | Purchasing       | Operational   | Median     | Occurrences                     | $              | $
…    | …                | …             | …          | …                               | …              | …
Control categories (3rd step)
• Automatic controls
• Configurable controls
• Reporting controls
• Guidelines
• Instructions
Control types (3rd step)
• Preventive controls
has started.
• Detective controls
guidelines
Project Setup