
Security Mapping

Overview

The Power of Integration


What Are The Objectives of the Security Role Mapping Workshop?

• Familiarize Management and Super-users with Security Concepts
• Review Global One Template Security Design
• Discuss Expectations of Mapping Sessions
• Review Role to SAP Position Mapping
• Determine SAP Role to User Mapping
• Discuss Data Owners, Who Will Be Responsible for Local User Access and Issue Resolution
• Discuss Segregation of Duties as it Relates to Security
• Next Steps



Business Process Controls Umbrella

[Diagram: the business processes sit under an umbrella of control techniques, each addressing one or more risks. The control techniques shown are SAP controls (SAP configured, Authorization, SAP standard, Monitoring), Non-SAP controls (Manual), and the Business Processes themselves.]




Why Have Security?

• Helps Users Perform Their Daily Responsibilities
• Provides Accountability of User Actions
• Limits Access to Certain Update Activities
• Restricts Ability to View Sensitive Information
• Supports Audit Trails of Activities
• Protects Systems from Misuse
• Helps to Provide Data Integrity



What defines a Security Role?

• Matches what a user does with where they are in the organization
• Access to Perform Tasks Based on Responsibilities
  • The Customer Service Representative has access to certain tasks
  • These tasks are known as transaction codes, e.g. VA01 - create sales order
• Access to Data Based on Organizational Responsibilities
  • The Customer Service Representative has the access to create, change or view data related only to their organizational responsibilities
  • Example of organizational restriction: the Customer Service Representative has the access to create or change a sales order (VA01 & VA02) only for the Argentina Company Code (AR1), but may be able to display more data (VA03).



Security Design Approach

[Diagram: SAP Transaction(s), e.g. VA01 → Role(s), e.g. "Change Sales Order" → SAP Position, e.g. "Customer Service" → Users]

Roles are mapped to SAP positions, which are then mapped to users.

SAP transaction(s) are assigned to roles, but a transaction should only be assigned to one role.




Global One Security Template

[Diagram: the North American security foundation (Wave One) is used as the baseline and makes up roughly 80% of the Global Template; designing security for Global One changes about 20% from North America; the Global Template is then localized over Wave Two, Wave Three and Wave Four to produce the Final Global Template.]

Minor changes to Global Template Security can be accommodated within reason (e.g. new transaction codes and new SAP Positions).



The Enterprise Structure (Hierarchy) Drives...

• How data is defined in the system
• How SAP functionality can be designed to meet Global business requirements
• How transactional data is registered and recorded in the system
• The ability to use standard delivered reports/inquiries
• How cross-company processing takes place
• The complexity of data input
• How roles and users operate within the system, both from a security access perspective as well as from a location and organizational model perspective



Organizational Structure Options and Localization

[Slide: a matrix of SAP organizational units against the business structures each can be set up to represent. The column layout did not survive extraction, so only the entries are listed here.]

SAP organizational units named: Instance, Client, Operating Concern, Controlling Area, Company Code, Credit Control Area, Profit Center, Sales Organization, Distribution Channel, Division, Plant, Storage Location, Purchasing Organization, Purchasing Group, Warehouse, Storage Type, Storage Bin.

Business structures they can represent: Worldwide SAP System, Country-Specific SAP System, Global Company, Business Unit, Business Unit Segment, Country, Company, Legal Entity, Market Segment, Department (Budget Center), Product Line, Product Category, Sales Channel, Manufacturing Site, Warehouse, Distribution Center, Cost Center, Physical Building, Stockroom, Work Station, Buyer, a Purchasing Organization defined worldwide, per Company, per Company Code or as the Entire Purchasing Org, and Plant-Defined units.



Scope of Organizational Hierarchy for Global One

Finance
• Company Code
• Chart of Accounts
• Controlling Area
• Profit Center
• Cost Center

Forecast to Stock
• Plant
• Purchasing Organization
• Purchasing Group
• Storage Location
• Warehouse

Order to Cash
• Sales Area
• Sales Organization
• Distribution Channel
• Division
• Sales Office
• Sales Group
• Sales Employee




Role Example

[Diagram, read top to bottom: User → SAP Position → Role → Transaction]

User: Jian, Min, Carlos, Françoise, Jorge

SAP Position: Plant Buyer; Strategic Purchasing

Role (with the transactions it bundles):
• Create/Change Purch Req (GM_XXX_FTS_CHG_PUR_REQ): Create Purchase Req (ME51), Change Purchase Req (ME52)
• Display Purchasing (GM_XXX_FTS_DIS_PURCHASNG): Display Purchase Req (ME53)
• Display Master Data (GM_XXX_MDT_GEN_DISPLAY): Display Materials (MM03)
• Create/Change Purchase Order (GM_XXX_FTS_CHG_PO): Create Purchase Order (ME21N), Change Purchase Order (ME22N)



Transactions by roles

Role (type) – Role description, followed by its transactions and their descriptions:

GM_XXX_FTS_CHG_PO (MASTER) – CREATE/CHANGE PO
  ME21N  Purchase Order
  ME22N  Purchase Order

GM_XXX_FTS_CHG_PUR_REQ (MASTER) – CREATE/CHANGE PURCHASE REQ
  ME52N  Modify Existing Generated Purchase Requisitio
  ME56   Assign Source to Purch. Requisition
  ME57   Assign and Process Requisitions
  ME58   Ordering: Assigned Requisitions
  ME51   Create Purchase Requisition
  ME52   Change Purchase Requisition
  ME51N  Create Purchase Requisition

GM_XXX_FTS_DIS_PURCHASNG (MASTER) – PURCHASING DISPLAY AND REPORTING
  MD04   Display Stock/Requirements Situation
  ME03   Display Source List
  ME43   Display Request For Quotation
  ME48   Display Quotation
  ME4B   RFQs by Requirement Tracking Number
  ME53   Display Purchase Requisition
  ME4L   RFQs by Vendor
  ME4M   RFQs by Material
  ME4N   RFQs by RFQ Number
  ME4S   RFQs by Collective Number
  ME53N  Display Purchase Requisition

GM_XXX_MDT_GEN_DISPLAY – Master Data General Display
  MM03   Display Material &
  CS03   Display Material BOM
  CS09   Display Allocations to Plant
  CS11   Display BOM Level by Level
  CS12   Multi-level BOM
  CS14   BOM Comparison
  XD03   Display Customer (Centrally)
  ZMPR   Production Readiness Online Report



Master and Derived roles

Master role GM_XXX_FIN_DIS_FINANCE – DISPLAY FINANCIAL DOCUMENTS, with its derived roles:
  GD_AME_FIN_DIS_FINANCE  DRV DISPLAY FINANCIAL DOCUMENTS - SCL
  GD_AR_FIN_DIS_FINANCE   DRV DISPLAY FINANCIAL DOCUMENTS - AR1
  GD_CL_FIN_DIS_FINANCE   DRV DISPLAY FINANCIAL DOCUMENTS - CL1
  GD_GBL_FIN_DIS_FINANCE  DRV DISPLAY FINANCIAL DOCUMENTS - ALL
  GD_PY_FIN_DIS_FINANCE   DRV DISPLAY FINANCIAL DOCUMENTS - PY1
  GD_UY_FIN_DIS_FINANCE   DRV DISPLAY FINANCIAL DOCUMENTS - UY1

Master role GM_XXX_OTC_CHG_PICKING_WAVES – CHANGE PICKING WAVES, with its derived roles:
  GD_AME_OTC_CHG_PICKING_WAVES  CHANGE PICKING WAVES - AME
  GD_AR_OTC_CHG_PICKING_WAVES   CHANGE PICKING WAVES - AR
  GD_CL_OTC_CHG_PICKING_WAVES   CHANGE PICKING WAVES - CL
  GD_PY_OTC_CHG_PICKING_WAVES   CHANGE PICKING WAVES - PY
  GD_UY_OTC_CHG_PICKING_WAVES   CHANGE PICKING WAVES - UY
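The chain shown on the Security Design Approach and Role Example slides (transaction → role → SAP position → user), with derived roles carrying the company-code restriction from the Master and Derived roles table, worked as a small Python model. This is an added example, not code from the deck or the project: the master-role contents come from the Transactions by roles slide, but the Argentina (AR1) restriction on the derived roles, the global display role for Strategic Purchasing, and the assignment of Jian and Carlos to positions are assumptions made here.

```python
"""Toy model of the mapping chain on the slides: transaction -> role -> SAP
position -> user, with derived roles carrying the company-code restriction.
Added example, not code from the deck; the user-to-position assignments and
the AR1 restriction on the derived roles are assumptions made here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    transactions: frozenset   # transaction codes the role grants
    company_codes: frozenset  # organizational restriction; "*" means all


# Master roles hold the transactions (taken from the "Transactions by roles" slide).
MASTER_ROLES = {
    "GM_XXX_FTS_CHG_PO": frozenset({"ME21N", "ME22N"}),
    "GM_XXX_FTS_CHG_PUR_REQ": frozenset({"ME51", "ME51N", "ME52", "ME52N", "ME56", "ME57", "ME58"}),
    "GM_XXX_FTS_DIS_PURCHASNG": frozenset({"MD04", "ME03", "ME43", "ME48", "ME53", "ME53N"}),
}


def derive(master: str, region: str, company_codes) -> Role:
    """Derive a GD_<region>_... role: same transactions as the master role,
    organizational values limited to the given company codes."""
    if not master.startswith("GM_XXX_"):
        raise ValueError("not a master role: " + master)
    return Role("GD_" + region + "_" + master[len("GM_XXX_"):],
                MASTER_ROLES[master], frozenset(company_codes))


# SAP positions bundle derived roles (role list per position follows the
# "List of SAP Positions" slide; the AR1 / global restrictions are assumed).
POSITION_TO_ROLES = {
    "PLNTBUYER": [derive("GM_XXX_FTS_CHG_PO", "AR", {"AR1"}),
                  derive("GM_XXX_FTS_CHG_PUR_REQ", "AR", {"AR1"}),
                  derive("GM_XXX_FTS_DIS_PURCHASNG", "AR", {"AR1"})],
    "STRATPURCH": [derive("GM_XXX_FTS_CHG_PUR_REQ", "AR", {"AR1"}),
                   derive("GM_XXX_FTS_DIS_PURCHASNG", "GBL", {"*"})],
}

# Users are mapped to positions, never directly to roles (assumed assignments).
USER_TO_POSITIONS = {"Jian": ["PLNTBUYER"], "Carlos": ["STRATPURCH"]}


def authorized(user: str, tcode: str, company_code: str) -> bool:
    """True if some role reachable through the user's positions grants the
    transaction for that company code."""
    for position in USER_TO_POSITIONS.get(user, []):
        for role in POSITION_TO_ROLES[position]:
            if tcode in role.transactions and (
                    company_code in role.company_codes or "*" in role.company_codes):
                return True
    return False


def transactions_in_several_roles(master_roles=MASTER_ROLES) -> dict:
    """Design check for the slide's rule that a transaction is assigned to one
    role only: returns {tcode: [roles]} for every transaction found in more
    than one master role (empty means the design passes)."""
    owners = {}
    for role, tcodes in master_roles.items():
        for tcode in tcodes:
            owners.setdefault(tcode, []).append(role)
    return {t: sorted(r) for t, r in owners.items() if len(r) > 1}


if __name__ == "__main__":
    print(authorized("Jian", "ME21N", "AR1"))    # plant buyer may create an AR1 purchase order
    print(authorized("Jian", "ME21N", "CL1"))    # but not one for the Chilean company code
    print(authorized("Carlos", "ME21N", "AR1"))  # strategic purchasing has no purchase-order role
    print(transactions_in_several_roles())       # {} : no transaction sits in two roles
```

The derived-role naming (GD_<region>_ replacing GM_XXX_) mirrors the table above; the authorization check walks user → position → role and applies both the transaction and the organizational value, which is why the same master role derived for AR1 and for CL1 gives different answers for the same user.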



List of SAP Positions

Process Area FTS – SAP Position PLNTBUYER (Plant Buyer), roles and transactions:
  GM_XXX_FTS_CHG_PO_PROD
    ME21N
    ME22N
  GM_XXX_FTS_CHG_PUR_REQ
  GM_XXX_FTS_CHG_VDR_EVAL
  GM_XXX_FTS_DIS_PURCHASNG
  GM_XXX_FTS_MRP_EVAL
  GM_XXX_FTS_MRP_SINGLE
  GM_XXX_FTS_MTN_CONT
  GM_XXX_FTS_MTN_INFO_REC
  GM_XXX_FTS_MTN_QUOTA_ARR
  GM_XXX_FTS_MTN_SCH_AGREE
  GM_XXX_FTS_MTN_SRC_LST

Process Area FTS – SAP Position STRATPURCH (Strategic Purchasing), roles and transactions:
  GM_XXX_FTS_CHG_COND
  GM_XXX_FTS_CHG_PUR_REQ
    ME51
    ME51N
    ME52
    ME52N
    ME56
    ME57
    ME58
  GM_XXX_FTS_CHG_VDR_EVAL
  GM_XXX_FTS_DIS_PURCHASNG
  GM_XXX_FTS_MRP_EVAL
  GM_XXX_FTS_MRP_SINGLE




Who Are The Data Owners?

• There should be a defined "Data Owner" for all areas of the business (FTS, FIN, OTC).
• These should be the people consulted to determine if users from another business area or region should be allowed access.
• We recommend that Senior Management identify the names of these data owners for each area of the business.
• The Data Owner for a business area or region may choose to delegate this responsibility to other staff:
  • Financial data requests, to person X
  • Forecast to Stock data requests, to person Y
  • Order to Cash data requests, to person Z
• Once approved, the local security administrators can then grant the requested access.



Security Access Approvers – Data Owners

EXAMPLE 1
A Finance User works in Argentina and has access to view or modify Argentina data in SAP:
- The Finance User wants access to view and update US information. The User needs to request approval from the US Data Owner. This should be the US Finance Data Owner.
- The request should also be approved by the Finance Data Owner of the country the person works for, prior to being issued access, i.e. two approvals, one from Argentina and one from the US.

[Org chart: Global → Southern Cluster (CL, UY, PY, AR) and North America (US, CA)]



Security Access Approvers – Data Owners

EXAMPLE 2
A Plant User works in Argentina plant 4100 and has access to view or modify plant 4100 data in SAP:
• The User wants access to view and modify data in the Paraguay Plant and should request approval from the Paraguay Plant Data Owner.
• The request should also be approved by the Argentina Plant Data Owner prior to being issued access.

[Org chart: Global → Southern Cluster (AR, CL, PY, UY)]




Segregation of Duties – Security Team Approach

• Tailor the specific Segregation of Duties table (SAAT) for the functionality being implemented.
  • Segregation of duties should be considered as roles are designed.
• Ensure all roles are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review the role definitions to ensure that any segregation of duties conflicts, at the transaction level, are properly resolved (no conflict should exist in a single role).
• Ensure all positions are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review the positions to ensure all segregation of duties and sensitive access have been identified and the appropriate authorization given if any conflicts are to remain in place.
• Ensure all mapped users are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review any conflicts with the relevant manager and ensure a risk acceptance decision has been taken before go live.
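The three review levels on this slide (single role, SAP position, mapped user) and the risk-acceptance decision before go-live, worked through in Python. This is an added example, not the deck's or the project's tooling: the rule table standing in for the SAAT, the sensitive-transaction list, the goods-receipt transaction, the risk-acceptance register, and the user-to-position assignments (including Jorge holding two positions) are constructed assumptions; the purchasing role contents follow the slides.

```python
"""Segregation-of-duties review at the three levels the slide names: single
role, SAP position, and mapped user, followed by the risk-acceptance check
before go-live.  Added example, not the deck's tooling; the rule table
(standing in for the SAAT), the sensitive-transaction list and the user
assignments are constructed here for illustration."""

# Constructed SoD rule table: each rule pairs two transaction groups that one
# person should not hold together (raise a requisition vs. place the order, etc.).
SOD_RULES = {
    "REQ_vs_PO": ({"ME51", "ME51N", "ME52", "ME52N"}, {"ME21N", "ME22N"}),
    "PO_vs_GOODS_RECEIPT": ({"ME21N", "ME22N"}, {"MIGO"}),  # MIGO assumed here
}
# Constructed list of transactions that are sensitive on their own.
SENSITIVE = {"SU01"}  # user maintenance (assumed)

# Role contents follow the purchasing roles on the slides.
ROLE_TCODES = {
    "GM_XXX_FTS_CHG_PO": {"ME21N", "ME22N"},
    "GM_XXX_FTS_CHG_PUR_REQ": {"ME51", "ME51N", "ME52", "ME52N"},
    "GM_XXX_FTS_DIS_PURCHASNG": {"MD04", "ME53", "ME53N"},
}
POSITION_ROLES = {
    "PLNTBUYER": {"GM_XXX_FTS_CHG_PO", "GM_XXX_FTS_CHG_PUR_REQ", "GM_XXX_FTS_DIS_PURCHASNG"},
    "STRATPURCH": {"GM_XXX_FTS_CHG_PUR_REQ", "GM_XXX_FTS_DIS_PURCHASNG"},
}
# Assumed user-to-position mapping; Jorge holds two positions at once.
USER_POSITIONS = {"Jian": {"PLNTBUYER"}, "Carlos": {"STRATPURCH"},
                  "Jorge": {"PLNTBUYER", "STRATPURCH"}}


def conflicts(tcodes):
    """Names of the SoD rules violated by a set of transactions, sorted."""
    return sorted(name for name, (side_a, side_b) in SOD_RULES.items()
                  if tcodes & side_a and tcodes & side_b)


def role_conflicts(role):
    """Level 1: no conflict may exist inside a single role."""
    return conflicts(ROLE_TCODES[role])


def position_tcodes(position):
    return set().union(*(ROLE_TCODES[r] for r in POSITION_ROLES[position]))


def position_conflicts(position):
    """Level 2: conflicts created by the combination of roles in a position."""
    return conflicts(position_tcodes(position))


def user_tcodes(user):
    return set().union(*(position_tcodes(p) for p in USER_POSITIONS[user]))


def user_conflicts(user):
    """Level 3: conflicts across all positions mapped to a user."""
    return conflicts(user_tcodes(user))


def sensitive_access(user):
    """Sensitive transactions a user reaches through any position."""
    return sorted(user_tcodes(user) & SENSITIVE)


# Risk-acceptance register (constructed): (user, rule or tcode) ->
# (accepting manager, compensating control).
ACCEPTED = {
    ("Jian", "REQ_vs_PO"): ("plant manager",
                            "monthly review of purchase orders raised against own requisitions"),
}


def open_findings():
    """User-level conflicts and sensitive access that still lack a documented
    risk-acceptance decision; this list should be empty before go-live."""
    findings = []
    for user in USER_POSITIONS:
        for rule in user_conflicts(user):
            if (user, rule) not in ACCEPTED:
                findings.append((user, rule))
        for tcode in sensitive_access(user):
            if (user, tcode) not in ACCEPTED:
                findings.append((user, tcode))
    return findings


if __name__ == "__main__":
    for role in ROLE_TCODES:
        print(role, role_conflicts(role))          # each role is clean on its own
    print("PLNTBUYER", position_conflicts("PLNTBUYER"))  # conflict appears at position level
    print("open before go-live:", open_findings())       # Jorge still needs a decision
```

Each role passes the level-1 check, so the requisition-versus-order conflict only appears once the Plant Buyer position combines the two roles; the register then records the manager's acceptance and compensating control for Jian, while Jorge, who picks up the same combination through two positions, remains an open finding until a decision is taken.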




Next Steps

• Data Owners will approve and sign-off on the following:
  • Role to SAP Position Mapping
  • SAP Position to User Mapping
  • SOD Conflicts and Compensating Controls



Questions?
