Security Mapping: The Power of Integration
Overview
[Diagram: Risks across Business Processes and the Control Techniques that address them: SAP configured (Authorization, SAP standard) and Non-SAP (Monitoring, Manual)]
• Matches what a user does with where they are in the organization
• Access to perform tasks based on responsibilities
  • The Customer Service Representative has access to certain tasks
  • These tasks are known as transaction codes, e.g. VA01 (create sales order)
• Access to data based on organizational responsibilities
  • The Customer Service Representative has access to create, change or view data related only to their organizational responsibilities
  • Example of organizational restriction: the Customer Service Representative has access to create or change a sales order (VA01 & VA02) only for the Argentina Company Code (AR1), but may be able to display more data (VA03).
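A toy model of the restriction described above, added here as an illustration and not part of the original slides: a role grants transaction codes, each limited to a set of company codes, and a review helper flags change-type transactions granted without an organizational restriction. The AuthEntry/Role structures, the "*" wildcard and the company code "US1" are constructed for this example; activity codes 01/02/03 follow SAP's create/change/display convention.

```python
from dataclasses import dataclass, field

# Activity performed by each transaction code on the slide (create/change/display).
TCODE_ACTIVITY = {"VA01": "01", "VA02": "02", "VA03": "03"}


@dataclass(frozen=True)
class AuthEntry:
    """One authorization line in a role: a transaction and the company codes it covers."""
    tcode: str
    company_codes: frozenset  # constructed convention: "*" means unrestricted


@dataclass
class Role:
    name: str
    entries: list = field(default_factory=list)

    def allows(self, tcode: str, company_code: str) -> bool:
        """True if the role grants `tcode` for `company_code`."""
        return any(
            e.tcode == tcode and ("*" in e.company_codes or company_code in e.company_codes)
            for e in self.entries
        )


def build_csr_role() -> Role:
    """The slide's Customer Service Representative: create/change in AR1 only, display anywhere."""
    return Role("Change Sales Order", [
        AuthEntry("VA01", frozenset({"AR1"})),
        AuthEntry("VA02", frozenset({"AR1"})),
        AuthEntry("VA03", frozenset({"*"})),
    ])


def unrestricted_change_entries(role: Role) -> list:
    """Review check: change-type transactions (create/change) granted for all company codes."""
    return [
        e.tcode for e in role.entries
        if TCODE_ACTIVITY.get(e.tcode) in ("01", "02") and "*" in e.company_codes
    ]


if __name__ == "__main__":
    csr = build_csr_role()
    print(csr.allows("VA01", "AR1"))  # True: create sales order in Argentina
    print(csr.allows("VA02", "US1"))  # False: change outside the assigned company code
    print(csr.allows("VA03", "US1"))  # True: display is granted more broadly
    print(unrestricted_change_entries(csr))  # []: no unrestricted change access
```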
[Diagram: SAP transaction VA01 is contained in the role "Change Sales Order"; roles are mapped to SAP positions, which are then mapped to users.]
[Diagram: Global security design roadmap in four waves. Wave One: design security for the 20% change from Global One. Wave Two: North American security foundation. Wave Three: Global Template, with the North America security design as the baseline. Wave Four: Final Global Template, 80% localized.]
[Diagram: Order to Cash organizational hierarchy: Sales Area → Sales Organization → Distribution Channel → Division → Sales Office → Sales Group → Sales Employee → User]
[Diagram: Example mapping for a Strategic Plant Buyer: SAP Position (Purchasing) → Role → Transaction]
• There should be a defined "Data Owner" for all areas of the business (FTS, FIN, OTC).
• These should be the people consulted to determine whether users from another business area or region should be allowed access.
• We recommend that Senior Management identify the names of these data owners for each area of the business.
• The Data Owner for a business area or region may choose to delegate this responsibility to other staff:
  • Financial data requests, to person X
  • Forecast to Stock data requests, to person Y
  • Order to Cash data requests, to person Z
• Once approved, the local security administrators can then grant the requested access.
[Diagram: Global scope covering CL, UY, PY, AR, US and CA; the Southern Cluster comprises AR, CL, PY and UY.]