Segregation of Duties in a nutshell
Every company has an organizational structure that describes the roles (known as business roles) of all types of employees. These roles are, for example, account manager, marketing specialist, administrator, cleaner, etc. Most companies also have documents in which every business role is associated with certain actions: create payment order, approve payment order, create vendor, delete user, etc. Each action is associated with a particular transaction in the SAP system (or sometimes with a transaction plus authorization values).
If a company has this information (it usually hires one of the Big Four firms to create the organizational structure, the role model, naming conventions, etc.), it creates technical roles in the SAP system and maps business roles and actions to technical roles and transactions. The company then assigns technical roles to user accounts in SAP so that every user has a single technical role. This sounds simple, but in real life there are many issues with it. The main one is keeping the system secure after each change.
Why do you need continuous Segregation of Duties analysis?
Even if a company has a clear organizational structure and all transactions are properly assigned to users, there is no guarantee that everybody will follow those rules later. This is where SOD tools come into play. SOD tools check whether users can execute critical transactions, in order to prevent financial or information fraud.
So, before a company can benefit from any SOD tool, it has to create an organizational structure and then configure a template. Once this is done, the tool can identify users with critical transactions that they do not need (configured in one template), or users who hold a combination of two or more critical transactions that should not be held by one person (an SOD conflict).
How can ERPScan help with detecting SOD conflicts?
There are a lot of SOD tools on the market, and you know that for sure. What can we offer here? While the most important advantage of ERPScan is the combination of SOD, Vulnerability Management, Threat Detection and Customization protection (code scanning) in one platform with correlated results, the SOD module itself has some great benefits over other tools. First of all, the SOD module works with preconfigured files for almost any industry, module or system without any configuration on the SAP side. How is that possible? Here’s how:
- First type (Critical Access). Simply select one of our templates with the list of critical transactions in a particular area (HR, Financial, Administration), and the tool will show the users who can run these critical transactions.
- Second type (Quick SOD). Quick SOD analysis is provided by a template called Top 20 SOX SOD Conflicts that you can run out of the box; it shows the users who can execute the twenty most dangerous transaction combinations.
- Third type (Custom SOD). You select two templates. The first describes business roles, actions, and transactions; the second describes which business roles should not be assigned to one user and rates the risk of each such combination. We provide a pre-configured template based on best practices from SAP and the Big Four, consisting of 60 business roles and 600+ actions.
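The two-template model above (business roles mapped to actions and transactions, plus rules for which business roles must not meet in one user), combined with a Critical Access list, as an added Python example that is not ERPScan's code; every role name, transaction assignment and conflict rule below is constructed for illustration, and a rule naming N business roles is what the page calls an N-dimensional conflict.

```python
# Added example (not ERPScan's code): a minimal SoD check over the two-template
# model described above. All data is constructed; transaction codes are illustrative.
# Template 1: business roles -> actions -> SAP transaction codes.
ACTIONS = {"create_vendor": {"XK01"}, "create_payment": {"F-53"},
           "approve_payment": {"F110"}, "maintain_users": {"SU01", "SU10"}}
BUSINESS_ROLES = {"AP_CLERK": {"create_payment"}, "AP_APPROVER": {"approve_payment"},
                  "VENDOR_MASTER": {"create_vendor"}, "BASIS_ADMIN": {"maintain_users"}}
# Template 2: business roles that must not meet in one user, with a risk rating.
# A rule naming N roles is an N-dimensional conflict.
CONFLICT_RULES = [
    (frozenset({"AP_CLERK", "AP_APPROVER"}), "HIGH"),
    (frozenset({"VENDOR_MASTER", "AP_CLERK", "AP_APPROVER"}), "CRITICAL"),
]
# Critical Access template: single transactions worth flagging on their own.
CRITICAL_TCODES = {"SU01", "SU10"}

def user_tcodes(roles, tech_roles):
    """Union of the transactions granted by a user's technical roles."""
    return set().union(*(tech_roles[r] for r in roles))

def effective_business_roles(tcodes):
    """A user effectively holds a business role if every action of it is executable."""
    can_do = {a for a, codes in ACTIONS.items() if codes & tcodes}
    return {r for r, acts in BUSINESS_ROLES.items() if acts <= can_do}

def analyse(users, tech_roles):
    """Per user: critical transactions held and every conflict rule fully matched."""
    report = {}
    for user, roles in users.items():
        tcodes = user_tcodes(roles, tech_roles)
        held = effective_business_roles(tcodes)
        conflicts = [(sorted(rule), risk) for rule, risk in CONFLICT_RULES if rule <= held]
        report[user] = {"critical_access": sorted(tcodes & CRITICAL_TCODES),
                        "conflicts": conflicts}
    return report

# Constructed SAP-side data: technical roles (transaction sets) and user assignments.
TECH_ROLES = {"Z_AP_CLERK": {"F-53"}, "Z_AP_APPROVER": {"F110"},
              "Z_VENDOR": {"XK01"}, "Z_BASIS": {"SU01", "SU10"}}
USERS = {"alice": {"Z_AP_CLERK"}, "bob": {"Z_AP_CLERK", "Z_AP_APPROVER", "Z_VENDOR"},
         "carol": {"Z_BASIS"}}

if __name__ == "__main__":
    for user, findings in analyse(USERS, TECH_ROLES).items():
        print(user, findings)
```

Because conflicts are matched on the effective business roles derived from all of a user's technical roles, a conflict that only appears when two separately harmless technical roles are combined is still reported.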
The benefits of ERPScan’s Segregation of Duties module
- Pre-configured dashboards
- Support of many industries and systems
- Non-intrusive analysis
- N-dimensional conflicts detection
- Cross-system conflicts detection