Tip Doctor, Insider Learning Network.
The following tip has been taken from Brian Ocampo’s presentation “Expert Techniques to rapidly identify, assess, and mitigate high-risk SoD Violations” which took place at the GRC 2011 conference in Las Vegas, March 8-11.
Many companies today have implemented SAP BusinessObjects Access Control, and are utilizing the risk analysis and remediation (RAR) functionality. Check out the below tip on how to customize the technical components of your RAR rule set.
How to customize the technical components of your rule set
- After the risk assessment process and the functional blueprint of the rule sets have been established, the technical blueprint of the rule set can be designed
- Map functions to the technical application landscape (consider defining logical systems for applications where common rules are expected to be applied)
- Evaluate custom functionality within each application for SoD relevance
- If there is relevant custom t-code functionality, add those transactions to the rule sets as necessary
- Disable (not delete) rules that are not applicable to preserve audit trail and for potential future use
- Perform final quality review of the technical rule sets. Some checks to consider:
  - Are there t-codes (and supporting objects) that are conflicting with themselves?
  - Are there t-codes which do not have any underlying objects defined?
  - Can object level rules be added using your USOBT table?
  - Are all activity fields enabled where they are applicable?
  - Are there display values enabled in activity fields that should be turned off?
- Implement changes to the technical rule set
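The quality-review checks above can be scripted before the technical rule set is loaded into RAR. The following is an added example (not code from the presentation or from SAP); the function, t-code and authorization-object values are constructed sample data, and it implements three of the listed checks: t-codes conflicting with themselves, t-codes with no underlying objects, and display values left enabled in ACTVT fields.

```python
"""Quality checks over a constructed SoD rule set (added example, not the presentation's own code)."""

# Constructed sample: function -> {t-code: {auth object: {field: set of values}}}
FUNCTIONS = {
    "AP01_VENDOR_MAINT": {
        "FK01": {"F_LFA1_APP": {"ACTVT": {"01", "02"}}},
        "FK02": {"F_LFA1_APP": {"ACTVT": {"02", "03"}}},   # display value 03 still enabled
        "FK03": {},                                        # no underlying object defined
    },
    "AP02_VENDOR_PAYMENT": {
        "F110": {"F_REGU_BUK": {"FBTCH": {"02", "11"}}},
        "FK03": {"F_LFA1_APP": {"ACTVT": {"03"}}},         # same t-code as in AP01 -> self-conflict
    },
}
# Constructed risk: two conflicting functions plus an enabled flag (rules are disabled, never deleted)
RISKS = {"P001": {"functions": ("AP01_VENDOR_MAINT", "AP02_VENDOR_PAYMENT"), "enabled": True}}
DISPLAY_VALUES = {"03", "08"}  # ACTVT display / display change documents


def self_conflicting_tcodes(functions, risks):
    """T-codes present in both functions of an enabled risk conflict with themselves."""
    findings = {}
    for risk_id, risk in risks.items():
        if not risk["enabled"]:
            continue  # disabled rules are kept for the audit trail but not reviewed
        f1, f2 = risk["functions"]
        shared = set(functions[f1]) & set(functions[f2])
        if shared:
            findings[risk_id] = sorted(shared)
    return findings


def tcodes_without_objects(functions):
    """(function, t-code) pairs with no authorization object, i.e. action-level rules only."""
    return sorted((f, t) for f, tcodes in functions.items()
                  for t, objs in tcodes.items() if not objs)


def display_values_enabled(functions):
    """ACTVT fields that still allow display values; these produce false-positive violations."""
    findings = []
    for f, tcodes in functions.items():
        for t, objs in tcodes.items():
            for obj, fields in objs.items():
                hits = fields.get("ACTVT", set()) & DISPLAY_VALUES
                if hits:
                    findings.append((f, t, obj, sorted(hits)))
    return sorted(findings)
```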
More SAP BusinessObjects information, tips and advice are available on Insider Learning Network's SAP BusinessObjects Group.