This blog details the scoring results and answers to the SAP Authorizations IQ Quiz. Take the quiz here.
What? It’s already the third quarter? Yes, it is. We suddenly realized it ourselves, and wanted to make sure to remind you authorization managers and CISOs what you’ll be facing during this second half of the year. We’re assuming that these three things are already on your task list for Q3/Q4 (and if not, they should be), but we thought it would be nice to summarize them anyway.
Although the title of this blog refers to mothers, it’s really referring to anyone who’s not technically savvy. The people who, when you tell them that you’re the new authorization manager at your corporation, will squint their eyes and say, “Well, I’m sure it’s great and everything, but what does that mean?” The family members who, when they want to show off to their friends, tell them how very talented you are and how you’re “doing something with computers.” Even your kid who embarrasses you when he tells his 9th grade class that his father “fixes computers.” Then you realize that you have a problem giving a clear explanation of what you do.
“Conscious uncoupling” (see goop), the fancy new age words that Gwyneth Paltrow and Chris Martin are using instead of the word “divorce,” does feel a bit weird, but there is some truth to the approach that I think can actually highly benefit certain events in the SAP world. In fact, without a “conscious uncoupling” approach to employees in the SAP world, a great deal of work might go to waste.
A customer from a large enterprise came to us and said, “Our company has an ‘open policy.’ We trust our employees, so we grant all of them SAP_ALL. We know that SAP_ALL includes all authorizations in the system but everything’s working fine and our authorizations are very easy to maintain, as you’d expect. But we need to spot the people who are taking advantage of this freedom and going beyond their permitted activities; those who are misusing their authorizations and, based on their job descriptions, going where they’re not allowed. For instance, we have a sneaking suspicion that some people in the warehouse are exploring payroll records.”
What’s really going on with your employees’ authorizations? Are they all in use, or should some be removed? Are you complying with SOX requirements? If you are like most people, it’s just too much. Here's an eBook that will help you solve that problem. The link below will give you access to the free 50-page eBook about conducting a successful Authorization Review. It’s loaded with tons of knowledge, tips and tricks, and it’s based on years of our experience and experience from our customers.
(This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots).
When it comes to SAP audit time, auditors will direct security administrators to run a set of reports on the User Information System using SAP Transaction, or T-Code, “SUIM”. This allows them to inquire on users’ SAP authorization data and sensitive objects.
If you’re like most CIOs, CISOs or internal auditors that work in a company that has implemented SAP, every day you have to contend with overloaded terms like “Profile,” “Authorization Role” and “Authorization Object” and quotes such as “This person can't access the company code because he doesn’t have BUKRS in his profile.” Don’t worry. You’re not the only one who feels like they speak a different language. Keep reading.
One of your accounting clerks just left on maternity leave (congratulations to Sally). Another employee is replacing her and thus has the new responsibility of performing Invoice Reconciliation (good luck to John). To perform this task, John needs to open a new request in the portal for the proper authorization. Then he must browse through the business process list and select Invoice Reconciliation, add an explanation for the request and submit it. The financial top-user receives the request and approves/disapproves it. Upon approval, John is automatically assigned the required authorization role, and even receives an email indicating this.
Auditor: How in the world was activity FS02 (Change G/L Account) not marked as high risk?!
Risk Manager: Well… it was marked… but then John told me to remove it…
Auditor: Can you show me the email from John?
Risk Manager: Well… it should be here somewhere… let me try and find it…