Risk
Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
Control Description
Dedicate approvers approve the nature and extent of user-access privileges for new and modified user access, including standard application business catalogues / business roles, critical financial reporting transactions, and segregation of duties.
Background
Assigning the correct authorizations to the right user is a key element in the segregation of duties – and therefore a cornerstone in the auditing process.
In S/4 HANA Cloud, authorizations are collected in so-called ‘Business Catalogue IDs” which are assigned to ‘Business roles” which can be assigned to users. These business roles give access to underlying applications. The access to company codes and within company codes can be restricted in roles.
How to obtain the populations (Please remember that the process might change with later releases)
To obtain the population of users created during the audit period navigate to ‘Identity & Access Management’ > ‘Maintain Business Users’ > ‘Display Changes’, select the date range and check the selection box ‘Created Users’.
Note 1: By clicking on the user, it is possible to receive the following information:
Note 2: By clicking on the Business Role ID, you can identify the authorizations from the role as well as the Business Catalogues assigned to the role.
To obtain the population of users with Business roles assignment changes during the audit period navigate to ‘Identity & Access Management’ > ‘Maintain Business Users’ > ‘Display Changes’, select the date range and check selection box ‘Business Roles Changed’.
Note 3: Entries with "Authorizations have been reorganized/optimized due to technical reasons" can be ignored as these indicate SAP system internal reorganizations and do not necessarily indicate authorization changes.
Note 4: Business users require creation of an employee, but not all employees need to have a business user.
To obtain a listing of changes made to roles during the testing period navigate to ‘Identity & Access Management’ > ‘Maintain Business Roles’ -> 'Display Changes'.
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.”
Or contact us on LinkedIn.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
9 | |
6 | |
4 | |
4 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 |