
Introduction: Segregation of Duties (SoD) is a critical control mechanism to prevent fraud and errors in business processes. However, as organizations operate across multiple systems, managing SoD risks becomes more complex. This blog explores best practices for defining, mitigating, and monitoring SoD risks across interconnected systems.
Understanding Cross-System SoD Risks: Cross-system SoD risks arise when a single user holds conflicting functions in different applications. Because each application only checks its own authorizations, neither system can see the conflict on its own; it is only visible when access from both is evaluated together. For example, if an organization uses SAP S/4HANA for finance and SAP Ariba for procurement, a cross-application risk exists if a user has both "Invoice Approval" in S/4HANA and "Purchase Order Approval" in Ariba.
Managing Cross-System Risks: To manage cross-system segregation of duties across various applications, the following activities should be undertaken:
1. Cross-System Risk Definition:
SAP Cloud Identity Access Governance (IAG) integrates with a variety of on-premise and cloud applications, each with its own authorization model (roles, entitlements, groups, transaction codes, Fiori catalogs). To make SoD analysis possible across them, IAG normalizes these concepts into a single access model in which every authorization object becomes an "action" of a given type, and rulesets are written against those actions rather than against any one system's native objects.
The following action types are available when defining rulesets and extracting authorizations from IAG-monitored applications; the Type column is the code referenced in function definitions:
| Application Type | Action Type | Type |
|---|---|---|
| ARIBA | Ariba Group | ARIBA |
| AZURE | Microsoft Azure | AZURE |
| BTP_ABAP | SAP BTP ABAP Environment | BABAP |
| C4C | SAP Sales Cloud and SAP Service Cloud | C4C |
| CLOUDFOUNDRY | SAP Cloud Foundry Role | CFRL |
| CLOUDFOUNDRY | SAP Cloud Foundry | CF |
| CONCUR | SAP Concur Role | CONCR |
| CONCUR | SAP Concur Entitlement | CONCE |
| FIELDGLASS | SAP Fieldglass | FGLAS |
| IAS2 | SAP Identity Authentication Service | IAS |
| LDAP | Lightweight Directory Access Protocol Group | LDAP |
| SAPERP / S4HANA | Transaction Code | TCD |
| SAPERP / S4HANA | Web Dynpro Application | WDY |
| SAPERP / S4HANA | OData Service | SVC |
| S4HANACLOUD / SAPIBP / SAPMKT | Fiori Catalog Group | FGRP |
| S4HANACLOUD / SAPIBP / SAPMKT | Fiori Catalog | FCAT |
| S4HANACLOUD / SAPIBP / SAPMKT | Fiori Application | FAPP |
| S4HANACLOUD / SAPIBP / SAPMKT | OData Service | SVC |
| SAC | SAP Analytics Cloud | SAC |
| SCP | SAP Cloud Platform | SCP |
| SFEC | SAP SuccessFactors | SFEC |
Additionally, you can integrate with any application that supports the SCIM protocol, allowing you to map its authorization structure to SAP Cloud Identity Access Governance and assess access risks effectively.
2. Mitigation Control Assignments:
Mitigation control assignments identify, document, and manage compensating controls for users whose conflicting access cannot be removed. They are needed when a user legitimately requires access to conflicting roles or transactions for business reasons. A mitigating control does not remove the conflict; it reduces the residual risk, and it must itself be monitored to remain effective.
Controls can be assigned either directly to the user with the SoD violation or to the specific access (role or business role) that causes it. A role-level assignment covers every user who receives that role, so it should be reviewed whenever the role's content changes.
3. Control Monitoring:
Regularly check the effectiveness of implemented controls and ensure they are functioning as intended. Every control is defined with a test plan, which the assigned control monitor executes at the specified frequency to confirm that the control is still effective.
4. Risk Remediation:
Risk remediation resolves identified Segregation of Duties (SoD) conflicts by changing or removing the access that creates them: refining user access, revoking excess permissions, or restructuring roles so that the conflicting functions no longer sit with one user.
Refining user access means generating proposals that either remove the conflicting access or suggest alternative access. The proposals are based on actual usage: access the user has not exercised is the first candidate for removal, while access that is in use is preserved, leaving the user with the functionality they need and no SoD conflict.
The sample below illustrates two cross-system risks between the Concur and S/4HANA Cloud applications:

| Risk ID | Concur Function | S/4HANA Cloud Function | Description of Risk | Risk Level |
|---|---|---|---|---|
| CONXS405 | CONEXP02: Concur - Create and submit expense reports and cash advances | S4CPS01: Project Master Data | Create and submit expense reports on a project and maintain project master data | High |
| CONXS406 | CONINV07: Concur - Create and submit invoices | S4CPS01: Project Master Data | Create and submit invoices on a project and maintain project master data | High |

The functions referenced by these risks resolve to the following actions; holding any one action of a function realizes that function, and a risk is violated when all of its functions are realized:

| Function ID | Description of Function | Action | Type |
|---|---|---|---|
| CONEXP02 | CONEXP02: Concur - Create and submit expense reports and cash advances | EXP_USER | CONCR |
| CONINV07 | CONINV07: Concur - Create and submit invoices | INV_PMT_USER | CONCR |
| S4CPS01 | S4CPS01: Project Master Data | SAP_PSM_BC_MD_BDGTRESP_PC | FCAT |
| S4CPS01 | S4CPS01: Project Master Data | SAP_PSM_BC_MD_BDGTSP_PC | FCAT |
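To make the rule model concrete, here is an added example (not IAG's code, data model or API) that evaluates the two sample risks over a normalized set of access records, looks up a mitigating control at user or role level as described in step 2, and proposes a usage-based remediation as described in step 4. The risk, function, action and type codes are the ones from the tables above; the user ID, role names, usage log and control ID are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Access:
    """One authorisation object a user holds, reduced to a system-neutral shape so a
    Concur role, a Fiori catalog and a transaction code are evaluated by one rule engine."""
    system: str  # application type, e.g. CONCUR, S4HANACLOUD
    atype: str   # action type code from the table above, e.g. CONCR, FCAT
    action: str  # the authorisation object itself
    via: str     # role / business role that granted it (needed for role-level controls)


# Function ID -> actions that realise it (codes from the sample tables); ANY one suffices.
FUNCTIONS = {
    "CONEXP02": {("CONCUR", "CONCR", "EXP_USER")},
    "CONINV07": {("CONCUR", "CONCR", "INV_PMT_USER")},
    "S4CPS01": {("S4HANACLOUD", "FCAT", "SAP_PSM_BC_MD_BDGTRESP_PC"),
                ("S4HANACLOUD", "FCAT", "SAP_PSM_BC_MD_BDGTSP_PC")},
}
# Risk ID -> (functions that must ALL be realised, risk level).
RISKS = {
    "CONXS405": (("CONEXP02", "S4CPS01"), "High"),
    "CONXS406": (("CONINV07", "S4CPS01"), "High"),
}


def function_hits(access: set[Access], function_id: str) -> set[Access]:
    """Access records that realise the function; an empty set means it is not realised."""
    wanted = FUNCTIONS[function_id]
    return {a for a in access if (a.system, a.atype, a.action) in wanted}


def analyze(user: str, access: set[Access]) -> list[dict]:
    """One finding per risk whose every function is realised, regardless of which
    system each function comes from; that is what makes the check cross-system."""
    findings = []
    for risk_id, (funcs, level) in RISKS.items():
        hits = {f: function_hits(access, f) for f in funcs}
        if all(hits.values()):
            findings.append({"user": user, "risk": risk_id, "level": level, "hits": hits})
    return findings


@dataclass
class Mitigations:
    """Control assignments per (user, risk) or per (role, risk), as in step 2 (assumed shape)."""
    by_user: dict[tuple[str, str], str] = field(default_factory=dict)
    by_role: dict[tuple[str, str], str] = field(default_factory=dict)


def mitigation_for(finding: dict, m: Mitigations) -> str | None:
    """User-level assignment first, otherwise a control on a role that contributed."""
    ctrl = m.by_user.get((finding["user"], finding["risk"]))
    if ctrl:
        return ctrl
    for hits in finding["hits"].values():
        for a in hits:
            ctrl = m.by_role.get((a.via, finding["risk"]))
            if ctrl:
                return ctrl
    return None


def propose_remediation(finding: dict, used: set[tuple[str, str, str]]) -> list[str]:
    """Step 4: removing all actions of ONE function breaks the risk, so propose the
    side the user never exercised (per the usage log) and keep the side in use."""
    proposals = []
    for func, hits in finding["hits"].items():
        if all((a.system, a.atype, a.action) not in used for a in hits):
            proposals.append(f"remove {', '.join(sorted(a.action for a in hits))} ({func}; unused)")
    return proposals


# Constructed sample data (not from IAG): one user, a Concur role plus two S/4HANA Cloud
# Fiori catalogs granted through a business role; only the Concur role appears in usage.
SAMPLE_ACCESS = {
    Access("CONCUR", "CONCR", "EXP_USER", via="CONCUR_EXPENSE_USER"),
    Access("S4HANACLOUD", "FCAT", "SAP_PSM_BC_MD_BDGTRESP_PC", via="BR_PROJECT_MANAGER"),
    Access("S4HANACLOUD", "FCAT", "SAP_PSM_BC_MD_BDGTSP_PC", via="BR_PROJECT_MANAGER"),
}
SAMPLE_USED = {("CONCUR", "CONCR", "EXP_USER")}
SAMPLE_MITIGATIONS = Mitigations(by_role={("BR_PROJECT_MANAGER", "CONXS405"): "MC-PS-001"})


def run(user: str = "jdoe") -> list[dict]:
    """Analyse the sample user and attach the covering control and remediation proposals."""
    return [{"risk": f["risk"], "level": f["level"],
             "control": mitigation_for(f, SAMPLE_MITIGATIONS),
             "proposals": propose_remediation(f, SAMPLE_USED)}
            for f in analyze(user, SAMPLE_ACCESS)]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

For the sample user only CONXS405 fires (the Concur role EXP_USER plus either Fiori catalog realizes both functions); CONXS406 does not, because INV_PMT_USER is absent. The finding is covered by the control assigned to the business role, and the remediation proposal targets the S/4HANA Cloud side, since the usage log shows only the Concur role being exercised.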
Tips for Managing Cross-System SoD Risks in SAP Cloud IAG
Conclusion: Effective cross-system SoD management is not a one-time task but a continuous process requiring proactive governance, real-time monitoring, and periodic risk reviews. By leveraging automated controls and best practices, organizations can stay compliant and secure in an evolving IT landscape.