
Segregation of Duties in SAP R/3 Environment

Access control forms a very important part of the overall control framework in any ERP environment. In SAP R/3, segregation of incompatible functions is a major control point. Assessing whether incompatible functions are assigned to SAP users can be a tedious task, so how does one go about addressing such incompatibility issues? Let me explain using the example of the accounts payable process in SAP. Ideally, in A/P, segregation of duties should exist between the purchasing, goods receiving, invoice processing and cash disbursement functions. Below, I have given a 7 step process for segregation of duties (SOD) in SAP A/P.

Step 1 - Document the entire payables process. This would include raising a purchase requisition, releasing the purchase requisition, raising a purchase order (PO), releasing the purchase order, goods receipt, invoice entry, and finally processing payments.

Step 2 - For each of the sub-processes identified above, identify the relevant transaction code in SAP. This can be done using the standard menus in SAP.

Step 3 - Identify the key control points within the process. In our example above, the key control points would be raising a PO, goods receipt, entering an invoice, and creating and changing vendor master records.

Step 4 - Identify whether there are any other incompatible duties. One such incompatible combination would be payment processing and vendor master maintenance.

Step 5 - Identify the transaction codes in SAP which allow access to these incompatible functions. In SAP the relevant transaction codes would be: XK01 / XK02 - Create Vendor / Change Vendor details, ME21 - Create PO, ME28 - Release PO, MB01 - Goods Receipt, MIRA / MIRO - Invoice Entry. The incompatible combinations relevant for segregation of duties would be:

- XK01 / XK02 and ME28
- ME21 and ME28
- ME28 and MB01
- XK01 / XK02 and MIRA / MIRO

Step 6 - Identify employees within the organization who have access to such incompatible functions. This can be done using transaction SUIM (the user information system) or data analysis tools. If required, the analysis can even be done at the authorization profile level.

Step 7 - Once users with access to incompatible functions are identified, access to such functions should be restricted. This should be done by the BASIS person, who is responsible for and knowledgeable enough to carry out such a task.
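The following script is an added example for Step 6, not code from the original post. It assumes the auditor has exported a user-to-transaction-code listing (for instance from SUIM) as semicolon-separated text, and it applies the four incompatible combinations from Step 5 to that listing. The user IDs and assignments below are constructed sample data; the script checks transaction codes only and does not look at authorization objects or profiles.

```python
"""Segregation-of-duties conflict check over a user/transaction-code export.

Added example: the conflict pairs are the A/P combinations named in the post.
The export format (USER;TCODE, one assignment per line) and the user data are
assumptions made for this example.
"""
from collections import defaultdict

# Each rule pairs two functions. A function is a set of transaction codes so
# that XK01/XK02 (create/change vendor) and MIRA/MIRO (invoice entry) are
# treated as the same duty.
SOD_RULES = [
    ("Vendor master maintenance", {"XK01", "XK02"}, "Release PO", {"ME28"}),
    ("Create PO", {"ME21"}, "Release PO", {"ME28"}),
    ("Release PO", {"ME28"}, "Goods receipt", {"MB01"}),
    ("Vendor master maintenance", {"XK01", "XK02"}, "Invoice entry", {"MIRA", "MIRO"}),
]

# Constructed sample export (not real users or real assignments).
SAMPLE_EXPORT = """\
USER;TCODE
JSMITH;ME21
JSMITH;ME28
ALEE;XK02
ALEE;MIRO
ALEE;ME21
BKUMAR;MB01
BKUMAR;ME23
CDIAZ;XK01
CDIAZ;ME28
CDIAZ;MIRA
"""


def parse_export(text):
    """Parse a USER;TCODE listing into {user: set of transaction codes}."""
    access = defaultdict(set)
    lines = text.strip().splitlines()
    for line in lines[1:]:  # first line is the column header
        if not line.strip():
            continue
        user, tcode = [field.strip().upper() for field in line.split(";")]
        access[user].add(tcode)
    return dict(access)


def find_conflicts(access):
    """Return {user: [(function_a, function_b, matching tcodes), ...]} for every
    user whose assigned transaction codes hit both sides of an SOD rule."""
    conflicts = defaultdict(list)
    for user, tcodes in sorted(access.items()):
        for name_a, codes_a, name_b, codes_b in SOD_RULES:
            hit_a = tcodes & codes_a
            hit_b = tcodes & codes_b
            if hit_a and hit_b:
                conflicts[user].append((name_a, name_b, sorted(hit_a | hit_b)))
    return dict(conflicts)


if __name__ == "__main__":
    # Users with no conflicts (BKUMAR here) are simply absent from the report.
    report = find_conflicts(parse_export(SAMPLE_EXPORT))
    for user, found in report.items():
        for func_a, func_b, codes in found:
            print(f"{user}: {func_a} vs {func_b} via {', '.join(codes)}")
```

Users reported by the script are the candidates for the access restriction in Step 7; a user who holds a conflicting transaction through an inherited profile rather than a direct assignment would only show up if the export was taken at the profile level, which is why the post suggests that deeper analysis where needed.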

Posted 04/08/06 01:06:08 am by big4guy in SAP R/3, 1598 views
