Author: Former Member

SRM rule set (alternative)

SAP Supplier Relationship Management (SRM) is designed for purchasing predefined items from approved suppliers through an online catalogue. Selected items are placed in a shopping cart.

SAP also provides a standard rule set for SRM that can be used to run a risk analysis on users and identify access violations. However, the standard rules have to be redesigned to prevent false positives and false negatives when running a risk analysis with the standard SAP rule set.

For your convenience I have designed a new SAP SRM rule set with new access rules that is focused on the permission level (the relevant authorization objects and values) instead of the action level (Web Dynpro applications/transactions). This rule set can be used directly to start the remediation of access violations and/or to document compensating controls.

Please find below an example of a SoD matrix based on the SRM functions defined in the alternative SRM rule set. There are many more SoD conflicts within the Requisition to Pay process involving SRM activities, but for clarity I have not added them.

[Image: SoD matrix example, srm_959109.jpg]

The technical content of the SRM rule set is attached as text files.

I am aware that there is no one-size-fits-all rule set, but I am confident that the attached rule set will help you make your own specific one.

Please also check my other blogs on SDN:

http://scn.sap.com/community/grc/blog/2016/05/18/include-approval-levels-and-prevent-false-positives-with-sap-grc-supplementary-rules

http://scn.sap.com/community/grc/blog/2016/01/18/risk-terminator


      5 Comments
      Former Member

      Thanks for sharing Tiede.

      Regards,

      Manju

      Colleen Hebbert

      Hi Tiede-Jan

      Nice sharing. Are you able to provide a summary of what functionality is in scope in your system to provide some context on the rules that you devised? It might help explain why you set the risk that way and what you haven't considered.

      Regards

      Colleen

      Former Member
      Blog Post Author

      Hi Colleen,

      The classic SRM scenario (enterprise buyer) is utilized. In SRM the shopping cart is the 'equivalent' of the ECC purchase requisition. The creation of all purchase documents starts with the creation of the shopping cart. Changes to shopping carts are also handled in SRM. This implies that no individual should have create or update purchase document access (e.g. ME22N, ME31K) in the ECC backend. After all shopping cart process steps are followed and all approval steps (total value/legal) are completed, the purchase order is created automatically in the backend system.

      [Image: classic srm.gif]

      As the bidding process involving request for quotation, approve request for quotation, submit quotation and accept quotation (bid response) plays an important role in SRM and from a risk perspective should be separated, additional rules have been developed.

      The SRM shopping cart approval function is linked through GRC supplementary rules to the positions with authority limits.

      Most SRM GRC functions have been set up as critical permissions (BBP_BD* objects).
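The following is an added illustration, not the blog's rule set or the author's code, of the two ideas above: the post's permission-level rule design (a function is only "held" when the authorization objects and values are present, not merely when the transaction can be started) and the reply's separation of shopping cart creation, approval, the bidding steps and ECC backend purchase document maintenance. Apart from S_TCODE/TCD and the ECC transactions named in the reply (ME22N, ME31K), every object name, activity value, function id, rule id and user is a constructed placeholder; the real SRM objects are BBP_BD* objects whose fields and values are not reproduced here.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed illustration: apart from S_TCODE/TCD and the ECC transactions the
# blog names (ME22N, ME31K), every object, field value, function id, rule id and
# user below is a placeholder and not the blog's rule set.


@dataclass(frozen=True)
class Auth:
    obj: str      # authorization object (SRM objects are BBP_BD*; placeholder names here)
    field: str
    value: str


@dataclass(frozen=True)
class Function:
    start: Auth       # action level: right to start the transaction / application
    perms: tuple      # permission level: object values the action must also pass


def has_auth(user_auths: Iterable[Auth], required: Auth) -> bool:
    """True if an assigned value covers the required one exactly, via '*' or via 'prefix*'."""
    for a in user_auths:
        if a.obj != required.obj or a.field != required.field:
            continue
        if a.value == required.value or a.value == "*":
            return True
        if a.value.endswith("*") and required.value.startswith(a.value[:-1]):
            return True
    return False


def tcode(name: str) -> Auth:
    """Start authorization for a transaction (S_TCODE/TCD is the real object)."""
    return Auth("S_TCODE", "TCD", name)


FUNCTIONS = {
    # Shopping cart: the SRM equivalent of the ECC purchase requisition
    "SC_CREATE":      Function(tcode("ZSC_CREATE"),   (Auth("OBJ_SC", "ACTVT", "01"),)),
    "SC_APPROVE":     Function(tcode("ZSC_APPROVE"),  (Auth("OBJ_SC", "ACTVT", "43"),)),
    # Bidding: request for quotation and bid response kept as separate functions
    "RFQ_CREATE":     Function(tcode("ZRFQ_CREATE"),  (Auth("OBJ_BID", "ACTVT", "01"),)),
    "RFQ_APPROVE":    Function(tcode("ZRFQ_APPROVE"), (Auth("OBJ_BID", "ACTVT", "43"),)),
    "QUOT_SUBMIT":    Function(tcode("ZQUOT_SUBMIT"), (Auth("OBJ_QUOT", "ACTVT", "01"),)),
    "QUOT_ACCEPT":    Function(tcode("ZQUOT_ACCEPT"), (Auth("OBJ_QUOT", "ACTVT", "43"),)),
    # ECC backend: purchase documents should only arise from the SRM follow-on process
    "ECC_PO_CHANGE":  Function(tcode("ME22N"), (Auth("OBJ_PO", "ACTVT", "02"),)),
    "ECC_CTR_CREATE": Function(tcode("ME31K"), (Auth("OBJ_CONTRACT", "ACTVT", "01"),)),
}

# SoD rules: a violation when one user holds both functions
SOD_RULES = {
    "SRM01": ("SC_CREATE", "SC_APPROVE"),
    "SRM02": ("RFQ_CREATE", "RFQ_APPROVE"),
    "SRM03": ("QUOT_SUBMIT", "QUOT_ACCEPT"),
    "SRM04": ("SC_CREATE", "ECC_PO_CHANGE"),
    "SRM05": ("SC_CREATE", "ECC_CTR_CREATE"),
}
# Critical permissions: flagged on their own, as the reply does for BBP_BD* objects
CRITICAL = {"SC_APPROVE", "QUOT_ACCEPT"}


def held_functions(user_auths, level="permission"):
    """Action level stops at the start authorization; permission level also
    requires every object value of the function."""
    held = set()
    for fid, fn in FUNCTIONS.items():
        if not has_auth(user_auths, fn.start):
            continue
        if level == "action" or all(has_auth(user_auths, p) for p in fn.perms):
            held.add(fid)
    return held


def analyze(user_auths, level="permission"):
    """Return the sorted rule ids and critical permissions hit by one user."""
    held = held_functions(user_auths, level)
    hits = {rid for rid, (a, b) in SOD_RULES.items() if a in held and b in held}
    hits |= {f"CRITICAL:{f}" for f in CRITICAL if f in held}
    return sorted(hits)


# Constructed users: one real conflict, one that only an action-level check would flag
REQUESTER_APPROVER = [tcode("ZSC_*"), Auth("OBJ_SC", "ACTVT", "*")]
REQUESTER_ECC_DISPLAY = [tcode("ZSC_CREATE"), Auth("OBJ_SC", "ACTVT", "01"),
                         tcode("ME22N"), Auth("OBJ_PO", "ACTVT", "03")]

if __name__ == "__main__":
    for name, auths in (("requester + approver", REQUESTER_APPROVER),
                        ("requester, ECC display only", REQUESTER_ECC_DISPLAY)):
        print(f"{name}: action={analyze(auths, 'action')} permission={analyze(auths)}")
```

The second user can start ME22N but only holds display (activity 03) on the purchase order object, so an action-level rule reports SRM04 while the permission-level rule correctly stays silent; the first user is a genuine conflict that both levels report, plus the critical approval permission.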

      Rakesh Ram

      Hello Tiede-Jan,

      Nice Sharing.

      Great job.

      Regards,

      Rakesh Ram M

      Yatin Phad

      Hello Tiede-Jan,

      Thank you for sharing the thoughts and ideas. This is really helpful.

      I was looking for the template text files for the technical content of the SRM rule set, but they don't seem to be available to download.

      Regards,

      Yatin Phad