
SAP Supplier Relationship Management (SRM) is developed to purchase predefined items from approved suppliers using an online catalogue. Selected items are put in a shopping cart.

SAP also provides a rule set for SRM which can be used to run a risk analysis on users and identify access violations. However, you will have to redesign the rules of the standard SAP rule set in order to prevent false positives and false negatives when running a risk analysis.

For your convenience I have designed a new SAP SRM rule set with new access rules that is focused on permission level (the relevant authorization objects and values) instead of action level (Web Dynpro applications/transactions). This rule set can be used directly to start the remediation of access violations and/or to document compensating controls.

Please find below an example of an SoD matrix based on the SRM functions defined in the alternative SRM rule set. There are many more SoD conflicts within the Requisition to Pay process involving SRM activities, but for clarity I have not included them.

[Image: example SoD matrix based on SRM functions (/wp-content/uploads/2016/05/srm_959109.jpg)]

The technical content of the SRM rule set is attached as text files.

I am aware that there is no one-size-fits-all rule set, but I am confident that the attached rule set will help you build your own specific one.
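To make the permission-level approach concrete, here is an added example (not the attached rule set and not SAP's own code) of a small risk-analysis engine in the style of the post: functions are defined as required authorization object/field/value triples, SoD risks as pairs of conflicting functions, and critical-permission risks as a single function. The authorization objects, activity values, roles and users in the block are constructed for illustration and are not taken from the attached rule set; replace them with the objects and values from your own rule set. The example also shows why a rule set built on transaction codes alone produces a false positive that the permission-level rule does not.

```python
"""Permission-level SoD / critical-permission analysis for SAP SRM (added example).

Authorization object names, field values, users and their authorizations below
are illustrative assumptions, not the content of the post's attached rule set.
"""
from fnmatch import fnmatchcase

# A function is the list of (authorization object, field, value) triples a user
# must hold to perform it. The user needs ALL triples of a function.
FUNCTIONS = {
    "SRM_SC_CREATE":   [("BBP_PD_SC",  "ACTVT", "01")],  # create shopping cart
    "SRM_SC_APPROVE":  [("BBP_PD_SC",  "ACTVT", "43")],  # approve/release shopping cart
    "SRM_BID_CREATE":  [("BBP_PD_BID", "ACTVT", "01")],  # create request for quotation
    "SRM_QUOT_ACCEPT": [("BBP_PD_QUO", "ACTVT", "43")],  # accept quotation (bid response)
    "ECC_PO_MAINTAIN": [("M_BEST_BSA", "ACTVT", "02")],  # change purchase order in backend
}

# The same backend function defined at ACTION level (transaction code only),
# the way a standard transaction-based rule would see it.
ACTION_LEVEL = {
    "ECC_PO_MAINTAIN": [("S_TCODE", "TCD", "ME22N")],
}

# Risks: two or more functions = SoD risk, one function = critical permission.
RISKS = {
    "P001": {"desc": "Create and approve own shopping cart",
             "functions": ["SRM_SC_CREATE", "SRM_SC_APPROVE"]},
    "P002": {"desc": "Create request for quotation and accept quotation",
             "functions": ["SRM_BID_CREATE", "SRM_QUOT_ACCEPT"]},
    "C001": {"desc": "Maintain purchase orders directly in the ECC backend",
             "functions": ["ECC_PO_MAINTAIN"]},
}

# Constructed users: each holds a list of granted (object, field, value) triples.
# A granted value may contain SAP's '*' wildcard, e.g. ACTVT = '*'.
USERS = {
    "BUYER01":   [("BBP_PD_SC", "ACTVT", "01"), ("BBP_PD_BID", "ACTVT", "01")],
    "MANAGER01": [("BBP_PD_SC", "ACTVT", "*")],                   # '*' covers 01 and 43
    "AUDITOR01": [("S_TCODE", "TCD", "ME22N"),                     # can start ME22N ...
                  ("M_BEST_BSA", "ACTVT", "03")],                  # ... but display only
}


def covers(granted_value, required_value):
    """True when a granted authorization value covers the required value.

    Handles the '*' wildcard (and '?' single-character wildcard). Value ranges
    such as '01-03' are not modelled here; expand them before calling.
    """
    return fnmatchcase(required_value, granted_value)


def has_function(user_auths, required_triples):
    """True when every required (object, field, value) is covered by a grant."""
    for obj, fld, val in required_triples:
        granted = [g for (o, f, g) in user_auths if o == obj and f == fld]
        if not any(covers(g, val) for g in granted):
            return False
    return True


def analyse(user_auths, functions=FUNCTIONS, risks=RISKS):
    """Return the sorted list of risk IDs a user violates.

    A risk is violated when the user holds all functions it lists; a
    single-function risk therefore behaves as a critical-permission rule.
    """
    held = {name for name, req in functions.items() if has_function(user_auths, req)}
    return sorted(rid for rid, r in risks.items() if all(f in held for f in r["functions"]))


def report(users=USERS, functions=FUNCTIONS):
    """Run the analysis for every user; returns {user: [risk IDs]}."""
    return {user: analyse(auths, functions) for user, auths in users.items()}


if __name__ == "__main__":
    print("permission level:", report())
    # Action-level comparison: swap in the transaction-based backend function.
    print("action level    :", report(functions={**FUNCTIONS, **ACTION_LEVEL}))
```

Running the block, MANAGER01 is reported for P001 because the wildcard ACTVT '*' grants both the create and the approve activity on the shopping cart object, and BUYER01 is clean because creating shopping carts and requests for quotation do not conflict in this risk list. AUDITOR01 is the interesting case: the action-level definition flags C001 merely because the user may start ME22N, while the permission-level definition sees only display access (ACTVT 03) on the purchase-order object and reports nothing.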

Please also check my other blogs on SDN:

http://scn.sap.com/community/grc/blog/2016/05/18/include-approval-levels-and-prevent-false-positives-with-sap-grc-supplementary-rules

http://scn.sap.com/community/grc/blog/2016/01/18/risk-terminator


  1. Colleen Hebbert

    Hi Tiede-Jan

    Nice sharing. Are you able to provide a summary of what functionality is in scope in your system to provide some context on the rules that you devised? It might help explain why you set the risk that way and what you haven’t considered.

    Regards

    Colleen

    1. T. de Jong Post author

      Hi Colleen,

      The classic SRM scenario (enterprise buyer) is utilized. In SRM the shopping cart is the ‘equivalent’ of the ECC purchase requisition. The creation of all purchase documents starts with the creation of the shopping cart. Changes to shopping carts are also handled in SRM. This implies that no individual should have create or update purchase document access (e.g. ME22N, ME31K) in the ECC backend. After all shopping cart process steps and all approval steps (total value/legal) are followed, the purchase order is created automatically in the backend system.

      [Image: classic srm.gif]

      As the bidding process, involving request for quotation, approve request for quotation, submit quotation and accept quotation (bid response), plays an important role in SRM and from a risk perspective should be separated, additional rules have been developed.

      The SRM shopping cart approval function is linked through GRC supplementary rules to the positions with authority limits.

      Most SRM GRC functions have been set up as critical permissions (BBP_BD* objects).
