Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
Florian_Eller

Segregation Of Duty (SoD) Monitoring


Requiring more than one person to complete a given task is an effective way of preventing misuse, and monitoring that this principle is actually observed is therefore paramount to auditing.

Risk


Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.

Control Description


Segregation of duties is monitored, and conflicting access is either removed or mapped to mitigating controls, which are documented and tested.

Background


A set of sensitive functions is defined as a baseline for segregation of duties. A usual example of such a sensitive function is the payment run: an employee should not be able to put money into their own pocket. The creation and / or change of supplier accounts is another example, where – again – malicious actions by employees must be prevented, for example changing the bank account information of a supplier. Hence these scenarios are protected by segregation of duties, i.e., more than one person is necessary to complete those tasks, and consequently proper roles and authorizations are created.

In SAP S/4HANA Cloud, public edition, the smallest entity that can be assigned to business users is the business catalog. Business catalogs are SoD free, and the ISAE 3000 report available through the SAP Trust Center provides proof of that.

The customer's IAM key user assigns UIs and authorizations to users by bundling business catalogs into business roles and assigning those roles to users. It is essential that the key user understands what a certain business catalog includes and how it relates to other catalogs. Consequently, bundling catalogs into business roles and assigning those roles carries the risk of creating SoD conflicts.

This blog post does not cover SAP Identity and Access Governance (IAG), which can be used for SoD analysis. Instead, the focus lies on SAP S/4HANA Cloud, public edition, and its means to analyze segregation of duties violations.

Note that it is the sole responsibility of the customer to define which authorizations are conflicting in combination and what the impact on the Internal Control System might be. Based on the impact, mitigating controls to review and monitor the users with conflicting authorizations should be implemented.

In a first step, business roles must be assessed. As written above, it is the responsibility of the customer’s IAM key users to create and assign business roles based on the organization’s structure. To ensure all business roles are free of SoD conflicts, download the business catalogs included in every business role and check that no business role contains conflicting business catalogs. Such a download can be done with SAP Fiori app IAM Information System (F2450).

 

Download business catalogs with SAP Fiori app IAM Information System (F2450)


As noted above, unless SAP Identity and Access Governance is used, the customer has to analyze this list manually, based on the impact of each catalog combination on their internal processes and controls.

From a year-end audit perspective, the business catalogs with access category “write” are especially critical. From a data protection perspective, access category “read” might be critical as well.

In a second step, it is necessary to check that users do not have multiple business roles assigned where the combination of those business roles would also lead to SoD conflicts, even though each role is clean on its own. The required list can be downloaded with SAP Fiori app Maintain Business Users (F1303). Again, unless SAP Identity and Access Governance is used, the customer has to analyze this list manually.

In a third step, identify whether users actually have conflicting authorizations assigned; where they do, mitigating controls might be necessary. The user role assignments can be identified by using the SAP Fiori app Maintain Business Users (F1303) and downloading user role assignments:

 

Download User Role Assignments with SAP Fiori app Maintain Business Users (F1303)
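The three steps above (clean business roles, then role combinations per user, then the population that actually holds conflicting authorizations) are all set operations over two exports: role-to-catalog from F2450 and user-to-role from F1303. The script below is an added example, not code from the original post or from SAP. It assumes two-column CSV exports with the headers shown, uses hypothetical business catalog and business role IDs, and carries an illustrative customer-defined ruleset; the real exports have their own headers and catalog IDs, and the rules must be the customer's own.

```python
import csv
import io

# Constructed sample exports (not real SAP data). The column headers and the
# business catalog / business role IDs below are assumptions made for this
# example; the actual F2450 and F1303 downloads carry their own headers, so
# adjust the key names passed to load_groups() to match your export.
ROLE_CATALOGS_CSV = """Business Role,Business Catalog
BR_AP_ACCOUNTANT,BC_AP_INVOICE_PROCESS
BR_AP_ACCOUNTANT,BC_AP_PAYMENT_RUN
BR_SUPPLIER_MASTER,BC_SUPPLIER_MAINTAIN
BR_PAYMENT_RUN,BC_AP_PAYMENT_RUN
BR_AP_DISPLAY,BC_AP_INVOICE_DISPLAY
"""

USER_ROLES_CSV = """Business User,Business Role
alice,BR_SUPPLIER_MASTER
alice,BR_PAYMENT_RUN
bob,BR_AP_ACCOUNTANT
carol,BR_AP_DISPLAY
carol,BR_SUPPLIER_MASTER
dave,BR_RETIRED_ROLE
"""

# Customer-defined SoD ruleset: each rule names two catalogs that must not end
# up with the same person. These rules are illustrative assumptions, not SAP's.
SOD_RULES = {
    "SOD-01 maintain supplier bank data vs. run payments":
        ("BC_SUPPLIER_MAINTAIN", "BC_AP_PAYMENT_RUN"),
    "SOD-02 post supplier invoices vs. run payments":
        ("BC_AP_INVOICE_PROCESS", "BC_AP_PAYMENT_RUN"),
}


def load_groups(csv_text, key, value):
    """Group a two-column export into {key: set(values)}."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups.setdefault(row[key].strip(), set()).add(row[value].strip())
    return groups


def conflicts_in(catalogs, rules=SOD_RULES):
    """Rule IDs whose two catalogs are both present in the given catalog set."""
    return sorted(rid for rid, (a, b) in rules.items() if a in catalogs and b in catalogs)


def role_conflicts(role_catalogs, rules=SOD_RULES):
    """Step 1: business roles that bundle conflicting catalogs by themselves."""
    found = {}
    for role, catalogs in role_catalogs.items():
        hits = conflicts_in(catalogs, rules)
        if hits:
            found[role] = hits
    return found


def user_conflicts(user_roles, role_catalogs, rules=SOD_RULES):
    """Steps 2 and 3: users whose combined business roles yield conflicting
    catalogs, even when every individual role is clean."""
    found = {}
    for user, roles in user_roles.items():
        effective = set()
        for role in roles:
            effective |= role_catalogs.get(role, set())
        hits = conflicts_in(effective, rules)
        if hits:
            found[user] = hits
    return found


def unresolved_roles(user_roles, role_catalogs):
    """Roles assigned to users but absent from the role export: the two
    downloads were taken at different times, or a role was deleted. Such
    assignments cannot be evaluated and must not silently pass as clean."""
    return sorted({r for roles in user_roles.values() for r in roles} - set(role_catalogs))


if __name__ == "__main__":
    role_catalogs = load_groups(ROLE_CATALOGS_CSV, "Business Role", "Business Catalog")
    user_roles = load_groups(USER_ROLES_CSV, "Business User", "Business Role")
    print("Roles with built-in conflicts:", role_conflicts(role_catalogs))
    print("Users with conflicts across roles:", user_conflicts(user_roles, role_catalogs))
    print("Roles missing from the role export:", unresolved_roles(user_roles, role_catalogs))
```

On the sample data, BR_AP_ACCOUNTANT fails step 1 on its own, while alice is clean per role but fails step 2 because her two roles together cover supplier maintenance and the payment run. The `unresolved_roles` check is the caveat a practitioner wants: the two exports must be taken together, otherwise a role present in the user export but missing from the role export is evaluated as having no catalogs at all.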



Privileged Access Level


Privileged users need to perform (technical) tasks in almost any system. Often, these tasks require an extensive set of authorizations. Nevertheless, those authorizations should be restricted wherever possible.

Risk


Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.

Control Description


Privileged level access (for example for security administrators) is authorized and appropriately restricted.

Background


To obtain the population of users with privileged access, the system data available through SAP Fiori app IAM Information System (F2450) is required.

In a first step, navigate to Business Role - Application and download the report.

 

Identify business roles that provide access to selected applications with SAP Fiori app IAM Information System (F2450)


Set up a pivot table and filter on, for example, the following applications: Business Catalogs, Business Role Templates, Display Business Role Changes after Upgrade, Display Technical Users, Maintain Business Roles, Maintain Business Users, Maintain Communication Users, Maintained Deleted Business Users.

Note that privileged access needs to be defined by the customer based on the impact of the authorization on their internal control system.

Identify business roles that provide access to selected applications.

In a second step, navigate to Business Role - Restriction and apply the above identified business roles as filter. Generate a report and apply 'write' as the filter on column 'Access Category' and identify business roles with write access.

 

Apply above identified business roles as filter in SAP Fiori app IAM Information System (F2450)


Lastly, again in SAP Fiori app IAM Information System (F2450), navigate to Business Role - Business User and apply identified business roles with write access from the second step. Download a report of business users with identified business roles.

 

Apply identified business roles with write access in SAP Fiori app IAM Information System (F2450)
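The three F2450 reports chain into a single filter pipeline: roles exposing the selected applications, of those the roles with write access, and finally the users holding those roles. The script below is an added example, not code from the original post or from SAP. It assumes the three exports have the column headers shown and uses hypothetical role and catalog IDs; the application names are the ones the post suggests as a starting point. It also goes one step beyond the post: the optional `catalogs` argument tightens step 2 so that write access only counts when it sits on the catalogs that actually carry the IAM authorization.

```python
import csv
import io

# Constructed sample F2450 exports (not real SAP data). Column headers, role
# IDs and catalog IDs are assumptions for this example; adjust to your export.
ROLE_APPLICATION_CSV = """Business Role,Application
BR_IAM_ADMIN,Maintain Business Roles
BR_IAM_ADMIN,Maintain Business Users
BR_IAM_ADMIN,Display Technical Users
BR_SUPPORT,Maintain Business Users
BR_AUDITOR,Maintain Business Users
BR_AUDITOR,IAM Information System
BR_BUYER,Manage Purchase Orders
"""

ROLE_RESTRICTION_CSV = """Business Role,Business Catalog,Access Category
BR_IAM_ADMIN,BC_IAM_ROLE_MAINT,Write
BR_IAM_ADMIN,BC_IAM_USER_MAINT,Write
BR_SUPPORT,BC_IAM_USER_MAINT,Read
BR_AUDITOR,BC_IAM_USER_MAINT,Read
BR_AUDITOR,BC_FIN_REPORTING,Write
BR_BUYER,BC_MM_PURCHASE_ORDER,Write
"""

ROLE_USER_CSV = """Business Role,Business User
BR_IAM_ADMIN,alice
BR_IAM_ADMIN,erin
BR_SUPPORT,bob
BR_AUDITOR,carol
BR_BUYER,dave
"""

# The applications the post suggests as a starting point for "privileged".
PRIVILEGED_APPS = {
    "Business Catalogs", "Business Role Templates",
    "Display Business Role Changes after Upgrade", "Display Technical Users",
    "Maintain Business Roles", "Maintain Business Users",
    "Maintain Communication Users", "Maintained Deleted Business Users",
}

# Catalogs that actually carry the IAM write authorization (assumed IDs).
IAM_CATALOGS = {"BC_IAM_ROLE_MAINT", "BC_IAM_USER_MAINT"}


def rows(csv_text):
    """Parse an export into a list of {header: value} dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def roles_with_privileged_apps(role_app_rows, apps=PRIVILEGED_APPS):
    """Step 1: roles that expose at least one of the selected applications."""
    return {r["Business Role"] for r in role_app_rows if r["Application"] in apps}


def roles_with_write_access(restriction_rows, candidate_roles, catalogs=None):
    """Step 2: of the candidate roles, those with an Access Category of 'Write'.
    The post filters on the role only; passing `catalogs` additionally requires
    the write access to sit on one of those catalogs, which avoids counting a
    role whose only write access is on an unrelated business catalog."""
    return {
        r["Business Role"] for r in restriction_rows
        if r["Business Role"] in candidate_roles
        and r["Access Category"].strip().lower() == "write"
        and (catalogs is None or r["Business Catalog"] in catalogs)
    }


def users_with_roles(role_user_rows, roles):
    """Step 3: population of business users holding any of the given roles."""
    population = {}
    for r in role_user_rows:
        if r["Business Role"] in roles:
            population.setdefault(r["Business User"], set()).add(r["Business Role"])
    return population


def privileged_population(catalogs=None):
    """Run the three steps end to end on the sample exports."""
    step1 = roles_with_privileged_apps(rows(ROLE_APPLICATION_CSV))
    step2 = roles_with_write_access(rows(ROLE_RESTRICTION_CSV), step1, catalogs)
    return users_with_roles(rows(ROLE_USER_CSV), step2)


if __name__ == "__main__":
    print("Role-level write filter:", privileged_population())
    print("Write on IAM catalogs only:", privileged_population(IAM_CATALOGS))
```

With the post's role-level write filter, carol is in the privileged population because BR_AUDITOR has write access somewhere (on a finance reporting catalog), although her IAM access is read-only; restricting the filter to the IAM catalogs drops her and leaves alice and erin. Which variant is right depends on how the customer defined privileged access, which is exactly why the post leaves that definition to the customer.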



Engage with us


To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.

Or contact us on LinkedIn.
