The Power of Integration
Security Mapping Overview
What Are The Objectives of the Security Role Mapping Workshop?
• Familiarize Management and Super-users with Security Concepts
• Review Global One Template Security Design
• Discuss Expectations of Mapping Sessions
• Review Role to SAP Position Mapping
• Determine SAP Role to User Mapping
• Discuss Data Owners, Who Will Be Responsible for Local User Access and Issue Resolution
• Discuss Segregation of Duties as it Relates to Security
• Next Steps
Control Techniques
Business Process Controls Umbrella (diagram): risks arise in both SAP and non-SAP business processes; the control layers placed over them are SAP standard, SAP configured, authorization, monitoring and manual.
Why Have Security?
• Helps Users Perform Their Daily Responsibilities
• Provides Accountability of User Actions
• Limits Access to Certain Update Activities
• Restricts Ability to View Sensitive Information
• Supports Audit Trails of Activities
• Protects Systems from Misuse
• Helps to Provide Data Integrity
What defines a Security Role?
• Matches what a user does with where they are in the organization
• Access to Perform Tasks Based on Responsibilities
  • The Customer Service Representative has access to certain tasks
  • These tasks are known as transaction codes, e.g. VA01 - create sales order
• Access to Data Based on Organizational Responsibilities
  • The Customer Service Representative has the access to create, change or view data related to only their organizational responsibilities
  • Example of organizational restriction: the Customer Service Representative has the access to create or change a sales order (VA01 & VA02) only for Argentina Company Code (AR1), but may be able to display more data (VA03).
Security Design Approach
Diagram: SAP Transaction(s) (e.g. VA01) → Role(s) (e.g. "Change Sales Order") → SAP Position (e.g. "Customer Service") → User
SAP transaction(s) are assigned to roles, but a transaction should only be assigned to one role.
Roles are mapped to SAP positions, which are then mapped to users.
Global One Security Template
Timeline (diagram) across Wave One to Wave Four: North America security design as the baseline; design security for Global One; Final Global Template; localize Global Template (the last two steps repeat for each later wave).
Composition: North American security foundation 80%, 20% change from North America.
Minor changes to Global Template Security can be accommodated within reason (e.g. new transaction codes and new SAP Positions).
The Enterprise Structure (Hierarchy) Drives...
• How data is defined in the system
• How SAP functionality can be designed to meet Global business requirements
• How transactional data is registered and recorded in the system
• The ability to use standard delivered reports/inquiries
• How cross-company processing takes place
• The complexity of data input
• How roles and users operate within the system, both from a security access perspective as well as from a location and organizational model perspective
Organizational Structure Options and Localization
(SAP organizational element: possible business mappings)
– Instance: Worldwide SAP System; Country-Specific SAP System
– Client: Global Company; Business Unit
– Company: Legal Entity; Country; Business Unit; Business Unit Segment
– Profit Center: Business Unit; Country; Market Segment; Product Line; Product Category
– Operating Concern: Global Company; Sales Organizations; Market Segments
– Controlling Area: Global Company; Country
– Cost Center: Department (Budget Center); Plant; Work Station
– Credit Control Area: Global Company; Country
– Sales Organization: Business Unit; Country; Company Code; Market Segment
– Division: Product Line; Business Unit
– Distribution Channel: Sales Channel
– Plant: Manufacturing Site; Warehouse; Distribution Center; Cost Center; Physical Building; Stockroom
– Storage Location: Stock Room; Warehouse; Plant-Defined
– Purchasing Organization: Company worldwide; Company
– Purchasing Group: Entire Purchasing Org; Buyer
– Warehouse: Storage Type; Storage Bin
Scope of Organizational Hierarchy for Global One
• Finance: Company Code, Chart of Accounts, Controlling Area, Profit Center, Cost Center
• Order to Cash: Sales Area, Sales Organization, Distribution Channel, Division, Sales Office, Sales Group, Sales Employee
• Forecast to Stock: Plant, Purchasing Organization, Purchasing Group, Storage Location, Warehouse
Role Example (diagram: Transaction → Role → SAP Position → User)
Roles and their transactions:
• Create/Change Purch Req (GM_XXX_FTS_CHG_PUR_REQ): Create Purchase Req (ME51), Change Purchase Req (ME52)
• Display Purchasing (GM_XXX_FTS_DIS_PURCHASNG): Display Purchase Req (ME53)
• Display Master Data (GM_XXX_MDT_GEN_DISPLAY): Display Materials (MM03)
• Create/Change Purchase Order (GM_XXX_FTS_CHG_PO): Create Purchase Order (ME21N), Change Purchase Order (ME22N)
SAP Positions: Strategic Purchasing, Plant Buyer
Users: Jian Min, Carlos, Jorge, Françoise
Transactions by roles
(Role: Role Description, followed by its Transactions with their Descriptions)
GM_XXX_FTS_CHG_PO: MASTER CREATE/CHANGE PO
  ME21N Purchase Order
  ME22N Purchase Order
GM_XXX_FTS_CHG_PUR_REQ: MASTER CREATE/CHANGE PURCHASE REQ
  ME52N Modify Existing Generated Purchase Requisition
  ME56 Assign Source to Purch. Requisition
  ME57 Assign and Process Requisitions
  ME58 Ordering: Assigned Requisitions
  ME51 Create Purchase Requisition
  ME52 Change Purchase Requisition
  ME51N Create Purchase Requisition
GM_XXX_FTS_DIS_PURCHASNG: MASTER PURCHASING DISPLAY AND REPORTING
  MD04 Display Stock/Requirements Situation
  ME03 Display Source List
  ME43 Display Request For Quotation
  ME48 Display Quotation
  ME4B RFQs by Requirement Tracking Number
  ME53 Display Purchase Requisition
  ME4L RFQs by Vendor
  ME4M RFQs by Material
  ME4N RFQs by RFQ Number
  ME4S RFQs by Collective Number
  ME53N Display Purchase Requisition
GM_XXX_MDT_GEN_DISPLAY: Master Data General Display
  MM03 Display Material &
  CS03 Display Material BOM
  CS09 Display Allocations to Plant
  CS11 Display BOM Level by Level
  CS12 Multi-level BOM
  CS14 BOM Comparison
  XD03 Display Customer (Centrally)
  ZMPR Production Readiness Online Report
Master and Derived roles
(Master Role: Description, followed by its Derived Roles with their Descriptions)
GM_XXX_FIN_DIS_FINANCE: MASTER DISPLAY FINANCIAL DOCUMENTS
  GD_AME_FIN_DIS_FINANCE: DRV DISPLAY FINANCIAL DOCUMENTS - SCL
  GD_AR_FIN_DIS_FINANCE: DRV DISPLAY FINANCIAL DOCUMENTS - AR1
  GD_CL_FIN_DIS_FINANCE: DRV DISPLAY FINANCIAL DOCUMENTS - CL1
  GD_GBL_FIN_DIS_FINANCE: DRV DISPLAY FINANCIAL DOCUMENTS - ALL
  GD_PY_FIN_DIS_FINANCE: DRV DISPLAY FINANCIAL DOCUMENTS - PY1
  GD_UY_FIN_DIS_FINANCE: DRV DISPLAY FINANCIAL DOCUMENTS - UY1
GM_XXX_OTC_CHG_PICKING_WAVES: MASTER CHANGE PICKING WAVES
  GD_AME_OTC_CHG_PICKING_WAVES: CHANGE PICKING WAVES - AME
  GD_AR_OTC_CHG_PICKING_WAVES: CHANGE PICKING WAVES - AR
  GD_CL_OTC_CHG_PICKING_WAVES: CHANGE PICKING WAVES - CL
  GD_PY_OTC_CHG_PICKING_WAVES: CHANGE PICKING WAVES - PY
  GD_UY_OTC_CHG_PICKING_WAVES: CHANGE PICKING WAVES - UY
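Added example (not from the deck, and not how SAP's authorization objects work internally): a simplified model of the master/derived naming above combined with the organizational restriction from the "What defines a Security Role?" slide. A master role (GM_XXX_...) fixes the transactions; each derived role (GD_<region>_...) binds the company codes. The sales-order role names GM_XXX_OTC_CHG_SALES_ORDER and GM_XXX_OTC_DIS_SALES_ORDER and the company code US1 are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class MasterRole:
    name: str                 # GM_XXX_<area>_<name>, region left as XXX
    transactions: frozenset   # transaction codes the role grants


@dataclass
class DerivedRole:
    name: str                 # GD_<region>_<area>_<name>
    master: MasterRole
    company_codes: frozenset  # company codes the role is valid for; "*" means all


def derive(master, region, company_codes):
    """Build a derived role following the deck's naming: GM_XXX_ becomes GD_<region>_."""
    assert master.name.startswith("GM_XXX_"), "not a master role"
    name = "GD_%s_%s" % (region, master.name[len("GM_XXX_"):])
    return DerivedRole(name, master, frozenset(company_codes))


def permitting_role(user_roles, tcode, company_code):
    """Return the name of the first role that allows tcode for company_code, else None.

    A role permits the call only if it carries the transaction AND its
    organizational restriction covers the company code (or is unrestricted, "*").
    """
    for role in user_roles:
        if tcode in role.master.transactions and ({company_code, "*"} & role.company_codes):
            return role.name
    return None


# Master roles: the "Change Sales Order" role from the Security Design Approach
# slide plus a display role. Technical names are hypothetical (not on the deck).
CHG_SALES_ORDER = MasterRole("GM_XXX_OTC_CHG_SALES_ORDER", frozenset({"VA01", "VA02"}))
DIS_SALES_ORDER = MasterRole("GM_XXX_OTC_DIS_SALES_ORDER", frozenset({"VA03"}))

# The Argentina Customer Service Representative from the deck: create/change only
# for company code AR1, display (VA03) for all company codes.
CSR_ARGENTINA = [
    derive(CHG_SALES_ORDER, "AR", {"AR1"}),
    derive(DIS_SALES_ORDER, "GBL", {"*"}),
]
```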
List of SAP Positions
(Process Area, SAP Position: Roles, with Transactions where shown)
FTS, PLNTBUYER (Plant Buyer):
  GM_XXX_FTS_CHG_PO_PROD (ME21N, ME22N)
  GM_XXX_FTS_CHG_PUR_REQ
  GM_XXX_FTS_CHG_VDR_EVAL
  GM_XXX_FTS_DIS_PURCHASNG
  GM_XXX_FTS_MRP_EVAL
  GM_XXX_FTS_MRP_SINGLE
  GM_XXX_FTS_MTN_CONT
  GM_XXX_FTS_MTN_INFO_REC
  GM_XXX_FTS_MTN_QUOTA_ARR
  GM_XXX_FTS_MTN_SCH_AGREE
  GM_XXX_FTS_MTN_SRC_LST
FTS, STRATPURCH (Strategic Purchasing):
  GM_XXX_FTS_CHG_COND
  GM_XXX_FTS_CHG_PUR_REQ (ME51, ME51N, ME52, ME52N, ME56, ME57, ME58)
  GM_XXX_FTS_CHG_VDR_EVAL
  GM_XXX_FTS_DIS_PURCHASNG
  GM_XXX_FTS_MRP_EVAL
  GM_XXX_FTS_MRP_SINGLE
Who Are The Data Owners?
• There should be a defined "Data Owner" for all areas of the business (FTS, FIN, OTC).
• These should be the people consulted to determine if users from another business area or region should be allowed access.
• We recommend that Senior Management identify the names of these data owners for each area of the business.
• The Data Owner for a business area or region may choose to delegate this responsibility to other staff:
  • Financial data requests, to person X
  • Forecast to Stock data requests, to person Y
  • Order to Cash data requests, to person Z
• Once approved, the local security administrators can then grant the requested access.
Security Access Approvers – Data Owners
Diagram: Global; Southern Cluster (AR, UY, CL, PY); North America (CA, US)
EXAMPLE 1
A Finance User works in Argentina and has access to view or modify Argentina data in SAP:
- The Finance User wants access to view and update US information. The User needs to request approval from the US Data Owner. This should be the US Finance Data Owner.
- The request should also be approved by the Finance Data Owner of the country the person works for, prior to being issued access.
i.e. two approvals, one from Argentina and one from the US
Security Access Approvers – Data Owners
Diagram: Global; Southern Cluster (PY, CL, AR, UY)
EXAMPLE 2
A Plant User works in Argentina plant 4100 and has access to view or modify plant 4100 data in SAP:
• The User wants access to view and modify data in the Paraguay Plant and should request approval from the Paraguay Plant Data Owner.
• The request should also be approved by the Argentina Plant Data Owner prior to being issued access.
Segregation of Duties – Security Team Approach
• Tailor the specific Segregation of Duties table (SAAT) for the functionality being implemented.
  • Segregation of duties should be considered as roles are designed.
• Ensure all roles are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review the role definitions to ensure that any segregation of duties conflicts at the transaction level are properly resolved (no conflict should exist in a single role).
• Ensure all positions are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review the positions to ensure all segregation of duties and sensitive access have been identified and the appropriate authorization given if any conflicts are to remain in place.
• Ensure all mapped users are reviewed with segregation of duties and sensitive transactions being taken into account.
  • Review any conflicts with the relevant manager and ensure a risk acceptance decision has been taken before go live.
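Added example (not from the deck): the three review levels above (role, SAP position, mapped user) and the "one transaction, one role" rule from the Security Design Approach slide, run over the deck's own role and position tables. The role/position data is a subset copied from the deck; the user-to-position mapping and the single SoD rule standing in for the SAAT table are constructed for the example.

```python
from collections import defaultdict

# Role -> transactions, copied from the deck's "Transactions by roles" and
# "List of SAP Positions" tables (subset). Note ME21N/ME22N sit in two roles.
ROLE_TCODES = {
    "GM_XXX_FTS_CHG_PO": {"ME21N", "ME22N"},
    "GM_XXX_FTS_CHG_PO_PROD": {"ME21N", "ME22N"},
    "GM_XXX_FTS_CHG_PUR_REQ": {"ME51", "ME51N", "ME52", "ME52N", "ME56", "ME57", "ME58"},
    "GM_XXX_FTS_DIS_PURCHASNG": {"MD04", "ME03", "ME53", "ME53N"},
}
# SAP position -> roles, from the deck's "List of SAP Positions" slide (subset).
POSITION_ROLES = {
    "PLNTBUYER": {"GM_XXX_FTS_CHG_PO_PROD", "GM_XXX_FTS_CHG_PUR_REQ", "GM_XXX_FTS_DIS_PURCHASNG"},
    "STRATPURCH": {"GM_XXX_FTS_CHG_PUR_REQ", "GM_XXX_FTS_DIS_PURCHASNG"},
}
# User -> positions: constructed sample mapping (names from the Role Example slide).
USER_POSITIONS = {"Carlos": {"PLNTBUYER"}, "Jorge": {"STRATPURCH"}}
# Constructed SoD rule standing in for the SAAT table: the same person must not
# both create a purchase requisition and create the purchase order for it.
SOD_RULES = {"REQ_VS_PO": ({"ME51", "ME51N"}, {"ME21N"})}


def conflicts(tcodes):
    """Ids of SoD rules whose two sides are both reachable from the given transactions."""
    return sorted(rid for rid, (a, b) in SOD_RULES.items() if tcodes & a and tcodes & b)


def position_tcodes(position):
    return set().union(*(ROLE_TCODES[r] for r in POSITION_ROLES[position]))


def user_tcodes(user):
    return set().union(*(position_tcodes(p) for p in USER_POSITIONS[user]))


def review_roles():
    """Level 1: no conflict may exist inside a single role."""
    return {r: conflicts(t) for r, t in ROLE_TCODES.items() if conflicts(t)}


def review_positions():
    """Level 2: conflicts a position inherits by combining clean roles."""
    return {p: conflicts(position_tcodes(p)) for p in POSITION_ROLES if conflicts(position_tcodes(p))}


def review_users():
    """Level 3: conflicts a mapped user ends up with; these need a risk acceptance decision."""
    return {u: conflicts(user_tcodes(u)) for u in USER_POSITIONS if conflicts(user_tcodes(u))}


def multi_role_transactions():
    """Transactions assigned to more than one role (the design rule allows at most one)."""
    owners = defaultdict(set)
    for role, tcodes in ROLE_TCODES.items():
        for t in tcodes:
            owners[t].add(role)
    return {t: sorted(r) for t, r in owners.items() if len(r) > 1}
```

With the deck's data every role is clean on its own, but the Plant Buyer position (and so Carlos) combines requisition creation with purchase order creation, which is exactly the kind of conflict the position and user reviews are meant to surface.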
Next Steps
• Data Owners will approve and sign-off on the following:
  • Role to SAP Position Mapping
  • SAP Position to User Mapping
  • SOD Conflicts and Compensating Controls
Questions?