Risks of Excessive Authorizations in an SAP-Based Environment (Part-1)
Dalveer Singh
EVP & Head IT | CIO | CISO | Award-winning Tech Leader @Kusum Healthcare | IT Strategy | Innovation Lead | Business Transformation | Cyber Security | CSV | SAP | Audit & Compliance | Digital Marketing | Vendor Management
SAP access rights have always been an area of curiosity in the SAP community. At implementation time, SAP consultants concentrate mainly on establishing the various business processes and assign roles according to their own understanding. In general, excessive roles are assigned to the core team members, since they receive cross-functional training during the implementation journey. During implementation this becomes the least important area from a business perspective, because it does not directly impact the business. As a result, roles and authorizations rarely become stable at the time of SAP implementation.
A review of access rights is triggered when qualified auditors come into the picture and highlight various gaps, such as transactions posted by persons who are not qualified to perform them in a particular domain. The practical problem in setting up roles and authorizations is that functional consultants grant access rights based on their interaction with business users and the explanations those users supply. Auditors, however, think differently and always see the potential risk involved in granting a particular type of transaction. Stabilizing a particular authorization in a department becomes an endless exercise. Change management becomes a big issue when authorizations are withdrawn to clean up roles, and the user community starts blaming IT for its actions.
Restrictions are imposed in multiple areas. Access rights are fixed initially at the transaction-code assignment level and subsequently controlled at the authorization-object level once things are stable. Access rights must be reviewed periodically to remove irrelevant transaction codes from SAP, and every role could be cleaned up in this way.
It is a regular practice for the SAP team to be given general instructions to assign a new user the same rights as a particular existing person. Excessive rights are assigned because of these instructions, and this is realized only at a later stage, when that person processes an incorrect entry to meet his/her timelines. This is one of the riskiest areas, as it can impact the financials directly.
For example, if a person has the authorization to create Physical Inventory documents (MI01/MI02), enter inventory counts (MI04/MI05), and post the financial adjustments (MI07), then that person can adjust stock very quickly. The warehouse team should not have authorizations for financial adjustments in such circumstances. Separating these duties will also help in bringing more operational efficiency to the system.
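The conflict described above, as an added example that is not part of the original article: a small segregation-of-duties check run over a constructed user/role/transaction extract, flagging any user who holds the posting step (MI07) together with an operational step (MI01/MI02, MI04/MI05). The extract layout, the user and role names, and the step grouping are assumptions.

```python
"""Segregation-of-duties check for the physical-inventory chain.

Constructed example, not code from the article: flags users who hold the
posting step (MI07) together with any operational step (MI01/MI02, MI04/MI05),
because that combination lets one person create the count document, enter the
count and post the stock difference alone. The extract format (user, role,
tcode) and the sample users/roles are assumptions.
"""
from collections import defaultdict

# Steps of the physical-inventory process and the transaction codes that
# perform them (codes as named in the article).
STEPS = {
    "create_doc": {"MI01", "MI02"},
    "enter_count": {"MI04", "MI05"},
    "post_diff": {"MI07"},
}
OPERATIONAL = {"create_doc", "enter_count"}   # warehouse duties
FINANCIAL = "post_diff"                        # financial adjustment duty

# Constructed user -> role -> tcode extract, as a role review might export it.
ASSIGNMENTS = [
    ("WH_USER1", "Z_WH_COUNT", "MI01"),
    ("WH_USER1", "Z_WH_COUNT", "MI04"),
    ("WH_USER1", "Z_FI_ADJUST", "MI07"),  # granted "same as a colleague": excessive
    ("WH_USER2", "Z_WH_COUNT", "MI01"),
    ("WH_USER2", "Z_WH_COUNT", "MI04"),
    ("FI_USER1", "Z_FI_ADJUST", "MI07"),
]

def effective_tcodes(assignments):
    """Collapse the extract into user -> set of tcodes across all their roles."""
    by_user = defaultdict(set)
    for user, _role, tcode in assignments:
        by_user[user].add(tcode)
    return dict(by_user)

def sod_conflicts(assignments, steps=STEPS):
    """Return {user: [steps held]} for users holding posting plus an operational step."""
    conflicts = {}
    for user, tcodes in effective_tcodes(assignments).items():
        held = [step for step, codes in steps.items() if tcodes & codes]
        if FINANCIAL in held and OPERATIONAL & set(held):
            conflicts[user] = held
    return conflicts

if __name__ == "__main__":
    for user, held in sod_conflicts(ASSIGNMENTS).items():
        print(f"{user}: physical-inventory SoD conflict, holds {held}")
```

In practice the extract would come from a role/transaction report rather than the inline list, and the step table can be extended with other process chains the same way.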
Since SAP is an integrated environment in which multiple modules are configured as per business requirements, the authorization of one module directly impacts transactions in others. When multiple locations are configured in SAP, plant-level controls need to be activated so that users do not hold irrelevant authorizations allowing them to make changes outside their area of responsibility. Multiple controls should be considered while setting up roles and authorizations after SAP implementation. I will cover these aspects in my next articles for better understanding.
If you have any suggestions or differ with me on a particular point, please feel free to provide your comments so that we can make this platform more useful through our shared experience.
Sr. IT Leader with more than three decades of Experience Driving Digital Transformation and Designing IT Road Maps aligned with Business Goals
3 years: Very relevant topic, Dalveerji. It is one of the most high-risk areas in terms of data security but mostly neglected. This awareness should go down to the CXO level of each organization, as this is not limited to the IT Department only, and periodic reviews should be part of the organization's Internal Audit Policy. Please do cover proper governance tools for authorization review of not only SAP but all enterprise applications.
SAP S/4 HANA Finance Certified Professional Consultant with 15+ years of experience in SAP FICO and S/4 Hana finance; ITIL Foundation certified
3 years: Good topic, Dalveerji. This is the most common concern from most Auditors.
IT and Engineering at DAC INFO
3 years: Yes, agreed. Also, while drafting a risk assessment we have to consider the authorization matrix as the top priority, and not limited to SAP but also other GxP applications.