SAP Supplier Relationship Management (SRM) is developed to purchase predefined items from approved suppliers using an online catalogue. Selected items are put in a shopping cart.
SAP also provides a rule set for SRM which can be used to run risk analysis on users and identify access violations. However you will have to redesign the rules in order to prevent false positives and negatives when running a risk analysis from the standard SAP rule set.
For your convenience I have designed a new SAP SRM rule set with new access rules that is focused on permission level (the relevant authorization objects and values) instead of action level (webdynpro applications/transactions). This rule set can be used direclty to start the remediation of access violations and/or to document compensating controls.
Please find below an example of a SoD matix based on SRM functions defined in the alternative SRM rule set. There are many more SoD-conflicts within the Requisition to Pay process involving SRM activities but for clarity purposes I did not add them.
Attached as text files is the technical content of SRM rule set
I am aware that there is no one-size-fits-all rule set, but I am confident that the rule set attached will help you making your own specific one.
Please also check my other blogs on SDN
http://scn.sap.com/community/grc/blog/2016/01/18/risk-terminator
5 Comments
