Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.

Control Description

Dedicate approvers approve the nature and extent of user-access privileges for new and modified user access, including standard application business catalogues / business roles, critical financial reporting transactions, and segregation of duties.

Background

Assigning the correct authorizations to the right user is a key element in the segregation of duties – and therefore a cornerstone in the auditing process.

In S/4 HANA Cloud, authorizations are collected in so-called ‘Business Catalogue IDs” which are assigned to ‘Business roles” which can be assigned to users. These business roles give access to underlying applications. The access to company codes and within company codes can be restricted in roles.

How to obtain the populations:

(Please remember that the process might change with later releases)

• User created during the audit period (former USR02)

To obtain the population of users created during the audit period navigate to ‘Identity & Access Management’ > ‘Maintain Business Users’ > ‘Display Changes’, select the date range and check the selection box ‘Created Users’.

Note 1: By clicking on the user, it is possible to receive the following information:

• User validity (prior table USR02)
• User Lock indicator (prior table USR02)
• Role assignments (prior report RSUSR002)

Note 2: By clicking on the Business Role ID, you can identify the authorizations from the role as well as the Business Catalogues assigned to the role.

• Business roles assignment changes during audited period (former RSUSR100N):

To obtain the population of users with Business roles assignment changes during the audit period navigate to ‘Identity & Access Management’ > ‘Maintain Business Users’ > ‘Display Changes’, select the date range and check selection box ‘Business Roles Changed’.

Note 3: Entries with “Authorizations have been reorganized/optimized due to technical reasons” can be ignored as these indicate SAP system internal reorganizations and do not necessarily indicate authorization changes.

Note 4: Business users require creation of an employee, but not all employees need to have a business user.

• Role changes during audited period (role change documents)

To obtain a listing of changes made to roles during the testing period navigate to ‘Identity & Access Management’ > ‘Maintain Business Roles’ -> ‘Display Changes’.

Engage with us

To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.”

Or contact us on LinkedIn.