Users authorizations/profiles

There are a few approaches you can take.

SAP Job Description: For each job (the highest-level role, whether a composite role or otherwise) we have a description that explains in business speak what that job allows a user to do. It avoids as much SAP jargon as possible. Any person from the business could look at the description and get a picture of what that person should be doing in SAP. This is what gets signed off at the highest level, and it is the security, functional and internal audit people who are responsible for ensuring that the role meets this spec.

Transaction Breakdown: For Internal Audit Management the job is broken down into its constituent transactions, and Internal Audit (and usually the Functional Team) will look at this at a high level to ascertain that the required functionality is being met by transactional access. Where sensitive transactions are identified, the granular breakdown is used.

Granular Breakdown: This is the level at which restrictions are reported; it is here that object-level restrictions are documented. Any transaction that is deemed sensitive has the information pertaining to its restrictions included here.

In practice this is all contained within one document, and any changes to the roles are recorded in that same document.

A point to make: handing your management team a bare list of transactions will not give them an accurate indication of a user's access, because the transaction list says nothing about the object-level and organisational-level restrictions documented in the granular breakdown.

If you want to get lists of transactions, you can use the following tables.

AGR_USERS
AGR_TCODES
AGR_1252 (Lists Org Levels)
AGR_1251
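As an added example (not part of the original post), the script below shows how the four tables listed above fit together, and why the transaction list on its own is misleading. It loads constructed sample extracts of AGR_USERS, AGR_TCODES, AGR_1252 and AGR_1251 into an in-memory SQLite database and then answers two questions: which transactions each user can reach today, and, for transactions marked as sensitive, what object-level and org-level restrictions sit behind them. The column names follow the standard tables but are trimmed to the fields the example needs; the role names, user IDs and values are invented, and the "sensitive" set is an assumption you would replace with your own list.

```python
import sqlite3
from collections import defaultdict

# Constructed sample extracts (invented roles, users and values).
# Two roles both expose FB60, but one is limited to company code 1000
# while the other is open to all company codes ('*').
AGR_USERS = [  # role -> user assignment with validity period (YYYYMMDD)
    ("Z_AP_CLERK_1000", "ALICE", "20240101", "99991231"),
    ("Z_AP_CLERK_ALL",  "BOB",   "20240101", "99991231"),
    ("Z_AP_DISPLAY",    "CAROL", "20240101", "99991231"),
    ("Z_AP_CLERK_ALL",  "CAROL", "20230101", "20231231"),  # expired assignment
]
AGR_TCODES = [  # transactions on the role menu (TYPE 'TR' = transaction)
    ("Z_AP_CLERK_1000", "TR", "FB60"),
    ("Z_AP_CLERK_ALL",  "TR", "FB60"),
    ("Z_AP_DISPLAY",    "TR", "FB03"),
]
AGR_1252 = [  # organisational level values per role
    ("Z_AP_CLERK_1000", "$BUKRS", "1000", ""),
    ("Z_AP_CLERK_ALL",  "$BUKRS", "*",    ""),
]
AGR_1251 = [  # authorization object field values per role; DELETED='X' rows are inactive
    ("Z_AP_CLERK_1000", "F_BKPF_BUK", "ACTVT", "01",   "", ""),
    ("Z_AP_CLERK_1000", "F_BKPF_BUK", "BUKRS", "1000", "", ""),
    ("Z_AP_CLERK_ALL",  "F_BKPF_BUK", "ACTVT", "01",   "", ""),
    ("Z_AP_CLERK_ALL",  "F_BKPF_BUK", "BUKRS", "*",    "", ""),
    ("Z_AP_CLERK_ALL",  "F_BKPF_BUK", "ACTVT", "06",   "", "X"),  # deleted row
]


def build_db():
    """Load the constructed extracts into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE agr_users(agr_name, uname, from_dat, to_dat);
        CREATE TABLE agr_tcodes(agr_name, type, tcode);
        CREATE TABLE agr_1252(agr_name, varbl, low, high);
        CREATE TABLE agr_1251(agr_name, object, field, low, high, deleted);
    """)
    conn.executemany("INSERT INTO agr_users VALUES (?,?,?,?)", AGR_USERS)
    conn.executemany("INSERT INTO agr_tcodes VALUES (?,?,?)", AGR_TCODES)
    conn.executemany("INSERT INTO agr_1252 VALUES (?,?,?,?)", AGR_1252)
    conn.executemany("INSERT INTO agr_1251 VALUES (?,?,?,?,?,?)", AGR_1251)
    return conn


def transactions_per_user(conn, as_of):
    """Transaction-level view: {user: [tcode, ...]} for assignments valid on as_of."""
    rows = conn.execute("""
        SELECT u.uname, t.tcode
        FROM agr_users u
        JOIN agr_tcodes t ON t.agr_name = u.agr_name
        WHERE u.from_dat <= ? AND u.to_dat >= ? AND t.type = 'TR'
        ORDER BY u.uname, t.tcode
    """, (as_of, as_of))
    result = defaultdict(list)
    for uname, tcode in rows:
        if tcode not in result[uname]:  # same tcode via several roles counts once
            result[uname].append(tcode)
    return dict(result)


def granular_breakdown(conn, sensitive, as_of):
    """Object-level view for sensitive transactions only:
    (user, role, tcode, object, field, low, high), active rows only."""
    placeholders = ",".join("?" * len(sensitive))
    rows = conn.execute(f"""
        SELECT u.uname, u.agr_name, t.tcode, a.object, a.field, a.low, a.high
        FROM agr_users u
        JOIN agr_tcodes t ON t.agr_name = u.agr_name
        JOIN agr_1251 a ON a.agr_name = u.agr_name
        WHERE u.from_dat <= ? AND u.to_dat >= ?
          AND t.type = 'TR' AND t.tcode IN ({placeholders})
          AND a.deleted <> 'X'
        ORDER BY u.uname, u.agr_name, a.object, a.field, a.low
    """, (as_of, as_of, *sorted(sensitive)))
    return list(rows)


def org_levels(conn, role):
    """Org-level values of a role: {variable: [(low, high), ...]}."""
    result = defaultdict(list)
    for varbl, low, high in conn.execute(
            "SELECT varbl, low, high FROM agr_1252 WHERE agr_name = ? ORDER BY varbl, low",
            (role,)):
        result[varbl].append((low, high))
    return dict(result)


if __name__ == "__main__":
    db = build_db()
    print("Transaction view:", transactions_per_user(db, "20240601"))
    for row in granular_breakdown(db, {"FB60"}, "20240601"):  # 'sensitive' set is assumed
        print("Granular:", row)
    print("Org levels Z_AP_CLERK_ALL:", org_levels(db, "Z_AP_CLERK_ALL"))
```

In the transaction view ALICE and BOB look identical (both have FB60); only the granular breakdown shows that ALICE is restricted to company code 1000 while BOB's BUKRS is '*'. The query also drops CAROL's expired assignment and the AGR_1251 row flagged DELETED, two filters that are easy to forget when reading the raw tables.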
