Redesign SAP Roles: ECC or Post-Migration to S/4HANA | ToggleNow

1. Case Study: Analyzing Custom Transaction Codes and Updating the Risk Ruleset

2. Business Challenge • With these custom developments came heightened security risks, particularly around Segregation of Duties (SoD) violations, unauthorized data access, and insufficient controls in the existing risk ruleset. Their SAP Governance, Risk, and Compliance (GRC) solution was configured primarily for standard SAP roles and lacked visibility into these customized T-codes. • Key issues included: • Incomplete risk coverage due to unregistered custom transactions. • False negatives in SoD reports—critical conflicts were not being flagged. • Increased audit findings due to lack of clarity around control effectiveness. • Complexity in role redesign due to outdated risk ruleset configurations. • Objectives • Identify and assess all custom T-codes in the SAP environment. • Map these transactions to their underlying functionality. • Determine the risk implications of each custom transaction. • Update the GRC risk ruleset to reflect actual business risks accurately. • Improve SoD monitoring and access controls for future resilience.

3. Approach and Methodology • Inventory and Discovery • Extracted a comprehensive list of all custom T-codes using SAP TSTCT and TSTC tables. • Mapped each custom transaction to associated programs, function modules, and standard T-codes (if applicable). • Risk Impact Assessment • Collaborated with business process owners and functional teams to understand the intent and use of each custom transaction. • Assessed risks based on actions performed (e.g., posting, changing master data, executing reports). • Benchmarked against standard SAP functionality to align risk classification. • Ruleset Enhancement • Modified the existing GRC Access Control ruleset to include newly identified custom T-codes. • Categorized risks under Conflicting Activities, Critical Actions, and Sensitive Transactions. • Ensured the rules reflected actual process risks, not just theoretical mappings.

4. Testing and Validation • Performed SoD simulation analysis post-ruleset update. • Validated results with internal audit and compliance teams. • Corrected role assignments and removed excessive privileges based on simulation outcomes. • Sustainable Governance • Implemented a custom T-code governance policy, requiring risk analysis for any new custom development. • Trained internal teams on maintaining the ruleset. • Scheduled periodic reviews to align with evolving business processes and regulatory changes.

5. Outcomes and Benefits • Enhanced Risk Visibility: The updated ruleset uncovered 23 previously undetected SoD violations, allowing timely remediation. • Reduced Audit Findings: The internal audit team reported a 40% decrease in access control-related audit issues. • Improved Compliance: Enabled better alignment with SOX, GDPR, and internal compliance frameworks. • Operational Efficiency: The new process reduced manual review efforts for access requests by 60%. • Future-Ready Framework: Established a scalable and adaptive ruleset capable of incorporating future system changes.

6. Lessons Learned • Customization Requires Continuous Oversight: Every custom T-code must be evaluated with the same rigor as standard transactions. • Cross-functional Collaboration is Key: Involving IT, business users, compliance, and audit teams led to a more holistic and accurate risk assessment. • Tools Matter: Leveraging SAP GRC effectively demands proper configuration, regular updates, and alignment with business realities.

7. CONTACT US https://togglenow.com/ Level 2-4, 49, Shakthi Nilayam, Silicon Valley Society, Madhapur, Hyderabad 500084, India THANK YOU