Chapter 6. Access Control and the Role of Roles

In Chapter 5, we discuss how fraud can occur where duties are not clearly segregated. To minimize fraud, companies need to wisely segregate the duties of employees. And to segregate duties, companies rely on roles and access control.

The concepts behind these terms are simple. Everyone in the company should have a well-defined role that minimizes the opportunity for fraud. And when an employee needs to access a computer system, access controls need to be in place that allow the employee to access only what he needs to do to perform his job: nothing more, nothing less. In this chapter, we look at these concepts in-depth. We also discuss how roles can wind up being much more complicated and difficult to manage than you might expect. We also take a look at the SAP solutions for access control.

Understanding Access Control and Roles

Employees perform their duties once they are logged into the system, but it's also vital to monitor how they get there. Most companies have thousands of users. Each user has one or more role. Each role has access to a certain number of transactions in the system. Many companies have more than one system to which users have access. Each of these systems have hundreds of screens, with multiple transactions. All this adds up to a massive number of places where segregation of duties violations can occur — hundreds of thousands, in fact.

Access control is a gatekeeper function that patrols system access, ensuring that ...

Get SAP® GRC For Dummies® now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.