Question:
In our current design what we have right now are the following:
1. List of User
2. Tcode that will be assigned by the user
3. Organizational values that users should be restricted (e.g. Company code)
4. Some specific values that users should be restricted (e.g. Cost center)
Question is: considering the above data for our matrix, when we start creating the roles in SAP, we have realized that there are a lot of authorization object values that are still missing in our matrix. Kindly share your experience on how you normally start creating your authorization matrix? Is there a third party tool now available for builing the authorization matrix?
Thanks for your reply.
Answer:
I prefer to start with the identification of business roles, map the processes and tasks to those, and final the transactions and reports used to them.
This way it is far easier to base your design on risk and take into account SOD, reporting & security controls from early in th design
Answer:
I agree.
You should now group your users to the business roles they perform.
Split the business roles to business tasks/processes and this will give you a guide as to what transactions are needed and also what these transactions are required to do - i.e. the authorisations.
You won't get it exactly right first time so make sure the prototype Roles are tested thoroughly.
One other thing, is this a new installation ? If so SAP may well bring abilities that the business didn't have before - like e.g. parking an invoice, does the business want this. In other words don't only map what the business is doing now but recognise the possibility to add some value to the processes.
Best of luck
_________________
Best Regards
Bazza