Top 30 SAP GRC SoD Risks Every Security Consultant Must Know - SAP SECURITY


In enterprise environments using SAP Governance, Risk, and Compliance, Segregation of Duties (SoD) is a critical control that prevents fraud, financial manipulation, and operational errors.

An SoD conflict occurs when a user has access to two or more transactions that should not be performed by the same person. These risks are usually detected using Access Risk Analysis in SAP Access Control within systems like SAP S/4HANA.

Below are 30 common SoD risks that every SAP Security and GRC consultant should understand, along with practical examples.


Vendor Management Risks

1. Create Vendor & Pay Vendor

Transactions:
XK01 / BP + F110

Risk:
User can create a fake vendor and process payment.


2. Maintain Vendor & Post Vendor Invoice

Transactions:
XK02 + FB60

Risk:
User could modify vendor bank details and post invoices.


3. Maintain Vendor & Process Manual Payment

Transactions:
XK02 + F-53

Risk:
Unauthorized payments could be executed.


4. Create Vendor & Maintain Vendor Bank Details

Transactions:
XK01 + FK02

Risk:
Fraudulent vendor bank accounts could be created.


5. Vendor Master Change & Payment Run

Transactions:
FK02 + F110

Risk:
Bank details could be modified before payment processing.


Customer Management Risks

6. Create Customer & Post Customer Credit Memo

Transactions:
XD01 + FB75

Risk:
User could create fake customers and issue credit memos.


7. Maintain Customer & Post Customer Invoice

Transactions:
XD02 + FB70

Risk:
Customer billing could be manipulated.


8. Customer Creation & Cash Receipt Processing

Transactions:
XD01 + F-28

Risk:
Misuse of customer records for financial manipulation.


9. Customer Maintenance & Sales Order Processing

Transactions:
XD02 + VA01

Risk:
Unauthorized sales activities.


10. Customer Credit Limit Maintenance & Order Processing

Transactions:
FD32 + VA01

Risk:
Unauthorized credit approval.


Procurement Risks

11. Create Purchase Order & Approve Purchase Order

Transactions:
ME21N + ME29N

Risk:
User could create and approve their own purchase orders.


12. Maintain Vendor & Create Purchase Order

Transactions:
XK02 + ME21N

Risk:
Purchase orders could be issued to fraudulent vendors.


13. Create Purchase Order & Post Goods Receipt

Transactions:
ME21N + MIGO

Risk:
Fake purchases could be recorded.


14. Create Purchase Order & Post Invoice

Transactions:
ME21N + MIRO

Risk:
Unauthorized payments for fictitious purchases.


15. Approve Purchase Order & Post Invoice

Transactions:
ME29N + MIRO

Risk:
Purchase approvals and invoicing would be handled by the same user.


Inventory Risks

16. Create Material & Maintain Material

Transactions:
MM01 + MM02

Risk:
Unauthorized material changes.


17. Maintain Material & Goods Movement

Transactions:
MM02 + MIGO

Risk:
Incorrect inventory movement.


18. Post Goods Receipt & Post Goods Issue

Transactions:
MIGO + MB1A

Risk:
Inventory manipulation.


19. Create Material & Purchase Order Creation

Transactions:
MM01 + ME21N

Risk:
Fake material purchasing.


20. Inventory Adjustment & Goods Movement

Transactions:
MI07 + MIGO

Risk:
Stock manipulation.


Financial Posting Risks

21. Post Journal Entry & Reverse Journal Entry

Transactions:
FB50 + FB08

Risk:
Financial manipulation without oversight.


22. Post Vendor Invoice & Process Payment

Transactions:
FB60 + F110

Risk:
Unauthorized invoice payments.


23. Post Customer Invoice & Issue Credit Memo

Transactions:
FB70 + FB75

Risk:
Revenue manipulation.


24. Maintain G/L Account & Post Journal Entry

Transactions:
FS00 + FB50

Risk:
Unauthorized financial postings.


25. Create Asset & Post Asset Retirement

Transactions:
AS01 + ABAVN

Risk:
Asset value manipulation.


System and Security Risks

26. Create User & Assign Roles

Transactions:
SU01 + PFCG

Risk:
Unauthorized access creation.


27. Maintain Roles & Transport Roles

Transactions:
PFCG + SE10

Risk:
Uncontrolled role deployment.


28. Execute Programs & Modify Programs

Transactions:
SA38 + SE38

Risk:
Unauthorized code execution.


29. Maintain Tables & Execute Reports

Transactions:
SM30 + SE16

Risk:
Direct data manipulation.


30. Firefighter Access & User Administration

Transactions:
/EAM + SU01

Risk:
Uncontrolled emergency access.


How SAP GRC Detects These Risks

In SAP Access Control, SoD conflicts are detected through:

1. Risk analysis ruleset

2. Role-level risk analysis

3. User-level risk analysis

4. Access request risk evaluation

The system compares user access against the SoD rules matrix.


How Security Consultants Resolve SoD Risks

Typical resolution strategies include:

1. Remove conflicting access
Remove one role or transaction.

2. Role redesign
Split roles based on job functions.

3. Organizational restrictions
Limit access by company code, plant, or sales organization.

4. Mitigation control
Allow risk but monitor through periodic review.

5. Firefighter access
Provide temporary emergency access.
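
As an added illustration (not the page's or SAP's own code) of how the ruleset, role-level, user-level and access request analyses described above fit together, and of how a mitigating control changes the outcome, here is a small Python model built on a subset of the 30 risks. The risk ids, role names, user ids and the control id are constructed sample data.

```python
# Constructed ruleset: risk id -> (description, function A, function B).
# A risk is a combination of two conflicting functions; each function is the
# set of transaction codes that perform it, so rule 1 above ("XK01 / BP + F110")
# means: either XK01 or BP, combined with F110.
RULESET = {
    "R01": ("Create Vendor & Pay Vendor", {"XK01", "BP"}, {"F110"}),
    "R02": ("Maintain Vendor & Post Vendor Invoice", {"XK02"}, {"FB60"}),
    "R11": ("Create PO & Approve PO", {"ME21N"}, {"ME29N"}),
    "R14": ("Create PO & Post Invoice", {"ME21N"}, {"MIRO"}),
    "R26": ("Create User & Assign Roles", {"SU01"}, {"PFCG"}),
}

# Constructed role catalogue: role name -> transaction codes it grants.
ROLES = {
    "Z_AP_CLERK": {"FB60", "F-53"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "FK02"},
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_FULL_PURCHASING": {"ME21N", "ME29N", "MIRO"},  # candidate for redesign
}

# Constructed user assignments and approved mitigating controls (user -> risk -> control).
USER_ROLES = {"JSMITH": ["Z_AP_CLERK", "Z_VENDOR_MASTER"], "ABROWN": ["Z_PURCHASER"]}
MITIGATIONS = {"JSMITH": {"R02": "MC-AP-01"}}  # periodic review of vendor changes


def analyze_tcodes(tcodes):
    """Risks triggered by one set of transaction codes (a single role, or a
    user's combined access): a risk fires only when both functions are hit."""
    return sorted(rid for rid, (_, fa, fb) in RULESET.items()
                  if tcodes & fa and tcodes & fb)

def effective_access(user):
    """Union of every transaction code granted through the user's roles."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, [])))

def analyze_user(user):
    """User-level analysis: each hit is OPEN or carries its mitigating control."""
    controls = MITIGATIONS.get(user, {})
    return {rid: controls.get(rid, "OPEN") for rid in analyze_tcodes(effective_access(user))}

def simulate_request(user, new_role):
    """Access request evaluation: risks the requested role would newly
    introduce, checked before the role is provisioned."""
    before = set(analyze_tcodes(effective_access(user)))
    after = set(analyze_tcodes(effective_access(user) | ROLES[new_role]))
    return sorted(after - before)
```

Role-level analysis flags Z_FULL_PURCHASING on its own, while the user-level run shows JSMITH's vendor conflict as mitigated and the simulated request for ABROWN reveals the approval conflict before any role is assigned.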


Conclusion

Understanding SoD risks is essential for SAP Security consultants working with SAP Governance, Risk, and Compliance environments. Identifying and resolving these conflicts ensures compliance, prevents fraud, and strengthens internal controls.

By mastering these 30 common SoD risks, consultants can efficiently analyze access conflicts and implement secure role designs across SAP systems.
