Business System Analysts (BSAs) will carry out the following tasks as part of their GRC-related responsibilities:
Assist the Role Owner and Risk Owner with:
o Analysis of changes to risks due to changes in roles or user/role assignments
o Redesign of Roles in terms of business-relevant information and Single vs Composite role design
o Understanding the Risk, i.e. what the SAP access allows and whether any additional technical features are being used, or can be used, to reduce / mitigate the risk. This includes configuration settings, MIT enhancements, additional access security.
When there are new “Z” transactions, the BSA will assist in categorizing them under the closest standard SAP action. The GRC Admin group will add these to the ruleset in the same place as that standard SAP action.
Assist the BA to document the new / changed role design and communicate it to the SAP R/3 Security
Admin group. Potentially assist in the initial role testing.
REPORTS                                          PROCESS
05 Roles by Role Name                            1
06 User to Role Relationship                     1
07 Role Relationship with User - User Group      1
08 Users by User ID                              1
09 Count Authorizations for Users                1
10 Action Usage by User Role and Profile         1
11 Mitigation Control Report                     2
12 User Level                                    1, 2
13 User Level Simulation                         1, 2