Rulesets for your GRC Solution
Used to monitor risks, a ruleset is the basis for carrying out a risk analysis in the SAP system. Based on the ruleset, critical authorizations and segregation-of-duties (SoD) conflicts arising from critical combinations of authorizations can be checked and cleaned up, either regularly or on a case-by-case basis.
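The risk analysis described above, as an added example that is not Xiting's or SAP's own code: a ruleset is modelled as functions (groups of actions, here transaction codes) combined into risks, and each risk is evaluated against a user's assigned transactions. A risk with one function is a critical-action rule, a risk with two or more functions is an SoD rule. All function names, risk IDs and user assignments below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Function:
    """A business function and the actions (here SAP transaction codes) that grant it."""
    name: str
    actions: frozenset

@dataclass(frozen=True)
class Risk:
    """Fires when a user holds at least one action of EVERY listed function:
    one function is a critical-action risk, two or more an SoD conflict."""
    risk_id: str
    functions: tuple

def evaluate_risk(user_actions, risk):
    """Return {function name: matched actions} if the risk fires, else None."""
    hits = {}
    for fn in risk.functions:
        matched = fn.actions & user_actions
        if not matched:
            return None  # a function is missing, so this risk is not realised
        hits[fn.name] = sorted(matched)
    return hits

def analyze(user_actions_by_user, ruleset):
    """Run every risk in the ruleset against every user; list only violations."""
    report = {}
    for user, actions in user_actions_by_user.items():
        violations = {}
        for risk in ruleset:
            hits = evaluate_risk(frozenset(actions), risk)
            if hits is not None:
                violations[risk.risk_id] = hits
        report[user] = violations
    return report

# Constructed sample ruleset (illustrative only, not a productive Xiting or SAP ruleset).
PR01 = Function("PR01 Create purchase order", frozenset({"ME21N", "ME22N"}))
AP01 = Function("AP01 Post vendor invoice", frozenset({"MIRO", "FB60"}))
PAY01 = Function("PAY01 Execute payment run", frozenset({"F110"}))
ADM01 = Function("ADM01 Change client settings", frozenset({"SCC4"}))
RULESET = (
    Risk("P001", (PR01, AP01)),   # SoD: order goods and post the invoice for them
    Risk("P002", (AP01, PAY01)),  # SoD: post the invoice and release the payment
    Risk("C001", (ADM01,)),       # critical action: one transaction is enough
)
# Constructed user-to-transaction assignments, as a role analysis would export them.
USERS = {"ALICE": {"ME21N", "MIRO", "SU53"}, "BOB": {"MIRO", "F110", "SCC4"},
         "CAROL": {"ME21N", "SU53"}}
```

Calling `analyze(USERS, RULESET)` flags ALICE for P001, BOB for P002 and C001, and CAROL for nothing; in a real system the functions would be maintained against authorization objects and SU24 defaults rather than bare transaction codes.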
Keep a close eye on your risks!
Given the constantly growing requirements and risks in SAP, creating and maintaining custom-made rules for the respective GRC solutions is a challenge. For analyses, reports, and the processing of authorizations and system settings, a constantly updated and well-maintained ruleset ensures secure administration of the SAP system.
With the help of our services, we evaluate the requirements individually and, depending on the catalog of requirements and legal regulations, we can build up the basic knowledge and the necessary know-how. We support you in identifying which risks are relevant for you and together we can define the right ruleset for your GRC solution. If you already have a ruleset in use, we will help you ensure that your current ruleset is up to date, identify potential for optimization and establish best practice approaches.
Building a ruleset is not a one-time task. A ruleset must be constantly checked, expanded, or adapted. Changed processes mean changed risks and consequently different rules. So what are the most common problems: why is there no ruleset, or why does the existing one no longer meet the requirements? Our experience shows that it is often one of the following reasons:
Our approach always pursues an overall view of the risks. These are mapped in a global ruleset and always reduced to the most critical authorizations in order to keep complexity low and to make rules transparent. Our ruleset takes into account the changes made with SAP S/4HANA (including Fiori apps) and customer-specific in-house developments. Together with you, we decide where and which rules are relevant for your organization.
We first analyze the requirements that will be placed on the new ruleset. For this purpose, we record, for example, compliance requirements from a regulatory and ICS perspective and review any ruleset you may already have. In the next step, we check your in-house developments to identify missing or incorrect authorization checks and correct them.
In addition, the maintenance of the SU24 default values plays a central role, since it allows the critical authorizations relevant to the ruleset to be assigned to a transactional context. In the last step, we create the final rulesets for you and validate the results so that the ruleset is not only professionally but also technically clean. We support you with the implementation in the productive environment to monitor and control the authorizations for your processes, so that the rules are established, maintained, and accepted in the long term.
Xiting Compliance Services
We support you on your way from creating awareness about compliance to defining and implementing a ruleset for the XAMS CRAF solution, SAP GRC Access Control and SAP IAG, among others. Whether it is the creation of a coordinated, final ruleset, or support in developing a ruleset with “ECS meets XAMS”, our aim is to be your competent and reliable partner for risk management.