The document discusses the objectives and process of a security role mapping workshop for an SAP system implementation called Global One. The workshop aims to familiarize management and users with security concepts, review the template security design, discuss role and user mappings, data ownership, and segregation of duties. Key steps include mapping roles to SAP positions and users, identifying data owners responsible for approving access, and ensuring segregation of duties conflicts are addressed.

1. Security Mapping Overview

3. Control Techniques Business Process Controls Umbrella Non-SAP Business Processes SAP standard SAP configured Authorization Monitoring Manual SAP Risks Risks Risks Risks Risks

7. Security Design Approach Observation 3 SAP Position “ Customer Service” SAP transaction(s) are assigned to roles but a transaction should only be assigned to one role. Roles are mapped to SAP positions which are then mapped to users. Role(s) “ Change Sales Order” SAP Transaction(s) VA01

9. Global One Security Template Wave One Wave Two Wave Three Wave Four North America security design as the baseline Final Global Template Localize Global Template North American security foundation 80% 20% change from North America Minor changes to Global Template Security can be accommodated within reason. (e.g. new transaction codes and new SAP Positions) Design security for Global One

10. Security Design Approach Observation 3 SAP Position “ Customer Service” SAP transaction(s) are assigned to roles Roles are mapped to SAP positions which are then mapped to users. Role(s) “ Change Sales Order” SAP Transaction(s) VA01

15. Role Example Display Purchasing GM_XXX_FTS_DIS_PURCHASNG Role Transaction Create Purchase Req (ME51) SAP Position Change Purchase Req (ME52) Display Purchase Req (ME53) Display Materials (MM03) Create Purchase Order (ME21N) Change Purchase Order (ME22N) Jian Min Carlos Jorge Françoise Strategic Purchasing Plant Buyer Create/Change Purch Req GM_XXX_FTS_CHG_PUR_REQ Display Master Data GM_XXX_MDT_GEN_DISPLAY User Create/Change Purchase Order GM_XXX_FTS_CHG_PO

16. Transactions by roles

17. Master and Derived roles

18. List of SAP Positions

21. AR UY CL CA US Southern Cluster North America Global EXAMPLE 1 - A Finance User works in Argentina; has access to view or modify Argentina data in SAP: - The Finance User wants access to view and update US information. The User needs to request approval from the US Data Owner. This should be the US Finance Data Owner. - Request should also be approved by the Finance Data Owner of the country the person works for, prior to being issued access. i.e. two approvals, one from Argentina and one from the US PY Security Access Approvers – Data Owners