Segregation of Duties

Hi all,

We are using a dedicated Segregation of Duties dashboard to analyze cases where two activities are processed by the same person (e.g. Creation of PO and Releasing the PO). In this dashboard, the viewer selects two activities that shall not be performed by the same user, to see in how many cases there is a violation. See here the PQL statement:

avg (case
when PU_first(EKPO, "_CEL_P2P_ACTIVITIES"."USER_NAME", "_CEL_P2P_ACTIVITIES"."ACTIVITY_EN" = '<%=From%>' AND "_CEL_P2P_ACTIVITIES"."USER_TYPE" <> 'B')
   = PU_first(EKPO, "_CEL_P2P_ACTIVITIES"."USER_NAME", "_CEL_P2P_ACTIVITIES"."ACTIVITY_EN" = '<%=To%>')
then 1.0
else 0.0
end) * 100

By checking the violations in detail, I’ve recognized that there are cases where Person A creates a PO, Person B approves the PO and afterwards Person A changes some field in the PO (e.g. Net Order Price). Due to this change, the release indicator is AUTOMATICALLY changed from “B” (release) to “R” (not released). This case is shown as a violation in the segregation of duties dashboard, since user A is changing the release indicator (not actively, but only by changing some other SAP field for this PO) and thus considered to be approving this PO even though the user is doing exactly the opposite.

Any idea how to solve this issue?

Thanks,
Oli

Hi Oli,

From what I gather, you have an activity in your event log for “Change Release Indicator” that looks for any change to the release indicator and you are using this activity as your “To” activity to signify the PO Release. If my assumption is correct, I would recommend you make your activity definition in your event log more specific so that any time the release indicator changes to ‘B’ the activity is called “PO Released” and any time the release indicator is changed to “R” or something else the activity is called something like “Release Indicator Changed” or “PO Un-Released” (up to you how to name that). Once you have an activity for “PO Released” that is specifically looking for the release indicator to change to ‘B’, you can use that activity as your “To” activity and isolate the user who is specifically releasing the PO (changing the release indicator to ‘B’).

Hope that helps!
-Tyler

Thanks Tyler!

That sounds indeed reasonable and I’ve contacted our IT department with the suggestion to split the activity “Change Release Indicator in PO” to “Release PO” and “Change PO Release Indicator”.

Thanks, Oli
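
The activity split suggested in the thread, as an added example that is not code from either poster or from Celonis: it runs a same-user check over a small constructed event log, first with the generic "Change Release Indicator" activity and then after renaming it by the value the indicator changed to. The tuple layout, PO item numbers, user names and the user type "A" are assumptions, and the check compares all users per PO item rather than only the first match that PU_first returns.

```python
from collections import defaultdict

# Constructed sample event log, one row per event:
# (po_item, seq, activity, user, user_type, new_release_indicator)
EVENTS = [
    # Item 1: A creates, B releases, A edits the price -> indicator resets to R
    ("4500000001-10", 1, "Create PO", "USER_A", "A", None),
    ("4500000001-10", 2, "Change Release Indicator", "USER_B", "A", "B"),
    ("4500000001-10", 3, "Change Release Indicator", "USER_A", "A", "R"),
    # Item 2: C creates and releases the same PO item (a real violation)
    ("4500000002-10", 1, "Create PO", "USER_C", "A", None),
    ("4500000002-10", 2, "Change Release Indicator", "USER_C", "A", "B"),
    # Item 3: D creates, E releases (clean)
    ("4500000003-10", 1, "Create PO", "USER_D", "A", None),
    ("4500000003-10", 2, "Change Release Indicator", "USER_E", "A", "B"),
]

def split_release_activity(event):
    """Rename the generic activity by the value the indicator changed to."""
    item, seq, activity, user, user_type, new_ind = event
    if activity == "Change Release Indicator":
        activity = "PO Released" if new_ind == "B" else "Release Indicator Changed"
    return (item, seq, activity, user, user_type, new_ind)

def sod_violations(events, from_activity, to_activity):
    """Return the PO items where one user performed both activities."""
    from_users, to_users = defaultdict(set), defaultdict(set)
    for item, _seq, activity, user, user_type, _ind in events:
        # Mirrors the USER_TYPE <> 'B' filter on the "From" side of the posted PQL
        if activity == from_activity and user_type != "B":
            from_users[item].add(user)
        if activity == to_activity:
            to_users[item].add(user)
    return {item for item in from_users if from_users[item] & to_users[item]}

def violation_rate(events, from_activity, to_activity):
    """Percentage of PO items with a violation, like the dashboard KPI."""
    items = {e[0] for e in events}
    return 100.0 * len(sod_violations(events, from_activity, to_activity)) / len(items)

if __name__ == "__main__":
    split = [split_release_activity(e) for e in EVENTS]
    print("generic:", sorted(sod_violations(EVENTS, "Create PO", "Change Release Indicator")))
    print("split:  ", sorted(sod_violations(split, "Create PO", "PO Released")))
```

With the generic activity, item 1 is flagged only because USER_A's price edit reset the indicator; after the split, only item 2 remains.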