
Business Process Conflicts Matrix Report

The Business Process (BP) Conflicts Summary report is a business-friendly report that provides summaries of risk in the system along with high-level usage information that can be used to drive decisions. Those decisions will then be used by the more technical users and teams to start making changes.

Scheduling the BP Conflicts Matrix Report

When scheduling the BP Conflicts Summary report, the fields that need to be populated are:

  • Report Name - Defaults to the report type and date/time but can be customized.

  • Signature - Include a signature on the report when you are providing it to external auditors for completeness and accuracy; a signed report does not contain the standard pivot tables.

  • Live Utilizations - If selected, the system runs a new utilization extract for any month within the selected period that does not already have one. Keep in mind that SAP stores this data for three months by default, so extracts for months older than that will most likely be blank.

  • Selected Utilizations - Includes all available extracts from the last 12 months; however, you can include more or less depending on what is available in the system.

  • Report Type - Select whether to use a previously completed analysis file, that is, the raw data file that compares user access to the rulebook, or to run a new analysis. The options are:

    • Historical Data - You will be provided a list of previously completed analysis files to choose from.

    • New Data - You will run the analysis as part of the reporting job. The additional fields in here are:

      • Email When Done - Email will be sent to this user once the job completes. This will default to the person who is running the job.

      • Security Extract - Select whether to use a new security extract or run the analysis from an existing extract.

      • Rulebooks - Select what rulebook(s) to include in the analysis.

      • Risk Ratings - Select what risks to include in the analysis based on the risk rating.

      • Business Processes - Select what risks to include in the analysis based on the business process.

Viewing the BP Conflicts Matrix Report

The different tabs of this Excel report are the following:

Risk Overview Tab

The Risk Overview tab is like the User Risks by Rating report on the dashboard and shows all the risks in the environment broken down by the risk rating defined in the rulebook and then separated by the utilization of the users with access to those risks. The different colored buckets of the graph are:

  • Not Executed - A risk where the user has access to all business functions defined for that risk (one for a sensitive access risk and two or more for an SoD risk) but has not executed transactions from any of those functions.

  • Partially Executed - A risk where the user has access to all business functions associated with an SoD risk and has executed transaction codes associated with some, but not all, of the business functions.

  • Fully Executed - A risk where the user has access to all business functions associated with an SoD risk and has executed transaction codes from all of the business functions.

  • Sensitive Access Utilized - A sensitive access risk. This requires access to only one function where the user has executed transaction codes associated with that function.

Use Case

This summary-level report is often used by managers or business owners to get insight into the users who pose the most risk to the business. They can view the different levels of risk and see which users have that access on the additional tabs of this report. This helps determine whether the users who hold access to a risk are the ones expected to, and that information can then be used to decide whether to remediate the risk or apply mitigating controls.

Risk Summary Tab

The Risk Summary tab breaks down all the risks within the environment and then separates them by the risk rating. It also includes summary details around how many users have access to that risk and then separates those users into the different columns based on their utilization.

Use Case

This report is used to focus on the risks you are most interested in. If you are addressing the easiest-to-remediate risks, look at those with no users in the Fully Executed column so you can focus on finding ways to take away the unused access. If you want to focus on the risks most likely to be acted upon, look for the risks with the most users in the Fully Executed column and then use other reports to remediate them by cleaning up roles or changing processes internally.

User Conflict Summary Tab

The User Conflict Summary tab is a breakdown of the risk in the system. It gives the proportion of executed risk to overall risk, along with some additional identifiers. This tab can be used to provide key risk indicators (KRIs) to management.
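The bucket definitions in the Risk Overview tab, the per-risk counts in the Risk Summary tab, and the executed-to-overall proportion on this tab all derive from the same comparison of a security extract against a utilization extract. The following Python is an added example, not code from the product or this documentation, that reproduces those calculations on a small constructed dataset. The rulebook, risk ids, business function names, transaction codes, users and the KRI definition (executed conflicts being those in the Fully Executed or Sensitive Access Utilized buckets) are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample rulebook (hypothetical risk ids and function names):
# each risk has a rating and one or more business functions, each a set of tcodes.
# One function means a sensitive access risk; two or more means an SoD risk.
RULEBOOK = {
    "P001": {"rating": "High", "functions": {
        "CREATE_VENDOR": {"XK01", "FK01"},
        "POST_VENDOR_INVOICE": {"FB60", "MIRO"}}},
    "P002": {"rating": "Medium", "functions": {
        "MAINTAIN_PO": {"ME21N", "ME22N"},
        "GOODS_RECEIPT": {"MIGO"}}},
    "S001": {"rating": "High", "functions": {
        "USER_ADMIN": {"SU01", "PFCG"}}},
}

# Constructed security extract: tcodes each user is authorized to run.
ACCESS = {
    "alice": {"XK01", "FB60", "MIRO", "ME21N"},
    "bob": {"XK01", "FK01", "FB60", "MIRO", "MIGO", "ME21N"},
    "carol": {"SU01", "MIGO", "ME22N"},
    "dave": {"FB60"},
}

# Constructed utilization extract: tcodes each user actually executed in the period.
EXECUTED = {
    "alice": {"XK01"},
    "bob": {"XK01", "MIRO", "MIGO", "ME21N"},
    "carol": set(),
    "dave": {"FB60"},
}

BUCKETS = ("Not Executed", "Partially Executed", "Fully Executed",
           "Sensitive Access Utilized")


def has_risk(user_tcodes, functions):
    """A user has the risk only when they hold at least one tcode of every function."""
    return all(user_tcodes & tcodes for tcodes in functions.values())


def classify(user_tcodes, user_executed, functions):
    """Return the utilization bucket for a user who has the risk, or None if they do not."""
    if not has_risk(user_tcodes, functions):
        return None
    used = sum(1 for tcodes in functions.values() if user_executed & tcodes)
    if len(functions) == 1:                     # sensitive access risk
        return "Sensitive Access Utilized" if used else "Not Executed"
    if used == 0:
        return "Not Executed"
    if used < len(functions):
        return "Partially Executed"
    return "Fully Executed"


def conflicts(rulebook=RULEBOOK, access=ACCESS, executed=EXECUTED):
    """Conflicts tab: one row per (user, risk) the user holds, with bucket and
    the number of executed tcodes per business function."""
    rows = []
    for user, tcodes in access.items():
        ran = executed.get(user, set())
        for risk_id, risk in rulebook.items():
            bucket = classify(tcodes, ran, risk["functions"])
            if bucket is None:
                continue
            usage = {name: len(ran & f) for name, f in risk["functions"].items()}
            rows.append({"user": user, "risk": risk_id, "rating": risk["rating"],
                         "bucket": bucket, "usage": usage})
    return rows


def risk_summary(rows, rulebook=RULEBOOK):
    """Risk Summary tab: per risk, its rating, total users and users per bucket."""
    summary = {}
    for risk_id, risk in rulebook.items():
        per_bucket = Counter(r["bucket"] for r in rows if r["risk"] == risk_id)
        summary[risk_id] = {"rating": risk["rating"],
                            "users": sum(per_bucket.values()),
                            **{b: per_bucket.get(b, 0) for b in BUCKETS}}
    return summary


def executed_ratio(rows):
    """User Conflict Summary KRI (assumed definition): share of conflicts where the
    risk is actually realized (Fully Executed or Sensitive Access Utilized)."""
    realized = sum(1 for r in rows
                   if r["bucket"] in ("Fully Executed", "Sensitive Access Utilized"))
    return realized / len(rows) if rows else 0.0


def unused_risks(summary):
    """Risks with no Fully Executed users: the easiest access to take away."""
    return sorted(k for k, v in summary.items() if v["Fully Executed"] == 0)


if __name__ == "__main__":
    rows = conflicts()
    for r in rows:
        print(r["user"], r["risk"], r["rating"], r["bucket"], r["usage"])
    summary = risk_summary(rows)
    print(summary)
    print("executed ratio:", executed_ratio(rows))
    print("risks with no Fully Executed users:", unused_risks(summary))
```

With the constructed data, alice lands in Partially Executed for P001 (she ran XK01 but nothing from the invoice function), bob is Fully Executed for both SoD risks, and carol holds the sensitive access risk S001 without using it, so S001 is the only risk the Risk Summary use case would flag as unused access to remove.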

Conflicts Tab

The Conflicts tab gives you the most detailed view of the users who have access to the risks, along with some additional data points to help drive decision making. The other information you can see on this tab of the report includes Risk Rating, Rule Name, User Group, Utilization Bucket, Recommendation on how to approach the risk, any mitigating controls in place, and summary-level utilization count for each of the business functions.

Use Case

The Conflicts tab is the main portion of this report that business owners use to decide how to approach remediation. The Recommendation column helps the business process owner approve removal of access in the case of a Not Executed or Partially Executed risk, or identify a scenario where remediation is impossible because the user must perform both sides of the risk, in which case they can discuss the mitigating controls that are in place. The approval to remove access is then provided to the security team to identify how it can be removed, either by removing unused roles or by cleaning up roles.

Reference Tabs

The additional tabs on the report are for reference purposes. These include:

  • Properties - Shows the information that was used to create the report. This includes the account information, user who scheduled the snapshot, the rulebook used, along with the dates and times of the security and utilization extracts.

  • Risk Descriptions - Shows the risks, risk rating, and description that is defined in the rulebook.

  • Mitigating Controls - Shows the mitigating controls in the system along with the objective and description defined for each. This is used as a reference when you want to know more about the mitigating control in place for a risk/user, since most reports show only the mitigating control code.

  • User Info - Shows additional information about the users that is pulled in from the USER_ADDR table in SAP. This includes cost center, department, company, and any other information defined in SAP and pulled in with that table.