BASIS - SAP Basis
Create and maintain SAP users and roles
Assigning broad roles without least privilege
Goal: secure and least-privilege system access.
Typical stakeholders: security admin, basis consultant, process owner.
KPIs to watch: critical authorization findings, access request lead time, segregation-of-duties (SoD) conflicts.
A new accounts payable (AP) specialist needs to post invoices but should not maintain pricing or release payments.
Consultant note: Grant a role focused on AP posting/reporting only; avoid broad composite roles by default.
Problem: A user receives overly broad access after an urgent onboarding request.
Diagnosis: Compare requested activities with job scope and identify SoD risk objects in assigned roles.
Resolution: Assign only the minimum required composite/single roles, document the expiry of any temporary access, and run periodic access reviews.