Is Accepting SOD Violations in Security Roles Ever Justified?
An important policy issue with strong corporate governance implications in SAP-enabled enterprises is whether to permit the design of security roles containing embedded Segregation of Duties (SOD) violations. SAP best practice clearly recommends against it, and most companies prohibit the practice, believing it signals a lack of control. This paper agrees that SAP best practice is always the starting point for a sound SOD control. However, it also makes the case that under some circumstances, when carefully documented and monitored, permitting the design of roles with embedded SOD violations can be a valid way to reduce and control risk. It explores the issues involved and considers under what circumstances this unusual practice should be allowed.