Channel: SCN : All Content - Security

Re-generating derived roles shows changes


Hello,

 

I respectfully ask for your guidance as I am unable to find the necessary documentation needed to support a request for our auditors. Currently, we utilize a derived role methodology with organizational definition restriction within the child roles. The Compliance Director has taken measures to reduce the level of access issued to the SAP Security team.

 

Given some of the role changes and activity within the company lately, the Security team has started reviewing the role status to ensure all roles are generated within Production (PFCG, Utilities, Overview Status). We are seeing a high number of roles that are going into an ungenerated state and are not sure why. Due to our restricted access level, our team is unable to re-generate/re-derive a role(s) within Production, which means it requires a transport, change management request, approval, etc. Our auditors are now requesting proof that nothing changed when the role(s) are regenerated. This is an easy task when it is just a child role that is re-generated. When a Parent {and its child/ren} require re-generation and re-deriving, the change logs show activity which our Compliance team 'sees' as change. No changes are being made to the role other than the parent being re-derived to the child roles. Although this is what has been explained, it had been noted that it will be written up as a finding.

 

We have been explaining this for weeks now and are still on square one. Can someone point me in the right direction of documentation that this is the process? We have already addressed the access issue and have been told, rather emphatically, no changes will be made.

 

I appreciate your time and consideration.

