45 pre-built SAP SoD rules for Indian manufacturing companies — ready on day one.
Built for SAP ECC 6.0 and S/4HANA. Mapped to Companies Act 2013 IFC control objectives. Covering FI, MM, SD, PP, CO, and QM — the six modules IFC auditors test. No consultant required. No rule-building phase.
Everything your IFC audit requires. Available on day one.
Mid-size and large manufacturing and distribution companies in India operate complex SAP ECC environments spanning procurement, sales, production, service operations, and financial management. Under the Companies Act 2013, management is required to demonstrate that access controls in SAP are governed in a way that prevents any single individual from executing a complete financial transaction without independent authorization.
The challenge most organizations face when implementing SoD controls in SAP is the cold-start problem: they know they need SoD rules, but mapping the relevant SAP transaction codes, identifying which role combinations create genuine fraud risk, and connecting each rule to a specific control objective is a months-long exercise that requires deep SAP and audit expertise working in combination.
The OpenIAM SoD Accelerator for SAP eliminates this cold-start entirely. Organizations receive a pre-built library of 45 SoD rules across six SAP modules — Financial Accounting, Sales & Distribution, Materials Management, Production Planning, Controlling, and Quality Management — ready to load into OpenIAM on day one. Each rule reflects the operational reality of manufacturing and distribution businesses and maps directly to the control objectives that internal and external auditors test under India's Internal Financial Controls framework. This is the Manufacturing Edition — focused on the six core operational modules. Separate rule sets are available for SAP Basis, HR/Payroll, and Plant Maintenance.
| Capability | Detail |
|---|---|
| Total rules in this edition | 45 rules across 6 SAP ECC modules — Manufacturing Edition |
| Critical risk rules | 15 rules — the role conflicts that appear most often in audit findings |
| High risk rules | 20 rules — significant financial reporting risk, actively tested in audit |
| Medium risk rules | 10 rules — best practice controls, important for a mature compliance program |
| SAP ECC version support | SAP ECC 6.0 — all transaction codes and authorization objects validated for ECC 6.0 |
| S/4HANA compatibility | Yes — the rule set is compatible with SAP S/4HANA. See the S/4HANA compatibility section below for detail. |
| Time to first violation scan | Hours from connection — no consultant engagement, no rule-building phase required |
| Regulatory framework alignment | Companies Act 2013 internal controls, ICAI auditing standards, IFC (Internal Financial Controls) requirements |
| Other module rule sets | SAP Basis, HR/Payroll, and Plant Maintenance are covered by separate OpenIAM SoD rule sets — available as additional modules |
Why SoD rules matter for Indian manufacturing companies
The Regulatory Context
Under Section 143(3)(i) of the Companies Act 2013, auditors are required to report on whether the company has adequate internal financial controls and whether such controls are operating effectively. For companies of this scale and complexity, this places a direct obligation on management to demonstrate that access controls in SAP are governed in a way that prevents any single individual from executing a complete financial transaction without a second person's involvement.
The Reserve Bank of India's IT governance frameworks and SEBI's internal controls requirements for listed group companies further reinforce this obligation. Auditors — whether from a Big 4 or leading Indian audit firm — test SAP access controls as part of their IFC assessment. SoD violations found during an audit become reportable deficiencies. Material weaknesses can affect the company's financial statements and the auditor's opinion.
The SAP access control challenge
SAP ECC's role-based authorization model is powerful but does not natively prevent SoD violations. Roles are assigned based on job function, and over time — through promotions, temporary access grants, and emergency access that is never revoked — users accumulate role assignments that individually are appropriate but in combination create dangerous conflicts.
In a manufacturing and distribution context, the most common SoD risks arise in three areas:
- Procure-to-pay: a user who can create a vendor in SAP and also approve the payment run creates an opportunity to introduce a fictitious supplier and approve payment to that supplier without any independent check.
- Order-to-cash: a user who can create a customer order and also issue a credit memo can manipulate revenue by issuing unauthorized credits to customers or related parties.
- Financial reporting: a user who can both post and approve journal entries, or who can maintain general ledger master data and post transactions to it, can manipulate the company's financial statements without detection.
An SoD violation found by an auditor is not merely a compliance finding — it requires remediation evidence, a management response in the audit report, and potential re-testing in subsequent audit cycles. For a group company of this profile, an IFC deficiency finding can have implications across the group's consolidated financial reporting. Identifying and remediating violations before the auditor finds them — using OpenIAM's pre-built rule set — is significantly less costly than responding to an audit finding after the fact.
The Rule Set Framework
Every rule in the OpenIAM SoD Accelerator is built to the same six-field standard. This consistency means that the output of every violation scan is formatted as audit evidence — not an IT report that needs to be translated before an auditor can use it.
| Rule field | Purpose and content |
|---|---|
| Rule ID | A unique identifier following the convention [VERTICAL]-[MODULE]-[NNN] — e.g. MFG-FI-001, MFG-MM-001. The ID is the permanent reference used in remediation documentation and audit workpapers. |
| Rule name | Plain language description of the role conflict — e.g. “Create vendor master + Execute payment run”. Written so a finance or audit professional can understand the risk without SAP technical knowledge. |
| Conflict detail | The specific SAP transaction codes (T-codes) on each side of the conflict, with the full SAP transaction name. This is the technical definition that OpenIAM uses to detect the conflict in the live SAP environment. |
| Risk level | Critical, High, or Medium. Critical rules map to conflicts that have appeared in actual IFC audit findings at peer organizations. High rules represent significant financial reporting risk. Medium rules represent best practice controls. |
| Control objective | The internal financial control statement that this rule enforces — expressed in the language of IFC auditing. This is the evidence that management has addressed the control requirement that auditors test. |
| Remediation guidance | The recommended action when a violation is detected: the preferred role split approach, and the compensating control that can be applied where a role split is not operationally feasible. |
Risk level definitions
Critical
A role conflict that could result in financial fraud or a material misstatement. These are the first conflicts IFC auditors test and will be reported as significant deficiencies or material weaknesses if found without compensating controls. All 15 Critical rules must be addressed before the next audit cycle.
High
A role conflict that creates significant financial reporting risk. These are actively tested in IFC audits. Unmitigated High-level violations are typically reported as control deficiencies requiring management response.
Medium
A role conflict that represents best practice SoD control. Medium-level rules may not be tested in every audit cycle but are important for the organization's long-term compliance posture and for demonstrating a comprehensive approach to access governance.
SAP Module Coverage
The Manufacturing Edition rule set covers the six SAP ECC modules that matter most for manufacturing and distribution operations in India. It is one of several purpose-built OpenIAM SoD rule sets — each focused on a specific functional domain. This edition covers Financial Accounting, Sales & Distribution, Materials Management, Production Planning, Controlling, and Quality Management. The module coverage reflects the business processes where SoD violations most commonly arise and where IFC auditors focus their testing.
This is the Manufacturing Edition — purpose-built for the six SAP modules that IFC auditors focus on in manufacturing and distribution environments.
| Coverage | Modules |
|---|---|
| In scope (this edition) | FI (Financial Accounting) • MM (Materials Management) • SD (Sales & Distribution) • PP (Production Planning) • CO (Controlling) • QM (Quality Management) |
| Covered by separate rule sets | SAP Basis (technical administration and privileged access) • HR/Payroll (personnel master data, payroll processing, and time management) • Plant Maintenance / PM (work orders, maintenance planning, and equipment master data) |
When comparing SoD rule set coverage across vendors, ensure the comparison is module-for-module. A vendor quoting 200+ rules across all SAP modules combined is not comparable to this edition. OpenIAM provides dedicated rule sets for Basis, HR/Payroll, and Plant Maintenance — each with the same IFC depth and audit alignment as this edition.
Financial Accounting
General ledger, accounts payable, accounts receivable, and payment processing. The highest-scrutiny module in every IFC audit.
Production Planning
Production orders, bill of materials, and goods confirmation. Covers production cost reporting and work-in-progress valuation.
Materials Management
Procurement, goods receipt, inventory management, and invoice verification. Covers the procure-to-pay cycle.
Controlling
Cost center management, internal orders, and profitability analysis. Protects management accounting integrity.
Sales & Distribution
Customer orders, pricing, billing, and credit management. Covers the order-to-cash cycle.
Quality Management
Inspection lots and usage decisions. Protects quality certifications, inspection records, and product release decisions.
Rule count by module and risk level
| Module | Module name | Risk level | Rules | Key process area |
|---|---|---|---|---|
| FI | Financial Accounting | Critical | 6 | Payment processing, GL integrity |
| FI | Financial Accounting | High | 3 | AP and AR management |
| FI | Financial Accounting | Medium | 1 | Bank master data |
| MM | Materials Management | Critical | 4 | Procure-to-pay cycle |
| MM | Materials Management | High | 4 | Goods receipt, invoice verification |
| MM | Materials Management | Medium | 2 | Inventory adjustments |
| SD | Sales & Distribution | Critical | 3 | Order-to-cash cycle |
| SD | Sales & Distribution | High | 3 | Customer master, pricing |
| SD | Sales & Distribution | Medium | 2 | Returns and credits |
| PP | Production Planning | Critical | 2 | Production order integrity |
| PP | Production Planning | High | 3 | BOM and routing management |
| PP | Production Planning | Medium | 2 | Goods confirmation |
| CO | Controlling | High | 4 | Cost center and internal orders |
| CO | Controlling | Medium | 2 | Profitability analysis |
| QM | Quality Management | High | 3 | Inspection and usage decisions |
| QM | Quality Management | Medium | 1 | Quality notifications |
| Total | All modules | 15 Critical / 20 High / 10 Medium | 45 | |
The 15 Critical Rules - Full Detail
The following 15 rules represent the highest-priority SoD controls for SAP ECC and S/4HANA manufacturing environments in India. Each rule is presented with its complete technical definition and the specific business risk it addresses. These rules are the primary focus of the first OpenIAM violation scan and should be remediated before the next IFC audit cycle.
Financial Accounting (FI) — 6 Critical Rules
Conflict
A user with access to both create or modify vendor master records and execute the automatic payment run can introduce a fictitious or modified vendor and approve payment to that vendor without any independent authorization.
| Field | Detail |
|---|---|
| T-codes | FK01 / FK02 + F110 |
| Auth objects | F_LFA1_BUK + F_LFA1_GRP + F_BKPF_BUK (payment run) |
| Control objective | IFC Control AC-3: No individual should be able to both create the payee and authorize the payment. |
Business risk
Manufacturing companies process significant supplier payment volumes. A user with this conflict could create a fictitious vendor and divert payments. This is the most common procurement fraud vector in SAP environments and the first conflict tested by IFC auditors.
Recommended remediation
Split roles: remove F110 access from users who have FK01/FK02. Compensating control: mandatory dual approval on all payment runs with documented second-person review retained as audit evidence.
Conflict
A user who can both post vendor invoices and approve manual vendor payments can create an invoice for a fictitious or inflated amount and approve its payment without independent review.
| Field | Detail |
|---|---|
| T-codes | FB60 / MIRO + F-53 / F-58 |
| Auth objects | F_BKPF_BUK (posting + payment activity) |
| Control objective | IFC Control AC-3: Invoice posting and payment approval must be performed by different individuals. |
Business risk
AP teams process invoices from hundreds of suppliers. Combining invoice posting with payment approval creates direct fraud exposure and is routinely flagged in IFC assessments.
Recommended remediation
Split roles: separate invoice posting from payment approval. Compensating control: automated three-way match enforcement and monthly independent review of payment postings.
Conflict
A user who can both create and approve their own journal entries can manipulate financial statement balances without any independent review.
| Field | Detail |
|---|---|
| T-codes | FB50 / FB01 + FBS1 / FB08 |
| Auth objects | F_BKPF_BUK + F_BKPF_KOA (create + approve) |
| Control objective | IFC Control AC-4: Journal entry creation and approval must be performed by different individuals. Among the most commonly tested IFC controls. |
Business risk
Month-end close involves significant journal entry volumes for accruals, provisions, and inter-company adjustments. A single user posting and approving their own entries creates direct financial statement manipulation risk — a material weakness if found by auditors.
Recommended remediation
Split roles: implement a formal journal entry approval workflow where preparer and approver are always different individuals. Compensating control: monthly management review of all manually posted entries above a defined materiality threshold.
Conflict
A user who can both maintain general ledger account master data and post transactions to those accounts can create fictitious GL accounts, route transactions through them, and mask financial misstatements.
| Field | Detail |
|---|---|
| T-codes | FS00 / FSP0 + FB50 / FB01 |
| Auth objects | F_SKA1_BUK (maintain) + F_BKPF_BUK (post) |
| Control objective | IFC Control AC-4: GL master data maintenance and transaction posting must be performed by different individuals. |
Business risk
For group companies, the integrity of the chart of accounts is critical for consolidated reporting. Combining master data access with posting access could allow manipulation of account categorizations affecting segment reporting and group consolidation.
Recommended remediation
Split roles: restrict GL master data maintenance to finance administration roles with no posting access. Compensating control: independent quarterly review of all GL master data changes.
Conflict
A user who can create or modify customer master records and also process billing can create a fictitious customer, generate an inflated invoice, and record revenue that does not represent a genuine transaction.
| Field | Detail |
|---|---|
| T-codes | FD01 / FD02 + VF01 / VF04 |
| Auth objects | F_KNA1_BUK (create/change) + V_VBRK_FKA (create) |
| Control objective | IFC Control AC-6: Customer master management and revenue recognition must be performed by different individuals. |
Business risk
Revenue spans product sales, rental, spare parts, and services. Creating fictitious customer records and billing against them is a known revenue manipulation vector.
Recommended remediation
Split roles: restrict customer master creation to a master data team separate from billing. Compensating control: independent approval workflow for new customer creation with supporting documentation requirements.
Conflict
A user who can maintain bank account master data and also initiate bank transfers can redirect payment to a personal or fraudulent bank account and approve the transfer without independent review.
| Field | Detail |
|---|---|
| T-codes | FI12 / FB70 + F-53 / FBZP |
| Auth objects | F_BVTYP (maintain) + F_BKPF_BUK (payment initiation) |
| Control objective | IFC Control AC-3: No individual should be able to both change bank account details and execute payments. |
Business risk
Bank redirection fraud is one of the most financially damaging fraud vectors in SAP environments globally. A single exploited instance could result in a material loss.
Recommended remediation
Split roles: bank master data maintenance restricted to treasury roles with no payment execution access. Compensating control: mandatory dual approval for any bank master data change, with an automated alert to the CFO or finance controller.
Materials Management (MM) — 4 Critical Rules
Conflict
A user who can both create and approve their own purchase orders can commit company funds to unauthorized purchases without independent authorization.
| Field | Detail |
|---|---|
| T-codes | ME21N + ME28 / ME29N |
| Auth objects | M_BEST_BSA (create) + M_BEST_WFB (release) |
| Control objective | IFC Control AC-5: Purchase order creation and approval must be performed by different individuals. |
Business risk
Manufacturing companies procure significant volumes of raw materials, equipment, and services. A user who can create and release their own purchase orders can commit the organization to unauthorized procurement.
Recommended remediation
Split roles: implement a formal PO approval hierarchy where the requisitioner cannot also be the release approver. OpenIAM enforces this at the provisioning level.
Conflict
A user who can both raise a purchase order and confirm its receipt can fictitiously procure goods, confirm receipt, and trigger payment — completing the entire procure-to-pay cycle without independent verification.
| Field | Detail |
|---|---|
| T-codes | ME21N + MIGO (GR type 101) |
| Auth objects | M_BEST_BSA (create) + M_MSEG_BWA (GR activity) |
| Control objective | IFC Control AC-5: Order, receipt, and invoice must be performed by different individuals to prevent fictitious procurement. |
Business risk
For spare parts and consumables at remote locations with limited staffing, combining order creation and GR posting creates significant fictitious procurement risk. Auditors routinely test this conflict.
Recommended remediation
Split roles: PO creators must not have GR posting access. Compensating control: GR postings above a defined value threshold require supervisory review before payment release.
Conflict
A user who can create vendor master records and also raise purchase orders can introduce a fictitious or related-party vendor and direct procurement spend without independent verification.
| Field | Detail |
|---|---|
| T-codes | FK01 / MK01 + ME21N |
| Auth objects | F_LFA1_BUK / LFA1 (create) + M_BEST_BSA (create) |
| Control objective | IFC Control AC-5: Vendor creation and purchase order raising must be performed by different individuals to prevent fictitious vendor fraud. |
Business risk
Manufacturing companies work with large supplier networks. The ability to create a new vendor and immediately raise a PO against it is a direct conflict that enables procurement fraud.
Recommended remediation
Split roles: vendor master creation restricted to a master data function separate from procurement. Compensating control: new vendor creation triggers an independent approval workflow before the vendor can receive purchase orders.
Conflict
A user who can both confirm goods receipt and verify the supplier invoice can approve fictitious or inflated invoices by fabricating the goods receipt confirmation.
| Field | Detail |
|---|---|
| T-codes | MIGO (GR) + MIRO / MIR7 |
| Auth objects | M_MSEG_BWA (GR) + M_RECH_BUK (IV create/verify) |
| Control objective | IFC Control AC-5: GR and invoice verification must be performed by different individuals to ensure the three-way match is independently confirmed. |
Business risk
In workshop operations where parts are received and immediately invoiced, combining GR posting and invoice verification eliminates the independent check the three-way match is designed to provide.
Recommended remediation
Split roles: GR posting and invoice verification must be held by different roles. Compensating control: supervisory countersignature for GR/IV transactions performed by the same user within a defined time window.
Sales & Distribution (SD) — 3 Critical Rules
Conflict
A user who can both create sales orders and issue credit memos can artificially inflate and reverse revenue, create fictitious credit notes, or manipulate customer account balances.
| Field | Detail |
|---|---|
| T-codes | VA01 / VA02 + FB75 / VF01 (credit) |
| Auth objects | V_VBAK_AAT (create) + F_BKPF_BUK (credit memo) |
| Control objective | IFC Control AC-6: Sales order creation and credit memo issuance must be performed by different individuals. |
Business risk
Capital goods sales involve large transaction values. A user with this conflict can manipulate commission calculations, issue unauthorized discounts post-sale, or reverse revenue to meet period-end targets.
Recommended remediation
Split roles: credit memo authority restricted to a credit management function separate from sales. Compensating control: all credit memos above a defined threshold require dual approval with documented justification.
Conflict
A user who can create or modify pricing conditions and process billing can set artificially low prices for related parties and bill at those prices without independent review.
| Field | Detail |
|---|---|
| T-codes | VK11 / VK12 + VF01 / VF04 |
| Auth objects | V_KONH_VKO (create/change) + V_VBRK_FKA (create) |
| Control objective | IFC Control AC-6: Pricing master data and billing execution must be performed by different individuals to prevent deliberate underpricing. |
Business risk
A user with pricing and billing access could manipulate prices below standard rates — a related-party transaction risk specifically addressed by the Companies Act 2013.
Recommended remediation
Split roles: pricing condition maintenance restricted to a pricing administration function separate from billing. All pricing changes should generate an automated notification to the sales manager and finance controller.
Conflict
A user who can both create a customer order and confirm its delivery can record fictitious deliveries, triggering billing and revenue recognition for transactions that never occurred.
| Field | Detail |
|---|---|
| T-codes | VA01 + VL02N / VL01N |
| Auth objects | V_VBAK_AAT (create) + V_LIKP_VST (delivery confirm) |
| Control objective | IFC Control AC-6: Sales order creation and delivery confirmation must be performed by different individuals. |
Business risk
For large equipment deliveries — where a single delivery may represent several crores of revenue — fictitious delivery confirmation creates direct and material revenue overstatement risk.
Recommended remediation
Split roles: delivery confirmation performed by logistics or warehouse operations independent of the sales team. Compensating control: physical delivery documentation must be attached to every delivery confirmation in SAP.
Production Planning (PP) — 2 Critical Rules
Conflict
A user who can modify the bill of materials and also release the production order can substitute lower-quality or unauthorized components in work orders — creating quality control and warranty liability exposure.
| Field | Detail |
|---|---|
| T-codes | CS02 / CS12 + CO02 / CO01 |
| Auth objects | C_STUE_BER (BOM change) + C_AFKO_AWK (release) |
| Control objective | IFC Control AC-8: BOM master data and production order release must be performed by different individuals to prevent unauthorized component substitution. |
Business risk
Unauthorized BOM modifications combined with production order release could result in non-compliant production, warranty claim rejections, and quality accreditation risk.
Recommended remediation
Split roles: BOM maintenance restricted to engineering roles separate from production planning. Compensating control: all BOM changes trigger an approval workflow requiring technical authority sign-off before the change takes effect.
Conflict
A user who can both create and confirm their own production orders can record fictitious labor and material consumption, inflating work-in-progress values and distorting cost accounting.
| Field | Detail |
|---|---|
| T-codes | CO01 + CO11N / CO15 |
| Auth objects | C_AFKO_AWK (create + confirm) |
| Control objective | IFC Control AC-8: Order creation and completion confirmation must be performed by different individuals to ensure cost accuracy. |
Business risk
A planner who creates and confirms their own orders can inflate work-in-progress, distort margin reporting, and misstate costs allocated to specific products or contracts.
Recommended remediation
Split roles: production order creation and confirmation must be held by different roles. Compensating control: confirmations above a defined labor hours or cost threshold require countersignature from the workshop manager.
High and Medium Risk Rules - Summary
The following tables summarize the 20 High and 10 Medium risk rules in the Manufacturing Edition rule set. Full T-code and control objective detail for each rule is available in the OpenIAM platform and in the accompanying technical rule library document.
High Risk Rules (20)
| Rule ID | Rule name | Module | Key process area |
|---|---|---|---|
| MFG-FI-007 | Maintain AP account + Post vendor invoice | FI | Accounts payable master data |
| MFG-FI-008 | Post AR invoice + Apply cash receipts | FI | Accounts receivable |
| MFG-FI-009 | Create fixed asset + Post asset acquisition | FI | Fixed asset management |
| MFG-MM-005 | Create purchase requisition + Convert to PO | MM | Requisition-to-order |
| MFG-MM-006 | Maintain material master + Post inventory | MM | Inventory management |
| MFG-MM-007 | Post goods issue + Process customer return | MM | Returns management |
| MFG-MM-008 | Maintain info record + Create purchase order | MM | Purchasing conditions |
| MFG-SD-004 | Maintain customer credit limit + Release blocked order | SD | Credit management |
| MFG-SD-005 | Create customer master + Maintain credit limit | SD | Customer master data |
| MFG-SD-006 | Create sales order + Approve sales order discount | SD | Discount authorization |
| MFG-PP-003 | Maintain routing + Confirm production operation | PP | Work center management |
| MFG-PP-004 | Maintain work center + Create production order | PP | Resource management |
| MFG-PP-005 | Post goods issue to order + Confirm production | PP | Material consumption |
| MFG-CO-001 | Create cost center + Post to cost center | CO | Cost center management |
| MFG-CO-002 | Create internal order + Post to internal order | CO | Internal order management |
| MFG-CO-003 | Maintain settlement rule + Execute settlement | CO | Order settlement |
| MFG-CO-004 | Maintain cost element + Post primary cost | CO | Cost element management |
| MFG-QM-001 | Create inspection lot + Record inspection results | QM | Quality inspection |
| MFG-QM-002 | Record inspection results + Post usage decision | QM | Quality decision |
| MFG-QM-003 | Create quality notification + Complete notification | QM | Quality notifications |
Medium Risk Rules (10)
| Rule ID | Rule name | Module | Key process area |
|---|---|---|---|
| MFG-FI-010 | Maintain bank account + View bank statement | FI | Treasury — best practice |
| MFG-MM-009 | Conduct physical inventory + Post count difference | MM | Inventory count |
| MFG-MM-010 | Create service entry sheet + Approve service entry | MM | Service procurement |
| MFG-SD-007 | Create returns order + Post goods return receipt | SD | Returns processing |
| MFG-SD-008 | Maintain output condition + Process billing | SD | Output management |
| MFG-PP-006 | Create capacity plan + Confirm production order | PP | Capacity management |
| MFG-PP-007 | Maintain production version + Create production order | PP | Production version |
| MFG-CO-005 | Maintain allocation cycle + Execute allocation | CO | Cost allocation |
| MFG-CO-006 | Maintain planning version + Post actual costs | CO | Plan vs actual |
| MFG-QM-004 | Create sampling procedure + Create inspection lot | QM | Sampling management |
S/4HANA Compatibility & Additional Modules
S/4HANA compatibility
The OpenIAM SoD Accelerator rule set is fully compatible with SAP S/4HANA. When an organization migrates from ECC 6.0 to S/4HANA — whether to on-premise S/4HANA or SAP S/4HANA Cloud Private Edition — the rule set migrates with it without requiring a rebuild. This protects the organization’s compliance investment across the migration.
| Compatibility detail | Explanation |
|---|---|
| T-code continuity | The vast majority of transaction codes in the rule set exist in S/4HANA with identical names and functions. SAP has preserved ECC T-codes for backwards compatibility, and FI, MM, SD, PP, CO, and QM T-codes have particularly high continuity. |
| SAP Fiori equivalent mapping | Where S/4HANA introduces Fiori apps that replace specific T-codes, OpenIAM's S/4HANA connector maps SoD rules to the equivalent Fiori app permissions and authorization objects. The compliance control remains intact regardless of the user interface used to execute the transaction. |
| Authorization object continuity | SAP authorization objects — the underlying technical basis for SoD detection — are highly stable across ECC and S/4HANA. Core financial and logistics authorization objects (F_BKPF_BUK, M_BEST_BSA, V_VBAK_AAT, etc.) are unchanged. |
| Migration path | When you upgrade to S/4HANA, the rule set is updated in OpenIAM to reflect any T-code changes — this is a configuration update, not a rule rebuild. Existing violation history, remediation records, and audit evidence are preserved across the migration. |
Additional SAP module coverage — available as extensions
The following SAP modules are available as rule set extensions beyond the Manufacturing Edition core library. These modules may be relevant to specific operational areas and can be added as separate named extensions based on the organization’s SAP landscape.
| Module | Relevance and available rule coverage |
|---|---|
| SAP PM — Plant Maintenance | Directly relevant to manufacturing maintenance and service operations. PM rules cover work order creation and completion, maintenance plan management, and equipment master data — the technical compliance controls for workshop and field service operations. |
| SAP CS — Customer Service | Relevant to after-sales service and warranty management. CS rules cover service order creation and completion, warranty processing, and service contract management. Particularly important for OEM warranty compliance and service accreditation. |
| SAP EWM — Extended Warehouse Management | Relevant for organizations operating dedicated warehouses with SAP EWM. EWM rules extend MM procure-to-pay SoD coverage into warehouse transfer orders, stock movements, and physical inventory. |
| SAP TM — Transportation Management | Relevant to logistics operations for equipment delivery and spare parts distribution. TM rules cover freight order creation, carrier assignment, and transportation cost settlement. |
| SAP HR / HCM — Human Resources | Relevant for payroll and personnel administration governance. HR rules cover payroll posting, personnel master data management, and the access segregation between HR administration and payroll execution — an area of increasing audit focus for Indian companies. |
| Microsoft Active Directory / Entra ID | Where the SAP access governance program is extended to cover the full IT landscape, OpenIAM governs Microsoft Active Directory and Entra ID using the same platform, connectors, and access certification workflow. Recommended as a follow-on phase once the SAP SoD program is established. |
How OpenIAM Delivers the Rule Set
The OpenIAM SoD Accelerator is not a consulting deliverable or a spreadsheet — it is a product capability that ships with the OpenIAM platform and connects directly to the customer's SAP ECC or S/4HANA environment. This section describes what the experience looks like from the moment OpenIAM is connected to SAP.
| Step | What happens |
|---|---|
| 1 Connect | Connect to SAP ECC — OpenIAM connects to your SAP ECC 6.0 or S/4HANA environment using the native SAP connector. The connector reads role assignments, authorization objects, and user master data — read-only, no changes to SAP during connection. |
| 2 Load | Load the manufacturing rule set — The 45-rule manufacturing SoD rule set is loaded into OpenIAM. Each rule is pre-mapped to the relevant SAP authorization objects and T-codes. No configuration is required for the standard rule set. |
| 3 Scan | Run the first violation scan — OpenIAM analyses the full population of SAP user assignments against all 45 rules. For a typical mid-market environment, the first scan completes within hours of connection. |
| 4 Review | Review the violation report — The report shows every detected conflict: rule ID, rule name, the specific user accounts affected, the conflicting roles, and the risk level. The report is formatted as audit evidence — it maps directly to the IFC control objectives auditors test. |
| 5 Prioritize | Prioritize remediation — Critical violations are highlighted first. For each violation, the report includes the recommended remediation — role split or compensating control — so the IT and compliance team can prioritize and assign remediation actions immediately. |
| 6 Monitor | Ongoing monitoring — After initial remediation, OpenIAM continuously monitors for new SoD conflicts as role assignments change. Any new violation triggers an alert and is added to the audit evidence trail. |
| 7 Certify | Access certification — OpenIAM's access certification module allows the organization to run regular (quarterly or annual) access reviews where business managers certify that their team members' SAP access is appropriate. The SoD rule set is applied during certification — any certifier who approves access that creates a SoD conflict is flagged. |
For organizations where Active Directory is also part of the access governance scope, OpenIAM governs Microsoft Active Directory and Microsoft Entra ID using the same platform that governs SAP — there is no separate tool required.
The recommended approach is to establish the SAP SoD program first, validate the rule set against your SAP environment, and then extend the governance scope to Active Directory in a follow-on phase. This allows the compliance team to demonstrate measurable SAP compliance improvement quickly, and then broaden the program with a proven operational model.
Next steps
Ready to run your first violation scan?
Review the 15 Critical rules
Review the Critical rules above with your SAP team and internal audit to confirm the rule set addresses the control objectives required for your IFC program.
Confirm the SAP ECC connection
OpenIAM's technical team will provide the connector configuration guide and the read-only authorization profile required for your SAP system.
Schedule a demonstration scan
OpenIAM connects to your SAP sandbox or test system, loads the manufacturing rule set, runs the first violation scan, and presents the output in the format your auditors will see.
Questions on specific rules?
For questions on any specific rule, the S/4HANA migration path, or the Active Directory extension, contact the OpenIAM team directly.
Common questions about SAP SoD compliance for Indian manufacturing companies
Segregation of Duties (SoD) in SAP is the principle that no single user should be able to execute a complete financial transaction — from initiation to approval — without a second person's independent involvement. In an SAP environment, SoD violations occur when a user's role assignments allow them to perform two conflicting functions: for example, creating a vendor master record and also approving the payment run, or posting a journal entry and also approving it.
For Indian manufacturing and distribution companies, SoD in SAP is a statutory requirement under Section 143(3)(i) of the Companies Act 2013, which requires auditors to report on whether the company has adequate internal financial controls (IFC) and whether those controls are operating effectively. SAP access controls — including SoD — are among the primary tests conducted by IFC auditors. An SoD violation found during an audit becomes a reportable deficiency, and a material weakness can affect the company's financial statements and the auditor's opinion.
SAP ECC's role-based authorization model is designed to control what a user can do — not to prevent combinations of access that individually are appropriate but together create a conflict. Roles are assigned based on job function, and over time — through promotions, temporary access grants, and emergency access that is never revoked — users accumulate role assignments that create dangerous conflicts SAP itself cannot detect.
SAP's native tooling has no mechanism to flag that a user holds both "create vendor" and "approve payment" access until the conflicting access has already been assigned. Preventing SoD violations requires a dedicated governance layer that continuously analyses role combinations against a library of conflict rules — which is what the OpenIAM SoD Accelerator provides.
In SAP manufacturing and distribution environments, the highest-risk SoD violations cluster around three business processes. In the procure-to-pay cycle, the most dangerous conflict is a user who can both create a vendor master record (FK01/FK02) and execute the automatic payment run (F110) — enabling fictitious vendor fraud without independent authorization. In the order-to-cash cycle, the critical conflict is a user who can both create a customer order (VA01) and issue credit memos — enabling revenue manipulation. In financial reporting, the highest-risk conflict is a user who can both post and approve their own journal entries (FB50/FB01) — enabling direct financial statement manipulation.
These three conflict types are the first tests applied by IFC auditors under the Companies Act 2013 and are the source of the majority of significant deficiency and material weakness findings in mid-market SAP audits in India.
The OpenIAM SoD Accelerator for SAP — Manufacturing Edition is a pre-built library of 45 SoD rules purpose-built for manufacturing and distribution companies running SAP ECC 6.0 or S/4HANA in India. It ships as a product capability — not a consulting deliverable — and is ready to load on day one of an OpenIAM deployment.
The rule set covers six SAP modules: Financial Accounting (FI), Materials Management (MM), Sales & Distribution (SD), Production Planning (PP), Controlling (CO), and Quality Management (QM). Each rule is structured to the same six-field audit standard — Rule ID, Rule name, Conflict detail (with specific T-codes), Risk level, Control objective, and Remediation guidance — so that the output of every violation scan is formatted as audit evidence aligned to the Companies Act 2013 Internal Financial Controls framework.
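The scan, monitoring and certification steps described in the table above, the three high-risk conflict types from the previous answer, and the six-field rule layout can be illustrated with a small rule engine. The following is an added example written for this page, not OpenIAM's code or its rule set: the role names, rule IDs, user IDs, control objective text and the approval transaction `ZJE_APPROVE` are constructed or hypothetical, and only FK01, FK02, F110, FB50, FB01 and VA01 are transaction codes named on the page.

```python
"""Constructed SoD rule engine illustrating the scan / monitor / certify flow.

Sample roles, T-codes per role, rule IDs and users are constructed for this
example; only FK01, FK02, F110, FB50, FB01 and VA01 are T-codes from the page.
ZJE_APPROVE is a hypothetical customer-namespace approval transaction.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Role -> T-codes granted by the role (constructed; a connector would read this
# from the SAP role and authorization data instead of a literal table).
ROLE_TCODES: Dict[str, FrozenSet[str]] = {
    "Z_AP_VENDOR_MASTER": frozenset({"FK01", "FK02"}),  # create/change vendor master
    "Z_AP_PAYMENT_RUN": frozenset({"F110"}),            # automatic payment run
    "Z_FI_GL_POST": frozenset({"FB50", "FB01"}),        # post journal entries
    "Z_FI_GL_APPROVE": frozenset({"ZJE_APPROVE"}),      # hypothetical approval T-code
    "Z_SD_ORDER_ENTRY": frozenset({"VA01"}),            # create sales order
}

RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2}  # sort key: Critical first


@dataclass(frozen=True)
class SodRule:
    """One rule in the six-field audit layout: ID, name, conflict, risk, objective, remediation."""
    rule_id: str
    name: str
    function_a: FrozenSet[str]  # T-codes of the first conflicting function
    function_b: FrozenSet[str]  # T-codes of the second conflicting function
    risk: str
    control_objective: str
    remediation: str


RULES: List[SodRule] = [  # constructed rules; IDs and wording are not the product's
    SodRule("MFG-P2P-01", "Vendor master maintenance vs. payment run",
            frozenset({"FK01", "FK02"}), frozenset({"F110"}), "Critical",
            "Vendor payments are authorised independently of vendor master changes",
            "Role split: remove payment run (F110) from vendor master maintainers"),
    SodRule("MFG-FI-01", "Post vs. approve own journal entries",
            frozenset({"FB50", "FB01"}), frozenset({"ZJE_APPROVE"}), "Critical",
            "Journal entries are approved by someone other than the poster",
            "Role split, or compensating control: independent review of postings"),
]


@dataclass(frozen=True)
class Violation:
    rule_id: str
    rule_name: str
    user: str
    roles_a: Tuple[str, ...]  # roles that supply function A
    roles_b: Tuple[str, ...]  # roles that supply function B
    risk: str
    remediation: str
    status: str  # "Open" or "Mitigated" (documented compensating control)


def evaluate_user(user: str, roles: Set[str], rules: List[SodRule],
                  mitigated: Set[Tuple[str, str]] = frozenset()) -> List[Violation]:
    """Return every rule the user's combined role assignments violate.

    The check runs over the union of all roles the user holds, which is how
    conflicts accumulated across promotions and temporary grants surface.
    """
    found = []
    for rule in rules:
        roles_a = tuple(sorted(r for r in roles if ROLE_TCODES.get(r, frozenset()) & rule.function_a))
        roles_b = tuple(sorted(r for r in roles if ROLE_TCODES.get(r, frozenset()) & rule.function_b))
        if roles_a and roles_b:
            status = "Mitigated" if (user, rule.rule_id) in mitigated else "Open"
            found.append(Violation(rule.rule_id, rule.name, user, roles_a, roles_b,
                                   rule.risk, rule.remediation, status))
    return found


def scan(assignments: Dict[str, Set[str]], rules: List[SodRule],
         mitigated: Set[Tuple[str, str]] = frozenset()) -> List[Violation]:
    """Full-population scan, ordered Critical first (steps 3 to 5 of the table)."""
    violations = [v for u, roles in assignments.items()
                  for v in evaluate_user(u, roles, rules, mitigated)]
    violations.sort(key=lambda v: (RISK_ORDER[v.risk], v.rule_id, v.user))
    return violations


def conflicts_if_granted(roles: Set[str], new_role: str, rules: List[SodRule]) -> List[str]:
    """Preventive check for steps 6 and 7: rule IDs that granting new_role would newly violate."""
    before = {v.rule_id for v in evaluate_user("-", roles, rules)}
    after = {v.rule_id for v in evaluate_user("-", roles | {new_role}, rules)}
    return sorted(after - before)


# Constructed user population (not real SAP user IDs)
ASSIGNMENTS: Dict[str, Set[str]] = {
    "MFGUSER01": {"Z_AP_VENDOR_MASTER", "Z_AP_PAYMENT_RUN"},  # P2P conflict
    "MFGUSER02": {"Z_FI_GL_POST"},                           # clean
    "MFGUSER03": {"Z_SD_ORDER_ENTRY", "Z_AP_PAYMENT_RUN"},    # no rule pairs these
}

if __name__ == "__main__":
    for v in scan(ASSIGNMENTS, RULES):
        print(f"{v.risk:8} {v.rule_id} {v.user} {v.roles_a}+{v.roles_b} [{v.status}] -> {v.remediation}")
    # Certification check: approving Z_FI_GL_APPROVE for MFGUSER02 would create MFG-FI-01
    print(conflicts_if_granted(ASSIGNMENTS["MFGUSER02"], "Z_FI_GL_APPROVE", RULES))
```

Two design points carry over to any real implementation: conflicts are evaluated on the union of a user's roles rather than role by role, since the dangerous combinations are exactly the ones no single role contains; and a documented compensating control changes a violation's status rather than deleting it, so the evidence trail the auditor sees still shows the conflict and how it is mitigated.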
For a typical mid-market SAP ECC 6.0 environment, the first violation scan completes within hours of connection — not days or weeks. The process involves three steps: connecting OpenIAM to the SAP environment using the native read-only SAP connector, loading the pre-built 45-rule manufacturing rule set, and running the scan against the full user population. No rule configuration is required for the standard rule set, and no changes are made to the SAP environment during connection. The connector reads role assignments, authorization objects, and user master data in read-only mode.
Each rule in the Manufacturing Edition is mapped to a specific Internal Financial Controls (IFC) control objective — expressed in the language that IFC auditors use when documenting findings under the Companies Act 2013. The rule set is aligned to ICAI auditing standards and reflects the control requirements that Big 4 and leading Indian audit firms test in SAP IFC assessments.
The rules were curated from ISACA guidance, PCAOB AS 2201, and SAP authorization documentation, and each control objective statement is written so that the output of a violation scan can be handed directly to an auditor as evidence — without requiring an IT-to-audit translation step. The 15 Critical rules specifically map to conflicts that appear most frequently in actual IFC audit findings at peer manufacturing and distribution organisations.
The Manufacturing Edition rule set is fully compatible with both SAP ECC 6.0 and SAP S/4HANA, including on-premise S/4HANA and S/4HANA Cloud Private Edition. SAP has preserved ECC transaction codes in S/4HANA for backwards compatibility, and the core financial and logistics authorization objects used by the rule set (F_BKPF_BUK, M_BEST_BSA, V_VBAK_AAT, and others) are unchanged across both platforms.
Where S/4HANA introduces Fiori apps that replace specific T-codes, OpenIAM's S/4HANA connector maps the SoD rules to the equivalent Fiori app permissions and authorization objects, so the compliance control remains intact regardless of which interface the user employs. When migrating from ECC 6.0 to S/4HANA, the rule set is updated as a configuration change — not a rebuild — and existing violation history and audit evidence are preserved.
Building a complete SoD rule set for a mid-market SAP ECC environment typically takes internal teams 3–4 months — assuming they have both the SAP module expertise to map relevant transaction codes and authorization objects, and the audit framework knowledge to connect each rule to a specific IFC control objective. Most teams have one or the other but not both.
The pre-built Manufacturing Edition rule set eliminates this cold-start entirely. The 45 rules are already mapped to SAP T-codes, authorization objects, and Companies Act 2013 IFC control objectives — ready to load on day one. The practical question is whether the next IFC audit is in this cycle or the next one: building from scratch means the first complete scan happens months from now; loading the pre-built rule set means it happens today.
SAP GRC Access Control governs access within your SAP environment. OpenIAM's SoD Accelerator is designed to work alongside GRC — not replace it — and extends your compliance coverage in two specific ways.
First, GRC does not govern systems outside SAP. Every system beyond the SAP boundary — Microsoft 365, Salesforce, ServiceNow, your SaaS applications — remains ungoverned by GRC. A SOX auditor does not stop at the SAP boundary, and IFC assessments increasingly include access controls across the full IT landscape. OpenIAM governs all connected systems from the same platform.
Second, OpenIAM's pre-built Manufacturing Edition rule set provides 45 IFC-aligned rules specifically structured for Indian manufacturing environments — with T-code level detection, Companies Act 2013 control objective mappings, and audit-formatted violation reports. If your GRC implementation lacks this depth of rule coverage or audit alignment, the SoD Accelerator addresses that gap directly without requiring GRC to be replaced.
The Manufacturing Edition covers the six SAP modules that IFC auditors focus on most in manufacturing and distribution environments: FI, MM, SD, PP, CO, and QM. These 45 rules address the process areas where SoD violations most commonly arise and where audit findings are most frequently issued.
Three additional module areas are covered by separate OpenIAM SoD rule sets, available as extensions: SAP Basis (technical administration and privileged access), HR/Payroll (personnel master data, payroll processing, and time management), and Plant Maintenance/PM (work orders, maintenance planning, and equipment master data). When comparing rule set coverage across vendors, it is important to ensure the comparison is module-for-module — a vendor quoting 200+ rules across all SAP modules combined is not directly comparable to a 45-rule set that covers a specific IFC-focused scope with the same depth and audit alignment.