Current Situation:
The GLCLIENTADMIN role currently includes access to multiple administrative configuration functions such as Ledger Management, Code Mapping, and Cost Centre Mapping. However, it also grants access to transactional capabilities, which introduces a Segregation of Duties (SoD) conflict.
Issue:
This setup allows technical users responsible for configuration to perform transactions, and conversely, business users who handle transactions can modify configurations. This overlap violates SoD principles and poses a risk to system integrity and compliance.
Proposed Solution:
To mitigate this risk, we should split the GLCLIENTADMIN role into two distinct roles:
Business User Role – Focused solely on transactional access, without any configuration privileges.
Support/Tech Role – Dedicated to configuration tasks, without access to transactional functions.
This separation will ensure clear boundaries between configuration and transaction responsibilities, aligning with SoD best practices.
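A split at role level only holds if no single user is then assigned both new roles. The check below is an added example, not part of the original proposal or the system's own code. The configuration function names come from the text above; the transactional permission names, the two new role identifiers and the user assignments are hypothetical.

```python
# Added example: SoD check over role definitions and user assignments.
# CONFIG names come from the proposal; everything marked hypothetical is
# constructed for illustration.
CONFIG = {"LEDGER_MANAGEMENT", "CODE_MAPPING", "COST_CENTRE_MAPPING"}
TRANSACTION = {"POST_JOURNAL", "APPROVE_JOURNAL"}  # hypothetical names

ROLES_BEFORE = {"GLCLIENTADMIN": CONFIG | TRANSACTION}
ROLES_AFTER = {  # hypothetical identifiers for the two proposed roles
    "GL_BUSINESS_USER": set(TRANSACTION),
    "GL_SUPPORT_TECH": set(CONFIG),
}
ASSIGNMENTS = {  # constructed sample data
    "alice": ["GL_BUSINESS_USER"],
    "bob": ["GL_SUPPORT_TECH"],
    "carol": ["GL_BUSINESS_USER", "GL_SUPPORT_TECH"],
}

def classify(perms):
    """Return the duty categories touched by a set of permissions."""
    unknown = set(perms) - CONFIG - TRANSACTION
    if unknown:
        # Fail closed: an unclassified permission cannot be judged safe.
        raise ValueError(f"unclassified permissions: {sorted(unknown)}")
    cats = set()
    if perms & CONFIG:
        cats.add("config")
    if perms & TRANSACTION:
        cats.add("transaction")
    return cats

def role_conflicts(roles):
    """Roles that on their own combine configuration and transactions."""
    return sorted(r for r, perms in roles.items() if len(classify(perms)) > 1)

def user_conflicts(roles, assignments):
    """Users whose combined roles span both duties (unknown role: KeyError)."""
    found = {}
    for user, names in assignments.items():
        effective = set().union(*(roles[n] for n in names))
        if len(classify(effective)) > 1:
            found[user] = sorted(names)
    return found

if __name__ == "__main__":
    print("before:", role_conflicts(ROLES_BEFORE))
    print("after: ", role_conflicts(ROLES_AFTER))
    print("users: ", user_conflicts(ROLES_AFTER, ASSIGNMENTS))
```

Run against an export of the real role and assignment tables, the user-level check is the one to keep as a recurring control after the split.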