I'm coming from a background in the SAP S4/ABAP/Netweaver Java Security space where a major part of our provisioning of user access is focused on ensuring a user's access is checked for Segregation of Duties conflicts prior to assigning a new role.
We are going to implement Concur at our company and I'm curious if SAP Concur provides an out of the box 'SoD Matrix' of roles which should not be assigned to an individual. I scoured the User Admin guide and other documentation but I cannot find reference to it (I could be looking in the wrong place, I'm new 🤔).
Is this even something to worry about with Concur roles? I could definitely be going down the wrong path here, but want to pose the question to the experts for guidance.
I am interested to know a bit more about your concerns, which seem a very interesting topic.
From my side I can tell you that within the Concur system there are some automatic segregations of duty, without the need to implement them (e.g. an employee who is an expense approver within the system is not able to approve their own expense reports, or a delegate to an approver is not allowed to approve their own expense); however, there are many others.
I guess it wouldn't be a problem for your organization to contact Concur, as a potential client, to know if they have a specific established matrix, and I wouldn't see a reason for not sharing it. Please let us know the outcome. Thank you.
Thanks for your response Alessandro. One example scenario I can think of would be an Employee Administrator who also has the Expense Cash Advance Administrator role. Would this person be able to create a new employee AND authorize a cash advance for the new employee? I'm quite new to Concur so it is possible this scenario doesn't make sense, but it's things like these that I'm worried about.
Also, during your implementation you will be assigned (if you haven't already been) an implementation project manager from SAP Concur. They can assist with these types of questions and the various roles that should be used.
For fun though, I can tell you that the example you gave about Employee Administrator and Cash Advance Administrator would give the person the ability to create a new user profile and issue a cash advance to that user. 🙂
In the Concur Training pages, there is a Shared: User Administration user guide that describes the functions that can be set, what they control and how they can be limited. It's in the Concur Training Toolkit under the Learn to Administer section. This may help to decide how you would set administration up.