Excessive access control in SAP R/3
Excessive access control is one of common finding made by IS auditor when auditing SAP R/3 application. This finding is very easy to be found especially if the SAP implementation is quite new.
This is common to be founded since during early implementation, assurance and governance is not a major issue compare to application performance. So after this stage we can see a lot of access given to unauthorized user such as vendor and third party user account.
So its really recommended that every company, who already implemented the SAP to perform Post Implementation Review for the application integrity and access control management.
Do you have any experience about excessive access control in SAP R/3