In true Indiana Jones style, implementing Security and GRC can sometimes feel like a quest for the Holy Grail, with more pitfalls than progress.

Lots of content on social media focuses on following a process and a “happy path” approach, which is fine up to a point. However, I’ve not seen much that calls out the biggest pitfalls to avoid if you want to deliver a really effective solution.

Here are just a few tips, from my perspective, to keep you on track.

Keep it simple

Process-based single roles, built from a template and derived with whatever organisational levels you need (company code, plant, sales organisation and so on). Do not try to get clever here: process-based roles (e.g. sales order admin, AP invoicing) that are vertically aligned within a single work stream are the way forward. Don’t try to include purchasing activities in a finance role.

Please, do not try to build a whole job role into a single role; you are heading for disaster (and costly rework).

Segregation of Duties (SoD)

The biggest issue I have seen during turnaround projects is the number of SoD conflicts embedded within single roles – STOP DOING IT!!

Golden Rule – clean, SoD-free single roles. No exceptions to this rule, or you are building a security model on shifting sands. You don’t need GRC for this; you need the business to tell you what their key risks and controls are, and then reflect those requirements in the roles.
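To make the golden rule checkable rather than aspirational, here is an added example (not from the original post) of the kind of check you can run without a GRC tool: the business supplies its key risks as pairs of conflicting functions, every single role is rejected if it grants both halves of any pair, and only once the single roles are clean are the combinations assigned to a user examined. The transaction codes, role names and risk IDs are constructed for illustration; in a real landscape you would export the role-to-transaction or role-to-app assignments from the system and take the conflict pairs from the business risk register.

```python
"""SoD check for single roles and for a user's combined role assignment.

Added example, not from the original post.  All role contents, function
mappings and risk IDs below are constructed for illustration.
"""

from itertools import combinations

# Business functions, each defined by the transactions/apps that grant it.
# The transaction-to-function mapping is an assumption of this example.
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "AP_INVOICE_POST": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
    "SALES_ORDER_CREATE": {"VA01", "VA02"},
    "BILLING": {"VF01"},
    "PURCHASE_ORDER_CREATE": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO"},
}

# Key risks as the business would state them: two functions one person must
# not be able to perform together.  Constructed risk IDs.
RISKS = {
    "P001": ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_POST"),
    "P002": ("AP_INVOICE_POST", "PAYMENT_RUN"),
    "P003": ("PURCHASE_ORDER_CREATE", "GOODS_RECEIPT"),
    "S001": ("SALES_ORDER_CREATE", "BILLING"),
}

# Constructed single roles: clean process roles, plus one "job role" with a
# vendor-master conflict baked in (the pitfall the post describes).
ROLES = {
    "Z_FI_AP_INVOICING": {"FB60", "MIRO", "FBL1N"},
    "Z_FI_AP_CLERK_JOB": {"FB60", "MIRO", "XK01", "XK02", "FBL1N"},
    "Z_FI_PAYMENTS": {"F110", "FBL1N"},
    "Z_SD_ORDER_ADMIN": {"VA01", "VA02", "VA03"},
}


def functions_granted(tcodes):
    """Return the business functions a set of transactions enables."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def sod_conflicts(tcodes):
    """Return the sorted risk IDs violated by one set of transactions."""
    granted = functions_granted(tcodes)
    return sorted(rid for rid, (a, b) in RISKS.items() if a in granted and b in granted)


def check_single_roles(roles):
    """Golden rule: every single role must be SoD-free.

    Returns {role_name: [risk ids]} for the roles that break it; an empty
    dict means the role set is clean.
    """
    return {name: c for name, tcodes in roles.items() if (c := sod_conflicts(tcodes))}


def check_user(role_names, roles):
    """Risks that apply to the union of a user's assigned roles."""
    combined = set().union(*(roles[r] for r in role_names))
    return sod_conflicts(combined)


def conflicting_role_pairs(role_names, roles):
    """For a user's role set, report which pair of roles together trigger a
    risk that neither role carries on its own.  This is what the business
    needs when deciding whether to split the assignment or mitigate."""
    out = {}
    for a, b in combinations(sorted(role_names), 2):
        alone = set(sod_conflicts(roles[a])) | set(sod_conflicts(roles[b]))
        for rid in sod_conflicts(roles[a] | roles[b]):
            if rid not in alone:
                out.setdefault(rid, []).append((a, b))
    return out


if __name__ == "__main__":
    # Step 1: reject any single role with an embedded conflict.
    for role, risks in check_single_roles(ROLES).items():
        print(f"REJECT {role}: embedded SoD risk(s) {risks}")
    # Step 2: two clean roles can still conflict when combined on one user;
    # that is the decision point for splitting the assignment or mitigating.
    user_roles = ["Z_FI_AP_INVOICING", "Z_FI_PAYMENTS"]
    print("user-level conflicts:", check_user(user_roles, ROLES))
    print("caused by role pair:", conflicting_role_pairs(user_roles, ROLES))
```

The order matters: running the user-level check first hides the fact that `Z_FI_AP_CLERK_JOB` can never be assigned to anyone without breaching P001, whereas the two clean AP roles only conflict when one person holds both, which is a business decision rather than a build defect.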

Test your roles
For the sake of all humanity, test your roles properly: confirm that each role lets the process run end to end and grants nothing beyond it. This is one of the biggest areas of failure in most projects. It’s a complete false economy to skip this stage, as all you get is angry, frustrated end users raising issues once the roles are in production.

Number of roles

End users are not bothered whether they have 1 or 20 different roles; they just want to do their job. If you have built the roles properly and have a good UX strategy, the number of roles is irrelevant. The same applies to Fiori groups, spaces, pages, etc. Build a robust security model, don’t put more than 20 to 30 apps in any one group, and train the users to organise their Fiori launchpad to suit their needs. Don’t get hung up on the number of active roles in your landscape.

These are just a few examples of how I see things. I would love to hear what your experiences are and which pitfalls you always try to avoid.

Andrew Noone – Access and Business Controls Lead at Aliter Consulting