GRC300 SAP BusinessObjects Access Control - Implementation and Configuration
SAP Governance, Risk, and Compliance

Date:
Training Center:
Instructors:
Education Website:

Participant Handbook
Course Version: 84
Course Duration: 5 Day(s)
Material Number: 50093010

An SAP course - use it to learn, reference it for work

Copyright
Copyright © 2010 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks
• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic ServerTM are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer
THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.

About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description
Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation, both internal and external.
Example text: Emphasized words or phrases in body text, titles of graphics, and tables.
EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual keywords of a programming language when surrounded by body text, for example SELECT and INCLUDE.
Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.
Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

2009

Icons in Body Text
The following icons are used in this handbook.
• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation

Contents
Course Overview
  Course Goals
  Course Objectives
Unit 1: Course Overview
  Course Overview
  Business Challenge and Solution
  SAP BusinessObjects Access Control Overview
  SAP BusinessObjects Access Control Authorizations
Unit 2: Risk Analysis and Remediation Overview
  Risk Analysis and Remediation - Verification of Installation and Configuration
  Introduction to the SoD Risk Management Process
  Rule Building and Validation
  Rule Reporting
  Risk Analysis
  Risk Remediation
  Definition of Process-Related Mitigation Controls
  Risk Analysis and Remediation Reporting
  Continuous Compliance
Unit 3: Compliant User Provisioning Overview
  Compliant User Provisioning Installation Verification and Configuration
  Compliant User Provisioning Functionality
  Compliant User Provisioning – Additional Functionality
  Workflow-Based Reviews
  Compliant User Management Life Cycle
Unit 4: Superuser Privilege Management Overview
  Superuser Privilege Management Installation Verification and Configuration
  Superuser Privilege Management Overview
Unit 5: Enterprise Role Management Overview
  Enterprise Role Management Installation Verification and Configuration
  Enterprise Role Management Overview
  Enterprise Role Management Configuration Review
  Enterprise Role Management Workflow Steps
Unit 6: Access Control Integration
  Integration Between Access Control Components
  Compliance Reporting

Course Overview
This course explains how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes. You will learn how to implement SAP BusinessObjects Access Control following best practices from SAP.

Target Audience
This course is intended for the following audiences:
• SAP BusinessObjects Access Control consultants, administrators, and technical users

Course Prerequisites
Required Knowledge
• Previous working knowledge of SAP BusinessObjects Access Control 5.1 or 5.2
• Authorization concepts for SAP ERP systems

Course Goals
This course will prepare you to:
• Understand how SAP BusinessObjects Access Control can be implemented to support the risk and compliance management processes within your organization, and how it works in combination with SAP business processes

Course Objectives
After completing this course, you will be able to:
• Explain the components of SAP BusinessObjects Access Control, and give a brief overview of each
• Explain the post-installation steps for SAP BusinessObjects Access Control
• Explain the new features of SAP BusinessObjects Access Control 5.3
• Show how the different components of SAP BusinessObjects Access Control 5.3 integrate with each other

Unit 1: Course Overview
Unit Overview
This unit gives an overview of SAP BusinessObjects Access Control.
Unit Objectives
After completing this unit, you will be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool

Unit Contents
Lesson: Course Overview
Lesson: Business Challenge and Solution
Lesson: SAP BusinessObjects Access Control Overview
  Exercise 1: SAP BusinessObjects Access Control - Overview
Lesson: SAP BusinessObjects Access Control Authorizations
  Exercise 2: SAP BusinessObjects Access Control – Authorizations

Lesson: Course Overview
Lesson Overview
This course is designed to give a detailed overview of SAP BusinessObjects Access Control. We will cover each of the four components, from post-installation activities to configuration and functionality.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP

Business Example
Management is concerned about compliance because of negative internal audit results, and asks your team to find out how compliance can be ensured with software support. The main issues are authorization rights and the business-process-related risks that result from organizational fragmentation. The software should be able to link business process knowledge with the provisioning of authorization rights. You want to find out whether SAP BusinessObjects Access Control is able to analyze, detect, and remediate risks. Mitigation of unavoidable risks and controlled superuser access should be possible, and continuous compliance is another essential aspect. Consequently, you want to demonstrate how Compliant User Provisioning and Enterprise Role Management can support you in achieving these objectives.

Access and Authorization Management
Figure 1: Access Control Overview - Compliance

Lesson Summary
You should now be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP

Lesson: Business Challenge and Solution
Lesson Overview
This lesson provides an overview of some typical challenges in the area of access and authorization.
Lesson Objectives
After completing this lesson, you will be able to:
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues

Business Example
A special topic in the audit report mentions a high risk in the area of authorization management, because the IT department is responsible for both provisioning and approval at the same time. This leads to a wide range of authorizations, because IT has no overview of the risks concerning the business processes. You want to find out whether it is possible to link the responsibilities of the business lines and IT when access rights are provided.

Access and Authorization Risks
Without proper controls, accidental and intentional activities enabled by excessive access privileges can impact performance and reputation.
• Addressing regulatory mandates with manual activities and fragmented processes increases cost and complexity.
• Complexity makes access and authorization management inefficient. Consequently, risks are not identified and managed in time.
• No proper remediation or mitigation is possible.
• Managers cannot own the responsibility for segregation of duties.

The current access and authorization approach leads to the following consequences:
• IT does not own the responsibility for proper segregation of duties. However, IT cannot pass the responsibility to the business side, because it lacks the collaboration tools and the common language needed to work effectively with the business owners.
• Line-of-business managers own the responsibility for segregation of duties (SoD), but they lack the technical depth to manage user access, so they rely on IT.
• Internal auditors are trying desperately to stay on top of the SoD issue. However, with manually maintained spreadsheets listing the access and authorizations of all employees, contractors, partners, and so on, they can only perform a very limited audit at a very high cost.

Figure 2: Access and Authorization Risks

Access and Authorization Management
Implementation of comprehensive risk-based access and authorization management:
• Overcome fragmented authorization management processes
• Effective and efficient cleanup of SoD conflicts and excessive authorizations
• Prevent future violations via a risk-based approval process for new authorizations within the organization
• Business assumes ownership: Who can access the data in my area? What kind of authorizations do I want to assign? Are all risks properly mitigated? Ensure the mitigation is effective.

Figure 3: Access and Authorization Management

Governance
Corporate governance ensures ethical corporate behavior together with management practices in the creation of wealth for all stakeholders. It spells out the rules and procedures for making decisions about corporate affairs. IT governance helps to ensure the alignment of IT and enterprise objectives, so that IT resources are used responsibly and their risks are properly managed.

Risk Management
Risk management identifies, classifies, documents, and reduces risks to an acceptable level. Risk is the result of three parameters:
• Existence of a threat to a business process
• Likelihood of occurrence
• Impact on the business process

Compliance
Corporate policies represent the corporate philosophy and strategic thinking on a high level. Low-level policies focus on the operational layer. Policies need to be in sync with the overall business strategy and legal requirements. National and international legal requirements include:
• Sarbanes-Oxley Act (U.S.)
• Data Protection Law (Germany)
• J-SOX (Japan)

Figure 4: Access and Authorization Management

Lesson Summary
You should now be able to:
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues

Lesson: SAP BusinessObjects Access Control Overview
Lesson Overview
This lesson provides an overview of the four components that comprise the SAP BusinessObjects Access Control application.

Lesson Objectives
After completing this lesson, you will be able to:
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning

Business Example
Management requires both detective and preventive controls to address currently existing risks. You need to check the different functions of SAP BusinessObjects Access Control to ensure its ability to remove risks from your system and to keep the system clean.

SAP BusinessObjects Access Control Suite Components
The SAP BusinessObjects Access Control application is a suite of four components that work together to provide a comprehensive, integrated, risk-based access and authorization management solution. These components are:
• Risk Analysis and Remediation (RAR)
• Compliant User Provisioning (CUP)
• Superuser Privilege Management (SPM)
• Enterprise Role Management (ERM)

The figure below shows a high-level overview of the relationships between the various components.
Figure 5: SAP GRC Access Control Components

As of SAP BusinessObjects Access Control 5.3, there is one integrated launch pad for all four Access Control capabilities. There is a single URL for the capabilities instead of four different URLs.

Figure 6: SAP BusinessObjects Access Control Launch Pad

Note: The integrated launch pad supports single sign-on as provided by SAP NetWeaver Application Server, such as UME, Windows, SAP Logon ticket, X.509, Siteminder, and Netegrity. Access requests and password reset requests continue to be initiated via the Compliant User Provisioning URL. Administrators and other Access Control users, such as role owners, can use either the single launch pad or the Compliant User Provisioning URL.

Risk Analysis and Remediation: The Foundation
The Risk Analysis and Remediation (RAR) component is a fully automated security audit and segregation of duties (SoD) analysis tool designed to identify, analyze, and resolve all SoD and audit issues related to regulatory compliance. It includes an expandable starter set of rules. Risks are defined in terms of functions: a risk is a combination of conflicting functions, a function groups the actions and permissions needed to perform a task, and each function is associated with a business process. Risk Analysis and Remediation produces SoD analysis reports (both summary and detail) for selected users, user groups, roles, and profiles. It also produces reports on critical actions, critical permissions, and critical roles and profiles.

Risk Analysis and Remediation provides comprehensive risk management functionality and powerful, easy-to-use functionality to document risk mitigation controls. The SoD rule set created in this business scenario is used as the basis for all SoD analysis by the Access Control components.

Figure 7: Risk Analysis and Remediation

Compliant User Provisioning: The Workflow Engine
The Compliant User Provisioning (CUP) component provides a new approach to provisioning that allows administrators of enterprise systems to automate the process, to manage the various types of business risks, and to reduce the workload for IT staff. It is the workflow engine for all of the SAP BusinessObjects Access Control components. With its configurable workflow capabilities, Compliant User Provisioning automates and expedites user provisioning throughout an employee's life cycle. By integrating with the Risk Analysis and Remediation SoD rules, Compliant User Provisioning prevents SoD violations and helps to ensure corporate accountability and compliance with the Sarbanes-Oxley Act and other laws and regulations.

Figure 8: Compliant User Provisioning Overview

Enterprise Role Management: Centralizing Role Documentation
The Enterprise Role Management (ERM) component automates role definition and the management of roles. This capability enables preferred practices to ensure that role definition, development, testing, and maintenance are consistent across the entire enterprise, resulting in lower ongoing maintenance and painless knowledge transfer. It provides SAP security administrators, role designers, and role owners with a simplified means of documenting and maintaining important role information for better role management.

Figure 9: Enterprise Role Management Overview

Superuser Privilege Management: Monitoring the Firefighter
The Superuser Privilege Management (SPM) component tracks, monitors, and logs the activities that are performed by a superuser with a privileged user ID. In emergencies or extraordinary situations, Superuser Privilege Management enables users to perform activities outside their role under superuser-like privileges in a controlled, auditable environment.

Figure 10: Superuser Privilege Management Overview

Integration Points in SAP BusinessObjects Access Control
The components of SAP BusinessObjects Access Control work together to provide seamless integration for maintaining compliance in your ERP landscape. Although Risk Terminator is configured only in SAP ABAP systems, it also works with Risk Analysis and Remediation to provide another tool to manage SoD violations as they occur during role development and user provisioning.

Figure 11: SAP BusinessObjects Access Control Integration Points

By using the workflow engine from Compliant User Provisioning, approval for changes to roles can be initiated from Enterprise Role Management through Web services provided as part of SAP BusinessObjects Access Control. Role information that is uploaded into Compliant User Provisioning can be synchronized with the roles and the attendant role details in Enterprise Role Management.

Figure 12: Compliant User Provisioning and Enterprise Role Management Integration

Compliant User Provisioning uses the SoD rules configured in Risk Analysis and Remediation to provide user analysis functionality at the time of user provisioning. Risk Analysis and Remediation can use the Compliant User Provisioning workflow functions for approval processes and change management of the mitigation controls around business risks that are configured in Risk Analysis and Remediation.
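The Superuser Privilege Management description above (a shared privileged ID handed to a named person for a limited time, with a mandatory reason, every activity logged and reviewed afterwards) as working code. This is an added example written for this page, not SAP code: the firefighter ID FF_FI_01, the users, the reason text, the transaction codes and the list of critical transactions are all constructed assumptions.

```python
"""Break-glass (firefighter) control model: time-bound privileged access that
must be justified, is logged per activity under the named user, and is
reviewed afterwards. Added example; not SAP code. All IDs are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumption: transactions the controller flags for explicit review.
CRITICAL_TCODES = {"SU01", "PFCG", "SE16", "SM30"}


@dataclass
class FirefighterSession:
    ff_id: str                 # shared privileged ID, e.g. FF_FI_01 (constructed)
    user: str                  # named person accountable for the session
    reason: str
    start: datetime
    validity: timedelta
    activities: List[Tuple[datetime, str]] = field(default_factory=list)
    ended: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        return self.ended is None and now < self.start + self.validity


class SuperuserControl:
    def __init__(self, owners: Dict[str, Set[str]]):
        self.owners = owners          # ff_id -> users the owner has assigned to it
        self.sessions: List[FirefighterSession] = []

    def check_out(self, ff_id, user, reason, now, validity=timedelta(hours=2)):
        """Hand the firefighter ID to a named user for a limited time."""
        if user not in self.owners.get(ff_id, set()):
            raise PermissionError(f"{user} is not assigned to {ff_id}")
        if not reason.strip():
            raise ValueError("a reason is mandatory for superuser access")
        if any(s.ff_id == ff_id and s.active_at(now) for s in self.sessions):
            raise RuntimeError(f"{ff_id} is already checked out")
        session = FirefighterSession(ff_id, user, reason, now, validity)
        self.sessions.append(session)
        return session

    def record(self, session, tcode, now):
        """Log an executed transaction; refuse once expired or checked in."""
        if not session.active_at(now):
            raise RuntimeError("session is not active; activity refused")
        session.activities.append((now, tcode))

    def check_in(self, session, now):
        session.ended = now

    def review_report(self, ff_id):
        """Controller view: who did what with the shared ID, critical steps flagged."""
        rows = []
        for s in self.sessions:
            if s.ff_id != ff_id:
                continue
            for ts, tcode in s.activities:
                rows.append({"user": s.user, "reason": s.reason,
                             "time": ts.isoformat(timespec="minutes"),
                             "tcode": tcode, "critical": tcode in CRITICAL_TCODES})
        return rows


def run_scenario():
    """Constructed walk-through; returns what each control decided."""
    t0 = datetime(2010, 5, 3, 9, 0)
    ctl = SuperuserControl({"FF_FI_01": {"jdoe"}})
    s = ctl.check_out("FF_FI_01", "jdoe", "Month-end: unblock payment run", t0)
    ctl.record(s, "F110", t0 + timedelta(minutes=5))
    ctl.record(s, "SU01", t0 + timedelta(minutes=20))
    out = {}
    try:                                      # second checkout of the same ID
        ctl.check_out("FF_FI_01", "jdoe", "again", t0 + timedelta(minutes=30))
        out["double_checkout_blocked"] = False
    except RuntimeError:
        out["double_checkout_blocked"] = True
    try:                                      # user not assigned by the ID owner
        ctl.check_out("FF_FI_01", "mallory", "curious", t0 + timedelta(hours=3))
        out["unassigned_blocked"] = False
    except PermissionError:
        out["unassigned_blocked"] = True
    try:                                      # activity after the validity window
        ctl.record(s, "SE16", t0 + timedelta(hours=3))
        out["expired_blocked"] = False
    except RuntimeError:
        out["expired_blocked"] = True
    ctl.check_in(s, t0 + timedelta(hours=3))
    out["report"] = ctl.review_report("FF_FI_01")
    return out
```

The point of the model is that accountability stays with the named person even though the ID is shared: the log and the review report carry the user and the reason, not just the firefighter ID, and the controls refuse a second concurrent checkout, an unassigned user, and activity outside the validity window.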
Figure 13: Compliant User Provisioning and Risk Analysis and Remediation Integration

Running risk analysis in Enterprise Role Management during role development uses the SoD rules configured in Risk Analysis and Remediation.

Figure 14: Risk Analysis and Remediation and Enterprise Role Management Integration

When configured in an SAP ABAP system, Risk Terminator uses the SoD rules from Risk Analysis and Remediation during maintenance of roles (PFCG) and users (SU01) to analyze for risk violations.

Figure 15: Risk Analysis and Remediation and Risk Terminator Integration

Just as with Risk Terminator, Superuser Privilege Management is configured in an SAP ABAP system. Superuser Privilege Management also uses the Risk Analysis and Remediation rules to analyze superuser activity for SoD violations and critical actions, based on its monitoring of superuser access.

Figure 16: Superuser Privilege Management and Risk Analysis and Remediation Integration

SAP BusinessObjects Access Control has a central repository for access-based and authorization-based risks and controls. This repository:
• Provides risk analysis for every process that can be covered by the solution
• Supports the creation and assignment of a mitigation control out of an approval workflow via the mitigation service
• Supports the role maintenance life cycle in Enterprise Role Management by using an event-driven, multilevel approval process

Figure 17: Management Takes Responsibility for Compliance
Figure 18: SAP BusinessObjects Access Control: Solution Integration
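The rule model this lesson describes for Risk Analysis and Remediation (actions grouped into functions, a risk as a pair of conflicting functions, analysis per user or per role, critical actions reported on their own, mitigation controls assigned to a risk) and the preventive use of the same rules by Compliant User Provisioning at request time and by Risk Terminator during PFCG/SU01 maintenance, as one worked example. This is code added for this page, not SAP's own engine: the functions, risk IDs, roles and transaction codes are constructed and far smaller than a real rule set, which is maintained in Rule Architect.

```python
"""Minimal SoD rule engine in the shape the lesson describes.
analyze_user() is the detective check RAR reports on; simulate() is the
preventive check CUP / Risk Terminator run before a role is assigned.
Added example, not SAP code; all rule, role and user data is constructed."""

# Function -> actions (transaction codes) that perform the task. Constructed.
FUNCTIONS = {
    "AP01_VendorMaster":   {"XK01", "XK02", "FK01", "FK02"},
    "AP02_VendorPayments": {"F110", "F-53"},
    "AP03_VendorInvoices": {"FB60", "MIRO"},
    "BS01_UserMaint":      {"SU01", "PFCG"},
}
# Risk -> (conflicting functions, description). Constructed.
RISKS = {
    "P001": ({"AP01_VendorMaster", "AP02_VendorPayments"},
             "Maintain a fictitious vendor and pay it"),
    "P002": ({"AP03_VendorInvoices", "AP02_VendorPayments"},
             "Enter an invoice and release its payment"),
}
# Single actions that are reported as critical on their own. Constructed.
CRITICAL_ACTIONS = {"SU01", "PFCG"}
# Role -> actions it grants. Constructed.
ROLES = {
    "Z_AP_CLERK":    {"FB60", "MIRO", "XK02"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
}


def effective_actions(roles):
    """Union of everything the assigned roles allow."""
    return set().union(*(ROLES[r] for r in roles))


def functions_of(actions):
    """A function is 'available' if any one of its actions can be executed."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}


def analyze(actions):
    """Detective check on a set of actions: SoD violations and critical actions."""
    funcs = functions_of(actions)
    violations = {}
    for rid, (conflict, _desc) in RISKS.items():
        if conflict <= funcs:
            # Report, per conflicting function, the actions that cause it,
            # so the remediation step knows what to remove.
            violations[rid] = {f: sorted(FUNCTIONS[f] & actions) for f in conflict}
    critical = sorted(CRITICAL_ACTIONS & actions)
    return violations, critical


def analyze_user(user_roles, mitigated=frozenset()):
    """User-level report; risks with an assigned mitigation control stay
    visible but are separated from the unmitigated ones."""
    violations, critical = analyze(effective_actions(user_roles))
    unmitigated = {r: v for r, v in violations.items() if r not in mitigated}
    return {"violations": violations, "unmitigated": unmitigated, "critical": critical}


def analyze_role(role):
    """Role-level check as run during role development."""
    return analyze(ROLES[role])


def simulate(user_roles, new_role):
    """Preventive check: which risks would assigning new_role introduce?"""
    before, _ = analyze(effective_actions(user_roles))
    after, _ = analyze(effective_actions(set(user_roles) | {new_role}))
    return sorted(set(after) - set(before))
```

Two things the small model makes visible: a role can be clean on its own (analyze_role of Z_AP_PAYMENTS reports nothing) and still create violations in combination with what the user already holds, which is why the preventive check simulates the request against the user's existing access; and a mitigated risk is still a violation in the report, only flagged as controlled.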
Exercise 1: SAP BusinessObjects Access Control - Overview
Exercise Objectives
After completing this exercise, you will be able to:
• Use the launch pad to access the different functionalities within SAP BusinessObjects Access Control
• Navigate between the different tabs within all applications in SAP BusinessObjects Access Control

Business Example
To evaluate changes in the most recent version of SAP BusinessObjects Access Control compared to the older versions, you must log on and familiarize yourself with the launch pad and some elementary functionalities.

Task: Log on to the application and familiarize yourself with the launch pad, access the four components, and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on to the system.
2. Review the launch pad links to the various components.
3. Review the Risk Analysis and Remediation component.
4. Review the Compliant User Provisioning component.
5. Review the Enterprise Role Management component.
6. Review the Superuser Privilege Management component.
7. Exit the application.

Solution 1: SAP BusinessObjects Access Control - Overview
Task: Log on to the application and familiarize yourself with the launch pad, access the four components, and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on to the system.
   a) Enter the SAP BusinessObjects Access Control training system URL (provided by your instructor) into a browser window and choose Go.
   b) Log on to the system with the user ID GRC300-xx (xx is your user number, provided by the instructor) and password.
2. Review the launch pad links to the various components.
   a) Notice that all the links are activated. If the user does not have access to a specific component, does it still show?
3. Review the Risk Analysis and Remediation component.
   a) Choose Risk Analysis and Remediation. Click on each of the visible tabs: Informer, Rule Architect, Mitigation, Alert Monitor, CCADstatus, BJstatus, and Configuration.
4. Review the Compliant User Provisioning component.
   a) Choose Compliant User Provisioning. Click on each of the visible tabs: My Work, Informer, and Configuration.
5. Review the Enterprise Role Management component.
   a) Choose Enterprise Role Management. Click on each of the visible tabs: Role Management, Informer, and Configuration.
6. Review the Superuser Privilege Management component.
   a) Choose Superuser Privilege Management. Click on each of the visible tabs: Reports and Configuration.
7. Exit the application.
   a) Exit the application by closing all browser windows or by choosing Log off.

Lesson Summary
You should now be able to:
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning

Lesson: SAP BusinessObjects Access Control Authorizations
Lesson Overview
This lesson explains the authorization concept of SAP BusinessObjects Access Control in the user management engine (UME).
Lesson Objectives After completing this lesson, you will be able to: • • • List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control Explain the UME role concept Access and use the UME administration tool Business Example You are asked to evaluate the Java-based authorization concept within SAP BusinessObjects Access Control to ensure the correct technical implementation of roles and responsibilities and to be prepared for future audits. User Management Engine The user management engine (UME) is where users are assigned roles for the different SAP BusinessObjects Access Control products. During the installation of the SAP BusinessObjects Access Control products, the roles.txt file is imported. This generates the necessary roles for Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management. 28 © 2010 SAP AG. All rights reserved. 2009 GRC300 Lesson: SAP BusinessObjects Access Control Authorizations Figure 19: User Management Engine Import Screen After the roles text file is imported, you can choose the Identity Management button in the UME and begin creating users or assigning roles to users. Caution: When creating users, you should verify with your Basis team if the user data source has been set to UME, ABAP, or LDAP. If the user source is not UME, you will not be able to create the users in the UME. Figure 20: User Management Engine 2009 © 2010 SAP AG. All rights reserved. 29 Unit 1: Course Overview GRC300 Once in the UME, you can search for roles or users in the system. The concept of roles in the UME is based on actions. Actions are assigned to roles within the UME, and this makes up a role in the UME. The following roles are delivered with SAP BusinessObjects Access Control: • Compliant User Provisioning is comprised of three roles: AEAdmin, AESecurity, and AEApprover. All of these roles are made up of different actions. 
  – Some of the actions delivered with Compliant User Provisioning include ViewAccessEnforcer, AE.ModifyBackgroundJobsConfiguration, and AE.ModifyChangeLogConfiguration.
• Risk Analysis and Remediation is comprised of four roles: VIRSA_CC_Administrator, VIRSA_CC_Report, VIRSA_CC_Security_Admin, and VIRSA_CC_Business_Owner.
  – Some of the actions delivered with Risk Analysis and Remediation are com.virsa.cc.CreateRuleSet, com.virsa.cc.ChangeRuleSet, and com.virsa.cc.DeleteRuleSet.
• Enterprise Role Management is comprised of six roles: RE Admin, REBusinessuser, RERoleDesigner, RESecurity, RESuperuser, and REConfigurator.
  – Some of the actions delivered with Enterprise Role Management are ViewConfiguration, RE.ViewRoleExpert, and RE.ViewRoleLibrary.
• Superuser Privilege Management is made up of one SAP role: FF_Admin. This is the administrator role and should only be used by the administrator. You can create additional roles by assigning some of the following actions: ViewreportsTab, ViewReaffirms, and SODReport.

All of these roles are standard SAP-delivered roles. If you want to replicate or modify the roles, work on a copy so that the integrity of the SAP-delivered roles is maintained.

Figure 21: SAP BusinessObjects Access Control Roles in UME

Exercise 2: SAP BusinessObjects Access Control – Authorizations

Exercise Objectives
After completing this exercise, you will be able to:
• Explain the authorizations and rules used in the Java-based parts of SAP BusinessObjects Access Control
• Explain how to access and use UME administration

Business Example
An internal auditor is part of your SAP BusinessObjects Access Control team.
He is only interested in running reports and viewing authorizations. You need to create a user for him in the UME.

Task: Use the UME to create users, create roles, and assign them to users.
1. Log on to the UME using your user ID, GRC300-##.
2. Create the user and the role for the auditor in UME. Use the ID AUDIT-## and create and assign the reporting role CC.ReportingView.## to the user. Test the logon by logging on to Risk Analysis and Remediation.

Solution 2: SAP BusinessObjects Access Control – Authorizations

Task: Use the UME to create users, create roles, and assign them to users.
1. Log on to the UME using your user ID, GRC300-##.
   a) Open a browser and enter http://servername:5<instance number>00, then choose User Management Engine.
2. Create the user and the role for the auditor in UME. Use the ID AUDIT-## and create and assign the reporting role CC.ReportingView.## to the user. Test the logon by logging on to Risk Analysis and Remediation.
   a) Choose Create user and enter the following information:
      Field Name         Value
      Logon ID           AUDIT-##
      Define Password    audit##
      Confirm Password   audit##
      Last Name          Bazemore
      First Name         Molly
      Language           English
   b) Choose Save.
   c) Create the role CC.ReportingView.##.
   d) Enter the following information:
      Field Name    Value
      Unique Name   CC.ReportingView.##
      Description   Role for Internal Auditors
   e) Choose Save.
   f) Choose Modify.
   g) Add the following five actions from the service/application com.virsa.cc and then save the role.
      UME   com.virsa.cc   RunAuditReports
      UME   com.virsa.cc   RunRiskAnalysis
      UME   com.virsa.cc   RunSecurityReport
      UME   com.virsa.cc   ViewInformer
      UME   com.virsa.cc   ViewMgmtReport
   h) Assign AUDIT-## to role CC.ReportingView.## and test the new user.
   i) Search for the user AUDIT-## in the UME.
      Select and modify AUDIT-## by assigning role CC.ReportingView.##.
   j) Log off from UME.
   k) Open a browser and enter http://servername:5<instance number>00/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator.
   l) Enter the following data:
      Field Name   Value
      User ID      AUDIT-##
      Password     audit##
   m) Enter and confirm a new password.

What is the difference between GRC300-## and user AUDIT-##?
AUDIT-## can only see the Informer, CCADstatus, and BJstatus tabs, while GRC300-## can see all of the other tabs.

Lesson Summary
You should now be able to:
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool

Unit Summary
You should now be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool
Unit 2: Risk Analysis and Remediation Overview

Unit Overview
As a business expert, you are responsible for organizing and supporting the risk-recognition and rule-building phases of the project in order to identify, classify, and document potential risks to your organization's processes. Furthermore, it is your task to evaluate the change management controls within the new solution. This unit discusses the post-installation steps of setting up Risk Analysis and Remediation, as well as business uses of this component.

Unit Objectives
After completing this unit, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risks, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided
• View or locate function change history
• View or locate risk change history
• Compare rule sets
• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP
• Explain how mitigation controls can support you in reducing access risks in your landscape
• Describe the difference between preventative and detective controls, and implement mitigation controls in SAP BusinessObjects Access Control
• Define alerting as a powerful detective control
• Locate and view the Action Usage by Users report
• Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access Control
• List additional possibilities for continuous compliance

Unit Contents
Lesson: Risk Analysis and Remediation - Verification of Installation and Configuration ... 44
Lesson: Introduction to the SoD Risk Management Process ... 48
Lesson: Rule Building and Validation ... 53
  Exercise 3: Rule Building and Validation ... 59
Lesson: Rule Reporting ... 64
  Exercise 4: Rule-Set-Relevant Reporting ... 69
Lesson: Risk Analysis ... 73
  Exercise 5: Perform a Risk Analysis ... 79
Lesson: Risk Remediation ... 84
  Exercise 6: Risk Remediation ... 91
Lesson: Definition of Process-Related Mitigation Controls ... 98
  Exercise 7: Definition of Risk-Related Mitigation Controls ... 105
Lesson: Risk Analysis and Remediation Reporting ... 113
  Exercise 8: Remediation-Relevant Reporting ... 115
Lesson: Continuous Compliance ... 119

Lesson: Risk Analysis and Remediation - Verification of Installation and Configuration

Lesson Overview
In this lesson, you will learn how to verify the installation and configuration of Risk Analysis and Remediation.

Lesson Objectives
After completing this lesson, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production

Business Example
To set up a project plan for the implementation of SAP BusinessObjects Access Control Risk Analysis and Remediation, you need to familiarize yourself with the effort required for setup.

After Technical Installation
When implementing Risk Analysis and Remediation, several items must be configured for the system to work properly. The following is a list of items that must be checked.
Figure 22: Background Job Daemon Verification

Figure 23: UME - Verification of Imported Role

Steps to Verify Installation
• Confirm that the Internet Graphics Server (IGS) is running. Go to http://servername:40080/; this location tells you whether the IGS is running. If you see a message that says SAP IGS is running, this confirms it has been configured properly.
• Confirm that the job daemon is running. To verify that it is running, go to http://servername:port/sap/CCBgStatus.jsp and to http://servername:port/sap/CCADStatus.jsp. If you experience issues with the job daemon, you will need to verify that lines 105, 106, and 107 are inserted in the table virsa_cc_config. Use the debugger at http://servername:50000/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger for this.
• Verify that the roles have been imported to the UME. It is important to make sure that the roles text file was imported during the installation of Risk Analysis and Remediation. Do this by going to the User Management Engine (UME).
• Ensure that the Real Time Agents (RTA) have been installed, using transaction code SPAM.
• Ensure that the SAP Java Connectors (JCo) have been activated. Two JCos are required for Risk Analysis and Remediation: one for metadata and one for model. To check them, choose Webdynpro → Administrator Content → Maintain JCo Connectors.

Caution: During installation of the RTAs, use transaction SPAM to identify whether any HR components are installed on that system. If there are any HR components, you will need to install the HR RTA. If this is not done, the risk analysis will not complete when you attempt to run it from Risk Analysis and Remediation.
Lesson Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production

Lesson: Introduction to the SoD Risk Management Process

Lesson Overview
This lesson reviews the SoD risk management process.

Lesson Objectives
After completing this lesson, you will be able to:
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase

Business Example
As a business expert, you are responsible for guiding the other project team members through the segregation of duties risk management process to clean up your system. Consequently, you need to familiarize yourself with the process steps.

Risk Management Phase Approach
SAP has developed a three-phase approach to risk management. By applying this method, it is possible to implement a process for segregation of duties (SoD) risk management.

Figure 24: SoD Risk Management Process

The process begins with risk definition, rule building, and validation.

Risk Recognition
In the risk recognition phase, identify authorization risks and approve exceptions. Clarify and classify each risk as high, medium, or low. Identify new risks and conditions for monitoring in the future.
Rule Building and Validation
In the rule building and validation process, reference best-practice rules for your environment. Validate rules, customize rules, then test. Verify against test user and role cases.

Analysis
During analysis, run analytical reports. Estimate cleanup efforts. Analyze roles and users. Modify rules based on analysis. Set alerts to distinguish executed risks.

Remediation
In the remediation process, determine alternatives for eliminating risks. Present analysis and select corrective actions. Document approval of corrective actions. Modify or create roles or user assignments.

Mitigation
During mitigation, determine alternative controls to mitigate risk. Educate management about conflict approval and monitoring. Document a process to monitor mitigation controls. Implement controls.

Continuous Compliance
In continuous compliance, communicate changes in roles and user assignments. Simulate changes to roles and users. Implement alerts to monitor for selected risks and mitigating control testing.

Roles and Responsibilities
During the SoD risk management process, a number of roles need to be involved if you are to have a successful remediation plan.

Figure 25: Roles and Responsibilities

In defining the roles and responsibilities, think about the individuals in your company who meet some of these responsibilities.

Business Process Owner
During the risk management process, you will need to identify process owners in areas such as finance, sales, purchasing, and materials management, depending on where the SoD risks are located. Involving the business process owners from the beginning of the project is important because they will understand the impact of the risks after the rules have been defined.
Senior Officers
One of the main reasons senior officers should be involved is to approve or reject risks between areas and approve mitigating controls. By having senior officers involved, you maintain focus on the identified risks and how those risks affect the company financially.

Security Administrators and Technical Liaisons
Security administrators and technical liaisons assume responsibility for the application from a maintenance point of view. They grant access to users, troubleshoot problems, and can remediate SoD conflicts at role level.

Auditors and Regulators
Internal audit can assist in running a risk analysis on a regular basis. They can provide guidance to other team members as to which risks are true conflicts and what might be considered a false positive.

SoD Rule Keeper
The rule keeper is involved in making necessary configuration changes to rules. The rule keeper can also maintain mitigating controls for control owners and be a liaison between Basis and the SAP GRC team.

Caution: When setting up your rule set, make sure that you consider critical actions that will also need to be maintained in the rule set.

Lesson Summary
You should now be able to:
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase

Lesson: Rule Building and Validation

Lesson Overview
This lesson explains the terminology related to risks within SAP BusinessObjects Access Control Risk Analysis and Remediation.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risks, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided

Business Example
As a business process expert, you are responsible for implementing the identified risks inside SAP BusinessObjects Access Control. Your organization decides to build a new rule set from scratch, using the standard rule set delivered from SAP as a template.

Rule Building and Validation
After risk recognition, the second part of phase one is rule building and validation.

Figure 26: Rule Building and Validation

Key Terminology
Business Process: The business area categories in which you would like to report risk analysis results in Risk Analysis and Remediation
Function: A grouping of one or more related actions or permissions for a specific business area
Risk: An opportunity for physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a specific condition; functions are the main components of risks
Action: An activity that is performed in the system in order to fulfill a specific function, for example, Create Purchase Order or Create Material Master Record
Permission: Authorizations that allow a user to perform a particular activity in a system
System: A system in which risk analysis is performed, for example, SAP ERP, Oracle, SAP CRM, PeopleSoft, or Hyperion

Figure 27: Rule Structure

Rule Building

Figure 28: Main Components of the Rule-Building Process
Figure 29: Functions

Figure 30: Risks

Organizational Rules
The organizational rule functionality eliminates false positives based on organizational-level restrictions. Use this functionality for exception-based reporting only.

Companies should perform an analysis prior to implementation to ensure their situation warrants the use of organizational rules, and should not institute organizational rules until the remediation phase of their project. Only after identifying a possible organizational rule scenario should you create the organizational rules.

Using organizational rules to group users into reports by organizational levels in order to distribute SoD reports to various management levels is not recommended. Rather, use the organization-level rules exclusively for exception-based reporting to remove false-positive conflicts that result from organization-level segregation. Because of the sizable performance impact that organization-level rules can have, use them only in those situations in which the company has made a conscious decision to segregate via organization levels.

Delivered Rule Set from SAP
The SAP-delivered rule set provides a list of SoD risks that have been accumulated from best practices, clients, and SAP's own experience. You should review these rules to determine if they are applicable to your clients. They are a recommendation only.

The delivered rule set includes rules for:
• ERP
  – Basis
  – Finance
  – HR / Payroll
  – MM / PP / QM
  – Order-to-cash
  – Procure-to-pay
• SRM / EBP
• CRM
• Consolidation
• APO
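The rule-building concepts of this lesson (functions grouping single actions, a risk as a conflict between functions, rule generation, and an organizational rule that suppresses false positives), as an added Python model that is not SAP's code. Transaction codes XK01 and ME21N are the ones used in this unit; ME22N, the users, the company codes and the rule and risk IDs are constructed sample data.

```python
# Added example, not SAP code: a small model of Risk Analysis and Remediation
# rule building and user-level risk analysis. A function groups single
# actions (transaction codes), a risk is a conflict between functions,
# "generating rules" expands the risk into one action rule per combination of
# conflicting actions, and the analysis fires a rule when a user holds every
# action in it. An organizational rule on company code removes the false
# positives the lesson describes. Users, company codes and ME22N are
# constructed sample data; XK01 and ME21N are the actions used in this unit.
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Function:
    """Grouping of related actions for one business process."""
    func_id: str
    business_process: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class Risk:
    """A risk is a conflict between two or more functions."""
    risk_id: str
    risk_level: str
    functions: Tuple[Function, ...]
    status: str = "Enable"


@dataclass(frozen=True)
class Assignment:
    """One action a user can execute, restricted to one company code.
    company_code None means unrestricted (BUKRS = '*')."""
    action: str
    company_code: Optional[str] = None


Rule = Tuple[str, Tuple[str, ...]]   # (risk_id, actions that together violate it)


def generate_rules(risk: Risk) -> List[Rule]:
    """Expand a risk into action rules, one per combination of one action
    from each conflicting function (the 'Generate rules' step)."""
    if risk.status != "Enable":
        return []
    combos = product(*(sorted(f.actions) for f in risk.functions))
    return [(risk.risk_id, combo) for combo in combos]


def build_rule_set(risks: List[Risk]) -> List[Rule]:
    return [rule for risk in risks for rule in generate_rules(risk)]


def analyze_user(assignments: List[Assignment], rules: List[Rule],
                 org_rule_risks: FrozenSet[str] = frozenset()) -> List[Rule]:
    """Return the rules a user violates. For risks in org_rule_risks an
    organizational rule applies: the rule only fires if the user can execute
    all of its actions in at least one common company code (an unrestricted
    assignment counts for every company code)."""
    scopes: Dict[str, set] = {}
    for a in assignments:
        scopes.setdefault(a.action, set()).add(a.company_code)
    violations = []
    for risk_id, actions in rules:
        if not all(act in scopes for act in actions):
            continue                        # at least one action is missing
        if risk_id in org_rule_risks:
            common = None                   # None: no restriction seen yet
            for act in actions:
                if None in scopes[act]:
                    continue                # unrestricted, does not narrow
                common = scopes[act] if common is None else common & scopes[act]
            if common is not None and not common:
                continue                    # segregated by company code
        violations.append((risk_id, actions))
    return violations


def run_analysis(users, rules, org_rule_risks=frozenset()):
    """User-level analysis over a whole user population."""
    return {user: analyze_user(assigned, rules, org_rule_risks)
            for user, assigned in users.items()}


# --- Constructed sample rule set shaped like the exercise in this unit ---
FUNC1 = Function("Func1_XX", "PP<XX>", frozenset({"XK01"}))            # create vendor
FUNC2 = Function("Func2_XX", "PP<XX>", frozenset({"ME21N", "ME22N"}))  # create/change PO
RISK = Risk("XX01", "Medium", (FUNC1, FUNC2))
RULE_SET = build_rule_set([RISK])           # expands to two action rules

USERS = {
    "MOLLY": [Assignment("XK01", "1000"), Assignment("ME21N", "1000")],  # true conflict
    "PAT":   [Assignment("XK01", "1000"), Assignment("ME21N", "2000")],  # segregated
    "ADMIN": [Assignment("XK01"), Assignment("ME22N", "2000")],          # XK01 in all codes
}

if __name__ == "__main__":
    for user, found in run_analysis(USERS, RULE_SET).items():
        print(user, "without organizational rule:", found)
    for user, found in run_analysis(USERS, RULE_SET, frozenset({"XX01"})).items():
        print(user, "with organizational rule:", found)
```

Without the organizational rule all three users violate risk XX01; with it, PAT's conflict is dropped because the two actions never meet in one company code, while ADMIN's unrestricted XK01 still conflicts.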
Exercise 3: Rule Building and Validation

Exercise Objectives
After completing this exercise, you will be able to:
• Implement the identified issues from the Risk Recognition Workshop in your own rule set
• Create critical functions inside SAP BusinessObjects Access Control
• Create and describe risks resulting from the critical or conflicting functions

Business Example
As a business process expert, you are responsible for implementing the identified risks inside SAP GRC Access Control. Your organization decided to build a new rule set from scratch, using the standard rule set delivered from SAP as a template only.

Task: Create and generate your own rule set.
1. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create a new rule set. Expand Rule Sets in the left menu pane and click Create.
2. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create your own business process for purchase-to-pay. Expand Business Processes in the left menu pane and click Create.
3. Create a function with the following information.
   Function ID        Func1_XX (where XX is your group number)
   Description        Func1_XX
   Business Process   <XX> Procure to Pay
   Analysis Scope     Single
   Actions            XK01
4. Create a function with the following information.
   Function ID        Func2_XX (where XX is your group number)
   Description        Func2_XX
   Business Process   <XX> Procure to Pay
   Analysis Scope     Single
   Actions            ME21N
5. Create a risk with the two functions from above and the following information.
   Risk ID            <XX>NN (where XX is your group number and NN is free to be changed)
   Description        Risk_XX
   Risk Type          Segregation of Duties
   Risk Level         Medium
   Business Process   PP<XX>
   Status             Enable
6. Generate rules for the risk you just created.

Solution 3: Rule Building and Validation

Task: Create and generate your own rule set.
1. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create a new rule set. Expand Rule Sets in the left menu pane and click Create.
   a) Enter the information from the table below. Replace XX with your group number.
      Rule Set ID    RS<XX>
      Description    <XX> rule set
2. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create your own business process for purchase-to-pay. Expand Business Processes in the left menu pane and click Create.
   a) Enter the information from the table below. Replace XX with your group number.
      Business Process ID   PP<XX>
      Description           <XX> Procure to Pay
3. Create a function with the following information.
   Function ID        Func1_XX (where XX is your group number)
   Description        Func1_XX
   Business Process   <XX> Procure to Pay
   Analysis Scope     Single
   Actions            XK01
4. Create a function with the following information.
   Function ID        Func2_XX (where XX is your group number)
   Description        Func2_XX
   Business Process   <XX> Procure to Pay
   Analysis Scope     Single
   Actions            ME21N
5. Create a risk with the two functions from above and the following information.
   Risk ID            <XX>NN (where XX is your group number and NN is free to be changed)
   Description        Risk_XX
   Risk Type          Segregation of Duties
   Risk Level         Medium
   Business Process   PP<XX>
   Status             Enable
   a) Add your two functions as the two conflicting functions.
   b) Select the rule set that you created, Rule set XX.
6. Generate rules for the risk you just created.
Lesson Summary
You should now be able to:
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risks, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided

Lesson: Rule Reporting

Lesson Overview
This lesson discusses reporting within the risk library.

Lesson Objectives
After completing this lesson, you will be able to:
• View or locate function change history
• View or locate risk change history
• Compare rule sets

Business Example
Audit demands lists of recent changes to the rule set in order to check whether the implemented change management process is effective. Only approved changes are actually to be implemented in SAP BusinessObjects Access Control.

Change History
Choose Change History to view the changed-functions log for functions and the risk history in the change log for risks. Viewing the logs permits managers and administrators to determine which functions and risks were changed and who changed them. Whether or not you will have the ability to see the logs is determined during configuration.

Figure 31: Function Change History

Function Change History
To view change log information for functions, choose Rule Architect → Change History → Functions. In the displayed Functions-Change History Results screen, select your settings and choose Execute to run a search and view the change log results.
The Functions Change History Results log includes:
• Changed On: the date and time
• Changed By: the user ID
• Function (ID)
• Change Type: either Insert Function or Delete Function
• System
• Action
• Item
• Value
• Status

Figure 32: Risk Change History

Risk Change History
To view change log information for risks, choose Rule Architect → Change History → Risks. In the displayed Risks-Change History Results screen, select your settings and choose Execute to run a search and view the change log results.

The Risks Change History Results log includes:
• Changed On: the date and time
• Changed By: the user ID
• Risk ID
• Change Type: either Insert or Delete
• Field
• Old Value
• New Value

Comparing Rule Sets
This report compares the contents of two rule sets and displays the results.

Figure 33: Rule Set Comparison

The rule sets can be compared in two ways:
• A comparison of just the risks in the designated rule sets
• A comparison of risks and actions/permissions

To perform a comparison of rule sets, choose Rule Architect → Rule Sets → Compare. A comparison of risks is always performed, and these results are displayed initially. The Summary button on the risk comparison screen drills down to an action rule comparison. The Detail button in the action rule comparison drills down to a permission rule comparison.
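The three-level comparison described above (risks first, then the action rule drill-down, then the permission rule drill-down), as an added Python example that is not SAP's code. The two rule sets, their risk IDs and the authorization objects in the permission rules are constructed sample data shaped like the exercise that follows (a delivered global set against a project set).

```python
# Added example, not SAP code: compare two rule sets the way the Rule
# Architect comparison report does, at three drill-down levels. A rule set is
# modelled as {risk_id: {action_rule: set(permission_rules)}}, where an action
# rule is a tuple of transaction codes and a permission rule is a tuple
# (tcode, authorization object, field, value). All IDs and values below are
# constructed sample data.

def compare_rule_sets(left, right):
    """Risks are always compared; the action-rule and permission-rule levels
    are only reported for risks (and action rules) present in both sets."""
    result = {
        "risks_only_left":  sorted(set(left) - set(right)),
        "risks_only_right": sorted(set(right) - set(left)),
        "action_rules":     {},    # Summary drill-down, keyed by risk
        "permission_rules": {},    # Detail drill-down, keyed by (risk, action rule)
    }
    for risk in sorted(set(left) & set(right)):
        l_actions, r_actions = left[risk], right[risk]
        only_l = sorted(set(l_actions) - set(r_actions))
        only_r = sorted(set(r_actions) - set(l_actions))
        if only_l or only_r:
            result["action_rules"][risk] = {"only_left": only_l, "only_right": only_r}
        for rule in sorted(set(l_actions) & set(r_actions)):
            perm_l = l_actions[rule] - r_actions[rule]
            perm_r = r_actions[rule] - l_actions[rule]
            if perm_l or perm_r:
                result["permission_rules"][(risk, rule)] = {
                    "only_left": sorted(perm_l), "only_right": sorted(perm_r)}
    return result


def is_identical(result):
    """True when the two rule sets agree at every level."""
    return not any(result[key] for key in result)


# Constructed sample data: a delivered global rule set and a project rule set
# that copied risk P001 but dropped one action rule and changed a permission.
GLOBAL = {
    "P001": {
        ("XK01", "ME21N"): {("XK01", "F_LFA1_APP", "ACTVT", "01"),
                            ("ME21N", "M_BEST_BSA", "ACTVT", "01")},
        ("XK01", "ME22N"): {("XK01", "F_LFA1_APP", "ACTVT", "01"),
                            ("ME22N", "M_BEST_BSA", "ACTVT", "02")},
    },
    "P002": {("FB60", "F110"): set()},
}
RSXX = {
    "P001": {
        ("XK01", "ME21N"): {("XK01", "F_LFA1_APP", "ACTVT", "01"),
                            ("ME21N", "M_BEST_BSA", "ACTVT", "02")},
    },
    "XX01": {("XK01", "ME21N"): set()},
}

COMPARISON = compare_rule_sets(GLOBAL, RSXX)

if __name__ == "__main__":
    for level, findings in COMPARISON.items():
        print(level, findings)
```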
Exercise 4: Rule-Set-Relevant Reporting

Exercise Objectives
After completing this exercise, you will be able to:
• Execute and interpret the Function Change History and Risk Change History reports
• Use the rule set comparison

Business Example
As the owner of the rule set, you are responsible for reviewing changes to ensure the integrity and proper documentation of access-relevant risks in SAP BusinessObjects Access Control.

Task 1: Demonstrate the Function Change History report.
1. Demonstrate the Function Change History report.

Task 2: Demonstrate the Risk Change History report.
1. Demonstrate the Risk Change History report.

Task 3: Demonstrate the Rule Set Comparison report.
1. Demonstrate the Rule Set Comparison report.

Solution 4: Rule-Set-Relevant Reporting

Task 1: Demonstrate the Function Change History report.
1. Demonstrate the Function Change History report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Change History → Functions.
   c) In the Function ID field, enter the function that you created in the Rule Building and Validation exercise (Func1_XX).
   d) Choose Execute.
   e) Look at the changes that are identified on the results screen.

Task 2: Demonstrate the Risk Change History report.
1. Demonstrate the Risk Change History report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Change History → Risks.
   c) In the Risk ID field, enter the risk that you created in the Rule Building and Validation exercise (<XX>NN).
   d) Choose Execute.
   e) Look at the changes that are identified on the results screen.

Task 3: Demonstrate the Rule Set Comparison report.
2009 Demonstrate the Rule Set Comparison report. a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad. b) Choose Rule Architect → Rule Set → Compare. c) Compare the Global rule set to the rule set you created in the “Rule Building and Validation” exercise (<XX> RuleSet). d) Select Actions and Permissions. Note that Risks are automatically selected. e) Look at the results that are identified on the Results screen. Switch between the Actions and Permission reports. © 2010 SAP AG. All rights reserved. 71 Unit 2: Risk Analysis and Remediation Overview GRC300 Lesson Summary You should now be able to: • View or locate function change history • View or locate risk change history • Compare rule sets 72 © 2010 SAP AG. All rights reserved. 2009 GRC300 Lesson: Risk Analysis Lesson: Risk Analysis Lesson Overview This lesson will give you an overview of the management reports in the RAR Informer tab in SAP BusinessObjects Access Control. Lesson Objectives After completing this lesson, you will be able to: • • • • • • Define the relevant management views Run a risk analysis at role level Run a risk analysis at user level List the relevant report types Explain the use of different report formats Schedule a risk analysis as a background job Business Example As leading risk management expert, you need to improve the process of checking the current risk situation in the system, and estimate the required cleanup effort inside your organization. SoD Risk Management Process Phase Two: Analysis The purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risks by: • • Performing a security analysis to confirm risks for: – Simple roles – Composite roles – Users Reviewing the role to determine how certain personnel might be restricted from performing undesired activities by checking: – – – 2009 Objects Fields Values © 2010 SAP AG. All rights reserved. 
Figure 34: Analysis Phase of the SoD Risk Management Process

Management View

The Management view in the Informer tab of Risk Analysis and Remediation provides a compact overview of risk violations grouped by time, severity, and business process.

Figure 35: Management View - Risk Violations

Management View: Reports

Start from the overview level and concentrate on the details afterward.
• SoD Violations report
  – Displays a pie chart and a bar chart to represent current and past violations in the system landscape
  – Supports two different views: violations by risk level and violations by process
• User Analysis report
  – Risks by user resulting from SoD conflicts
  – Risks by user resulting from critical actions and roles
• Role Analysis report

Provides an overview of the remediation progress:
• Comparisons report
  – Choose quarterly or monthly comparisons of user, role, and profile violations
  – Check remediation progress and percent completion
• Alerts report
  – Provides an accumulated view of conflicting action alerts per business process
• Rules Library report
• Controls Library report

Figure 36: Reports in the Management View

Risk Analysis

Analyze risks based on users, roles, HR objects, and other factors:
• Specify the parameters of the analysis
  – Cross-system analysis is possible
  – Specific roles or users can be selected for risk analysis
  – Restrict by business process or risk level if required
Figure 37: Analyzing a Risk

Report Types

Depending on the required analysis, select:
• Action Level
  – Performs SoD analysis only at action level
• Permission Level
  – Performs SoD analysis at action and permission levels
• Critical Actions
  – Analyzes users having access to one critical function (actions and permissions)
• Critical Permissions
  – Analyzes users having access to one critical function (permissions only)
• Critical Roles/Profiles
  – Analyzes users having access to critical roles or profiles
• Assignment of Mitigation Controls

Report Formats

Depending on the required level of detail, choose:
• Executive Summary report
  – Provides a description of the risks and a count of the number of rules that are causing the conflict
• Management Summary report
  – Displays the users causing the conflicts, but no actions
• Summary report
  – Displays the users or roles and the action conflicts involved
• Detail report
  – Provides the highest level of detail, including transactions

Note: It is possible to change the report format after a risk analysis is completed.

Scheduling a Background Job

Large background jobs should be scheduled to run overnight:
• Type in a descriptive name.
• Decide whether to run the job immediately or whether it should be delayed.
• Schedule periodically if required.
• Only the scheduler and the administrator should be able to see the result of the job (check UME actions).
Exercise 5: Perform a Risk Analysis

Exercise Objectives
After completing this exercise, you will be able to:
• Run a risk analysis against a business user using the recently designed rule set containing the risk identified in the Risk Recognition Workshop
• Schedule a risk analysis job to check conflicts inside a composite role

Business Example
You want to use the Risk Analysis and Remediation capabilities of SAP BusinessObjects Access Control to improve the process of checking the current risk situation in the system and to estimate the required cleanup efforts.

Task 1: User Risk Analysis report
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks of your business user, GRCBIZZ-xx.
2. Use the icons in the result screen of the risk analysis to toggle the different report formats.

Task 2: Role risk analysis
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks inside the composite role GRC300-CR_PURCHASE_TO_PAY-<XX>.
2. Check the result of your background job analysis, toggle to the report format Detail Report, and download the result to a Microsoft Excel file.

Result
Congratulations! Now you can use the result of your analysis for further discussions with the role and authorizations team within your company.

Solution 5: Perform a Risk Analysis

Task 1: User Risk Analysis report
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks of your business user, GRCBIZZ-xx.
a) Log on to SAP BusinessObjects Access Control and perform a risk analysis at user level.
Hint: Replace xx with your group number.
b) Enter the following information.
User: GRCBIZZ-xx
Rule Set: Global
Report Type: Permission Level
Report Format: Executive Summary
c) Choose Execute.
How many high or critical rated risks came up for your user?
2. Use the icons in the result screen of the risk analysis to toggle the different report formats.
a) Display the Management Summary report: Review the business risks identified by the report.
Display the Summary report: Review the risk description and the transaction combinations of the first three risks.
Display the Detail report: Review the roles identified by the report that cause SoD conflicts within the user's account.

Task 2: Role risk analysis
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks inside the composite role GRC300-CR_PURCHASE_TO_PAY-<XX>.
a) Log on to SAP BusinessObjects Access Control and schedule a risk analysis background job at role level.
Hint: Replace xx with your group number.
b) Enter the following information.
Role: GRC300-CR_PURCHASE_TO_PAY-<xx>
Rule Set: Global
Report Type: Permission Level
Report Format: Summary
c) Choose Background.
d) Enter Job Name: “xx” Risk Analysis GRC300PURCHASE_TO_PAY
e) Choose Immediate Start.
f) Choose Schedule.
What is the ID of the job you scheduled?
Hint: Check the message at the bottom of the screen.
2. Check the result of your background job analysis, toggle to the report format Detail Report, and download the result to a Microsoft Excel file.
a) Select the Informer tab and choose Background Job → Search from the right menu panel.
b) Specify the Job ID from exercise 5 and choose Search.
c) In the next screen, choose the Result icon and toggle to the various report formats.
d) Choose the Export icon and save the result as an Excel file.

Result
Congratulations! Now you can use the result of your analysis for further discussions with the role and authorizations team within your company.
Lesson Summary
You should now be able to:
• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job

Lesson: Risk Remediation

Lesson Overview
This lesson describes a remediation strategy using Risk Analysis and Remediation in SAP BusinessObjects Access Control.

Lesson Objectives
After completing this lesson, you will be able to:
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP

Business Example
To reach an important milestone in your organization’s SoD management project, you need to restructure access rights in the SAP back-end system. The simulation functionality of SAP BusinessObjects Access Control makes it easy to verify the appropriate role and authorization concept.

SoD Risk Management Process Phase Two: Risk Remediation

The purpose of the remediation phase is to determine alternatives for eliminating issues in roles. The recommended approach is to resolve issues in the following order:
1. Single roles
   • Simplest place to start
   • Prevents SoD violations from being reintroduced
2. Composite roles
3. Users

A remediation plan should be documented by the security administrators. Business process owners should be involved in its development and approve the plan.

Figure 38: Remediation Phase of SoD Risk Management Process

Remediation Strategy
• Analyze report results to determine the extent of remediation efforts.
• Discuss potential remediation methodologies to address identified security violations.
• Use a simulation to estimate remediation efforts.
• Perform walkthroughs of the remediation strategies using live examples.

Note: Use the Management View or Risk Analysis reports for analysis. Use a simulation to perform a “what if” analysis on the assignment or removal of user actions.

Simulation

Simulation takes place in the Risk Analysis screen:
• Decide whether to add or remove a value:
  – To add, choose Exclude = No.
  – To remove, choose Exclude = Yes.
• Decide which objects should be included in the simulation:
  – Add or remove an action.
  – Add or remove a role.
  – Add or remove a profile.
• Specify the values for simulation.

Start Small and Work Big

A customer can often become overwhelmed at the beginning of a remediation project. The best strategy is to start small and work big.

Figure 39: Start Small and Work Big!

Reality check:
• Most customers are only focused on one question: “How many users have SoD violations?”
• Focusing on fixing SoD violations at user level makes the process much more complex than it should be.
• First, have a look at the roles:
  – Using and tailoring authorization objects and values helps define specific access privileges and avoid risks
  – Reporting and simulation help to find the correct authorization settings to remediate risks

Make sure the rule set matches business and audit requirements:
• The SAP GRC technology foundation provides a standard rule set out of the box with SAP BusinessObjects Access Control:
  – Rule Architect allows you to create, change, and enhance the rule set to match customer-specific business, policy, and system requirements.
  – Adapt the rule set to the customer’s business processes to avoid false positives.
Perform risk analysis against single roles:
• Identify SoD violations within the smallest building blocks of a customer’s security structure:
  – If one role has three SoD violations, and 3,000 users have that role assigned to them, it translates into 9,000 violations!
  – Prioritize risks as critical, high, medium, or low, and report specifically on those levels that matter most to your organization.
• Identify issues that can be resolved quickly and significantly reduce SoD violations:
  – Unused transactions or change activity in display-only roles

Focus on composite roles after single roles are clean:
• Perform risk analysis against composite roles.
• Restructure the role concept using the information from the simulation.
  – Remove access for functionalities that are not used within your organization.
  – Clean up SoD violations caused by multiple roles coming together under a composite role by using the simulation functionality.
• Re-run risk analysis at role level.

Analyze access rights for individual users:
• Perform risk analysis against users after all single roles and composite roles have been remediated.
• Target specific functionality and business areas that contain the most critical areas of risk, such as purchase-to-pay, financial accounting, and so on.
• Adapt role assignments at user master record level to avoid risks caused by SoD conflicts.
• Re-run risk analysis at user level.

Remediation

Remediation means correcting or eliminating SoD violations.
1. Is this SoD violation caused by an incorrect rule? If so, modify the rule to resolve the false positive.
2. Can access be removed from the role or user?
3. Address the SoD violation by using alternatives:
   • SAP workflow
   • User exits
   • Configuration modifications
   • Business process change
4. Check if superuser privilege management is possible.

Note: If the SoD violation is not resolved in steps 1 to 4, mitigation is required.
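The report types (action level versus permission level), the Exclude = Yes role simulation and the single-role multiplier from the passages above, worked through as an added Python example; this is not code from the handbook or from SAP. The rule set, roles, users, transaction codes and authorization values are constructed for illustration (group 00 stands in for ##) and do not reproduce the delivered Global rule set.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of RAR rule-set and role data (not SAP's schema).
@dataclass(frozen=True)
class Function:
    id: str
    actions: frozenset      # transaction codes that perform the activity
    permissions: frozenset  # (auth object, field, value) the activity needs

@dataclass(frozen=True)
class Risk:
    id: str
    level: str              # Critical / High / Medium / Low
    functions: tuple        # all of these must be held for the risk to apply

@dataclass(frozen=True)
class SingleRole:
    actions: frozenset
    permissions: frozenset

# Constructed rule set: codes and values are illustrative, not the Global rule set.
FUNCTIONS = {
    "AP01": Function("AP01", frozenset({"FK02", "XK02"}),
                     frozenset({("F_LFA1_APP", "ACTVT", "02")})),  # maintain vendor master
    "AP02": Function("AP02", frozenset({"F110"}),
                     frozenset({("F_REGU_BUK", "FBTCH", "21")})),  # execute payment run
    "AP03": Function("AP03", frozenset({"FB60"}),
                     frozenset({("F_BKPF_BUK", "ACTVT", "01")})),  # post vendor invoice
}
RULESET = [
    Risk("P001", "High", ("AP01", "AP02")),    # vendor maintenance + payment run
    Risk("P002", "Medium", ("AP03", "AP02")),  # invoice entry + payment run
]

# Constructed roles and users; the composite mirrors the exercise for group 00.
SINGLE_ROLES = {
    "GRC300-VENDOR_MAINT": SingleRole(frozenset({"FK02"}),
                                      frozenset({("F_LFA1_APP", "ACTVT", "02")})),
    "GRC300-PAYMENT_RUN": SingleRole(frozenset({"F110"}),
                                     frozenset({("F_REGU_BUK", "FBTCH", "21")})),
    # display-only role: has the FB60 transaction but only ACTVT 03 (display)
    "GRC300-INVOICE_DISPLAY": SingleRole(frozenset({"FB60"}),
                                         frozenset({("F_BKPF_BUK", "ACTVT", "03")})),
}
COMPOSITE_ROLES = {
    "GRC300-CR_PURCHASE_TO_PAY-00": ["GRC300-VENDOR_MAINT", "GRC300-PAYMENT_RUN",
                                     "GRC300-INVOICE_DISPLAY"],
}
USERS = {
    "GRCBIZZ-00": ["GRC300-CR_PURCHASE_TO_PAY-00"],
    "GRCBIZZ-01": ["GRC300-CR_PURCHASE_TO_PAY-00"],
    "GRCBIZZ-02": ["GRC300-INVOICE_DISPLAY"],
}

def expand(role_ids, exclude=frozenset()):
    """Union of actions and permissions granted by the roles. Composite roles are
    expanded to their single roles; roles in `exclude` are dropped (Exclude = Yes)."""
    actions, perms = set(), set()
    for rid in role_ids:
        if rid in exclude:
            continue
        if rid in COMPOSITE_ROLES:
            a, p = expand(COMPOSITE_ROLES[rid], exclude)
        else:
            a, p = SINGLE_ROLES[rid].actions, SINGLE_ROLES[rid].permissions
        actions |= a
        perms |= p
    return actions, perms

def held(func, actions, perms, level):
    """Action level: any action of the function is enough. Permission level: the
    authorization values the function needs must be present as well."""
    if not func.actions & actions:
        return False
    return level == "action" or func.permissions <= perms

def analyze(role_ids, level="permission", exclude=frozenset()):
    """Sorted risk IDs violated by the combined access of `role_ids`."""
    actions, perms = expand(role_ids, exclude)
    return sorted(r.id for r in RULESET
                  if all(held(FUNCTIONS[f], actions, perms, level) for f in r.functions))

def simulate_removal(composite, single, level="permission"):
    """'What if' run: violations before and after excluding one single role."""
    return analyze([composite], level), analyze([composite], level, exclude={single})

def user_analysis(level="permission"):
    """User-level analysis: each user's access is the union of all assigned roles."""
    return {user: analyze(roles, level) for user, roles in USERS.items()}

def user_violation_count(role_id, level="permission"):
    """Role violations multiplied by the users holding the role: the effect behind
    'three violations in one role x 3,000 users = 9,000 violations'."""
    assigned = sum(1 for roles in USERS.values() if role_id in roles)
    return len(analyze([role_id], level)) * assigned

if __name__ == "__main__":
    cr = "GRC300-CR_PURCHASE_TO_PAY-00"
    print("action level:    ", analyze([cr], "action"))                    # ['P001', 'P002']
    print("permission level:", analyze([cr]))                              # ['P001']
    print("simulation:      ", simulate_removal(cr, "GRC300-PAYMENT_RUN"))  # (['P001'], [])
    print("users:           ", user_analysis())
    print("user violations: ", user_violation_count(cr))                   # 2
```

At action level the display-only invoice role produces the P002 false positive that the text warns about; at permission level it disappears because ACTVT 01 is missing, and excluding GRC300-PAYMENT_RUN clears the composite role entirely.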
Run Simulations and Split Responsibilities
1. Use the simulation functionality in SAP BusinessObjects Access Control to identify possible ways to remediate risks.
2. Log on to SAP and redesign your business user’s role assignments to ensure that any possible SoD violation is solved.

Exercise 6: Risk Remediation

Exercise Objectives
After completing this exercise, you will be able to:
• Use the simulation functionality inside SAP BusinessObjects Access Control to identify possible ways to remediate risks
• Redesign the role assignments of your business user to ensure that the possible SoD violation is solved

Business Example
To reach a big milestone in your organization's SoD management project, you need to restructure the access rights in the SAP back-end system. The simulation function of SAP BusinessObjects Access Control plays an important role in this work by verifying the building blocks of the role and authorization concept.

Task 1: In the previous risk analysis exercise you identified the composite role GRC300-CR_PURCHASE_TO_PAY-## as the main source of risk for user GRCBIZZ-##. To resolve the SoD risks for all users who are assigned to this role, use the most efficient method of remediation at role level. Perform a role analysis on a composite role.
1. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis at role level to assess the current risk situation.
Hint: Replace xx with your group number.

Task 2: Perform a role analysis on a single role.
1. Log on to SAP BusinessObjects Access Control and perform a simulation at role level. Simulate the removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-##.
Compare the results with the first part of this exercise.

Task 3: Removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-## will automatically remediate the risk for all users assigned to this composite role. As a consequence, the risk situation in the system can be improved significantly.
1. Log on to the SAP back-end system with the user GRC300-## and adapt the role in the Profile Generator.
2. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis at user level.

Result
The removal of the single role for the payment run from the composite role was performed, and the total number of risks for your business user GRCBIZZ-## has decreased. The real-time capabilities of SAP BusinessObjects Access Control allow you to check the results of your work immediately.

Solution 6: Risk Remediation

Task 1: In the previous risk analysis exercise you identified the composite role GRC300-CR_PURCHASE_TO_PAY-## as the main source of risk for user GRCBIZZ-##. To resolve the SoD risks for all users who are assigned to this role, use the most efficient method of remediation at role level. Perform a role analysis on a composite role.
1. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis at role level to assess the current risk situation.
Hint: Replace xx with your group number.
a) Enter the following information.
Role: GRC300-CR_PURCHASE_TO_PAY-##
Rule Set: Global
Report Type: Permission Level
Report Format: Executive Summary
b) Choose Execute.
c) Write down the risk descriptions.

Risk No    Risk Description
##01
##02
##03
##04
##05
##06
Task 2: Perform a role analysis on a single role.
1. Log on to SAP BusinessObjects Access Control and perform a simulation at role level. Simulate the removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-##. Compare the results with the first part of this exercise.
a) Select the Informer tab and choose Risk Analysis → Role Level.
b) Enter the following information.
Rule Set: Global
Report Format: Executive Summary
c) Choose Simulation.
d) In the next screen, specify the following values.
Role: GRC300-CR_PURCHASE_TO_PAY-##
Report Type: Permission Level
Type: Role
Value: GRC300-PAYMENT_RUN
Exclude Values: YES (meaning simulation of a removal)
Risks from Simulation only: NO
e) Choose Background Simulation.
f) Enter Job Name: ## Risk Analysis GRC300-PURCHASE_TO_PAY
g) Choose Immediate Start.
h) Choose Schedule.
i) Write down the risk descriptions.

Risk No    Risk Description
##01
##02
##03
##04
##05

j) Which risks disappeared compared with the previous exercise?

Note: The removal of the single role for the payment run from the composite role will minimize the risk situation in the system.

Task 3: Removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-## will automatically remediate the risk for all users assigned to this composite role. As a consequence, the risk situation in the system can be improved significantly.
1. Log on to the SAP back-end system with the user GRC300-## and adapt the role in the Profile Generator.
a)
b) Enter the following information.
Client: Ask the instructor for logon setup details
User: GRC300-##
c) Enter transaction code PFCG and enter Role: GRC300-CR_PURCHASE_TO_PAY-##.
d) Switch to Change mode (pencil icon).
e) In the next screen, choose the Roles tab and select the single role GRC300-PAYMENT_RUN. Remove the assignment of this role to the composite role by choosing Delete Row.
f) Choose Save to save your changes.

Note: Update the role information in the Risk Analysis and Remediation tables: schedule an incremental role synchronization job to update the composite roles in SAP BusinessObjects Access Control.

2. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis at user level.
a) Enter the following information.
User: GRCBIZZ-##
Rule Set: Global
Report Type: Permission Level
Report Format: Executive Summary
b) Choose Execute.

Result
The removal of the single role for the payment run from the composite role was performed, and the total number of risks for your business user GRCBIZZ-## has decreased. The real-time capabilities of SAP BusinessObjects Access Control allow you to check the results of your work immediately.

Lesson Summary
You should now be able to:
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP

Lesson: Definition of Process-Related Mitigation Controls

Lesson Overview
This lesson provides an overview of the mitigation function in SAP BusinessObjects Access Control Risk Analysis and Remediation.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how mitigation controls can support you in reducing access risks in your landscape
• Describe the difference between preventative and detective controls, and implement mitigation controls in SAP BusinessObjects Access Control
• Define alerting as a powerful detective control

Business Example
Due to organizational restrictions, not all risks could be avoided via remediation activities. As a consequence, you need to find mitigation controls to properly handle the remaining risks.

SoD Risk Management Process Phase Two: Mitigation

The purpose of the mitigation phase is to determine what mitigation controls are needed for those duties that cannot be segregated.

Figure 40: Mitigation Phase of SoD Risk Management Process

Mitigation Controls when Remediation Fails

Mitigation controls are required when it is not possible to segregate duties within the business process. For example, in a small office, one person has to take over two roles within the business process, so the duties are not segregated and an SoD conflict results.
• Examples of mitigation controls:
  – Release strategies and authorization limits
  – Review of user logs
  – Review of exception reports
  – Detailed variance analysis
  – Establish insurance to cover the impact of a security incident

Types of Mitigation Controls

There are two types of mitigation controls:
• Preventative controls
  – Minimize the likelihood or impact of a risk before it actually occurs.
• Detective controls
  – Alert when a risk takes place and enable the responsible person to initiate corrective measures.

Figure 41: Types of Mitigation Controls

Mitigation Controls: Leading Practices

Best practices include:
• Segregate creation and approval from assignment.
• Use mitigation as a last resort.
  – Exceptions left over from remediation efforts that have legitimate business reasons to not use SoD controls.
• Controls can be preventative or detective.

Setting Up Mitigation Controls: Overview

Required steps:
• Naming convention for controls
• Definition: Who / what / how often / why (control objective)
• Approval: The person who is responsible for approving the setup of mitigation controls, for example, the Sarbanes-Oxley Act team
• Monitors: The person who is in charge of performing the mitigation control
• Assignment to roles
• Assignment to users

Setting Up Mitigation Controls

Definition of responsibilities:
• Define administrators and select the applicable role.
  – Approver
    - Approve the control and identify appropriate mitigation monitors.
    - Ensure monitors are executing applicable controls within the period frequency stated in a mitigation control.
  – Monitor
    - Perform the actions identified in the control to monitor users and identify inappropriate actions.
  – Risk owner
    - Responsible for monitoring the use of actions and permissions associated with a risk
• Create business units and assign monitors to each.

Control creation:
• Specify the control ID.
  – Sample naming convention:
    - Character 1 – Business area designation
    - Character 2 – User or role group letter
    - Characters 3 to 10 – Sequential number
• Enter a description.
  – Definition: Who / what / how often / why (control objective)
• Assign a business unit.
• Assign an approver from the available approvers for the entered business unit.
• Assign associated risk IDs as a preselection.

Document control monitoring:
• Assign one or more monitors.
• Assign one or more mitigation reports (optional).
  – Select the system from which you will run the reports.
  – Enter the associated action.
  – Assign a monitor to each report.
  – The frequency must be established in number of days; for example, enter 30 for monthly reports.

Alerts: Overview

Alerts are used for the following scenarios:
• As a temporary mitigation control
• To display users accessing multiple conflicting actions
• To display users accessing critical actions
• To ensure the effectiveness of a mitigation control by showing delays in starting mitigation reports

Alert Setup

Enablement and scheduling:
• Enter an application server location to store executed action information:
  – Choose Configuration → Miscellaneous.
• Schedule background jobs for alert generation:
  – Action log
  – Conflicting action
  – Critical action
  – Mitigation monitoring
• Schedule background jobs for alert notification:
  – The risk owner assigned to the associated risk is notified by e-mail (maintained in the Mitigation tab)
  – Monitors can also review the list of alerts through the Alert module

Exercise 7: Definition of Risk-Related Mitigation Controls

Exercise Objectives
After completing this exercise, you will be able to:
• Create control responsibilities (monitor and approver)
• Define mitigation controls within SAP BusinessObjects Access Control
• Mitigate a composite role and check the result of the mitigation

Business Example
Due to organizational restrictions, not all risks could be avoided via remediation activities. As a consequence, you need to find the proper way to handle the remaining risks via mitigation controls. Before the implementation of a mitigation control can be performed, you need to create a responsible approver and monitor, as well as a business unit as a container for the controls, in SAP BusinessObjects Access Control.
Furthermore, all responsible approvers and monitors need to be pre-assigned to a business unit to simplify the process of finding the right persons when creating a control.

Task 1: Create an approver for the new mitigation control.
1. Create an approver for the new mitigation control.
2. Create a monitor for the new mitigation control.
3. Define a business unit as a container for the mitigation controls.

Task 2: SAP offers a dual-control principle to protect sensitive fields in the vendor master record from direct manipulation by one user. This preventative mitigation control can be used to mitigate the risk of fraudulent manipulation of bank accounts. After the security measure is activated in Customizing by the IT department, the mitigation control needs to be implemented in SAP BusinessObjects Access Control.
1. Implement the mitigation control in SAP BusinessObjects Access Control.
2. After the security measure is activated in Customizing by the IT department, implement the mitigation control in SAP BusinessObjects Access Control.
3. Check the assignment of the mitigation control by performing a new risk analysis on GRC300-CR_PURCHASE_TO_PAY-##.

Solution 7: Definition of Risk-Related Mitigation Controls

Task 1: Create an approver for the new mitigation control.
1. Create an approver for the new mitigation control.
a) Log on to SAP BusinessObjects Access Control with user GRC300-##.
b) Select the Mitigation tab and choose Administrators → Create.
c) Enter the following information.
Administrator ID: ##-Approver
Full Name: Approved Approver ##
Email: Enter a fictitious mail address
Role: Approver
2. Create a monitor for the new mitigation control.
a) Log on to SAP BusinessObjects Access Control.
b) Select the Mitigation tab and choose Administrators → Create.
c) Enter the following information.
Administrator ID: ##-Monitor
Full Name: Watching Monitor ##
Email: Enter a fictitious mail address
Role: Monitor
3. Define a business unit as a container for the mitigation controls.
a) Log on to SAP BusinessObjects Access Control.
b) Select the Mitigation tab and choose Business Units → Create.
c) Enter the following information.
Business Unit ID: PP##
Description: ## Purchase-to-Pay
Approver ID: Enter the approver ID that you created in the previous step
Monitor ID: Enter the monitor ID that you created in the previous step

Task 2: SAP offers a dual-control principle to protect sensitive fields in the vendor master record from direct manipulation by one user. This preventative mitigation control can be used to mitigate the risk of fraudulent manipulation of bank accounts. After the security measure is activated in Customizing by the IT department, the mitigation control needs to be implemented in SAP BusinessObjects Access Control.
1. Implement the mitigation control in SAP BusinessObjects Access Control.
a) Log on to SAP BusinessObjects Access Control.
b) Select the Mitigation tab and choose Mitigation Controls → Create.
c) Mitigation Control ID: MCVEN##
To ensure the effectiveness of the control, the monitor needs to check the critical vendor on a weekly basis by investigating the result of S_ALR_87012090 (Display / Confirm critical vendor changes).
d) Description: A vendor master data field marked in Customizing table T055F as sensitive can only be changed after it is confirmed by a second party.
Before approval takes place, a payment run block is activated for that account, and the confirmation status “To be confirmed” is set. Consequently, the likelihood of fraudulent manipulation is lower because an extra confirmation is required.
e) Business Unit: Purchase-to-Pay Management
Approver: ##-Approver
Risk ID: Choose all risks ##NN you built in the exercise Rule Building and Validation that contain “vendor master data maintenance” as one of the conflicting functions
Monitor ID: ##-Monitor
System: Select the appropriate system
Action: S_ALR_87012090
Frequency: To run the report once a week (every seven days), enter 7.
2. After the security measure is activated in customizing by the IT department, implement the mitigation control in SAP BusinessObjects Access Control.
a) Select the Informer tab and choose Risk Analysis → Role Level. Enter the following data.
Role: GRC300-CR_PURCHASE_TO_PAY-##
Rule Set: Global
Report Type: Permission Level
Report Format: Management Summary
b) In the resulting report, select the risk you want to mitigate with the control and choose Execute.
Hint: It should contain “vendor master data maintenance” as one of the conflicting functions. To see more details, toggle to the Summary report.
c) Select the risk description and select Mitigate the Risk in the Options area.
d) Choose Continue. In the Risk Mitigation screen, enter the following data.
Mitigation Control: MCVEN##
Monitor ID: ##-Monitor
Status: Enable
e) Check that the role name and the risk ID are correct.
f) Choose Save.
Result: The mitigation control is now assigned to the risks.
3. Check the assignment of the mitigation control by performing a new risk analysis on GRC300-CR_PURCHASE_TO_PAY-##.
a) Select the Informer tab and choose Risk Analysis.
b) Enter the following data.
Role Level
Role: GRC300-CR_PURCHASE_TO_PAY-##
Rule Set: Global
Report Type: Permission Level
Report Format: Management Summary
c) Choose More Options.
d) Set Exclude Mitigated Risks to YES to make the mitigated risks invisible in the result screen of the analysis.
e) Choose Execute.
In the results screen, all mitigated risks have vanished and the composite role is much cleaner than before our remediation and mitigation activities started.

Lesson Summary
You should now be able to:
• Explain how mitigation controls can support you in reducing access risks in your landscape
• Describe the difference between preventative and detective controls, and implement mitigation controls in SAP BusinessObjects Access Control
• Define alerting as a powerful detective control

Lesson: Risk Analysis and Remediation Reporting

Lesson Overview
This lesson will cover some new reports in SAP BusinessObjects Access Control Risk Analysis and Remediation.

Lesson Objectives
After completing this lesson, you will be able to:
• Locate and view the Action Usage by Users report
• Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report

Business Example
You are asked to use the reporting functionalities within SAP BusinessObjects Access Control to identify possibilities to accelerate the decision-making and cleanup processes in the Remediation phase. Your first task is to find out how often critical transactions included in standard roles are actually used by the business users. You next have to investigate the validity of your mitigation controls in the system.
Finally, it is important to identify and remediate hidden risks in custom programs resulting from "call transaction" statements.

Action Usage by User Report
The Action Usage by User report is useful during remediation. Situations where users have risks that result from rarely used transactions are often “easy wins” in a remediation effort, allowing you to remove or substitute roles with little or no impact on operations. This report is produced from transaction usage information that is obtained from the back-end system via the Alert Generation function. The accuracy of the report depends on that function being executed on a regular basis. The report is accessible by choosing Informer → Security Reports → Miscellaneous.

Invalid Mitigation Controls
The Invalid Mitigation Controls report is available from both the user and role risk analysis features within the Informer tab. When this new report type is selected, a validity date field appears, which defaults to the current date. A given role or user appears if any of the following conditions exists:
• The validity date is not within the range associated with the mitigating control assignment.
• The user account has expired or has been deleted.
• The role has been deleted.
• The user or role no longer contains the risk.
You can find the Invalid Mitigation Controls report by choosing Informer → Risk Analysis → Role Level or Informer → Risk Analysis → User Level, with Report Type = Invalid Mitigating Controls.

SoD Violations from Custom Programs
The SoD Violations from Custom Programs report is useful when customizing a rule set. Often, clients build custom “Z” transactions that contain calls to SAP transactions. If those SAP transactions are critical or SoD-relevant, the “Z” transaction may need to be included in the rule set. The report can also be executed against standard programs.
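The following Python scan is an added example, not code from the handbook or from SAP's product: it models the two report types of the SoD Violations from Custom Programs report (any critical action in any program, and conflicting actions in one program) over constructed ABAP fragments. The program names, the function and risk definitions and the critical action list are constructed, and only literal CALL TRANSACTION statements are detected, so a transaction code passed in a variable is a blind spot the rule-set owner must cover by other means.

```python
"""Toy model of the SoD Violations from Custom Programs report (constructed example)."""
from __future__ import annotations
import re
from itertools import combinations

# Constructed ABAP fragments standing in for the source of custom "Z" programs.
CUSTOM_PROGRAMS = {
    "ZVENDOR_ONBOARD": """
        CALL TRANSACTION 'XK01' AND SKIP FIRST SCREEN.
        CALL TRANSACTION 'F110' USING lt_bdcdata MODE 'N'.
    """,
    "ZUSER_QUICKFIX": """
        CALL TRANSACTION 'SU01'.
    """,
    "ZPO_DISPLAY": """
        CALL TRANSACTION 'ME23N'.
        CALL TRANSACTION lv_tcode.   " dynamic call: invisible to a literal scan
    """,
}

# Constructed rule set: function -> actions (transaction codes) it is built from.
FUNCTIONS = {
    "VENDOR_MASTER_MAINT": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_PAYMENTS": {"F110", "F-53"},
    "PO_DISPLAY": {"ME23N"},
}
# Constructed SoD risks: risk ID -> the two functions that conflict.
RISKS = {"RSK-01": ("VENDOR_MASTER_MAINT", "VENDOR_PAYMENTS")}
# Constructed critical actions: single transactions that are a risk on their own.
CRITICAL_ACTIONS = {"SU01", "SCC4"}

# Matches only literal transaction codes, e.g. CALL TRANSACTION 'XK01'.
CALL_TRANSACTION_RE = re.compile(r"CALL\s+TRANSACTION\s+'([A-Z0-9_/\-]+)'", re.IGNORECASE)


def called_transactions(source: str) -> set[str]:
    """Transaction codes a program calls via literal CALL TRANSACTION statements."""
    return {m.group(1).upper() for m in CALL_TRANSACTION_RE.finditer(source)}


def functions_for(action: str, functions: dict[str, set[str]]) -> set[str]:
    """All rule-set functions that contain the given action."""
    return {fn for fn, actions in functions.items() if action in actions}


def critical_actions_report(programs: dict[str, str], critical: set[str]) -> dict[str, list[str]]:
    """Report type 1, detail version: any critical action in any program."""
    report = {}
    for name, source in programs.items():
        hits = sorted(called_transactions(source) & critical)
        if hits:
            report[name] = hits
    return report


def conflicting_actions_report(programs, functions, risks) -> dict[str, list[tuple[str, str, str]]]:
    """Report type 2, detail version: conflicting actions in one program.

    A hit is (risk ID, action A, action B) where A and B are called by the same
    program and belong to the two functions of an SoD risk. Such a program bundles
    both sides of the conflict, so the Z transaction itself may belong in the rule set.
    """
    report = {}
    for name, source in programs.items():
        hits = []
        for a, b in combinations(sorted(called_transactions(source)), 2):
            fa, fb = functions_for(a, functions), functions_for(b, functions)
            for risk_id, (f1, f2) in risks.items():
                if (f1 in fa and f2 in fb) or (f2 in fa and f1 in fb):
                    hits.append((risk_id, a, b))
        if hits:
            report[name] = hits
    return report


def summary(detail: dict[str, list]) -> dict[str, int]:
    """Summary version of either report: number of hits per program."""
    return {name: len(hits) for name, hits in detail.items()}


if __name__ == "__main__":
    print("critical actions:", critical_actions_report(CUSTOM_PROGRAMS, CRITICAL_ACTIONS))
    print("conflicting actions:", conflicting_actions_report(CUSTOM_PROGRAMS, FUNCTIONS, RISKS))
```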
There are two report types:
• Any critical action in any program
• Conflicting actions in one program
Each report type is available in both a Summary and a Detail version. You select the desired report type on the selection criteria screen, and when a report is displayed you can switch to the alternate version by choosing the Summary or Detail buttons. You can access this report by choosing Informer → Audit Reports → Miscellaneous.

Exercise 8: Remediation-Relevant Reporting

Exercise Objectives
After completing this exercise, you will be able to:
• Execute and interpret the Action Usage by Users, Invalid Mitigation Controls, and SoD Violations from Custom Programs reports

Business Example
As one of the main business process experts for the remediation phase, you want to identify possibilities to improve the remediation results by checking the current solution setup.

Task 1: Demonstrate the Action Usage by Users report.
1. Demonstrate the Action Usage by Users report.
Task 2: Demonstrate the Invalid Mitigation Controls report.
1. Demonstrate the Invalid Mitigation Controls report.
Task 3: Demonstrate the SoD Violations from Custom Programs report.
1. Demonstrate the SoD Violations from Custom Programs report.

Solution 8: Remediation-Relevant Reporting

Task 1: Demonstrate the Action Usage by Users report.
1. Demonstrate the Action Usage by Users report.
a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
b) Choose Informer → Security Reports → Miscellaneous.
c) Select the Action Usage by Users report.
d) In the selection criteria, enter the following data.
System: TRN
Date: Use default
Action: SU01
Report Type: All
e) Choose Execute.
f) Look at the results of the search.
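To make the four invalidity conditions of the Invalid Mitigation Controls report concrete before it is demonstrated, here is an added Python model (not code from the handbook or from SAP's product) that evaluates mitigation control assignments against those conditions and then shows why a risk analysis with Exclude Mitigated Risks = YES should hide a risk only while its assignment is still valid. All control IDs, user IDs, role names, risk IDs and dates are constructed.

```python
"""Toy model of the Invalid Mitigation Controls report (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    """A mitigation control assigned to a user or role for one risk, with a validity range."""
    control_id: str
    object_type: str        # "USER" or "ROLE"
    object_id: str
    risk_id: str
    valid_from: date
    valid_to: date


@dataclass(frozen=True)
class UserAccount:
    user_id: str
    valid_to: date | None   # None means the account has no expiry date
    deleted: bool = False


# Constructed data: one valid assignment, then one assignment per invalidity reason.
ASSIGNMENTS = [
    Assignment("MCVEN01", "ROLE", "Z_PURCHASE_TO_PAY", "RSK-01", date(2010, 1, 1), date(2010, 12, 31)),
    Assignment("MCVEN01", "USER", "JDOE", "RSK-01", date(2009, 1, 1), date(2009, 12, 31)),
    Assignment("MCVEN01", "USER", "TEMP01", "RSK-01", date(2010, 1, 1), date(2010, 12, 31)),
    Assignment("MCVEN02", "ROLE", "Z_OLD_ROLE", "RSK-02", date(2010, 1, 1), date(2010, 12, 31)),
    Assignment("MCVEN02", "USER", "ASMITH", "RSK-02", date(2010, 1, 1), date(2010, 12, 31)),
]
USERS = {
    "JDOE": UserAccount("JDOE", None),
    "TEMP01": UserAccount("TEMP01", date(2010, 3, 31)),   # temporary account, already expired
    "ASMITH": UserAccount("ASMITH", None),
}
EXISTING_ROLES = {"Z_PURCHASE_TO_PAY"}                  # Z_OLD_ROLE has been deleted
# Constructed result of the latest risk analysis: object ID -> risks still present.
CURRENT_RISKS = {
    "Z_PURCHASE_TO_PAY": {"RSK-01"},
    "JDOE": {"RSK-01"},
    "TEMP01": {"RSK-01"},
    "ASMITH": set(),                                     # remediated, RSK-02 is gone
}
VALIDITY_DATE = date(2010, 6, 15)                        # the report's validity date field


def invalid_reasons(a: Assignment, users, roles, current_risks, validity_date: date) -> list[str]:
    """Every reason the assignment is invalid on validity_date; an empty list means valid."""
    reasons = []
    if not (a.valid_from <= validity_date <= a.valid_to):
        reasons.append("validity date outside assignment range")
    if a.object_type == "USER":
        acct = users.get(a.object_id)
        if acct is None or acct.deleted:
            reasons.append("user account deleted")
        elif acct.valid_to is not None and acct.valid_to < validity_date:
            reasons.append("user account expired")
    elif a.object_id not in roles:
        reasons.append("role deleted")
    if a.risk_id not in current_risks.get(a.object_id, set()):
        reasons.append("object no longer contains the risk")
    return reasons


def invalid_mitigation_controls(assignments, users, roles, current_risks, validity_date):
    """The report: {(object ID, risk ID, control ID): reasons} for invalid assignments only."""
    report = {}
    for a in assignments:
        reasons = invalid_reasons(a, users, roles, current_risks, validity_date)
        if reasons:
            report[(a.object_id, a.risk_id, a.control_id)] = reasons
    return report


def unmitigated_risks(object_id, assignments, users, roles, current_risks, validity_date) -> set[str]:
    """Risk analysis with Exclude Mitigated Risks = YES.

    A risk is hidden only while a still-valid assignment covers it; hiding it on
    the strength of an invalid assignment would make a clean report misleading.
    """
    risks = set(current_risks.get(object_id, set()))
    for a in assignments:
        covers = a.object_id == object_id and a.risk_id in risks
        if covers and not invalid_reasons(a, users, roles, current_risks, validity_date):
            risks.discard(a.risk_id)
    return risks


def run_report():
    """Run the Invalid Mitigation Controls report over the constructed data."""
    return invalid_mitigation_controls(ASSIGNMENTS, USERS, EXISTING_ROLES, CURRENT_RISKS, VALIDITY_DATE)


if __name__ == "__main__":
    for key, reasons in run_report().items():
        print(key, "->", "; ".join(reasons))
```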
Task 2: Demonstrate the Invalid Mitigation Controls report.
1. Demonstrate the Invalid Mitigation Controls report.
a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
b) Choose Informer → Risk Analysis → User Level.
c) In the selection criteria, enter the following data.
System: TRN
Risk ID: 9901*
Report Type: Invalid Mitigation Controls
d) Choose Execute. If you see a runtime warning, choose OK.
e) Look at the results of the report.
Task 3: Demonstrate the SoD Violations from Custom Programs report.
1. Demonstrate the SoD Violations from Custom Programs report.
a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
b) Choose Informer → Audit Reports → Miscellaneous.

Lesson Summary
You should now be able to:
• Locate and view the Action Usage by Users report
• Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report

Lesson: Continuous Compliance

Lesson Overview
This lesson discusses SoD management as an ongoing process.

Lesson Objectives
After completing this lesson, you will be able to:
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access Control
• List additional possibilities for continuous compliance

Business Example
Your organization plans to ensure continuous compliance.
In order to achieve a “quick win”, you want to evaluate Risk Terminator as a possible measure to increase risk awareness in the role development and user assignment process, as well as to force better documentation of the reasons for activating critical roles inside your SAP system.

Risk Terminator
There are some necessary configuration settings when implementing Risk Terminator. You need to make these settings before Risk Terminator will work. Start transaction /n/VIRSA/ZRTCNFG to configure Risk Terminator.

Figure 42: Risk Terminator Configuration

• Select the CC release to be used. In this scenario, we use Risk Analysis and Remediation 5.3 to connect to Risk Terminator.
• RFC destination for release CC5.X. This RFC is required so that Risk Terminator can run a risk analysis when a role is developed or a user's master record is modified.
• PFCG Plug-in (Yes/No). If you set this parameter to Yes, it will analyze changes that occur through PFCG, such as new roles that are created and roles that are modified.
• PFCG user assignment Plug-in (Yes/No). With this setting set to Yes, if you make a user assignment through PFCG, Risk Terminator will analyze the user's access with the new role assigned and determine if there are any new risks involved.
• SU01 Role assignment (Yes/No). If this is set to Yes, Risk Terminator will analyze role assignments made through SU01 and determine if there are any new SoD violations generated from that change.
• SU10 Multiple-user Role assignment Plug-in (Yes/No). If this is set to Yes, Risk Terminator will analyze the changes you make under SU10. This is also helpful because mass changes through SU10 could produce SoD conflicts for many users at once.
• Stop generation if violations exist.
This setting will stop any role generation if there are risks generated by any change or transaction codes that are introduced to the role.
Caution: When activating stop generation, be mindful of which system (QA, DEV, or PROD) it should be activated on. If it is activated for all, it can impact the security team's response time when changing roles or creating new roles.
• Comments are required in case of violations. If this is set to Yes, a Comments screen will appear if there are SoD violations during the risk analysis of a new role or a role change.
• Send notification in case of violations.

Lesson Summary
You should now be able to:
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access Control
• List additional possibilities for continuous compliance
Unit Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risks, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided
• View or locate function change history
• View or locate risk change history
• Compare rule sets
• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP
• Explain how mitigation controls can support you in reducing access risks in your landscape
• Describe the difference between preventative and detective controls, and implement mitigation controls in SAP BusinessObjects Access Control
• Define alerting as a powerful detective control
• Locate and view the Action Usage by Users report
• Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access Control
• List additional possibilities for continuous compliance

Unit 3: Compliant User Provisioning Overview

Unit Overview
Regular compliance checks and special measures are necessary to “stay clean” after the segregation of duties (SoD) project is complete. Consequently, your organization is interested in evaluating how the workflow and the functionalities Superuser Privilege Management, Enterprise Role Management, and Compliant User Provisioning can be used as preventative measures to support this phase. This unit will give an overview of the post-installation steps, configuration, and setting up of workflows to support this preventative compliance phase.
Unit Objectives
After completing this unit, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to perform transports from development to production
• Explain the workflow basics: initiator, stage, path, approver determinator
• Explain stage customizing options
• Name other areas for which the workflow functionality of SAP BusinessObjects Access Control can be used: risk maintenance, control maintenance, mitigation activities, user maintenance, role maintenance, and requesting superuser access
• Use the workflow functionality to ensure a comprehensive and compliant change management process for risk and control maintenance
• Describe the required configuration steps and the business background of using this functionality
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review
• Explain the main advantages of Compliant User Provisioning and discuss how it can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required approval steps and risk analysis, and the final provisioning in the back-end system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager information
• Explain and configure workflow exception handling using escalations, detours, rerouting, and forwarding
• Configure an advanced user provisioning workflow

Unit Contents
Lesson: Compliant User Provisioning Installation Verification and Configuration ... 129
Lesson: Compliant User Provisioning Functionality ... 142
Exercise 9: Multi-stage Workflow with Detour for SoD Violations Workflow ... 149
Lesson: Compliant User Provisioning – Additional Functionality ... 163
Exercise 10: Workflow-Controlled Risk Maintenance ... 169
Lesson: Workflow-Based Reviews ... 173
Lesson: Compliant User Management Life Cycle ... 180
Exercise 11: Workflow Creation Workshop (Group Exercise) ... 187
Lesson: Compliant User Provisioning Installation Verification and Configuration

Lesson Overview
This lesson discusses installation verification and configuration for Compliant User Provisioning.

Lesson Objectives
After completing this lesson, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to perform transports from development to production

Business Example
In order to set up a project plan for the implementation of SAP BusinessObjects Access Control Compliant User Provisioning in your organization, you need to familiarize yourself with the effort required to set up the solution.

Required Steps for Compliant User Provisioning After Installation of SAP BusinessObjects Access Control
• Ensure that all real-time agents (RTAs) have been applied to all Compliant User Provisioning systems. There must be RTAs for GRC BusinessObjects Access Control installed on any system to which Compliant User Provisioning will be provisioning. The RTAs are installed by the Basis team.
• Choose the authentication system and ensure that all necessary user accounts exist. Choose the Configuration tab, choose Authentication, and then choose System. This is the system that Compliant User Provisioning will use to authenticate users.
When a user signs in from the Compliant User Provisioning Request for Access screen, this setting determines where Compliant User Provisioning will look to validate that user. This is not for administrator access.
• Verify that all directories have the correct permissions. Make sure that all tabs in Compliant User Provisioning are available and all the options are listed.

Figure 43: Choosing the Authentication System

Uploading Initial Data
Before you begin configuring Compliant User Provisioning, you must import initial system data. This data is the default system data that is prepackaged with the system. It is the minimum set of data required for the application to function properly and is imported directly from the application itself.
Caution: Import initial data only if it was not done during the post-installation phase of the SAP BusinessObjects Access Control installation process. You can verify that the initial data was already imported by checking whether there are request types on the main request page for users.

Figure 44: Verification of Upload of Initial Data

Procedure to Upload Initial Data
• On the Configuration tab, choose Initial System Data. The Initialize DB screen appears.
• Choose Browse.
• Navigate to the directory containing the Compliant User Provisioning installation files.
• In the Browse window, double-click the appropriate XML file. There are three options for import: (1) Insert, (2) Append, and (3) Clean and Insert. Each delivered initial load file specifies how it is to be loaded.
• The files to import are:
AE_init_append_data.xml – Select Append.
AE_init_append_data_ForSODUARReview.xml – Select Append.
AE_init_clean_and_insert_data.xml – Select Clean and Insert.
• Choose Import.
User Data Source
Use the User Data Source option to increase the scope of SAP back-end systems that you configured in the Connectors screen. Define the primary source for extracting user data on the User Data Source screen. Mapping the data source allows Compliant User Provisioning to search for all users, managers, and approvers. However, keep in mind that this is not an authorization mechanism to check for existing users and managers. The data source that you map (such as LDAP, SAPHR, SAP, or SAPUME) also determines how certain types of data are handled through the assigned protocols and from specific systems. Therefore, once you select a user data source, you do not need to perform any additional configuration to map the user ID.

Figure 45: User Data Source

• Using UME as the user data source: The SAP UME is the most common data source for finding user and approver data in an enterprise portal environment. UME is also used as a data source by SAP NetWeaver for other applications that are integrated into the SAP system. The SAP UME is a central management repository for retrieving SAP user data through Compliant User Provisioning.
• Using LDAP as the user data source: Using LDAP as the user data source is preferable, because LDAP is normally the first point of entry for users accessing the enterprise system. LDAP directories generally contain as much information about the user as the SAP business system. If you set the user detail data source to LDAP, the user’s manager listed on the LDAP record can automatically populate the request during request creation.
• Using multiple data sources as the user details data source: When you select Multiple Datasources, the Multiple Datasources screen appears, and you can select the systems involved in the search. You can also order the sequence in which the data sources are searched. Compliant User Provisioning searches the systems in the specified order until it finds the user ID and retrieves the user’s details from that system. For example, all employee user information can be fetched from SAP HCM, while detail information for part-time and contract personnel exists in an LDAP system. In this case, you can configure multiple data sources with the SAP HCM and LDAP systems, which then fetch detail information for both employees and contractors.

Integrating Compliant User Provisioning and Risk Analysis and Remediation with Web Service Calls
You integrate Compliant User Provisioning with Risk Analysis and Remediation to enable risk analysis, mitigation, transaction usage, and other Risk Analysis and Remediation functions. To integrate Compliant User Provisioning for risk analysis and mitigation, follow the steps below.

Figure 46: Web Services for Risk Analysis

Integrating Risk Analysis and Remediation
• Retrieve the URL for Risk Analysis Web service configuration.
a. From the SAP NetWeaver Web Application Server start page, choose Web Service Navigator.
b. Expand the VirsaCCRiskAnalysisService Web service.
c. Choose Document.
d. Right-click the URL address under the WSDL heading to copy it as a shortcut.
• Choose Compliant User Provisioning, choose the Configuration tab, and choose Risk Analysis.
• In the Select Analysis and Remediation Version pane, choose 5.3 Web Service from the Version menu.
• In the URL field, enter the risk analysis URL.
You can paste in the copied shortcut you obtained in the first step.
• Enter a User Name and a Password.
Note: This user must have the Admin role for Risk Analysis and Remediation.
• Choose Save.

Connecting Compliant User Provisioning to a Back-End System
After installing Compliant User Provisioning, you must configure the interactions with the appropriate back-end systems via connectors. This is essential to provision approved users to the back-end systems. Compliant User Provisioning supports several connector types for back-end systems. Connectors facilitate the transfer of data between Compliant User Provisioning and SAP systems, non-SAP systems, SAP Enterprise Portal, LDAP, and other systems. By configuring the connectors, you specify how Compliant User Provisioning communicates with these back-end systems.
Compliant User Provisioning supports multiple data sources, for which you can define the data sources and their sequence order for extracting data. The supported multiple data sources include the following system types:
• SAP
• SAPHR
• LDAP
• JDE (JD Edwards)
• SAPEP (SAP Enterprise Portal)
• ORAAPPS (Oracle Applications)
• PEOPLESOFT
For multiple LDAPs, Compliant User Provisioning supports:
• Microsoft Active Directory
• Sun Microsystems SunOne
• Novell E-Directory
• IBM Tivoli
• Any other LDAP supported in SAP NetWeaver

Defining Connectors for SAP

Figure 47: Connecting to an SAP System

To define connectors for SAP systems:
• Choose Compliant User Provisioning, select the Configuration tab, and choose Connectors → Create Connectors.
• In the Connector Type menu, choose SAP.
Note: Any field name denoted with an asterisk (*) is required.
• In the Name field, enter a name for the connector.
Note: The connector names are important when integrating with other Access Control components and Central User Administration (CUA). Make sure that the connector name for SAP BusinessObjects Access Control is the same as the one configured for CUA.
• In the Short Description field, enter a brief description of the connector.
• In the Description field, enter a long-text description of the connector.
• In the Application field, enter the name of the application or application server.
• In the Application Server Host field, enter the host name of the application server.
• In the System Number field, enter the number in the SAP system log.
• In the Client field, enter the SAP client number.
• In the User ID field, enter the user ID you are configuring to have access to the back-end system.
Note: The user ID must have the security access to perform the tasks required. If provisioning is configured for this connector, this user ID must have authorization to maintain users in the SAP system. If provisioning is configured, this user ID appears on each change record on the SU01 user master record.
• In the Password field, enter the password for the SAP user ID.
• In the System Language field, enter the language for the system.
• In the Message Server Name field, enter the name of the message server, which is used for load balancing of your SAP clustered environment.
• In the Message Server Group field, enter the logon group name to which the message server belongs.
• In the Message Server Host field, enter the host name of your message server.
• In the SAP Version menu, select the appropriate SAP version. Compliant User Provisioning supports SAP 4.6C, SAP 4.7, and SAP ECC 6.0.
• Select the SLD Connector checkbox to enable the Standard Landscape Directory.
• In the Connector Category menu, select the category to which the connector belongs. Possible values are Production, Non-Production, or Other. This selection is used to classify the servers into categories on the access request forms.
• In the Role menu, select whether role information comes from Enterprise Role Management or the SAP back end.
• Choose Create.
• Choose Test Connection to ensure that the connection is valid.
Note: Executing this test verifies that the information on the connector is valid and initial communications can be established. It also verifies the user ID and password. This test, however, does not verify that the correct RTAs are installed on this connector.

Exporting and Importing Configuration Settings
Compliant User Provisioning now supports the export and import of configuration settings. This is not a transport mechanism to move changes from the development system to production, but it can be used to create a production system for the first time by making a copy of the development system.

Figure 48: Export Settings

Items that can be exported or imported:
• Initial Data
• Connectors
• Roles
• Workflow Configuration
• User Defaults
• HR Triggers

Lesson Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to perform transports from development to production
All rights reserved. 141 Unit 3: Compliant User Provisioning Overview GRC300 Lesson: Compliant User Provisioning Functionality Lesson Overview This lesson will explain the basic workflow options, customizing of a stage, and additional workflow functionality of SAP BusinessObjects Access Control Compliant User Provisioning. Lesson Objectives After completing this lesson, you will be able to: • • • Explain the workflow basics: initiator, stage, path, approver determinator Explain stage customizing options Name other areas for which the workflow functionality of SAP BusinessObjects Access Control can be used: risk maintenance, control maintenance, mitigation activities, user maintenance, role maintenance, and requesting superuser access Business Example Your organization wants to make sure that all changes to users are compliant with the current rule set and are approved by a dedicated owner. For that reason, you need to implement this control before the go live takes place. Furthermore, you are responsible for evaluating other areas of the workflow functionality that can help to support continuous compliance. Workflow in Compliant User Provisioning Compliant User Provisioning is an automated end-to-end user request, approval, and compliant provisioning solution that is Web-based and workflow configurable with proactive SoD compliance checking. 142 © 2010 SAP AG. All rights reserved. 2009 GRC300 Lesson: Compliant User Provisioning Functionality Figure 49: How Does It Work? Components of a Workflow A workflow in Compliant User Provisioning is made up of three basic components: the initiator, the stage, and the path. Figure 50: Workflow Overview Every workflow is started by an unique initiator that is defined in the request. The following figures shows an example of a three-stage workflow. 2009 © 2010 SAP AG. All rights reserved. 
143 Unit 3: Compliant User Provisioning Overview GRC300 Figure 51: Workflow Example Approver Determinator for a Stage The primary purpose of any stage is to pass a request to an approver. When you create a stage, you define the user who must approve or deny a request when the request reaches that stage. When you define a stage, you specify the approver for that stage. The term “approver determinator” defines the approvers for the request and indentifies the approver(s) of the stage. You can choose from several approver determinators on any stage. These are all delivered standard with Compliant User Provisioning. Figure 52: Approver Determinator Options 144 © 2010 SAP AG. All rights reserved. 2009 GRC300 Lesson: Compliant User Provisioning Functionality Stage Customizing Options There are various optional configurations you can add to a stage to specify notifications, require risk analysis, and manage security. When you configure a stage, you determine which options apply. There are three configuration areas: • • • Notification Configuration Additional Configuration Additional Security Configuration (Approval Reaffirm) Note: If the user, requestor, and approver are the same, each receives multiple e-mail notifications. When sending an e-mail notification to the user and the requestor if the user is the requestor, the system sends two e-mail notifications. If the requestor and the manager are the same user, that person receives two e-mails. Notification Configuration The Notification Configuration screen configures e-mail notifications for a stage to determine whether and to whom the system sends notifications about the actions taken at this stage. There are four possible actions: 1. 2. 3. 4. Approved: The system sends the e-mail notification configured on the Approved tab when the approver approves the request. Rejected: The system sends the e-mail notification configured on the Rejected tab when the approver rejects or denies the request. 
3. Escalation: The system sends the e-mail notification configured on the Escalation tab when the approver fails to respond to the request within the allotted wait time and an escalation has occurred.
4. Next Approver: The system sends the e-mail notification to the approver(s) of the stage when the request enters this stage. The next approver is the approver of the current stage.

Additional Configuration

The Additional Configuration screen refines the behavior of a stage. The options available depend on the workflow type you select when you initially define your stage. Decide what functions you need, and select the appropriate option from each drop-down list. Several of these settings work in conjunction with each other: when you make a selection, the remaining options are based on that selection, so some fields become available and others become unavailable.

• Risk Analysis Mandatory: Select Yes or No to determine whether the approver is required to perform a risk analysis before approving the request.
• Change Request Content: Determines whether the approver has the authority to change the content of the request. If set to Yes, the Add Roles field becomes available; select Yes or No to allow roles to be added during this stage.
  – If Add Roles is set to Yes, the Path Evaluation For New Roles field becomes available. This setting determines how the added roles are evaluated to see whether they are on the correct path (this is necessary only if you configure your initiators by roles):
    All Roles in Evaluation Path: All roles are re-evaluated against the initiators.
    New Roles Only: Only the new roles are analyzed against the initiators to determine whether another parallel workflow must be created for the newly added roles.
  – If Change Request Content is set to Yes but Add Roles is set to No, the approver can remove roles from the request but cannot add roles.
  – If Change Request Content is set to No, the approver cannot change the roles on the request: they can neither reject or remove roles nor add roles to the request.
• Approval Level: The approver has the authority to approve the request at the Request, Role, or System and Role level.
• Reject Level: The approver has the authority to reject the request at the Request, Role, or System and Role level.
• Approval Type: Select whether any one approver can approve at this stage, or whether all approvers must approve at this stage, for the request to move on to the next stage.
• Email Group: This feature is no longer used. It remains on the screen for backward compatibility.
• Comments Mandatory: Select whether the approver is required to enter comments when approving or rejecting the request. If you set this option to Yes, checkboxes appear that let you specify when comments are required (on approvals, on request rejections, or both).
• Request Rejection: If you set this option to Yes, the approver is allowed to reject the entire request. The Reject button appears next to the Approve button, so the approver can reject the entire request without rejecting each role individually. If No, the approvers can reject roles on the request but cannot reject the entire request.
• Re-Route: The approver has the authority to re-route the request to a previous stage as an alternative to rejecting it entirely. Re-routing does not apply if the approver chooses to approve the request.
• Confirm Approval: The approver must answer an additional question to confirm the approval action.
• Confirm Rejection: The approver must answer an additional question to confirm the rejection action.
• Reject by Email and Approve by Email: The approver can reject or approve the request by e-mail. If you set these options to Yes, up to two additional links appear in the e-mail notification the approver receives for this stage stating that a request is waiting for action. If Approve by Email is set to Yes, one link is the Approve Request action; if Reject by Email is set to Yes, another link is present for Reject Request. These links transfer the approver to Compliant User Provisioning; the approver must still be a valid approver for this stage of the request and must enter his or her user ID and password.
  – Reject by Email: The approver can reject the request by e-mail. This setting is not available if actions are required at the stage, for example, if risk analysis or comments are required.
  – Approve by Email: The approver can approve the request by e-mail. This setting is not available if actions are required, for instance, if risk analysis or comments are required.
• Forward: The approver has the authority to forward the request to someone else for approval.
• Forward Type: If you select the Forward option, you can specify whether any one of the approvers to whom the request is forwarded can approve so that the request continues (Any One Approver), or whether all approvers listed on the forward must approve before the request can continue (All Approvals).
• Approve Request Despite Risks: If you set this option to Yes, the approver is allowed to approve this stage even if there are SoD violations that have not been mitigated. If you set it to No, the approver at this stage must remediate (remove) or mitigate the violation before he or she can approve the request. The approver is then required to enter comments when approving or denying the request.
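The interplay of these stage options is easier to see in code. The following Python model is an added example, not SAP code: it represents the Additional Configuration settings described above and reports which of them block an approver's action; the class, field and function names are assumptions made for this example.

```python
"""Decision check for a Compliant User Provisioning stage (added example).

Models the Additional Configuration options of a stage and reports which
settings block an approver's action. Names are assumptions, not SAP APIs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class StageConfig:
    name: str
    risk_analysis_mandatory: bool = False
    change_request_content: bool = False
    add_roles: bool = False
    approval_type: str = "ANY_ONE"      # "ANY_ONE" or "ALL"
    comments_mandatory: bool = False
    request_rejection: bool = False
    approve_despite_risks: bool = True
    approve_by_email: bool = False
    reject_by_email: bool = False


@dataclass
class RequestState:
    roles: List[str]
    unmitigated_violations: int = 0    # SoD violations neither removed nor mitigated
    risk_analysis_done: bool = False


def check_action(stage: StageConfig, req: RequestState, action: str,
                 comment: str = "", roles_added: Iterable[str] = (),
                 roles_removed: Iterable[str] = ()) -> List[str]:
    """Return the reasons the action is blocked at this stage; [] means allowed.

    action is "approve", "reject_role" or "reject_request".
    """
    if action not in ("approve", "reject_role", "reject_request"):
        raise ValueError(f"unknown action {action!r}")
    problems: List[str] = []
    # Change Request Content gates every edit of the roles on the request;
    # Add Roles additionally gates adding roles.
    if list(roles_removed) and not stage.change_request_content:
        problems.append("Change Request Content=No: roles cannot be removed")
    if list(roles_added) and not (stage.change_request_content and stage.add_roles):
        problems.append("adding roles needs Change Request Content=Yes and Add Roles=Yes")
    if stage.comments_mandatory and not comment.strip():
        problems.append("Comments Mandatory=Yes: a comment is required")
    if action == "approve":
        if stage.risk_analysis_mandatory and not req.risk_analysis_done:
            problems.append("Risk Analysis Mandatory=Yes: run risk analysis before approving")
        if req.unmitigated_violations and not stage.approve_despite_risks:
            problems.append("Approve Request Despite Risks=No: remediate or mitigate "
                            f"{req.unmitigated_violations} SoD violation(s) first")
    elif action == "reject_request" and not stage.request_rejection:
        problems.append("Request Rejection=No: reject individual roles instead")
    elif action == "reject_role" and not stage.change_request_content:
        problems.append("Change Request Content=No: roles cannot be rejected")
    return problems


def email_links(stage: StageConfig) -> List[str]:
    """Links offered in the stage's notification e-mail.

    Approve/Reject by Email are unavailable when the stage requires actions
    (risk analysis or comments), because those cannot be done from the e-mail.
    """
    if stage.risk_analysis_mandatory or stage.comments_mandatory:
        return []
    links = []
    if stage.approve_by_email:
        links.append("Approve Request")
    if stage.reject_by_email:
        links.append("Reject Request")
    return links


def stage_complete(stage: StageConfig, approvers: Iterable[str],
                   decisions: Dict[str, str]) -> bool:
    """Approval Type: ANY_ONE moves the request on after one approval;
    ALL requires every approver of the stage to have approved."""
    approved = {a for a, d in decisions.items() if d == "approve"}
    if stage.approval_type == "ALL":
        return set(approvers) <= approved
    return bool(approved)


if __name__ == "__main__":
    # Constructed sample: a role-owner stage with strict settings and a
    # request that still carries one unmitigated SoD violation.
    stage = StageConfig("##_RoleOwner", risk_analysis_mandatory=True,
                        comments_mandatory=True, approve_despite_risks=False)
    req = RequestState(["Z_##_FB50", "Z_##_OB52"], unmitigated_violations=1)
    for reason in check_action(stage, req, "approve"):
        print("blocked:", reason)
```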
Additional Security Configuration

The Additional Security Configuration screen specifies whether the approver must confirm his or her identity to take an action at this stage. Approvers confirm their identity (reaffirm their decision) by entering their password at a prompt when they take the action. The actions that can be configured to require reaffirmation are:
• Approve
• Reject
• Create User

Other Areas of Workflow Functionality

SAP BusinessObjects Access Control Compliant User Provisioning can be used for:
• Risk maintenance
• Control maintenance
• Mitigation activities
• User maintenance
• Role maintenance
• Requesting superuser access

Exercise 9: Multi-stage Workflow with Detour for SoD Violations

Exercise Objectives

After completing this exercise, you will be able to:
• Set up a multistage workflow with a detour for SoD violations, run an SoD check, then auto-provision to an SAP system
• Verify that the change to the user was auto-provisioned

Business Example

You are responsible for evaluating the implementation of the compliant workflow change management process.

Task: Set up a basic workflow with one stage to make a change to a user, run an SoD check, then have the change auto-provisioned to an SAP system.

1. Log on to the back-end system assigned by your instructor, into client TBD with your user ID, and create the following roles:
   a. Z_##_FB50, assigning transaction FB50 with full authorizations
      i. Description: Post Journal Entry
   b. Z_##_OB52, assigning transaction OB52 with full authorizations
      i. Description: Open and Close Accounting Period
2. Log on to SAP BusinessObjects Access Control Compliant User Provisioning through http://servername:5<instancenumber>00/webdynpro/dispatcher/sap.com/grc~acappcomp/AC.
3. Choose Configuration → Roles → Import Roles and import the roles you created, using the Selected Roles option.
   Select Role Source: Back End
   Select Roles: Z_##_FB50, Z_##_OB52
4. Log on to the UME using your user ID and create the following users in the UME:
   a. Manager<XX>
   b. RoleOwner<XX>
   c. Security<XX>
   d. Sox<XX>
5. Log on to SAP BusinessObjects Access Control Compliant User Provisioning through http://servername:5<instancenumber>00/webdynpro/dispatcher/sap.com/grc~acappcomp/AC.
6. Choose Configuration → Roles → Attributes and create a functional area.
   a. Name: ##FI
   b. Short Description: ##FI
   c. Description: ##FI Functional Area
7. Choose Configuration → Roles → Role Search and select the roles you created in Step 1 and imported into Compliant User Provisioning. Verify or assign the following:
   a. Z_##_FB50
      i. Business Process: Finance
      ii. Critical Level: High
      iii. Role Approver tab: RoleOwner<XX>
   b. Z_##_OB52
      i. Business Process: Finance
      ii. Critical Level: High
      iii. Role Approver tab: RoleOwner<XX>
8. Go to the workflow configuration and create an initiator. Choose Configuration → Workflow → Initiator.
9. Choose Create and enter the following data.
   Name: ##_Initiator
   Short Description: ##_Initiator
   Workflow Type: CUP
   Condition: AND
   Attribute: Functional Area
   Value: ##FI
10. Choose Save to save the initiator.
11. Create three stages. Choose Configuration → Workflow → Stage.
12. Choose Create and enter the following data for each of the three stages.
   Stage 1: Name ##_Manager; Short Description ##_Manager; Workflow Type CUP; Approver Determinator Manager
   Stage 2: Name ##_RoleOwner; Short Description ##_RoleOwner; Workflow Type CUP; Approver Determinator Role
   Stage 3: Name ##_Security; Short Description ##_Security; Workflow Type CUP; Approver Determinator Security
13. For the notification configuration, select the Next Approver tab and fill in the information for approval.
14. Select the following options in the Additional Configuration section.
   Risk Analysis Mandatory: Yes
   Change Request Content: No
   Add Role: Should not be able to change. Why?
   Path Revaluation for New Roles: Should not be able to change. Why?
   Approval Level: Request
   Rejection Level: Request
   Approval Type: Any one Approver
   Comments Mandatory: Yes or No
   Request Rejected: No
   Re-route: No
   Confirm Approval: No
   Confirm Rejection: No
   Reject by Email: No
   Approve by Email: No
   Forward Allowed: No
   Approve Request Despite Risks: Yes
15. Choose Save to save each stage.
16. Create a path. Choose Configuration → Workflow → Path.
17. Choose Create, then enter the following data.
   Name: ##_Path
   Short Description: ##_Path
   Workflow Type: CUP
   Number of Stages: 3
   Initiator: ##_Initiator
   Be sure to make the path Active.
18. Select the three stages (##_Manager, ##_RoleOwner, ##_Security) that you created in this exercise.
19. Choose Save to save the path.
20. Create a Custom Approver Determinator for the detour. Choose Configuration → Workflow → Custom Approver Determinators and create a custom approver determinator.
   Name: ##_SOD_CAD
   Short Description: ##_SOD_CAD
   CAD Type: Attribute
   Workflow Type: CUP
   Attribute: Functional Area
   Choose the Approvers button and choose Add.
   Functional Area: ##FI
   Approver: Sox## (User)
   Choose Save.
21. Define a stage for SoD violations. Choose Configuration → Workflow → Stage and enter the following data.
   Name: ##_SOD_Stage
   Short Description: ##_SOD_Stage
   Workflow Type: CUP
   Approver Determinator: ##_SOD_CAD
   Choose Save.
   Hint: It is not possible to log in to CUP directly with a UME user who still has the "initial" password. The user has to change his or her password first.
22. Define a detour path.
   Choose Configuration → Workflow → Path and create the following path.
   Name: ##_Detour
   Short Description: ##_Detour
   Workflow Type: CUP
   Number of Stages: 2
   Initiator: None
   Be sure to make the path Active.
   Detour checkbox: Yes
   Stage 1: ##_SOD_Stage
   Stage 2: ##_Security
   Choose Save.
23. Define a detour for SoD violations. Choose Configuration → Workflow → Detour/Fork and create a detour.
   Workflow Type: CUP
   Path: ##_Path
   Stage: ##_RoleOwner
   Action: Save
   Condition: SOD Violations
   Value: Yes
   Detour Path: ##_Detour
   Choose Save.
24. Test your workflow by creating several requests and verify that the path and detour you created work properly.
   Hint: Create multiple AE requests to create users for the back-end system. Assign each user one or both of the roles you created in Step 1 above. It is not possible to log in to CUP directly with a UME user who still has the "initial" password; the user has to change his or her password first.

Solution 9: Multi-stage Workflow with Detour for SoD Violations

Task: Set up a basic workflow with one stage to make a change to a user, run an SoD check, then have the change auto-provisioned to an SAP system.

The solution follows steps 1 through 24 of Exercise 9 exactly as listed above. The answers to the two questions in step 14 are:
• Add Role: cannot be changed, because Change Request Content is set to No.
• Path Revaluation for New Roles: cannot be changed, because Change Request Content is set to No.
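The routing that steps 8 through 23 configure can be checked against a small simulation. The following Python block is an added example, not SAP code or part of the course material: the initiator, path, stage and detour names are taken from Exercise 9 (## stands for your group number), while the engine logic is a simplified model and an assumption of this example, namely that the detour condition is evaluated when the approver saves the named stage and that the detour path's stages replace the remaining stages of the original path.

```python
"""Routing simulation for the Exercise 9 workflow (added example, not SAP code).

Assumptions of this model: the detour condition is evaluated on Save at the
configured stage, and the detour path replaces the rest of the original path.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Initiator:
    name: str
    functional_area: str        # initiator condition: Functional Area = value


@dataclass
class Path:
    name: str
    stages: List[str]
    initiator: Optional[str]    # None for a detour path
    detour: bool = False


@dataclass
class Detour:
    path: str           # path the detour is attached to
    stage: str          # stage at which the condition is evaluated
    action: str         # "Save"
    condition: str      # "SOD Violations"
    value: str          # "Yes"
    detour_path: str


@dataclass
class Request:
    functional_area: str
    roles: List[str]
    sod_violations: bool        # result of the risk analysis on the request


# Configuration as built in Exercise 9 (steps 8 to 23).
INITIATORS = [Initiator("##_Initiator", "##FI")]
PATHS: Dict[str, Path] = {
    "##_Path": Path("##_Path", ["##_Manager", "##_RoleOwner", "##_Security"],
                    "##_Initiator"),
    "##_Detour": Path("##_Detour", ["##_SOD_Stage", "##_Security"], None,
                      detour=True),
}
DETOURS = [Detour("##_Path", "##_RoleOwner", "Save", "SOD Violations", "Yes",
                  "##_Detour")]


def select_initiator(req: Request, initiators: List[Initiator]) -> Optional[Initiator]:
    """A request matches the first initiator whose condition it satisfies."""
    for ini in initiators:
        if ini.functional_area == req.functional_area:
            return ini
    return None


def detour_applies(d: Detour, req: Request) -> bool:
    """Evaluate the detour condition against the request."""
    if d.condition != "SOD Violations":
        raise NotImplementedError(f"condition {d.condition!r} not modelled")
    return (d.value == "Yes") == req.sod_violations


def route(req: Request, initiators=INITIATORS, paths=PATHS,
          detours=DETOURS) -> List[str]:
    """Return the stages the request passes through, assuming every approver
    saves an approval at each stage."""
    ini = select_initiator(req, initiators)
    if ini is None:
        raise LookupError("no initiator matches the request; it cannot be submitted")
    path = next(p for p in paths.values() if p.initiator == ini.name)
    queue = list(path.stages)
    visited: List[str] = []
    while queue:
        stage = queue.pop(0)
        visited.append(stage)
        # On Save at this stage, check the detours attached to the current path.
        for d in detours:
            if (d.path == path.name and d.stage == stage and d.action == "Save"
                    and detour_applies(d, req)):
                path = paths[d.detour_path]
                queue = list(path.stages)   # remaining original stages are replaced
                break
    return visited


if __name__ == "__main__":
    # Constructed requests: one with both conflicting roles, one with only FB50.
    print(route(Request("##FI", ["Z_##_FB50", "Z_##_OB52"], sod_violations=True)))
    print(route(Request("##FI", ["Z_##_FB50"], sod_violations=False)))
```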
Lesson Summary

You should now be able to:
• Explain the workflow basics: initiator, stage, path, approver determinator
• Explain stage customizing options
• Name other areas for which the workflow functionality of SAP BusinessObjects Access Control can be used: risk maintenance, control maintenance, mitigation activities, user maintenance, role maintenance, and requesting superuser access

Lesson: Compliant User Provisioning – Additional Functionality

Lesson Overview

This lesson provides an overview of the Compliant User Provisioning workflow capability for change management of the SoD rule library and the control library in Risk Analysis and Remediation.

Lesson Objectives

After completing this lesson, you will be able to:
• Use the workflow functionality to ensure a comprehensive and compliant change management process for risk and control maintenance
• Describe the required configuration steps and the business background of using this functionality

Business Example

Your organization wants to make sure that all changes to the risk and control library within SAP BusinessObjects Access Control are properly managed and approved by a dedicated owner. For that reason, you need to implement this control before the go-live takes place. You are also responsible for evaluating other areas in which the workflow functionality can help to support continuous compliance.

Risk Recognition

The first phase of the SoD risk management process is to identify and classify the risks. The SoD rule library in Risk Analysis and Remediation is built on the foundation of the risk identification process. The mitigating controls for these risks are also documented, as part of the Risk Analysis and Remediation control library, for the mitigation of user access.

After the rule and control libraries have been implemented according to business requirements, the next step is managing changes to both of these libraries. This is where the workflow functions of Compliant User Provisioning can be integrated with Risk Analysis and Remediation to implement a change management process in which the business risk owners are closely involved in any changes going forward.

Figure 53: SoD Risk Management Process – Phase One

Figure 54: Types of Risks: SoD vs. Critical Actions

Figure 55: Risks Identified: SoD Rule Set Building Blocks

Risk and Mitigation Change Management

To begin implementing a change management process for risks, the business process owner must assume ownership of the process and of the resulting risk in his or her areas of access and authorizations. The business then initiates and approves any updates to the risks built into the SoD rule library. A business owner associated with a risk within the library is set up to receive a workflow request from Compliant User Provisioning when changes are made to that risk. Changes do not take effect until the risk owner has approved the workflow request.

The same business risk owners can also be set up as mitigation owners as the control library is configured, or a different set of business owners can be associated with the mitigating controls as they are documented within the control library. This depends on the company's business needs and internal control structure. As with changes to risks, changes to a mitigating control, or the creation of new additions to the control library, can be configured in Compliant User Provisioning to send workflow approvals to the appropriate responsible parties. The changes take effect only after the owners have confirmed their approval.

Figure 56: Risk Analysis and Remediation and Compliant User Provisioning Workflow Integration for Change Management

Configuring Workflow for Change Management

The delivered workflow configuration options in Compliant User Provisioning include request types and Web services. These must be activated and applied in the proper settings. The rest of the workflow configuration must be set up and tested by the designated application administrators. Workflow components that must be set up in the Compliant User Provisioning Configuration tab for risk and mitigating control changes include:
• Activating request types:
  – Create / Update / Delete Mitigation Control
  – Create / Update / Delete Mitigation Object
  – Create / Update / Delete Risk
• Activating the mitigation URL settings
• Activating the mitigation and risk workflows under Miscellaneous
• Creating workflow initiators for risk and mitigation changes
• Creating custom approver determinators for risk and mitigation changes
• Creating stages for risk and mitigation changes
• Creating paths for risk and mitigation changes

Similarly, in Risk Analysis and Remediation, certain configuration settings must be completed to integrate the workflow functions:
• The mitigation and risk maintenance workflow settings must be activated in the Configuration tab.
• In the Mitigation tab, the Administrators table must be populated with the designated risk owners.
• When a mitigating control is created for the control library, a management approver and the risks must be associated with the control being documented.
• When a risk is created in the Rule Architect tab, a risk owner must be associated with the risk.

Note: The SAP BusinessObjects Access Control Configuration Guide delivered with the application documentation provides detailed steps on how to configure workflows in Compliant User Provisioning. You can find this in the Compliant User Provisioning section, under Workflow Management.

Conclusion

SAP BusinessObjects Access Control is used as the central workflow engine to ensure a compliant change management process. It provides a request submission service to initiate workflow for risk maintenance, mitigation maintenance, remediation activities, and mitigation activities out of the risk analysis and remediation process. It also supports change management through an event-driven, multilevel approval process that allows for close business involvement and responsibility.

Figure 57: Change Management with SAP BusinessObjects Access Control

Exercise 10: Workflow-Controlled Risk Maintenance

Exercise Objectives

After completing this exercise, you will be able to:
• Change the description of a risk
• Approve your change within the workflow engine

Business Example

You are responsible for evaluating the correct implementation of the workflow-supported risk change management process.

Task: Use the Compliant User Provisioning workflow function to manage changes made to the SoD rule set in Risk Analysis and Remediation through the Rule Architect.

1. Use the Compliant User Provisioning workflow function to manage changes made to the SoD rule set.
2. Open a new browser window and log on to SAP BusinessObjects Access Control with the approver user ID.
3. Review the change history of the Risk ID.
Solution 10: Workflow-Controlled Risk Maintenance

Task:
Use the Compliant User Provisioning workflow function to manage changes made to the SoD rule set in Risk Analysis and Remediation through the Rule Architect.

1. Use the Compliant User Provisioning workflow function to manage changes made to the SoD rule set.
   a) Log on to SAP BusinessObjects Access Control, select the Compliant User Provisioning link, and select the Configuration tab. Choose Workflow Custom → Approver Determinator and change the approver determinator RISKUPDATE. Add a User ID as approver and the Risk ID that you want to change on update.
   b) Log on to SAP BusinessObjects Access Control, select the Risk Analysis and Remediation link, and select the Configuration tab.
   c) Choose Workflow and set the parameter Risk Maintenance to YES.
   d) Select the Configuration tab. From the menu on the left, select Risks (arrow down) and choose Search.
   e) Enter your Risk ID in the Risk ID field.
   f) Choose the Change button in the Search Results screen.
   g) Select the Control Objective tab and enter a statement describing the control objective for the selected risk ID.
      Hint: You can use any descriptive statement you wish for this exercise. You can also replace any statement already in place.
   h) Choose Save.
      Note: This action creates a request for approval, which is routed through workflow to the risk owner associated with the changed risk ID.
   i) The application will give you the message Workflow request submitted, request id is xxxx, where xxxx is the number of the request.
      Hint: Write down the request number.
   j) Exit this screen by selecting Search again on the left-hand menu.
2. Open a new browser window and log on to SAP BusinessObjects Access Control with the approver User ID.
   a) In the launch pad, select the Compliant User Provisioning link.
      Note: The default should be the My Work tab in Compliant User Provisioning, where you will see the number of the request created by your change to the risk in the previous steps.
   b) Click on the link to request # xxxx (created by the risk change).
   c) Review the request detail. For example, select the Control Objective tab to view the statement you added.
   d) Choose Approve.
   e) On the next screen you should get a success message that says the request has been approved and closed.
3. Review the change history of the Risk ID.
   a) Log on to SAP BusinessObjects Access Control, select the Risk Analysis and Remediation link, and select the Rule Architect tab.
   b) Select Change History, choose Risk ID, and review the results.
   c) Search for your changed Risk ID and review the results.

Result
You have successfully updated a risk in Risk Analysis and Remediation, sent an approval request to the risk owner through workflow, and documented an approved change to a risk with an audit trail of the change.

Lesson Summary
You should now be able to:
• Use the workflow functionality to ensure a comprehensive and compliant change management process for risk and control maintenance
• Describe the required configuration steps and the business background of using this functionality

Lesson: Workflow-Based Reviews

Lesson Overview
This lesson discusses the configuration of workflow for the User Access Review and the User SoD Review capabilities of SAP BusinessObjects Access Control Compliant User Provisioning.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review

Business Example
Your organization plans to ensure continuous compliance by investigating and remediating risks that arise from excessive user access to company systems. For that reason, the organization plans to use SAP BusinessObjects Access Control to automate periodic reviews of user access and the resulting risk violations. The internal audit department recommends implementing both workflows to improve risk awareness and compliance procedures within your company.

User Access Review: Process Overview
Managers and role approvers use User Access Review (UAR) to automate the periodic process of reviewing and reaffirming end-user role assignments. The system notifies managers to review their direct reports' access to applications. Approvers must review the list of user role assignments and determine whether each user still needs those roles based on their current responsibilities. Approvers either approve or remove the roles that are assigned to each user. If the user no longer requires a role, the role is de-provisioned from the back-end systems automatically or manually. If the reviewer does not complete the review in the defined period, the process can be escalated. Escalation could include the deactivation of a user's account until the review is completed.
Highlights of this process include:
• Automated decentralized user access review by business managers or role owners
• Reports generated automatically based on the company's internal control policy
• Workflow-request-based review and approval process
• Automatic de-provisioning for role removal
• Audit trail and reports for review details
• Allows managers to approve or remove roles based on the employee's business function

Benefits:
• Streamlines the internal control process with collaboration among business managers, the internal control team, and the IT team
• Provides efficiency and visibility for a company's Sarbanes-Oxley Act compliance

Configuring Workflow for User Access Review
To produce requests for User Access Review reviewers, the following configurations must be in place in Compliant User Provisioning and Enterprise Role Management.

Figure 58: UAR Configuration

• Activate and configure the UAR workflow.
  – Define an initiator.
  – Define a stage (one stage for the reviewer and another stage for security).
  – Define a path (one path for the reviewer and another path for security).
  – Define a detour with a condition (for role removals).
• Set up the User Review options for UAR in the Configuration tab.
  – Select whether Admin Review is required.
  – Select the reviewers: manager or role owner.
  – Define the number of line items per request.
  – Select the default request type.
  – Select the default priority of the request.
• Populate the Coordinator-Reviewer Relationships table if a coordinator is to be configured for the UAR.
  – The coordinator is optional; it is possible to perform the review without a coordinator.
  – In addition, one coordinator might have many reviewers.
• Define the e-mail reminder.
• Define the service level for UAR.
• Schedule a role usage synchronization to perform the User Access Review in Enterprise Role Management.
• Schedule the UAR Review Load Data background job in Compliant User Provisioning.
• Schedule the UAR Review Update Workflow background job in Compliant User Provisioning.

Note: You can schedule new background jobs to create workflow requests for manager or risk-owner review only after all previous UAR requests are closed.

Note: The SAP BusinessObjects Access Control Configuration Guide delivered with the application documentation provides detailed steps on how to configure UAR in Compliant User Provisioning. Check the Compliant User Provisioning section under User Review.

User SoD Review Process Overview
Business managers and risk owners use the segregation of duties (SoD) review process to automate periodic reviews of SoD conflicts. Once Risk Analysis and Remediation identifies user SoD conflicts, they must be remediated to ensure Sarbanes-Oxley Act compliance. The system uses Risk Analysis and Remediation batch analysis data to update management graphics and to generate these SoD Review workflow requests in Compliant User Provisioning. The reviewer can be either the user's manager or the risk owner (as defined in the Rule Architect of Risk Analysis and Remediation). Once the request is created, the system sends an e-mail notification about the SoD violations to the reviewer. Depending on your configuration, requests may contain unmitigated SoD conflicts only, or both unmitigated and mitigated conflicts.
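The following Python model is an added example, not code from this handbook or from SAP. It shows what the UAR Review Load Data job configured above, and the SOD Review Load Data job of the User SoD Review described in this paragraph, have to do to turn review data into workflow requests: select the line items (for the SoD review, with or without mitigated conflicts), group them by the configured reviewer (manager or role/risk owner), split each group by the configured number of line items per request, and attach the optional coordinator and the default request type and priority. The data structures, field names, function names (ReviewConfig, build_review_requests, apply_decisions) and the sample assignments and violations are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ReviewConfig:
    """User Review options from the Configuration tab (constructed field names)."""
    review_type: str                 # "UAR" or "SOD"
    reviewer_field: str              # "manager", "role_owner" or "risk_owner"
    max_line_items: int              # number of line items per request
    admin_review: bool = False
    request_type: str = "Review"
    priority: str = "Medium"
    include_mitigated: bool = False  # SOD Review Load Data: with or without mitigated risks
    coordinators: Dict[str, str] = field(default_factory=dict)  # reviewer -> coordinator (optional)


@dataclass
class ReviewRequest:
    review_type: str
    reviewer: str
    line_items: List[dict]
    coordinator: Optional[str]
    admin_review: bool
    request_type: str
    priority: str


# Constructed sample: user-role assignments, as a role usage synchronization would deliver them.
UAR_ITEMS = [
    {"user": "jdoe",   "role": "Z_AP_CLERK", "manager": "mgr_fin", "role_owner": "own_ap"},
    {"user": "jdoe",   "role": "Z_AP_PAY",   "manager": "mgr_fin", "role_owner": "own_ap"},
    {"user": "asmith", "role": "Z_AP_PAY",   "manager": "mgr_fin", "role_owner": "own_ap"},
    {"user": "bwong",  "role": "Z_HR_ADMIN", "manager": "mgr_hr",  "role_owner": "own_hr"},
]

# Constructed sample: user SoD violations, as the batch risk analysis would report them.
SOD_ITEMS = [
    {"user": "jdoe",   "risk_id": "P001", "manager": "mgr_fin", "risk_owner": "own_p2p", "mitigated": False},
    {"user": "asmith", "risk_id": "P001", "manager": "mgr_fin", "risk_owner": "own_p2p", "mitigated": True},
    {"user": "bwong",  "risk_id": "H003", "manager": "mgr_hr",  "risk_owner": "own_hr",  "mitigated": False},
]


def select_items(items: List[dict], cfg: ReviewConfig) -> List[dict]:
    """Drop mitigated conflicts unless the SoD review is configured to include them."""
    if cfg.review_type == "SOD" and not cfg.include_mitigated:
        return [i for i in items if not i["mitigated"]]
    return list(items)


def build_review_requests(items: List[dict], cfg: ReviewConfig) -> List[ReviewRequest]:
    """Group the line items by reviewer and split each group into requests that hold at
    most max_line_items, carrying the coordinator (if any) and the request defaults."""
    by_reviewer: Dict[str, List[dict]] = {}
    for item in select_items(items, cfg):
        by_reviewer.setdefault(item[cfg.reviewer_field], []).append(item)
    requests: List[ReviewRequest] = []
    for reviewer in sorted(by_reviewer):
        group = by_reviewer[reviewer]
        for start in range(0, len(group), cfg.max_line_items):
            requests.append(ReviewRequest(
                review_type=cfg.review_type,
                reviewer=reviewer,
                line_items=group[start:start + cfg.max_line_items],
                coordinator=cfg.coordinators.get(reviewer),
                admin_review=cfg.admin_review,
                request_type=cfg.request_type,
                priority=cfg.priority,
            ))
    return requests


def item_key(item: dict) -> str:
    """'user:role' for a UAR item, 'user:risk_id' for an SoD item."""
    return f"{item['user']}:{item.get('role', item.get('risk_id'))}"


def apply_decisions(request: ReviewRequest, decisions: Dict[str, str]):
    """decisions maps item keys to 'approve' or 'remove'. Returns the keys to de-provision
    (what the Update Workflow job would act on) and the keys the reviewer has not decided
    yet, which an escalation after the service level has passed would pick up."""
    removals = [item_key(i) for i in request.line_items
                if decisions.get(item_key(i)) == "remove"]
    pending = [item_key(i) for i in request.line_items
               if decisions.get(item_key(i)) not in ("approve", "remove")]
    return removals, pending
```

With max_line_items set to 2, the three finance assignments above produce two requests for mgr_fin and one for mgr_hr; with the risk owner as reviewer and mitigated conflicts excluded, the mitigated P001 violation of asmith never reaches a request. apply_decisions separates the roles to de-provision from the items a reviewer has left undecided.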
Highlights of this process include:
• Automates the decentralized SoD review by business managers or risk owners
• Real-time detection of SoD violations, with reports generated and submitted to reviewers
• Workflow-request-based review and approval process
• Audit trail and reports for review details

Benefits:
• Real-time SoD management by exception
• Streamlines the internal control process with collaboration among business managers, the internal control team, and the IT team
• Provides efficiency and visibility for a company's internal control process

Configuring Workflow for User SoD Review
To produce requests for User SoD Review reviewers, the following configurations must be in place in Compliant User Provisioning and Enterprise Role Management.

Figure 59: SoD Review Configuration

• Activate and configure the User SoD Review workflow.
  – Define an initiator.
  – Define a stage (one stage for the reviewer and another stage for security).
  – Define a path (one path for the reviewer and another path for security).
  – Define a detour with a condition (for SoD removals).
• Set up the user review options for User SoD Review in the Configuration tab.
  – Select whether Admin Review is required.
  – Select the reviewers: manager or role owner.
  – Define the appropriate SoD Review Users URL.
  – Define the appropriate SoD Review Users Risks URL.
  – Define the number of line items per request.
  – Select the default request type.
  – Select the default priority of the request.
• Populate the Coordinator-Reviewer Relationships table if a coordinator is to be configured for the User SoD Review.
  – The coordinator is optional; it is possible to perform the review without a coordinator.
  – In addition, one coordinator might have many reviewers.
• Define the e-mail reminder.
• Define the service level for User SoD Review.
• Schedule background jobs to perform the batch risk analysis and management report updates in Risk Analysis and Remediation.
• Schedule the SOD Review Load Data background job in Compliant User Provisioning (either with or without mitigated risks).
• Schedule the SOD Review Update Workflow background job in Compliant User Provisioning.

Note: You can schedule new background jobs to create workflow requests for manager or risk-owner review only after all previous User SoD Review requests are closed.

Note: The SAP BusinessObjects Access Control Configuration Guide delivered with the application documentation provides detailed steps on how to configure User SoD Review in Compliant User Provisioning. Check the Compliant User Provisioning section, under User Review.

Lesson Summary
You should now be able to:
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review

Lesson: Compliant User Management Life Cycle

Lesson Overview
This lesson explains the Compliant User Management life cycle in Compliant User Provisioning.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the main advantages of Compliant User Provisioning and discuss how it can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required approval steps and risk analysis, and the final provisioning in the back-end system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager information
• Explain and configure workflow exception handling using escalations, detours, rerouting, and forwarding
• Configure an advanced user provisioning workflow

Business Example
Your organization has to set up proper change control procedures in the area of authorization and access management. Consequently, the implementation of Compliant User Provisioning as part of SAP BusinessObjects Access Control will ensure that all changes have been reviewed and approved prior to production activation. Several business owners within your organization request advanced functionalities and escalation possibilities in the defined user creation process. Therefore, you want to familiarize yourself with the advanced workflow functionalities within the solution.
The Main Advantages of Compliant User Provisioning
• Automates, accelerates, and tracks the user access request process using workflow for SAP and non-SAP systems
• User administration with integrated risk analysis and mitigation capabilities keeps the system clean
• Provides simulation in the production system for risk analysis before changes are provisioned
• Provides a comprehensive audit trail
• Flexible configuration of multiple workflow paths and workflow triggers based on the type of request
• Self-service password reset lifts another user administration burden from the support team
• User authentication from a wide range of sources, including single sign-on, LDAP, and SAP systems
• Ensures audit compliance
• Automatically provisions users and roles to users in multiple SAP systems
• Automated e-mail notification to appropriate parties
• Provides numerous reports in analytical and chart views
• Integrated with SAP Enterprise Portal

Dynamic Workflow
Dynamic Workflow Provides End-to-End Automation
• Automated user provisioning and de-provisioning to multiple applications
• Requests automatically filled with user identity information from an LDAP directory or HR database
• Complete SAP provisioning including SAP R/3, SAP ERP, CUA, portals, and so on
• Role filtering or modeling facilitates simple assignment
• Approvals directly from e-mail
• Configurable path initiators, detours, and escalation
Figure 60: Dynamic Workflow

Proactive Compliance Lowers Risk and Saves Money
• Integrated, real-time risk analysis before access is granted
• Pre-approved mitigating controls assigned as required

Business-Friendly Reporting Increases Visibility
• Ticket process for detailed tracking
• Customizable reporting and process-efficiency statistics

Helpful User Administration Services Save Money
• Self-service password reset saves time
• Simple Access Reaffirm meets regulatory requirements

Demonstration of a Typical Workflow Request
The instructor will demonstrate a typical workflow for adding a role to a user.

Workflow Creation Process
Plan - Implement - Test - Adjust

Plan
Planning a workflow requires determining:
• The required workflow functionality
• The number of workflows needed
• Which stages, initiators, and paths need to be created
• Who the required approvers are
• What the final provisioning will be

Planning is the most critical component in the workflow process.
• Planning requires careful consideration at the start of the implementation.
• The more time spent planning workflow needs, the easier the entire process.

Implement
Create workflows according to the planning decisions.
• Create stages and initiators.
• Create workflow paths.
• Assign stages and an initiator to each workflow path.

Test and Adjust
Test the workflows and adjust as necessary.
• Fix existing workflows.
• Create new workflows.

Password Sending Options
Password options in e-mails can now be configured to send the password at the end of the request. You can configure this on the Email Reminder screen by choosing Configuration → Workflow → Email Reminder.

Send Password in Mail:
• No password sent
• Password sent in the e-mail
• Password is not sent directly in the e-mail, but is sent as a link
Connecting to an LDAP
Lightweight Directory Access Protocol (LDAP) is a standard for managing a large user directory. Compliant User Provisioning can use an LDAP directory to find detailed user information. Out of the box, Compliant User Provisioning supports Microsoft Active Directory, Sun ONE, Novell eDirectory, and IBM Tivoli LDAP directories.

Once connected to an LDAP directory, you have to map the user information. The LDAP Mapping option maps fields to their corresponding fields in an LDAP database. In addition, you can add fields and then map them to attributes that already exist in your enterprise's LDAP database by selecting those attributes on the Additional Fields screen. The field mapping you define for the LDAP directory is specific to the LDAP systems that you configured in the User Data Source option. The User Data Source option is where you configure one or many LDAP data sources for searching and retrieving user detail information.

Advanced Workflows
Advanced workflows include:
• Escalations
• Detours
• Rerouting
• Forwarding

Escalations
Escalations are configured at the stage level and dictate how to handle a request when an approver fails to respond within the time allotted during stage definition. The options for escalation are:
• No Escalation (default setting): Compliant User Provisioning waits for the approver's response, even after the specified wait time passes, and does not take any steps to resolve the stalled request. The approver approves or rejects the request. An administrator can manually resolve the problem by approving on behalf of the assigned approver, forwarding the request to another approver, or rerouting the request.
• Forward to Next Stage: Compliant User Provisioning ignores the expected approval at this stage and proceeds to the next stage in the path. With this option, a designated approver who does not respond to the request does not prevent the request from being approved. Use caution with this option, since it allows the request to bypass the defined approvers.
• Forward to Alternate Approver: This provides a fallback option if the designated approver does not respond within the allotted time. Compliant User Provisioning reassigns the approver. Alternate approvers must be maintained for the approver determinator of the stage where this option is set. Escalation to an alternate approver happens only once; there is no alternate approver for the alternate. After the system escalates the approval for the stage to the alternate approver, the original approver no longer has access to approve or reject the request.
• Forward to Administrator: If the approver fails to respond within the allotted time, Compliant User Provisioning forwards the request to the administrator. The administrator's information must be maintained on the Configuration Support screen for this option to work.

Detours
Detours are standalone workflows that assume management of a request from a main workflow. Detours are not subsets or dependents of main workflows. They do not have initiators, so they cannot be triggered by a submitted request. If the state of a request meets predefined conditions, a main workflow passes control of the request to a detour workflow. The type of event that triggers a detour is typically one that prevents a main workflow from proceeding on its defined path. If something occurs that interferes with a request, the main workflow can be configured to pass the request to a detour workflow.

For example, you can design a workflow to handle a single request that includes more than one role. If an approver denies one of the roles in the request, you might want the remainder of the request to proceed. Rather than aborting the request, you can have the main workflow transfer it to a detour workflow. The detour can then continue the approval process for the remaining roles. The structure of a detour workflow is similar to the structure of a main workflow. It has a defined starting point and a sequence of one or more stages. At each stage of the detour, an approver must approve the request before it can proceed.

Rerouting
Rerouting is an option that allows the approver to reroute the request to a previous stage as an alternative to rejecting the request entirely. Rerouting does not apply if the approver chooses to approve the request.

Forwarding
Forwarding allows the approver to forward the request to someone else for approval.

Exercise 11: Workflow Creation Workshop (Group Exercise)

Exercise Objectives
After completing this exercise, you will be able to:
• Define a process to create a new employee account
• Define a process to change the roles of an existing account
• Design the process (on a whiteboard), identify the needed data, and estimate which data is already stored in the system

Business Example
As a business expert, you are working in a small team to design two workflows: Create Account and Change Existing Account. At the end of the breakout session, your team is responsible for presenting and defending its decisions.

Task 1:
This exercise is a group exercise that will be performed in groups of three or fewer.
1. Define a process to create a new employee account.
2. Define a process to change the roles of an existing account.
3. Design the process (on a whiteboard), identify the needed data, and estimate which data is already stored in the system.

Task 2:
Discussion questions to help with the design process:
1. What information is needed for user creation?
2. Where is the information stored?
3. Which approval steps are necessary?
4. Who removes the old roles?
5. Who checks the correct responsibilities and authorizations?
6. What happens with accounts of employees who leave the company?
7. Who informs about leaving?
8. What happens when processes run for a long time?
9. What happens if an approver is on vacation (escalation when and to whom)?

Solution 11: Workflow Creation Workshop (Group Exercise)

Task 1:
This exercise is a group exercise that will be performed in groups of three or fewer.
1. Define a process to create a new employee account.
   a)
2. Define a process to change the roles of an existing account.
   a)
3. Design the process (on a whiteboard), identify the needed data, and estimate which data is already stored in the system.
   a)

Task 2:
Discussion questions to help with the design process:
1. What information is needed for user creation?
   a)
2. Where is the information stored?
   a)
3. Which approval steps are necessary?
   a)
4. Who removes the old roles?
   a)
5. Who checks the correct responsibilities and authorizations?
   a)
6. What happens with accounts of employees who leave the company?
   a)
7. Who informs about leaving?
   a)
8. What happens when processes run for a long time?
   a)
9. What happens if an approver is on vacation (escalation when and to whom)?
   a)
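As an added example, and not code from this handbook or from SAP, the following Python model implements the four escalation options and the detour behaviour described in the Escalations and Detours sections above, which is also what discussion questions 8 and 9 of Exercise 11 (long-running processes, approver on vacation) ask about. The names Stage, Request, handle_timeout and decide, the hour-based wait times, and the sample approvers and roles are assumptions; stages are treated as belonging to one request each.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# The four escalation options named in the lesson.
NO_ESCALATION = "No Escalation"
FORWARD_NEXT = "Forward to Next Stage"
FORWARD_ALTERNATE = "Forward to Alternate Approver"
FORWARD_ADMIN = "Forward to Administrator"


@dataclass
class Stage:
    name: str
    approver: str
    wait_hours: int                          # time allotted during stage definition
    escalation: str = NO_ESCALATION
    alternate_approver: Optional[str] = None  # maintained on the stage's approver determinator
    escalated: bool = False                   # escalation to the alternate happens only once


@dataclass
class Request:
    request_id: int
    roles: List[str]
    path: List[Stage]
    stage_index: int = 0
    status: str = "Open"
    detour: Optional["Request"] = None
    log: List[str] = field(default_factory=list)

    @property
    def stage(self) -> Stage:
        return self.path[self.stage_index]

    def can_act(self, user: str) -> bool:
        return self.status == "Open" and user == self.stage.approver


def advance(req: Request) -> Optional[str]:
    """Move to the next stage; returns its approver, or None once the path is complete."""
    if req.stage_index + 1 < len(req.path):
        req.stage_index += 1
        return req.stage.approver
    req.status = "Approved"
    return None


def handle_timeout(req: Request, hours_waited: int,
                   administrator: Optional[str] = None) -> Optional[str]:
    """Apply the current stage's escalation option once its wait time has passed.
    Returns the user who now holds the approval (None if the request was closed)."""
    st = req.stage
    if req.status != "Open" or hours_waited < st.wait_hours:
        return st.approver
    if st.escalation == NO_ESCALATION:
        req.log.append(f"{st.name}: still waiting on {st.approver}; an administrator must intervene")
        return st.approver
    if st.escalation == FORWARD_NEXT:
        req.log.append(f"{st.name}: skipped without approval from {st.approver}")
        return advance(req)
    if st.escalation == FORWARD_ALTERNATE:
        if st.escalated or st.alternate_approver is None:
            req.log.append(f"{st.name}: no (further) alternate; still waiting on {st.approver}")
            return st.approver
        req.log.append(f"{st.name}: reassigned from {st.approver} to {st.alternate_approver}")
        st.approver = st.alternate_approver   # the original approver loses access to the request
        st.escalated = True
        return st.approver
    if st.escalation == FORWARD_ADMIN:
        if administrator is None:
            raise ValueError("administrator must be maintained on the Configuration Support screen")
        req.log.append(f"{st.name}: forwarded from {st.approver} to administrator {administrator}")
        st.approver = administrator
        return administrator
    raise ValueError(f"unknown escalation option: {st.escalation!r}")


def decide(req: Request, user: str, denied_roles: Sequence[str] = (),
           detour_path: Optional[List[Stage]] = None) -> Optional[str]:
    """Record the approver's decision at the current stage. Denying some of the roles hands
    the remaining ones to a detour workflow (if one is configured) instead of rejecting all."""
    if not req.can_act(user):
        raise PermissionError(f"{user} may not act on request {req.request_id}")
    denied = [r for r in req.roles if r in denied_roles]
    if not denied:
        return advance(req)
    remaining = [r for r in req.roles if r not in denied]
    req.log.append(f"{req.stage.name}: {user} denied {denied}")
    if not remaining or detour_path is None:
        req.status = "Rejected"
        return None
    req.status = "Detoured"
    req.detour = Request(req.request_id, remaining, detour_path)  # a detour has no initiator
    return req.detour.stage.approver
```

The Forward to Next Stage branch is the one the lesson warns about: a stage with that option can be passed with no approval recorded at all, so the request log is the only trace that the approver never acted. Forward to Alternate Approver fires once per stage and revokes the original approver's access, and Forward to Administrator fails outright when no administrator is maintained, which is the configuration error to check for first when a request stalls.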
Lesson Summary
You should now be able to:
• Explain the main advantages of Compliant User Provisioning and discuss how it can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required approval steps and risk analysis, and the final provisioning in the back-end system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager information
• Explain and configure workflow exception handling using escalations, detours, rerouting, and forwarding
• Configure an advanced user provisioning workflow

Unit Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to perform transports from development to production
• Explain the workflow basics: initiator, stage, path, approver determinator
• Explain stage customizing options
• Name other areas for which the workflow functionality of SAP BusinessObjects Access Control can be used: risk maintenance, control maintenance, mitigation activities, user maintenance, role maintenance, and requesting superuser access
• Use the workflow functionality to ensure a comprehensive and compliant change management process for risk and control maintenance
• Describe the required configuration steps and the business background of using this functionality
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review
• Explain the main advantages of Compliant User Provisioning and discuss how it can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required approval steps and risk analysis, and the final provisioning in the back-end system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager information
• Explain and configure workflow exception handling using escalations, detours, rerouting, and forwarding
• Configure an advanced user provisioning workflow

Unit 4: Superuser Privilege Management Overview

Unit Overview
This unit discusses the configuration of Superuser Privilege Management. It also discusses how Superuser Privilege Management can be used as a key mitigation control to ensure continuous compliance.

Unit Objectives
After completing this unit, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Superuser Privilege Management
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure continuous compliance
• Implement a workflow to improve the request for superuser access rights with the help of SAP BusinessObjects Access Control

Unit Contents
Lesson: Superuser Privilege Management Installation Verification and Configuration
Lesson: Superuser Privilege Management Overview
Exercise 12: Superuser Privilege Management

Lesson: Superuser Privilege Management Installation Verification and Configuration

Lesson Overview
In this lesson, you will learn about the required post-installation steps for Superuser Privilege Management.

Lesson Objectives
After completing this lesson, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Superuser Privilege Management

Business Example
In order to set up a project plan for the implementation of SAP BusinessObjects Access Control Superuser Privilege Management in your organization, you need to familiarize yourself with the effort required for the solution setup.

Post-Installation Steps
During Superuser Privilege Management post-installation, it is important to verify that the RFC connection has been created.
1. Go to transaction SM59 and verify that the RFC connection has been created.
2. Schedule a Superuser Privilege Management background job for logging (SM36>/VIRSA/ZVFATBAK).
3. Create a Superuser Privilege Management ID through transaction SU01.

Figure 61: SM59
Figure 62: SM36
Figure 63: SU01

Lesson Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Superuser Privilege Management
Lesson: Superuser Privilege Management Overview

Lesson Overview
This lesson reviews the process of implementing Superuser Privilege Management.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure continuous compliance
• Implement a workflow to improve the request for superuser access rights with the help of SAP BusinessObjects Access Control

Business Example
You want to implement Superuser Privilege Management in your organization to eliminate the excessive authorizations and risks that your company experiences with the current emergency user approach.

Superuser Privilege Management
Superuser Privilege Management helps to eliminate superusers in the production environment. There are a few ways to use the application. One is to allow emergency changes in the production environment; in this case, Superuser Privilege Management provides an environment in which the use of the system is monitored. The second way is to allow functional users to have a superuser level of access to perform some business functions that are not part of their daily process, for example, month-end close.

Defining Users
Before you use Superuser Privilege Management, you need to identify:
1. Who the owners of the IDs will be
2. Who the controllers will be
3. Which users will need to log on through Superuser Privilege Management

The main reason you need to define these three types of users is that you will need the user information to enter into Superuser Privilege Management when configuration is complete. This will also aid in providing the correct role assignments for the users. The roles begin with the format /VIRSA/Z_VFAT.
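The following Python model is an added example, not SAP's code, of the ownership model just described: an owner maintains which business user may use a Firefighter ID and during which time frame, a controller receives the usage log, and the Firefighter user can log on only with a valid mapping, with a reason code, and in one session at a time, which is what Exercise 12 later in this unit has you verify. The class and function names, the controller ID GRCFFCTL-01 and the role names are constructed; the other IDs follow the naming pattern of that exercise.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass
class FirefighterId:
    ff_id: str
    owner: str                        # maintains the user mapping for this ID
    controller: str                   # monitors the usage log for this ID
    roles: List[str]                  # firefighter role plus only the needed business roles
    in_use_by: Optional[str] = None   # a Firefighter ID allows one session at a time


@dataclass
class Assignment:
    ff_id: str
    user: str
    valid_from: date
    valid_to: date


class FirefighterRegistry:
    """Constructed model of the owner / controller / Firefighter user relationships."""

    def __init__(self) -> None:
        self.ids: Dict[str, FirefighterId] = {}
        self.assignments: List[Assignment] = []
        self.log: List[dict] = []
        self.messages: List[dict] = []

    def add_id(self, ff: FirefighterId) -> None:
        # The lesson's rule: give the ID only the access it needs, never SAP_ALL.
        if "SAP_ALL" in ff.roles:
            raise ValueError(f"{ff.ff_id}: SAP_ALL may not be assigned to a Firefighter ID")
        self.ids[ff.ff_id] = ff

    def assign(self, owner: str, ff_id: str, user: str, valid_from: date, valid_to: date) -> None:
        """Only the owner of an ID may maintain its user mapping."""
        if self.ids[ff_id].owner != owner:
            raise PermissionError(f"{owner} is not the owner of {ff_id}")
        self.assignments.append(Assignment(ff_id, user, valid_from, valid_to))

    def available_ids(self, user: str, today: date) -> List[str]:
        """IDs the user may log on with today: the date must lie inside the mapping's time frame."""
        return sorted({a.ff_id for a in self.assignments
                       if a.user == user and a.valid_from <= today <= a.valid_to})

    def checkout(self, user: str, ff_id: str, reason_code: str, now: datetime) -> bool:
        """Log on as the Firefighter ID. Returns False when the ID is occupied by another session."""
        if ff_id not in self.available_ids(user, now.date()):
            raise PermissionError(f"{user} is not mapped to {ff_id} on {now.date()}")
        if not reason_code:
            raise ValueError("a reason code is required to log on as a Firefighter")
        ff = self.ids[ff_id]
        if ff.in_use_by is not None:
            return False
        ff.in_use_by = user
        self.log.append({"ff_id": ff_id, "user": user, "reason": reason_code,
                         "start": now, "end": None})
        return True

    def checkin(self, user: str, ff_id: str, now: datetime) -> None:
        ff = self.ids[ff_id]
        if ff.in_use_by != user:
            raise PermissionError(f"{user} does not hold a session for {ff_id}")
        ff.in_use_by = None
        for entry in reversed(self.log):          # close the most recent open entry
            if entry["ff_id"] == ff_id and entry["end"] is None:
                entry["end"] = now
                break

    def request_message(self, user: str, ff_id: str, text: str) -> dict:
        """Message to the user who currently occupies the ID."""
        msg = {"ff_id": ff_id, "from": user, "to": self.ids[ff_id].in_use_by, "text": text}
        self.messages.append(msg)
        return msg

    def log_report(self, controller: str) -> List[dict]:
        """Usage entries for every ID the given controller monitors."""
        mine = {f for f, ff in self.ids.items() if ff.controller == controller}
        return [e for e in self.log if e["ff_id"] in mine]


def demo() -> FirefighterRegistry:
    """Constructed walk-through with IDs named after the exercise pattern (group 01)."""
    reg = FirefighterRegistry()
    reg.add_id(FirefighterId("GRCFFID-01", "GRCFFOWN-01", "GRCFFCTL-01",
                             ["/VIRSA/Z_VFAT_EXAMPLE_ROLE", "Z_PAYMENT_RUN_EXAMPLE"]))
    reg.assign("GRCFFOWN-01", "GRCFFID-01", "GRCBIZZ-01", date(2010, 1, 1), date(2010, 12, 31))
    reg.checkout("GRCBIZZ-01", "GRCFFID-01", "Month-end payment run", datetime(2010, 6, 1, 9, 0))
    return reg
```

demo() builds one ID, one mapping and one open session; a second checkout of the same ID is refused while the first session is open, and log_report is what the controller sees once the session is closed. The SAP_ALL check in add_id enforces the implementation advice the lesson gives in this unit.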
Functionality After you have assigned a user to the application as a Firefighter and that user has the required role, the user is now able to log on to the application and see the following screen. Figure 64: Superuser Privilege Management Logon Screen If a user is required to log on for a process that only occurs once a month, you can use Superuser Privilege Management to give the user access through a Firefighter ID that is only useful for that purpose. 2009 © 2010 SAP AG. All rights reserved. 201 Unit 4: Superuser Privilege Management Overview GRC300 Figure 65: Reason Code Example Implementing There are a few additional items to consider when implementing Superuser Privilege Management: • • Identify what risks are going to be involved within the Firefighter ID. Ensure that only the necessary access is given, and not SAP_ALL, to the user ID. Workflow Integration Superuser Privilege Management can be integrated into the workflow process of Compliant User Provisioning. It works by having someone approve the request for the Firefigher ID and, after approval, the owner of Superuser Privilege Management can grant access to that user. 202 © 2010 SAP AG. All rights reserved. 2009 GRC300 Lesson: Superuser Privilege Management Overview Exercise 12: Superuser Privilege Management Exercise Objectives After completing this exercise, you will be able to: • Verify the configuration of Superuser Privilege Management • Create messages in case of occupied firefighter IDs • Take over a firefighter session to initiate the payment run Business Example Since payment of vendors is a critical transaction, the security department has decided to use Superuser Privilege Management as a preventive control. As an internal auditor you need to verify if your emergency access process is well defined and properly configured in the back-end system. Task 1: Access Superuser Privilege Management and make sure that the default roles have been assigned, especially the administrator role. 1. 
1. Verify that the Firefighter ownership model was correctly implemented.
2. Log on to the SAP back-end system with the user GRCFFADM-## and check in transaction SU01D whether the owner (GRCFFOWN-##) has the authorizations needed to enter the Firefighter application and maintain the Firefighter user mapping table.
3. Identify the Firefighter ID for which your owner is responsible.
4. Verify the Firefighter end user and Firefighter ID.
5. Log on as user GRCFFADM-## and check in transaction SU01D whether the correct role was assigned to the Firefighter end user (GRCBIZZ-##).
6. Log on as user GRCFFADM-## and check in transaction SU01D whether the correct Firefighter role and a business role were assigned to the Firefighter ID (GRCFFID-##).
7. Log on as the owner (GRCFFOWN-##) and verify the mapping inside the Firefighter application (choose the Firefighters button). The business user (GRCBIZZ-##) should be able to use the Firefighter ID (GRCFFID-##) to start a payment run. Make sure the current date is covered by the validity time frame.
8. Log on as GRCBIZZ-## and start the payment run. What happens?
9. As the same user (GRCBIZZ-##), go to the Firefighter application (/n/virsa/vfat), log on as the available Firefighter, and execute a payment run in transaction F110.
10. Try to open a second session of the same Firefighter ID. What happens?
11. Write a message to inform yourself that the Firefighter ID is requested by another user.

Note: Before continuing, wait until the instructor has updated the Log Report manually so that the recent activities are available in reporting: transaction /n/VIRSA/ZVFAT_V01 → button "Update Firefighter Log".

Task 2:
Act as an owner/controller.
1. Log on as the owner (GRCFFOWN-##) and start the Firefighter application.
2. Use your Web browser to access the Firefighter reporting information.
Solution 12: Superuser Privilege Management

Task 1:
Access Superuser Privilege Management and make sure that the default roles have been assigned, especially the administrator role.
1. Verify that the Firefighter ownership model was correctly implemented.
2. Log on to the SAP back-end system with the user GRCFFADM-## and check in transaction SU01D whether the owner (GRCFFOWN-##) has the authorizations needed to enter the Firefighter application and maintain the Firefighter user mapping table.
3. Identify the Firefighter ID for which your owner is responsible.
4. Verify the Firefighter end user and Firefighter ID.
5. Log on as user GRCFFADM-## and check in transaction SU01D whether the correct role was assigned to the Firefighter end user (GRCBIZZ-##).
6. Log on as user GRCFFADM-## and check in transaction SU01D whether the correct Firefighter role and a business role were assigned to the Firefighter ID (GRCFFID-##).
   a) Write down the business role.
7. Log on as the owner (GRCFFOWN-##) and verify the mapping inside the Firefighter application (choose the Firefighters button). The business user (GRCBIZZ-##) should be able to use the Firefighter ID (GRCFFID-##) to start a payment run. Make sure the current date is covered by the validity time frame.
   a) Write down the assigned Firefighter role. Identify the end user who is able to use your Firefighter ID.
8. Log on as GRCBIZZ-## and start the payment run. What happens?
9. As the same user (GRCBIZZ-##), go to the Firefighter application (/n/virsa/vfat), log on as the available Firefighter, and execute a payment run in transaction F110.
10. Try to open a second session of the same Firefighter ID. What happens?
11. Write a message to inform yourself that the Firefighter ID is requested by another user.

Note: Before continuing, wait until the instructor has updated the Log Report manually so that the recent activities are available in reporting: transaction /n/VIRSA/ZVFAT_V01 → button "Update Firefighter Log".

Task 2:
Act as an owner/controller.
1. Log on as the owner (GRCFFOWN-##) and start the Firefighter application.
   a) You can find the logs in the toolbox area. Have a look at the log. What can you see?
2. Use your Web browser to access the Firefighter reporting information.
   a) Open the following URL and log on as user GRC300-##: http://servername:50000/webdynpro/dispatcher/sapgrc/ffappcomp/Firefighter. What is the most important difference between the ABAP and the Web interface?
   b) The Web interface provides a single point of control, so it is possible to access the data of different Firefighter installations on different SAP back-end systems. Consequently, it is not necessary to log on to each system to view the reports.

Lesson Summary
You should now be able to:
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure continuous compliance
• Implement a workflow to improve the request for superuser access rights with the help of SAP BusinessObjects Access Control

Unit Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Superuser Privilege Management
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure continuous compliance
• Implement a workflow to improve the request for superuser access rights with the help of SAP BusinessObjects Access Control
Unit 5: Enterprise Role Management Overview

Unit Overview
This unit discusses the configuration of Enterprise Role Management. You will learn how Enterprise Role Management can prevent the uncontrolled creation of noncompliant roles. This unit also describes and demonstrates the concepts of role ownership and change management approvals to support a controlled process for handling the life cycle of SAP roles within the customer landscape.

Unit Objectives
After completing this unit, you will be able to:
• List the steps required after installation of SAP BusinessObjects Access Control Enterprise Role Management
• Explain how to connect the Enterprise Role Management component to a back-end system
• Explain the export and import configuration settings that are necessary to perform transports from development to production
• Explain how Enterprise Role Management can prevent the uncontrolled creation of noncompliant roles
• Describe and demonstrate the concept of role ownership and change management approvals to support a controlled process of handling the life cycle of SAP roles within the customer landscape
• Name the role attributes
• Configure a naming convention and enforcement
• Explain and configure organizational value mapping
• Set up a role creation methodology, condition groups, and role approvers
• Configure an approval workflow for role maintenance in the Workflow Engine
• Create a new role using the defined naming conventions
• Add transactions to the role
• Use the PFCG
• Maintain the authorization objects of the role
• Create a derived role without using the organizational value map
• Perform a risk analysis
• Approve the newly created role within the Workflow Engine
• Generate the role in the back-end system

Unit Contents
Lesson: Enterprise Role Management Installation Verification and Configuration ... 213
Lesson: Enterprise Role Management Overview ... 225
Lesson: Enterprise Role Management Configuration Review ... 229
Exercise 13: Enterprise Role Management ... 237
Lesson: Enterprise Role Management Workflow Steps ... 244
Exercise 14: Role Mass Maintenance ... 247

Lesson: Enterprise Role Management Installation Verification and Configuration

Lesson Overview
This lesson discusses installation verification and post-installation configuration for Enterprise Role Management.

Lesson Objectives
After completing this lesson, you will be able to:
• List the steps required after installation of SAP BusinessObjects Access Control Enterprise Role Management
• Explain how to connect the Enterprise Role Management component to a back-end system
• Explain the export and import configuration settings that are necessary to perform transports from development to production

Business Example
In order to set up a project plan for the implementation of SAP BusinessObjects Access Control Enterprise Role Management in your organization, you need to familiarize yourself with the effort required to set up the business scenario.
Required Steps after Installation of SAP BusinessObjects Access Control for Enterprise Role Management (ERM)
Enterprise Role Management allows you to create and maintain roles that reflect your business model and requirements. You should set up a functional environment and test it thoroughly before attempting to use it in a production environment.

Configuring Enterprise Role Management
SAP recommends that you configure certain functions before others in Enterprise Role Management. Configure in the following order:
1. Set up initial logon to Enterprise Role Management.
   Note: This should have been done with the system install.
2. Import initial system data.
   Note: This should have been done with the system install.
3. Define the system landscape.
4. Configure management of role attributes.
5. Configure management of condition groups.
6. Set up role creation methodology.
7. Configure management of naming conventions.
8. Configure management of organizational value mapping.
9. Configure Risk Analysis and Remediation.
10. Configure workflow management.
11. Configure Compliant User Provisioning.

You can configure the following functions in any order:
• Enterprise Role Management system logs
• Management of background jobs
• Mass role import
• Other functions

Verify Installation Steps
Verify that you are able to log on to Enterprise Role Management by accessing it from the SAP BusinessObjects Access Control launch pad.

Verify that the initial system data has been uploaded: select the Configuration tab and choose Methodology → Step. If steps are listed, the initial system data has been uploaded.
System Landscape Definition
A system landscape is a configuration of systems in which role definition, creation, testing, and risk analysis are performed. Before creating a landscape, you must define the systems, determine the systems for which you plan to generate roles, and decide which systems you plan to use for risk analysis purposes only. Then you can create a system landscape in which each system is associated with the actions to be used in the role management process.

Caution: If you adhere to change control procedures in your ERP application (all roles are created in development, then transported to quality assurance and production), you should not have a production system in your landscape associated with role generation.

You can set up different types of connectors in Enterprise Role Management, including Enterprise, non-SAP, SAP, and SAP Enterprise Portal connectors.
• Enterprise, non-SAP, and SAP Enterprise Portal connectors are descriptive connectors used to document the landscape to which each role belongs.
• The SAP connector is a live system connector that facilitates the transfer of data between Enterprise Role Management and other SAP ABAP systems.

A system landscape is a logical grouping of systems. A landscape contains more than one system and is populated by assigning systems and then associating them with one or more predefined actions. Associating actions with a system defines which action is performed in which system within a particular landscape.

Hint: You can associate role risk analysis with a test system or a production system, and role generation with a development system.

Note: The actions available for you to associate with the connectors are delivered with Enterprise Role Management. You cannot create your own actions.
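The landscape rules above (more than one system, only delivered actions, descriptive connectors document rather than act, and no production system associated with role generation under change control) are the kind of thing worth checking before a landscape is saved. The following Python check is an added example, not SAP's code or a feature of Enterprise Role Management; the action names, the DEV/QA/PROD tier classification and the sample system names are constructed for the example, since the page does not list the delivered actions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Stand-ins for the delivered actions: the lesson states that actions are
# delivered with ERM and cannot be created by the customer, but does not name them.
DELIVERED_ACTIONS = frozenset({"GENERATE_ROLE", "RISK_ANALYSIS"})
LIVE_CONNECTOR_TYPES = frozenset({"SAP"})  # the SAP connector talks to ABAP systems
DESCRIPTIVE_CONNECTOR_TYPES = frozenset({"Enterprise", "non-SAP", "SAP EP"})


@dataclass(frozen=True)
class System:
    name: str
    connector_type: str       # one of the connector types above
    tier: str                 # "DEV", "QA" or "PROD" (assumed classification)
    actions: FrozenSet[str]   # actions associated with this system in the landscape


def validate_landscape(name: str, systems: List[System]) -> List[str]:
    """Return a list of findings; an empty list means the landscape passes the checks."""
    findings: List[str] = []
    if len(systems) < 2:
        findings.append(f"{name}: a landscape must group more than one system")
    for s in systems:
        if s.connector_type not in LIVE_CONNECTOR_TYPES | DESCRIPTIVE_CONNECTOR_TYPES:
            findings.append(f"{s.name}: unknown connector type {s.connector_type}")
        for action in sorted(s.actions - DELIVERED_ACTIONS):
            findings.append(f"{s.name}: action {action} is not a delivered action")
        if s.connector_type not in LIVE_CONNECTOR_TYPES and s.actions:
            # Descriptive connectors only document the landscape; ERM exchanges
            # data with ABAP systems through the SAP connector alone.
            findings.append(f"{s.name}: descriptive {s.connector_type} connector "
                            f"cannot run {sorted(s.actions)}")
        if s.tier == "PROD" and "GENERATE_ROLE" in s.actions:
            findings.append(f"{s.name}: production system is associated with role "
                            f"generation; generate in development and transport instead")
    return findings


def sample_landscapes() -> Tuple[List[System], List[System]]:
    """Constructed examples: one landscape that passes and one that does not."""
    good = [System("ERP_DEV", "SAP", "DEV", frozenset({"GENERATE_ROLE"})),
            System("ERP_QA", "SAP", "QA", frozenset({"RISK_ANALYSIS"})),
            System("PORTAL", "SAP EP", "DEV", frozenset())]
    bad = [System("ERP_PRD", "SAP", "PROD", frozenset({"GENERATE_ROLE", "RISK_ANALYSIS"})),
           System("LEGACY", "non-SAP", "PROD", frozenset({"RISK_ANALYSIS"}))]
    return good, bad


if __name__ == "__main__":
    good, bad = sample_landscapes()
    print(validate_landscape("DEV-QA", good))   # []
    for finding in validate_landscape("PROD", bad):
        print(finding)
```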
Configuring Management of Role Attributes
Role attributes are the details that define a role during the role definition and creation process. You determine values for each attribute during Enterprise Role Management configuration and then assign or enter the defined attributes when you create a role.

Role attributes you can manage include:
• Business Processes
  A business process is a collection of related activities that produces something of value for your organization or business and is categorized according to the organizational structure of your enterprise. A business process can be managerial, operational, or supporting, and can be defined narrowly or broadly, depending on your business needs. When you create a role in Enterprise Role Management, the business process you assign to the role is one of the role's defining attributes and determines which subprocesses you can assign to that role.
• Business Subprocesses
  A business process can be divided into several business subprocesses, each with its own attributes. A business process typically contains one or more subprocesses.
• Functional Areas
  A functional area is a classification of processes for a department or business process. Within SAP, a functional area is used to organize certain activities within a department or business process. In Enterprise Role Management, a functional area is a role attribute used to categorize roles and define the approval and role maintenance processes. In addition, a functional area is used to filter the results of a role search, identifying only those roles associated with a specific functional area.
• Custom Fields
  Custom fields allow you to add attributes to a role that are specific to your company or organization. For example, if you want to distinguish a role by region, add a custom attribute and assign a specific region when you create the role.
• Projects and Releases
  The project or release can be a project name, release name, or release number that you want to associate with a particular role. The Project or Release ID field allows you to track and filter roles by project or release, based on your organization's requirements.

Configuring Management of Condition Groups
A condition group is defined from a set of role attributes (such as business process, subprocess, functional area, role type, or role name) and is based on role values and conditions. After you create a condition group, the system applies it to a role creation process to override the default role creation process when the criteria of the condition group are met. You can apply multiple condition groups in one role creation process, but you cannot associate multiple processes with one condition group.

Setting Up Role Creation Methodology
The role creation process consists of predefined methodology actions and the methodology steps associated with those actions. The steps together form a methodology, which guides you through the process of defining, generating, and testing a role during role creation. Enterprise Role Management is delivered with the predefined role methodology process "Virsa Default Process." You can also configure your own role creation process according to your organization's requirements.

Methodology steps are the steps taken to create a role during the role creation process. From these steps, you can tell which phase of the role creation process a role is in. Enterprise Role Management allows you to create methodology steps and associate them with the predefined actions provided within Enterprise Role Management. After you associate the steps with the predefined actions, you can create a role methodology process.
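The two sections above fit together: a methodology process is an ordered list of steps bound to predefined actions, and condition groups pick which process a new role follows. The following Python model is an added example, not SAP's code; it applies the two constraints the text states (steps may only use delivered actions, and one condition group selects exactly one process, while several groups may select the same process). The action names, the step lists (including those given here for "Virsa Default Process") and the attribute values are constructed; treating a match on groups that point to different processes as a configuration error rather than picking one is this example's choice, since the text defines no tie-break.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Stand-ins for the predefined methodology actions delivered with ERM.
PREDEFINED_ACTIONS = frozenset({"DEFINITION", "AUTHORIZATION", "RISK_ANALYSIS",
                                "APPROVAL", "GENERATION", "TESTING"})


@dataclass(frozen=True)
class Process:
    name: str
    steps: Tuple[Tuple[str, str], ...]  # (step name, predefined action), in order

    def __post_init__(self) -> None:
        unknown = {action for _, action in self.steps} - PREDEFINED_ACTIONS
        if unknown:
            raise ValueError(f"{self.name}: steps reference non-delivered actions "
                             f"{sorted(unknown)}")

    def phase(self, completed: int) -> str:
        """Name of the step a role is in, given how many steps it has completed."""
        return "done" if completed >= len(self.steps) else self.steps[completed][0]


@dataclass
class ConditionGroup:
    name: str
    conditions: Dict[str, Set[str]]  # attribute -> accepted values; all must match
    process: str                     # exactly one process per condition group

    def matches(self, role_attrs: Dict[str, str]) -> bool:
        return all(role_attrs.get(attr) in values
                   for attr, values in self.conditions.items())


def select_process(role_attrs: Dict[str, str], groups: List[ConditionGroup],
                   processes: Dict[str, Process],
                   default: str = "Virsa Default Process") -> Process:
    """Override the default process when a condition group's criteria are met."""
    hits = [g for g in groups if g.matches(role_attrs)]
    targets = {g.process for g in hits}
    if len(targets) > 1:
        # Assumption of this example: conflicting matches are refused, not ranked.
        raise ValueError(f"ambiguous: {[g.name for g in hits]} select different processes")
    return processes[targets.pop() if targets else default]


def sample_config() -> Tuple[Dict[str, Process], List[ConditionGroup]]:
    """Constructed processes and condition groups for the demo and checks."""
    common = (("Define role", "DEFINITION"), ("Maintain authorizations", "AUTHORIZATION"),
              ("Risk analysis", "RISK_ANALYSIS"), ("Approval", "APPROVAL"))
    processes = {
        "Virsa Default Process": Process("Virsa Default Process",
                                         common + (("Generate", "GENERATION"),)),
        "Finance Process": Process("Finance Process",
                                   common + (("Test in QA", "TESTING"),
                                             ("Generate", "GENERATION"))),
    }
    groups = [
        ConditionGroup("FI single roles",
                       {"business_process": {"FI"}, "role_type": {"single"}}, "Finance Process"),
        ConditionGroup("FI derived roles",
                       {"business_process": {"FI"}, "role_type": {"derived"}}, "Finance Process"),
    ]
    return processes, groups


if __name__ == "__main__":
    processes, groups = sample_config()
    chosen = select_process({"business_process": "FI", "role_type": "single"}, groups, processes)
    print(chosen.name, "->", [step for step, _ in chosen.steps])
```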
Configuring the Management of Naming Conventions
You create naming conventions to enforce role- and profile-naming standards during the role creation process. Naming conventions are specific to a system landscape and role type. The landscape and role type determine the attributes that can be assigned to a naming convention.

Configuring the Management of Organizational Value Mapping
If you want to restrict user access by organizational area, you can use the organizational value mapping feature to map roles to different organizational levels. To define all associated organizational values, you can create an organizational value map for each organizational area (such as North America, Europe, or Asia Pacific).

Prior to creating an organizational value map, you must run a background job to import existing organizational fields and values from your SAP ERP system. After the initial import, you can create a background job to schedule periodic synchronization to keep the data up to date.

You always create an organizational value map with a primary organizational level and value, because Enterprise Role Management uses that combination to store and search for the organizational value map. You can create multiple maps for the same primary organizational level and value combination. After the primary organizational level and value are set, you define the values for all child organizational levels to complete the organizational value map.

Configuration for Risk Analysis Integration with Risk Analysis and Remediation
Enterprise Role Management works directly with Risk Analysis and Remediation to perform the following functions:
• Risk analysis
• Risk mitigation
• Authorization function search
• Transaction usage
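Returning to the naming convention and organizational value mapping sections above: the following Python model is an added example, not SAP's code or a feature of the product. It shows a naming convention as free text plus attribute placeholders, scoped to one landscape and role type so that a single role type can have different conventions in development and test, validated so that it only uses attributes allowed for its role type, and used both to build and to check a role name. An organizational value map with a primary level and value plus child levels then supplies the derived-role attributes (master role name, derived org level, from and to value). The placeholder names, the org levels and values, and the rule that the derived org level is the map's primary level are constructed assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Placeholder names are this example's own; the attribute set they stand for is
# the one the lesson lists for all role types, plus the extra ones for derived roles.
SINGLE_TOKENS = {"BUSINESS_PROCESS", "SUBPROCESS", "PROJECT_RELEASE"}
DERIVED_ONLY = {"MASTER_ROLE", "DERIVED_ORG_LEVEL", "FROM_VALUE", "TO_VALUE"}
TOKEN_RE = re.compile(r"\{(\w+)\}")


@dataclass
class NamingConvention:
    name: str
    landscape: str   # conventions are specific to a landscape ...
    role_type: str   # ... and a role type: "single", "composite" or "derived"
    template: str    # free text plus {TOKEN} placeholders

    def __post_init__(self) -> None:
        allowed = SINGLE_TOKENS | (DERIVED_ONLY if self.role_type == "derived" else set())
        unknown = set(TOKEN_RE.findall(self.template)) - allowed
        if unknown:
            raise ValueError(f"{self.name}: tokens {sorted(unknown)} are not available "
                             f"for {self.role_type} roles")

    def render(self, attrs: Dict[str, str]) -> str:
        """Build the role name; a missing attribute is an error, not an empty field."""
        missing = set(TOKEN_RE.findall(self.template)) - set(attrs)
        if missing:
            raise ValueError(f"{self.name}: missing attributes {sorted(missing)}")
        return self.template.format(**attrs)

    def compliant(self, role_name: str, attrs: Dict[str, str]) -> bool:
        return role_name == self.render(attrs)


@dataclass
class OrgValueMap:
    primary_level: str   # the level/value pair the map is stored and searched by
    primary_value: str
    children: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # level -> (from, to)


def pick_convention(conventions: List[NamingConvention], landscape: str,
                    role_type: str) -> NamingConvention:
    hits = [c for c in conventions if c.landscape == landscape and c.role_type == role_type]
    if len(hits) != 1:
        raise LookupError(f"expected one convention for {landscape}/{role_type}, "
                          f"found {len(hits)}")
    return hits[0]


def derive_role(master_name: str, master_attrs: Dict[str, str], ovmap: OrgValueMap,
                conventions: List[NamingConvention], landscape: str):
    """Name a derived role from its master role and an org value map.
    Assumption: the derived org level is the map's primary level and the
    from/to values both equal its primary value."""
    conv = pick_convention(conventions, landscape, "derived")
    attrs = dict(master_attrs, MASTER_ROLE=master_name,
                 DERIVED_ORG_LEVEL=ovmap.primary_level,
                 FROM_VALUE=ovmap.primary_value, TO_VALUE=ovmap.primary_value)
    org_values = {ovmap.primary_level: (ovmap.primary_value, ovmap.primary_value),
                  **ovmap.children}
    return conv.render(attrs), org_values


def sample_conventions() -> List[NamingConvention]:
    """Constructed conventions: the same role type named differently per landscape."""
    return [NamingConvention("DEV single", "DEV", "single", "Z_{BUSINESS_PROCESS}_{SUBPROCESS}"),
            NamingConvention("DEV derived", "DEV", "derived",
                             "{MASTER_ROLE}_{DERIVED_ORG_LEVEL}{FROM_VALUE}"),
            NamingConvention("QA single", "QA", "single", "Q_{BUSINESS_PROCESS}_{SUBPROCESS}")]


if __name__ == "__main__":
    convs = sample_conventions()
    attrs = {"BUSINESS_PROCESS": "FI", "SUBPROCESS": "AP", "PROJECT_RELEASE": "R1"}
    master = pick_convention(convs, "DEV", "single").render(attrs)
    print(master)
    print(derive_role(master, attrs, OrgValueMap("BUKRS", "1000", {"WERKS": ("1000", "1999")}),
                      convs, "DEV"))
```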
To configure Enterprise Role Management Web services for Risk Analysis and Remediation:
1. On the Configuration tab in Enterprise Role Management, navigate to Miscellaneous.
2. Scroll to the Web Service Info. for CC Risk Analysis section.
3. Determine whether Risk Analysis and Remediation is deployed on the same SAP NetWeaver server.
   If it is on the same server, select Do not use Web Service and skip the configuration for CC Risk Analysis in step 4. With this option, Enterprise Role Management integrates with Risk Analysis and Remediation using a Web service within the Web server, which makes the integration faster. Configuration of all other Web services in step 4 is still required.
   If it is not on the same server, select Use Web Service and continue with step 4 to configure all Web services.
4. On the Configuration tab, identify the correct Risk Analysis and Remediation Web service URLs, and then enter each in its corresponding field on the following screens:
   • Web Service Info. for CC Risk Analysis
   • Web Service Info. for CC Transaction Usage
   • Web Service Info. for Mitigation Control
   • Web Service Info. for CC Functions
5. Enter the Web service user name and password in each of the Web Service Info. for CC screen fields.
   Hint: Obtain the Web service user name and password from your system administrator. This user communicates across SAP BusinessObjects GRC solution capabilities through the Web services configured in each application. Use the same user name and password as for the connector and create a common Web user in the User Management Engine (UME) for all capabilities. Using the same user for all Web service configurations across the SAP BusinessObjects GRC solution helps avoid integration issues caused by incorrect user names, passwords, or authorizations.
6. Choose Save.
Configuration for Workflow Management
Enterprise Role Management integrates with Compliant User Provisioning for the role approval workflow. As part of the integration, a role approver to be used by the approval workflow is defined during the role creation process. During role creation, you can manually define approvers and alternate approvers for each role, or you can allow Enterprise Role Management to assign approvers and alternate approvers automatically, based on the approval criteria you create and the role attributes the user selects. To create approval criteria, you assign approvers and alternate approvers to a set of role attributes or conditions.

Configuration of Integration with Compliant User Provisioning
Enterprise Role Management integrates with Compliant User Provisioning for the role approval workflow feature. During the approval phase, the role is submitted for approval using the Compliant User Provisioning approval workflow.

To configure Enterprise Role Management's Web services for Compliant User Provisioning:
1. On the Configuration tab in Enterprise Role Management, choose Miscellaneous. The Configuration screen appears.
2. Identify the correct Compliant User Provisioning Web service URL. Copy the URL for AEWFRequestSubmissionService_5_2 and paste it into the Workflow URL field in the Web Service Info. for AE Workflow section.
3. Choose Save to save your selections.

Connecting Enterprise Role Management to a Back-End System
You can set up different types of connectors in Enterprise Role Management. These include Enterprise, non-SAP, SAP, and SAP EP connectors.
• Enterprise, non-SAP, and SAP EP connectors are descriptive connectors used to document the landscape to which each role belongs.
• The SAP connector is a live system connector that facilitates the transfer of data between Enterprise Role Management and other SAP ABAP systems.

When setting up a landscape, you specify how you want Enterprise Role Management to communicate with the target systems by associating the connectors with predefined actions during the landscape creation process.

Note: The actions available for you to associate the connectors with are delivered with Enterprise Role Management. You cannot create your own actions.

Configuring a Connector for SAP
To create a connector for SAP ABAP systems:
1. In Enterprise Role Management, select the Configuration tab and choose System Landscape → Systems. The Available Systems screen appears.
   Note: Until you create your first connector, the Available Systems screen is blank.
2. Choose Create. The Create System screen appears.
3. In the System Type menu, choose SAP.
4. Select the SLD Connector checkbox to activate the System Landscape Directory.
5. In the Name field, enter the target system name. This is the SAP connector name.
   Caution: The connector names are very important when integrating with other SAP BusinessObjects GRC solution products and Central User Administration (CUA). Make sure that the connector name for SAP BusinessObjects Access Control is the same as the one configured for CUA.
6. In the Description field, enter a detailed description of the system connector, such as HR QA System.
7. In the Application field, enter the name of the application or application server.
8. In the Application Server Host field, enter the host name of the application server.
9. In the System Number field, enter the SAP system number.
10. In the Client field, enter the SAP client number.
11. In the User ID field, enter the SAP user name.
12. In the Password field, enter the password associated with the SAP user.
13. In the System Language field, enter the system language for the application server.
14. In the Message Server Name field, enter the name of the message server, which is used for load balancing in your clustered SAP environment.
15. In the Message Server Group field, enter the logon group to which the message server belongs.
16. In the Message Server Host field, enter the host name of the message server.
17. In the SAP Version menu, choose the appropriate SAP version. Enterprise Role Management supports SAP 4.6c and higher.
18. Choose Save.

Configuring a Connector for Enterprise, Non-SAP, or SAP EP
You can use the following procedure to plan and document the connection between ERM and non-ABAP systems. ERM can only communicate with ABAP systems directly.

To create a connector for Enterprise, non-SAP, or SAP Enterprise Portal:
1. In Enterprise Role Management, select the Configuration tab and choose System Landscape → Systems. The Available Systems screen appears.
2. Choose Create.
3. In the System Type menu, choose Non SAP.
4. In the Name field, enter the name of the system.
5. In the Description field, enter a detailed description of the system.
6. Choose Save.

Exporting and Importing Configuration Settings
This feature exports configuration settings from one Enterprise Role Management system and imports them into another. You must export the settings first and then use the generated file as the import source file for the other system. For example, after you configure the development system, you can export the configuration settings and import them into the production system, so that you do not have to reconfigure the settings manually.

Settings that can be exported or imported:
• Initial Data: This data consists of all of the system configuration data when it is first set up. It includes all values and flags that were initially set.
• Connector: This data includes connector information for all systems (SAP, non-SAP, LDAP, and so on) that were configured.
• Roles: This data includes all roles that were created and imported to the system.
  Note: Role export does not export role attributes. Role attributes must exist in the target system before roles can be imported.
• Workflow Configuration: This data includes all information on initiators, custom approver determinators, stages, paths, approvers, and the like.
• User Defaults: This data includes all mappings, values, and attribute settings.
• HR Triggers: This data includes all actions, rules, field mappings, and associated values and flag settings.

Lesson Summary
You should now be able to:
• List the steps required after installation of SAP BusinessObjects Access Control Enterprise Role Management
• Explain how to connect the Enterprise Role Management component to a back-end system
• Explain the export and import configuration settings that are necessary to perform transports from development to production

Lesson: Enterprise Role Management Overview

Lesson Overview
This lesson provides an overview of SAP BusinessObjects Access Control Enterprise Role Management.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how Enterprise Role Management can prevent the uncontrolled creation of noncompliant roles
• Describe and demonstrate the concept of role ownership and change management approvals to support a controlled process of handling the life cycle of SAP roles within the customer landscape

Business Example
Your organization wants to evaluate how a central, enterprise-wide role development solution could help prevent the introduction of new SoD violations.
Enterprise Role Management
Enterprise Role Management simplifies the enterprise role engineering process:
• Provides a single enterprise role repository for role design, testing, and maintenance to enforce consistency and standardization
• Facilitates the role design process with a predefined (yet customizable) design methodology and workflow
• Supports the definition and documentation of role information, authorizations, and testing results
• Enforces segregation-of-duties analysis during role design to prevent risks from entering application systems
• Provides change history for auditing and compliance
• Provides workflow approval for control checking and evaluation during role design
• Provides automatic SAP role generation
• Lets organizations configure and enforce multiple role design processes within the company for different business purposes
• Lets companies define multiple processes for different purposes, such as a single role design process for all single roles
• Provides a central documentation repository for enterprise roles residing in SAP and non-SAP systems
• Provides a naming convention to enforce role-naming standardization
• Enforces consistency, standardization, and ease of use for Enterprise Role Management

Figure 66: What is Enterprise Role Management?

Role Ownership and Change Management in Enterprise Role Management
Enterprise Role Management can help companies define and maintain role ownership throughout the life cycle of SAP roles. It enforces a company-defined role creation methodology and helps support SAP best practices.

Figure 67: Implementing Enterprise Role Management – Best Practice Use Case

As shown above, ERM creates role information in SAP application systems. As a best practice, Enterprise Role Management should have connectors (RTAs) set up to create roles in the company's development system first. Then use the traditional Change and Transport System to migrate roles to the QA and production systems.

Lesson Summary
You should now be able to:
• Explain how Enterprise Role Management can prevent the uncontrolled creation of noncompliant roles
• Describe and demonstrate the concept of role ownership and change management approvals to support a controlled process of handling the life cycle of SAP roles within the customer landscape

Lesson: Enterprise Role Management Configuration Review

Lesson Overview
This lesson gives you an overview of how to design a role using Enterprise Role Management.

Lesson Objectives
After completing this lesson, you will be able to:
• Name the role attributes
• Configure a naming convention and enforcement
• Explain and configure organizational value mapping
• Set up a role creation methodology, condition groups, and role approvers
• Configure an approval workflow for role maintenance in the Workflow Engine

Business Example
Your organization wants a set standard for role creation and wants to be able to enforce a set methodology.

Role Attributes
Role attributes are the details used to define a role during the role creation process. You determine the values for each attribute during Enterprise Role Management configuration, and then assign the defined attributes when you create a role.

Role attributes include:
• Business Processes
• Subprocesses
• Functional Areas
• Custom Fields
• Projects / Releases
Business Processes

A business process is a collection of related activities that produces something of value for your organization or business and is categorized based on your enterprise's organizational structure. A business process can be managerial, operational, or supporting, and can be defined narrowly or broadly, depending on your business needs. When you create a role in Enterprise Role Management, the business process you assign to the role is one of the role's defining attributes and determines which subprocesses you can assign to the role.

Examples of business processes are:
• Finance
• Accounts Payable
• Procure to Pay

Hint: Keep it simple. A sophisticated business process model might be a proper approach for process re-engineering, but the better approach for SAP BusinessObjects Access Control is to reduce complexity.

Subprocesses

A subprocess is a collection of related activities that produces something of value for your organization or business and is categorized based on your enterprise's organizational structure. It is a part of the business process. For example, if a company defines Procurement as a business process, then Purchasing would be a subprocess. A business process typically contains one or more subprocesses. Each subprocess must be linked to a business process.

Functional Area

A functional area is a classification of processes for a department or business process. Within SAP, a functional area is used to organize certain activities within a department or business process. For example, within your business you might have the business process Procurement, containing the functional areas Purchasing, Administration, and Receiving. However, one or more of these functional areas might also fall under the Finance business process. In Enterprise Role Management, a functional area is a role attribute used to categorize roles and define the approval and role maintenance processes.
In addition, a functional area is used to filter the results of a role search, identifying only those roles associated with a specific functional area.

Custom Fields

Custom fields allow you to add attributes to a role that are specific to your company or organization. For instance, if you have a role that needs to be distinguished by region, adding a custom attribute allows you to assign a specific region when you create your role.

Project / Release

The project/release can be a project name, release name, or release number that you would like to associate with a particular role.

Configure a Naming Convention and Enforcement

You create naming conventions to enforce role and profile naming standards during the role creation process. Naming conventions are specific to a system landscape and role type. The landscape and role type determine the attributes you can assign to a naming convention. You can have different naming conventions for a single role type in the development system landscape and the test system landscape. You can also have different naming conventions for the composite role type in the development system landscape and the test system landscape, and so on.

Creating a Naming Convention

You create a naming convention by entering free text or text dynamically linked to your role attributes. The role attributes available for naming convention creation for all role types are Business Process, Subprocess, and Project/Release. For SAP derived roles, additional role attributes are available: Master Role Name, Derived Org Level, From Value, To Value.

1. On the Configuration tab, choose Naming Convention.
2. Choose Create.
3. In the Name field, enter a name for the new naming convention.
4. From the System Landscape menu, select a system landscape.
5. From the Role Type menu, select a role type.
   The role type you select determines the attributes available to you in the next step. Available role types are:
   • Single
   • Composite
   • Derived
   • Profile

6. From the Enforced field dropdown list, select Disabled or Enabled.
   • Enabled: The naming convention is enforced and cannot be overridden by the user.
   • Disabled: The naming convention is suggested, but can be overridden by the user.

   The Expression field contains the format of the naming convention. It is auto-populated each time you assign an attribute or text character, but you decide the order and number of characters. The maximum number of characters allowed for a role name is 30 (with the exception of the profile name – role type Profile – which only allows 12 characters). Each time you add characters, the position of the assigned characters and the number of characters still available is displayed on the right side of the Create Naming Convention screen.

   Two types of characters appear in the Expression field:
   • Variable characters represent the attribute value you select from the Attribute dropdown list and are represented in the Expression field as a dollar sign ($). When you create a user role, the variable character is either auto-populated or changed, depending on your business needs.
   • Free text characters allow you to enter whatever text best fulfills your business needs, but it is typically based on valid characters for SAP role names. Free text is represented in the Expression field by either a dollar sign ($) or the actual text you enter in the Text field.

7. Populate the Expression field:
   a) Select an attribute from the Attribute dropdown list.
   b) Take one of the following actions:
      – Enter the number of characters needed to represent the selected attribute in the No. of Chars field, and choose the Add icon.
      – Enter text in the Text field, and choose Add.
   The characters that represent the variable or free text you enter appear in the Expression field, and the positions the characters hold in the expression appear in the screen on the right. In addition, you can see the number of characters that remain available for the naming convention.

8. Choose Save.

Organizational Value Mapping

If you want to restrict user access by organizational area, you can use the organizational value mapping feature to map roles to different organizational levels. To define all associated organizational values, you can create an organizational value map for each organizational area (such as North America, Europe, or Asia Pacific).

Prior to creating an organizational value map, you must run a background job to import existing organizational fields and values from your SAP ERP system. After the initial import, you can create a background job to schedule periodic synchronization to keep the data updated.

You always create an organizational value map with a primary organizational level and value, because Enterprise Role Management uses that to store and search for the organizational value. You can create multiple maps for the same primary organizational level and value combination. After the primary organizational level and value are set, you can define the values for all child organizational levels to complete the organizational value map. After you create the organizational value map, it can be used by all users as a basis to derive any master role.

Note: You must run the initial background jobs for Org Value Sync, Transaction/Object/Field Sync, and Activity Val Sync prior to configuring organizational value maps. These background jobs are a prerequisite for the organizational value mapping feature.
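As an added illustration (not code from the handbook or from SAP), the following Python models the naming-convention expression described in the Creating a Naming Convention procedure above: reserved variable positions shown as $, free text, the 30/12-character limits, the position display, and the difference between an Enabled and a Disabled convention. The class and function names, the sample conventions and the truncation rule are constructed.

```python
# Constructed model of an Enterprise Role Management naming convention
# (not SAP code). An expression is a list of segments: a variable segment
# reserves n positions (shown as n "$") for a role attribute, a free-text
# segment holds literal text. Limits and attribute lists follow the handbook.
from dataclasses import dataclass, field

MAX_LEN = {"Single": 30, "Composite": 30, "Derived": 30, "Profile": 12}
COMMON_ATTRS = {"Business Process", "Subprocess", "Project/Release"}
DERIVED_ATTRS = COMMON_ATTRS | {"Master Role Name", "Derived Org Level",
                                "From Value", "To Value"}


@dataclass
class Segment:
    kind: str      # "attr" (variable characters) or "text" (free text)
    value: str     # attribute name, or the literal text
    n_chars: int   # positions reserved in the expression


@dataclass
class NamingConvention:
    name: str
    role_type: str
    enforced: bool            # Enabled = True, Disabled = False
    segments: list = field(default_factory=list)

    def _append(self, seg):
        # The screen shows the characters still available; never overrun them.
        if seg.n_chars > self.remaining():
            raise ValueError(f"{self.name}: only {self.remaining()} of "
                             f"{MAX_LEN[self.role_type]} characters left")
        self.segments.append(seg)

    def add_attribute(self, attr, n_chars):
        """Reserve n_chars positions for a role attribute (step 7)."""
        allowed = DERIVED_ATTRS if self.role_type == "Derived" else COMMON_ATTRS
        if attr not in allowed:
            raise ValueError(f"{attr} not available for role type {self.role_type}")
        self._append(Segment("attr", attr, n_chars))

    def add_text(self, text):
        """Add free text; it occupies exactly its own length (step 7)."""
        self._append(Segment("text", text, len(text)))

    def remaining(self):
        return MAX_LEN[self.role_type] - sum(s.n_chars for s in self.segments)

    def expression(self):
        """Expression field: one $ per variable position, free text literally."""
        return "".join("$" * s.n_chars if s.kind == "attr" else s.value
                       for s in self.segments)

    def positions(self):
        """Position list shown on the right of the screen: (label, from, to)."""
        out, start = [], 1
        for s in self.segments:
            out.append((s.value, start, start + s.n_chars - 1))
            start += s.n_chars
        return out

    def render(self, attrs):
        """Suggested name for a role with the given attribute values.
        Values are cut to their reserved width and upper-cased (a constructed
        choice; the handbook states no truncation rule)."""
        parts = [s.value if s.kind == "text" else attrs.get(s.value, "")[:s.n_chars]
                 for s in self.segments]
        return "".join(parts).upper()

    def check(self, proposed, attrs):
        """Apply the Enforced setting to a user-entered name: returns
        (name_to_use, verdict). Enabled rejects any deviation, Disabled only
        suggests the convention."""
        suggested = self.render(attrs)
        if proposed.upper() == suggested:
            return suggested, "matches convention"
        if self.enforced:
            return suggested, "override rejected: convention enforced"
        return proposed, "override accepted: convention only suggested"


def demo():
    """Two constructed conventions: a single role and a derived role."""
    single = NamingConvention("Z_SINGLE", "Single", enforced=True)
    single.add_text("Z_")
    single.add_attribute("Business Process", 4)
    single.add_text("_")
    single.add_attribute("Subprocess", 6)
    single.add_text("_")
    single.add_attribute("Project/Release", 3)
    # Derived roles: master role name, "-", From Value; this yields the
    # "-$$$$" suffix seen in Exercise 13.
    derived = NamingConvention("Z_DERIVED", "Derived", enforced=False)
    derived.add_attribute("Master Role Name", 20)
    derived.add_text("-")
    derived.add_attribute("From Value", 4)
    return single, derived
```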
Setting up a Role Creation Methodology, Condition Groups, and Role Approvers

A role creation methodology consists of predefined actions and the steps associated with those actions. The steps, in turn, are then used to create a methodology process, which is used to guide you, step by step, through the formalized process of defining, generating, and testing a role during role creation. The actual process step is shown in the process status in the role creation. The methodology process is configurable, but not the actions. For instance, you might define a methodology without deriving roles because you will use only organizational value mapping.

Methodology Steps

Methodology steps are the steps used to create a role during the role creation process. Based on these steps, you can tell which phase of the role creation process a role is in. Enterprise Role Management allows you to create methodology steps and associate them with predefined actions within Enterprise Role Management. After you associate the steps with the predefined actions, you can create a role methodology process.

Creating a Methodology Step

1. On the Configuration tab, choose Methodology → Step.
2. Choose Create.
3. In the Step ID field, enter a name for the step.
4. In the Description field, enter a brief description for the step.
5. From the Status dropdown list, select Enable or Disable. If you select Enable, the step is available for inclusion in a methodology process. If you select Disable, it is not available.
6. From the Associate Action dropdown list, select an action with which to associate the step.
7. Choose Save.

Condition Groups

A condition group is defined from a set of role attributes (such as a business process, subprocess, functional area, role type, or role name) and is based on role values and conditions.
After you create a condition group, the system applies it to a role creation process to override the default role creation process when the criteria from the condition group are met. You can apply multiple condition groups in one role creation process, but you cannot associate multiple processes to one condition group.

Creating a Condition Group

1. From the Configuration tab, choose Condition Groups.
2. Choose Create.
3. In the Condition Group ID field, enter a condition group ID.
4. In the Description field, enter a brief description for the condition group.
5. From the Status dropdown list, select Enable or Disable. If you select Enable, the condition group is available for association during the role methodology creation process. If you select Disable, it is not available.
6. To add role attributes to the condition group, choose Add. Dropdown lists appear under Role Attributes and Condition.
7. In the Role Attributes column, select the attribute that you want to assign to the condition group. After you select a role attribute, a dropdown list or text field appears in the Value column. The values in the dropdown list are specific to the selected role attribute.
8. In the Value column, assign a value for the corresponding attribute.
9. In the Condition column, select a condition for the role attribute.
10. To add more role attributes to the condition group, repeat steps 6 through 9.
11. Choose Save.

Approval Workflow for Role Maintenance

Enterprise Role Management integrates with Compliant User Provisioning for role approval workflow. As part of the integration, a role approver is defined during the role creation process to be used by the approval workflow.
During the role creation process, you can manually define approvers and alternate approvers for each role, or you can allow Enterprise Role Management to automatically assign approvers and alternate approvers to that role based on the approval criteria you create and the user-selected role attributes. To create approval criteria, you assign approvers and alternate approvers for a set of role attributes or conditions.

Creating Approval Criteria for a Workflow

1. On the Configuration tab, choose Workflow → Approval Criteria.
2. Choose Create.
3. In the Group Name field, enter the name of the group for which you want to create approval criteria.
4. Choose Add on the Attribute screen.
5. From the dropdown list, select the attribute(s) required to specify your approval.
6. Choose Assign Approvers.
7. Choose Assign Approvers on the Approval Criteria Values screen.
8. Under the Condition table, choose Add.
   a) In the Attribute column, select an attribute from the dropdown list.
   b) In the Value column, select a value from the dropdown list.
   c) Choose Add.
   d) Repeat steps a through c to add additional attributes and values.
9. Under the Approver table, choose Add.
10. In the Approver column, choose Search.
11. Choose Search. A list of potential approvers appears.
12. Select the radio button next to the user ID of the user you want to assign as an approver.
13. Choose Select. The Approver Search window closes, and the Approver field on the Change Approval Criteria screen is populated.
14. Repeat steps 10 through 13 to select an alternate approver.
15. Choose Add.
16. Repeat steps 10 through 14 to add more approvers and alternate approvers.
17. Choose Save. The Approval Criteria Values screen displays the Approver and Alternate Approver for the selected condition attributes.
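The condition-group override of the default methodology process and the attribute-based assignment of approvers described in this section, modelled together as an added Python example (not SAP code). The operator names, the group, process and approver IDs, the AND rule for a group's rows and the first-match order are constructed; the handbook does not spell these out.

```python
# Constructed model (not SAP code) of how Enterprise Role Management picks
# a methodology process from condition groups and approvers from approval
# criteria. Both evaluate the role attributes chosen at role creation.
# Operator names and all sample IDs are constructed.
from dataclasses import dataclass, field

ATTRIBUTES = {"Business Process", "Subprocess", "Functional Area",
              "Role Type", "Role Name"}


@dataclass(frozen=True)
class Condition:
    attribute: str
    value: str
    operator: str = "equals"   # constructed: "equals" or "not equals"

    def holds(self, role):
        if self.attribute not in ATTRIBUTES:
            raise ValueError(f"unknown role attribute {self.attribute}")
        hit = role.get(self.attribute) == self.value
        return hit if self.operator == "equals" else not hit


@dataclass
class ConditionGroup:
    group_id: str
    enabled: bool                         # Status Enable / Disable
    conditions: list = field(default_factory=list)

    def matches(self, role):
        # Every row of the condition group must hold (constructed: AND).
        return self.enabled and all(c.holds(role) for c in self.conditions)


@dataclass
class MethodologyConfig:
    default_process: str
    # condition group id -> process id: a group may drive only one process,
    # while one process may be overridden by several groups.
    overrides: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)

    def associate(self, group, process):
        if group.group_id in self.overrides:
            raise ValueError(f"{group.group_id} is already associated with "
                             f"process {self.overrides[group.group_id]}")
        self.groups[group.group_id] = group
        self.overrides[group.group_id] = process

    def process_for(self, role):
        """Default process unless an enabled condition group matches."""
        for gid, process in self.overrides.items():
            if self.groups[gid].matches(role):
                return process
        return self.default_process


@dataclass
class ApprovalCriteria:
    group_name: str
    # (conditions, approver, alternate approver) rows, in the order entered
    rows: list = field(default_factory=list)

    def add(self, conditions, approver, alternate):
        self.rows.append((list(conditions), approver, alternate))

    def approvers_for(self, role):
        """(approver, alternate) for the first row whose conditions all hold,
        or None when the approver must be set manually in the role."""
        for conditions, approver, alternate in self.rows:
            if all(c.holds(role) for c in conditions):
                return approver, alternate
        return None


def demo_config():
    """Constructed configuration: one active and one disabled condition
    group, plus two approval criteria rows."""
    cfg = MethodologyConfig(default_process="STANDARD")
    fin_single = ConditionGroup("CG_FIN_SINGLE", True, [
        Condition("Business Process", "Finance"),
        Condition("Role Type", "Single")])
    cfg.associate(fin_single, "FIN_WITH_RISK_REVIEW")
    # A disabled group never overrides, even when its conditions hold.
    cfg.associate(ConditionGroup("CG_PROC", False,
                                 [Condition("Business Process", "Procurement")]),
                  "PROC_FASTTRACK")
    crit = ApprovalCriteria("ROLE_OWNERS")
    crit.add([Condition("Functional Area", "Purchasing")], "PURCH_OWNER", "PURCH_ALT")
    crit.add([Condition("Business Process", "Finance"),
              Condition("Role Type", "Composite", "not equals")],
             "FIN_OWNER", "FIN_ALT")
    return cfg, crit
```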
Exercise 13: Enterprise Role Management

Exercise Objectives

After completing this exercise, you will be able to:
• Configure a role design methodology
• Define a naming convention
• Implement organizational value mapping
• Test the complete role maintenance workflow

Business Example

Management asks for an alternative method of role development and maintenance to improve the current, manual, time-consuming, and expensive process, and to establish a more transparent and controlled way of implementing role changes within SAP.

Task 1: Configure a role design methodology.

1. Access Enterprise Role Management from the SAP BusinessObjects Access Control launch pad.
2. Create a new methodology process.
3. Fill in the following information:
   Process ID     GRC300-xx, where xx is your student ID
   Description    GRC300-xx, where xx is your student ID
   Status         Set to Enable
4. Click on the + to add a step. Add the following steps in the following order:
   1. Definition
   2. Risk Analysis
   3. Approval
5. Choose Save.

Task 2: Define a naming convention.

1. Create a new naming convention.
2. Fill in the following information:
   Name               GRC300-xx, where xx is your student ID
   System Landscape   TRAINING
   Role Type          Single
   Enforced           Disabled
3. Fill in the information for the naming convention. You can play around with this area, as we are not going to save this naming convention.
4. Choose the green arrow to go back. Do not save, as you will not be able to save this naming convention.

Task 3: Implement organizational value mapping.

1. Select the Role Management tab.
2. Choose Roles → Search.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select a role to copy, such as GRC300CREATE_VENDOR, and then choose the Change button.
5. Choose the Derived Roles button.
6. Next, choose Create.
7. Select Company Code (BURKS) from the dropdown of the Derived Org Level field.
8. Enter 5000 in the Value From field and delete -$$$$ from the Derived Role field.
9. Enter Create Vendor for Company Code 5000 in the Derived Role Description field.
10. In the Profile field, enter 5000 to replace the open values #### and choose Continue.
11. Select all the check boxes in the next screen and click twice on the Delete icon.
12. Enter 5000 in the Company Code field and enter 50 in the Purchasing Organization field.
13. Choose Cancel and use the green arrow (twice) to exit without saving the role.

Solution 13: Enterprise Role Management

Task 1: Configure a role design methodology.

1. Access Enterprise Role Management from the SAP BusinessObjects Access Control launch pad.
   a) Click the Enterprise Role Management link.
2. Create a new methodology process.
   a) Choose Configuration → Methodology → Process, then choose Create to create a new methodology process.
3. Fill in the following information:
   Process ID     GRC300-xx, where xx is your student ID
   Description    GRC300-xx, where xx is your student ID
   Status         Set to Enable
4. Click on the + to add a step. Add the following steps in the following order:
   1. Definition
   2. Risk Analysis
   3. Approval
5. Choose Save.

Task 2: Define a naming convention.

1. Create a new naming convention.
   a) Choose Configuration → Naming Convention, then choose Create to create a new naming convention.
2. Fill in the following information:
   Name               GRC300-xx, where xx is your student ID
   System Landscape   TRAINING
   Role Type          Single
   Enforced           Disabled
3. Fill in the information for the naming convention. You can play around with this area, as we are not going to save this naming convention.
4. Choose the green arrow to go back. Do not save, as you will not be able to save this naming convention.

Task 3: Implement organizational value mapping.

1. Select the Role Management tab.
2. Choose Roles → Search.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select a role to copy, such as GRC300CREATE_VENDOR, and then choose the Change button.
5. Choose the Derived Roles button.
6. Next, choose Create.
7. Select Company Code (BURKS) from the dropdown of the Derived Org Level field.
8. Enter 5000 in the Value From field and delete -$$$$ from the Derived Role field.
9. Enter Create Vendor for Company Code 5000 in the Derived Role Description field.
10. In the Profile field, enter 5000 to replace the open values #### and choose Continue.
11. Select all the check boxes in the next screen and click twice on the Delete icon.
12. Enter 5000 in the Company Code field and enter 50 in the Purchasing Organization field.
13. Choose Cancel and use the green arrow (twice) to exit without saving the role.

Lesson Summary

You should now be able to:
• Name the role attributes
• Configure a naming convention and enforcement
• Explain and configure organizational value mapping
• Set up a role creation methodology, condition groups, and role approvers
• Configure an approval workflow for role maintenance in the Workflow Engine
Lesson: Enterprise Role Management Workflow Steps

Lesson Overview

This lesson provides an overview of the workflow steps that are used to create a role using Enterprise Role Management.

Lesson Objectives

After completing this lesson, you will be able to:
• Create a new role using the defined naming conventions
• Add transactions to the role
• Use the PFCG
• Maintain the authorization objects of the role
• Create a derived role without using the organizational value map
• Perform a risk analysis
• Approve the newly created role within the Workflow Engine
• Generate the role in the back-end system

Business Example

In a proof of concept for Enterprise Role Management, you are named to implement an approval workflow for role changes. Furthermore, you need to evaluate the actual role creation, automated risk analysis, and back-end integration features before receiving final approval to run the implementation project.

Creating a New Role

This section will walk through the several steps of the Role Creation workflow. The instructor will demonstrate the different steps in the Methodology.

Step 1 - Definition

The first step in the role creation methodology is the definition of the role. In Enterprise Role Management, you are able to enforce a best practice for the definition and naming of the roles, based on the attributes that are selected. The instructor will walk through the definition of a role in this section.

Step 2a - Authorization Data

The second step in the role creation methodology is the authorization data. You can select the transactions that you want inside this role, and assign the authorizations to them. Enterprise Role Management uses the SU24 data that was synced with the back-end system to suggest the authorizations.
Step 2b - Authorization Data with PFCG Integration

Enterprise Role Management in SAP BusinessObjects Access Control is now integrated with transaction PFCG, the profile generator, in SAP ERP back-end systems or in SAP R/3 4.6C and higher. This allows you to leverage the advanced maintenance features in PFCG and allows security administrators to work in a familiar environment while maintenance is synchronized in Enterprise Role Management.

Step 3 - Role Derivation

With SAP BusinessObjects Access Control Enterprise Role Management, you can now derive a role during the role creation process by selecting the organizational level and inputting the organizational level value. You can push the role to all available organizational levels which exist in transactions in the master role you are deriving. This new feature gives you the ability to derive to multiple organizational levels during the role creation process without having to use the organizational map.

Step 4 - Risk Analysis on a Role

Segregation-of-duties risk simulation ensures that no SoD risks enter production during role creation and maintenance. Integration with Risk Analysis and Remediation allows SoD risks for single and composite SAP roles to be simulated at role design time. You can perform risk analysis simulation at transaction or object levels in Enterprise Role Management, before the role is generated in the back-end systems. Before Enterprise Role Management generates a role, it always performs a risk analysis. If the role contains a risk, Enterprise Role Management can be configured to allow the role to be generated or not.

Step 5 - Approval of the Newly Created Role

With the integration with Compliant User Provisioning, approval workflow can be triggered within Enterprise Role Management for role creation and maintenance. The approval process allows collaboration among different stakeholders involved in the role engineering process.
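An added Python example (not SAP code) of the Step 4 simulation: the same role is analysed at transaction level and at object level, and the result gates generation the way the configurable allow-or-deny option does. The function definitions, risk IDs and the allow_with_risks flag are constructed sample data; the transaction codes and authorization objects are real SAP names used only as input.

```python
# Constructed simulation (not SAP code) of the Step 4 risk analysis that
# Enterprise Role Management runs before a role is generated. Functions,
# risk IDs and the gate flag are constructed sample data; the transaction
# codes and authorization objects are real SAP names used only as samples.
from dataclasses import dataclass, field

# A function is a set of transaction codes plus, for object-level analysis,
# the authorization values that actually make the activity possible.
FUNCTIONS = {
    "VENDOR_MAINT": {"tcodes": {"FK01", "FK02", "XK01"},
                     "auth": {("F_LFA1_APP", "ACTVT"): {"01", "02"}}},
    "VENDOR_PAY":   {"tcodes": {"F-53", "F110"},
                     "auth": {("F_BKPF_BUK", "ACTVT"): {"01"}}},
    "PO_CREATE":    {"tcodes": {"ME21N"},
                     "auth": {("M_BEST_BSA", "ACTVT"): {"01"}}},
}
# Each risk is a pair of conflicting functions (constructed SoD rule set).
RISKS = {"X001": ("VENDOR_MAINT", "VENDOR_PAY"),
         "X002": ("PO_CREATE", "VENDOR_PAY")}


@dataclass
class Role:
    name: str
    transactions: set
    # (authorization object, field) -> granted values
    authorizations: dict = field(default_factory=dict)


def functions_in_role(role, level):
    """Functions the role can perform at transaction or object level."""
    found = set()
    for fid, fn in FUNCTIONS.items():
        if not role.transactions & fn["tcodes"]:
            continue
        if level == "transaction":
            found.add(fid)
        elif level == "object":
            # Object level: the transaction alone is not enough; the role
            # must also grant one of the activity values the function needs.
            if all(role.authorizations.get(key, set()) & vals
                   for key, vals in fn["auth"].items()):
                found.add(fid)
        else:
            raise ValueError(f"unknown analysis level {level}")
    return found


def simulate(role, level="transaction"):
    """Risk IDs the role would introduce, sorted for stable reporting."""
    fns = functions_in_role(role, level)
    return sorted(rid for rid, (a, b) in RISKS.items() if a in fns and b in fns)


def generation_gate(role, level="object", allow_with_risks=False):
    """Return (may_generate, risks). allow_with_risks models the configurable
    choice of generating a role that carries a risk (constructed flag)."""
    risks = simulate(role, level)
    return (not risks) or allow_with_risks, risks


def sample_roles():
    """Constructed roles: a clerk who can create vendors and pay them, and a
    role carrying the same transactions with display-only authorizations."""
    clerk = Role("Z_AP_CLERK", {"FK01", "F-53"},
                 {("F_LFA1_APP", "ACTVT"): {"01", "02", "03"},
                  ("F_BKPF_BUK", "ACTVT"): {"01", "03"}})
    display = Role("Z_AP_DISPLAY", {"FK01", "F-53"},
                   {("F_LFA1_APP", "ACTVT"): {"03"},
                    ("F_BKPF_BUK", "ACTVT"): {"03"}})
    return clerk, display
```

The display-only role is flagged at transaction level but not at object level, which is why the handbook offers both analysis levels before generation.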
The approval process can also be maintained in Enterprise Role Management. The approver must be defined in the role.

Step 6 - Generation of the New Role

Enterprise Role Management will generate the new role in the back-end system that was defined in the role definition. The Generate Role step generates both master and derived roles at the same time. For composite roles, all the included roles should already be generated. If not, the system will generate an error. This is standard PFCG functionality.

Exercise 14: Role Mass Maintenance

Exercise Objectives

After completing this exercise, you will be able to:
• Use the mass maintenance functionality to update multiple roles

Business Example

Management would like to identify possibilities to shorten the project implementation time. For that reason, you decide to have a closer look at the mass maintenance functionalities of Enterprise Role Management.

Task: Demonstrate the new Mass Role Update and Analysis functionality of Enterprise Role Management.

Caution: Do not choose the Submit or Save buttons during this exercise. You are only viewing functionality. At the end of each process, choose Cancel to exit the function without saving any actions.

1. Log on to Enterprise Role Management via the SAP BusinessObjects Access Control launch pad.
2. Select the Role Management tab and choose Mass Maintenance → Update.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select the following:
   Maintenance Type   Change
   Update             Business Process/Sub-Process
   Select the two roles GRC300-ALL and GRC300-BASIS
5. Choose Mass Update and then confirm that you want to update two roles. Note where you would select the old value and the new value for each role.
   Caution: Do not choose Change!
   Caution: DO NOT PRESS THE CHANGE BUTTON.
6. To return to the previous screen, click the green Back arrow.

Solution 14: Role Mass Maintenance

Task: Demonstrate the new Mass Role Update and Analysis functionality of Enterprise Role Management.

Caution: Do not choose the Submit or Save buttons during this exercise. You are only viewing functionality. At the end of each process, choose Cancel to exit the function without saving any actions.

1. Log on to Enterprise Role Management via the SAP BusinessObjects Access Control launch pad.
2. Select the Role Management tab and choose Mass Maintenance → Update.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select the following:
   Maintenance Type   Change
   Update             Business Process/Sub-Process
   Select the two roles GRC300-ALL and GRC300-BASIS
5. Choose Mass Update and then confirm that you want to update two roles. Note where you would select the old value and the new value for each role.
   Caution: Do not choose Change!
   Caution: DO NOT PRESS THE CHANGE BUTTON.
6. To return to the previous screen, click the green Back arrow.

Lesson Summary

You should now be able to:
• Create a new role using the defined naming conventions
• Add transactions to the role
• Use the PFCG
• Maintain the authorization objects of the role
• Create a derived role without using the organizational value map
• Perform a risk analysis
• Approve the newly created role within the Workflow Engine
• Generate the role in the back-end system
Unit Summary

You should now be able to:
• List the steps required after installation of SAP BusinessObjects Access Control Enterprise Role Management
• Explain how to connect the Enterprise Role Management component to a back-end system
• Explain the export and import configuration settings that are necessary to perform transports from development to production
• Explain how Enterprise Role Management can prevent the uncontrolled creation of noncompliant roles
• Describe and demonstrate the concept of role ownership and change management approvals to support a controlled process of handling the life cycle of SAP roles within the customer landscape
• Name the role attributes
• Configure a naming convention and enforcement
• Explain and configure organizational value mapping
• Set up a role creation methodology, condition groups, and role approvers
• Configure an approval workflow for role maintenance in the Workflow Engine
• Create a new role using the defined naming conventions
• Add transactions to the role
• Use the PFCG
• Maintain the authorization objects of the role
• Create a derived role without using the organizational value map
• Perform a risk analysis
• Approve the newly created role within the Workflow Engine
• Generate the role in the back-end system

Unit 6: Access Control Integration

Unit Overview

This unit explains the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management. It also discusses options for the implementation order of these capabilities.

Unit Objectives

After completing this unit, you will be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report

Unit Contents

Lesson: Integration Between Access Control Components ................... 254
Lesson: Compliance Reporting ................................................... 261
Exercise 15: Compliance Reporting ......................................... 263

Lesson: Integration Between Access Control Components

Lesson Overview

This lesson will discuss how Web Services are used to integrate SAP BusinessObjects Access Control.

Lesson Objectives

After completing this lesson, you will be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities

Business Example

Your organization plans to implement all the functionalities of SAP BusinessObjects Access Control, and you need to be able to explain how all the components work with each other.

SAP BusinessObjects Access Control Web Services

Each component in the SAP BusinessObjects Access Control application has specific Web Services available. These services must be used when configuring the components to communicate with each other.
Compliant User Provisioning

In Compliant User Provisioning, you can configure several workflow scenarios with the available SAP BusinessObjects Access Control Web Services. For example, you can set up the following workflow types within Compliant User Provisioning:
• For the workflow type for creating and modifying mitigation controls, you can use the following Web Service: /VirsaCCWFExitService5_2Service/Config1?wsdl&=document
• For the workflow type for creating/modifying mitigation control assignments: /VirsaCCWFExitService5_2Service/Config1?wsdl&=document
• For Enterprise Role Management, you can configure the following Web Service: /AEWFExitServiceWS_5_2/Config1?wsdl&=document
• This is the workflow type for creating and modifying risks: /VirsaCCWFExitService5_2Service/Config1?wsdl&=document
• You can configure an SoD Review workflow: AEWFExitServiceWS_5_2/Config1?wsdl&=document

If you navigate to http://servername:50<instance>00 and choose Web Services Navigation, you will find all of the available Web Services. In particular, you will see the Web Services listed above. If you are configuring Compliant User Provisioning along with the other SAP BusinessObjects Access Control components, you will need to configure these Web Services.

Compliant User Provisioning Configuration of Web Services

To configure the Web Services in Compliant User Provisioning, select the Configuration tab and choose Miscellaneous. Here you will be able to configure each of the Web Services discussed above.

Figure 68: Compliant User Provisioning Configuration

In addition to the Miscellaneous configuration, Web Services are also configured under Mitigation.

Figure 69: Web Services for Mitigation Controls

The last Web Services configuration takes place in the Risk Analysis option.
Figure 70: Web Services Configuration for Risk Analysis from Compliant User Provisioning

Risk Analysis and Remediation
You can configure the workflow from Risk Analysis and Remediation to Compliant User Provisioning by selecting the Configuration tab and choosing Workflow. Under the workflow service URL, you can enter the following URL for the Risk Analysis and Remediation Web Service: http://servername:50<instance>00/AEWFrequestSubmissionService_5_2/Config1?wsdl&style=document. In Risk Analysis and Remediation, you will notice that there is only one place where you have to enter a Web Service.

Enterprise Role Management
When configuring Web Services for Enterprise Role Management, you will also need to navigate through the SAP NetWeaver Administration page and go to Web Services Navigation. Within Enterprise Role Management, you can configure the following Web Services:
• Web Services Info. for CC Risk Analysis
• Web Services Info. for CC Transaction Usage
• Web Services Info. for CC Mitigation Control
• Web Services Info. for CC Functions
• Web Services Info. for AE Workflow

An ID and password are required when configuring these Web Services. When assigning an ID, make sure that the user ID has the SAP BusinessObjects Access Control roles assigned so that the user is able to access each of the areas listed above.

Testing Web Services
To test Web Services, go to the NetWeaver Administration page and choose Web Services Navigation. Select a Web Service, select a document, choose Test, and select the operation that you want to test. Depending on the Web Service that you are testing, you may need to enter data to see whether the Web Service responds. After entering data in the required fields and setting the ones that are not required to Null, choose Send. This will give you the results from the Web Service.
Implementation
When implementing SAP BusinessObjects Access Control, you can prioritize the components in the order that will best help your company get to a clean and compliant environment. An implementation approach can have one of two scenarios:
• The ERP system is new, and roles have not been defined.
• The ERP system is already in place, and the company needs to redesign its security architecture.

New ERP Implementation
If the ERP implementation is new, you can begin the security architecture by implementing Enterprise Role Management and Risk Analysis and Remediation. By implementing Enterprise Role Management and Risk Analysis and Remediation first, you can begin your security architecture by generating your roles through Enterprise Role Management and analyzing them for risk with Risk Analysis and Remediation. In this implementation approach, you save the time you would otherwise spend performing the work all over again, as you would if the roles had already been defined.

Existing ERP Environment
In an existing ERP environment, the roles already exist, but SoDs have not been analyzed and resolved. In this approach you want to implement Risk Analysis and Remediation first, because it allows you to identify where SoDs exist. With an existing ERP environment, you redesign your roles first, by identifying where the SoDs exist. You can do this by removing transactions that are in conflict from roles; this will remove SoDs at the role level. Also, during role cleanup, you can eliminate some of the user-level SoDs. However, to be able to remove most of the user-level SoDs, you will need to redesign business processes or implement mitigating controls so that employee functions are not in conflict.
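The role-level versus user-level SoD distinction drawn above, as an added example that is not part of the handbook: constructed functions, rules, roles, users and one mitigating-control assignment (all hypothetical names) show that removing a conflicting transaction from a role clears the role-level SoD, while a user who still reaches both functions through other roles keeps the user-level SoD unless a mitigating control is assigned.

```python
# Constructed sample data (hypothetical, not from the handbook): functions map to
# the transaction codes that perform them; rules name conflicting function pairs.
FUNCTIONS = {
    "AP_INVOICE": {"FB60", "MIRO"},      # enter vendor invoices
    "AP_PAYMENT": {"F110"},              # run the payment program
    "VENDOR_MASTER": {"FK01", "XK01"},   # maintain vendor master data
}
RULES = {"P001": ("AP_INVOICE", "AP_PAYMENT"), "P002": ("VENDOR_MASTER", "AP_PAYMENT")}

ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "F110"},  # carries rule P001 inside one role
    "Z_AP_PAYMENT": {"F110"},
    "Z_VENDOR_ADMIN": {"FK01", "XK01"},
}
USERS = {"JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENT", "Z_VENDOR_ADMIN"}, "AJONES": {"Z_VENDOR_ADMIN"}}
MITIGATIONS = {("JSMITH", "P002")}  # mitigating control assigned to JSMITH for P002

def functions_for(tcodes):
    """Function IDs that a set of transaction codes can perform."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def violations(tcodes):
    """Rule IDs whose two functions are both reachable from the given tcodes."""
    funcs = functions_for(tcodes)
    return {rid for rid, (a, b) in RULES.items() if a in funcs and b in funcs}

def role_level_violations(roles=ROLES):
    """Rules violated inside a single role (fixable by role cleanup)."""
    found = {r: violations(t) for r, t in roles.items()}
    return {r: v for r, v in found.items() if v}

def user_level_violations(users=USERS, roles=ROLES, mitigations=MITIGATIONS):
    """Rules violated across all of a user's roles, split into open and mitigated."""
    result = {}
    for user, assigned in users.items():
        tcodes = set().union(*(roles[r] for r in assigned))
        found = violations(tcodes)
        result[user] = {
            "open": {v for v in found if (user, v) not in mitigations},
            "mitigated": {v for v in found if (user, v) in mitigations},
        }
    return result

def remove_transaction(roles, role, tcode):
    """Role cleanup step: a copy of roles with one transaction removed from one role."""
    cleaned = {r: set(t) for r, t in roles.items()}
    cleaned[role].discard(tcode)
    return cleaned
```

Running role_level_violations() and user_level_violations() before and after remove_transaction(ROLES, "Z_AP_CLERK", "F110") shows the role-level finding disappear while JSMITH's open P001 violation remains.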
Lesson Summary
You should now be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities

Lesson: Compliance Reporting

Lesson Overview
This lesson will discuss the reporting capabilities of SAP BusinessObjects Access Control.

Lesson Objectives
After completing this lesson, you will be able to:
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report

Business Example
Your organization plans to review the progress and effectiveness of the continuous compliance process. You are asked to analyze the recent adaptations in the areas of User Access Review and SoD Review. You are also responsible for checking the current compliance status of your SAP back-end roles, using the reports provided by SAP BusinessObjects Access Control.

Risk Analysis and Remediation Reporting
Risk Analysis and Remediation has several different reports available through the Informer tab. There, you can review audit reports or security reports.

Audit Reports
You can view action reports within audit reports. These action reports can be used to identify the rules in Risk Analysis and Remediation.
Security Reports
The following options are available for security reports:
• Users by User ID
• User Authorization Count
• List Expired and Expiring Roles for Users
• Users by Organizational level

Compliant User Provisioning
A variety of Compliant User Provisioning reports are located under the Informer tab. Two very important reports are the SoD Review History report and the User Access Review History report.
• SoD Review History report: This report can assist you in determining the SoDs that have been remediated through the workflow process.
• User Access Review History report: This report allows you to review user accesses.

Enterprise Role Management
There are several Enterprise Role Management reports available under the Informer tab, but there are some critical reports under the Role Management tab, which allow you to view the change history within ERM or PFCG.
• Enterprise Role Management Change History: This report allows you to view the changes made to roles through Enterprise Role Management.
• PFCG Change History: This report allows you to view changes made to roles through PFCG.

By viewing both of these reports, you can view the history of changes to roles that occurred through ERM or through PFCG. You can determine discrepancies by comparing roles and their transaction codes.

Exercise 15: Compliance Reporting

Exercise Objectives
After completing this exercise, you will be able to:
• Execute and analyze the SoD Review and User Access Review reports
• Execute and interpret the following authorization-management-relevant reports: Action Usage by Users, Invalid Mitigation Controls, and SoD Violations from Custom Programs

Business Example
Your organization wants to check the effectiveness of the most recent reviews in the areas of SoD and User Access Management.
You also want to review how your current authorization concept supports the cleanup and continuous compliance phases of the project.

Task 1: Locate and view the SoD Review and User Access Review reports.
1. Execute and analyze the SoD Review and User Access Review reports.
2. Execute and interpret the following authorization-management-relevant reports: Action Usage by Users, Invalid Mitigation Controls, and SoD Violations from Custom Programs.

Task 2: Go to Risk Analysis and Remediation. Select the Informer tab and choose Security Reports → Miscellaneous → Action Usage by user report.

Solution 15: Compliance Reporting

Task 1: Locate and view the SoD Review and User Access Review reports.
1. Execute and analyze the SoD Review and User Access Review reports.
   a) Open Compliant User Provisioning.
   b) Select the Informer tab and choose Analytical reports → SOD Review History Report or User Access Review History Report.
2. Execute and interpret the following authorization-management-relevant reports: Action Usage by Users, Invalid Mitigation Controls, and SoD Violations from Custom Programs.
   a)

Task 2: Go to Risk Analysis and Remediation. Select the Informer tab and choose Security Reports → Miscellaneous → Action Usage by user report.

Lesson Summary
You should now be able to:
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report
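The menu-versus-S_TCODE discrepancy check named in the lesson objectives, as an added example that is not part of the handbook: it compares a role's menu transactions with the values of the S_TCODE authorization (single codes, '*' patterns and low-high ranges) and expands patterns and ranges against a constructed transaction catalogue to show what they really grant. The role, its menu, its S_TCODE values and the catalogue are all hypothetical sample data; in practice they come from the role's menu tree, its authorization data and the system's transaction table.

```python
import fnmatch

# Constructed sample data (hypothetical, not from the handbook).
TCODE_CATALOGUE = {"FB60", "FB65", "FBL1N", "F110", "MIRO", "MIR7", "FK01", "SU01"}

# S_TCODE field TCD accepts single codes, '*' patterns, and (low, high) ranges.
ROLE = {
    "name": "Z_AP_CLERK",
    "menu": {"FB60", "FB65", "FBL1N", "MIRO"},
    "s_tcode": ["FB6*", "MIRO", "MIR7", "F1*", ("FK01", "FK01")],
}

def covered_by(value, tcode):
    """True if an S_TCODE value (single, pattern or (low, high) range) admits tcode."""
    if isinstance(value, tuple):
        low, high = value
        return low <= tcode <= high   # SAP ranges compare character-wise
    return fnmatch.fnmatchcase(tcode, value)

def s_tcode_discrepancies(role, catalogue=TCODE_CATALOGUE):
    """Compare menu transactions against S_TCODE authorizations.

    Returns the menu entries that cannot be started (no S_TCODE coverage) and
    the transactions S_TCODE grants without a menu entry, each traced back to
    the value(s) that grant it so the reviewer knows what to tighten.
    """
    menu, values = role["menu"], role["s_tcode"]
    not_authorized = {t for t in menu if not any(covered_by(v, t) for v in values)}
    # Expand patterns and ranges against the catalogue to see what they really grant.
    extra = {}
    for v in values:
        for t in {t for t in catalogue if covered_by(v, t)} - menu:
            extra.setdefault(t, set()).add(v)
    return {"menu_not_authorized": not_authorized, "authorized_not_in_menu": extra}
```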
Unit Summary
You should now be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report

Test Your Knowledge

Course Summary
You should now be able to:
• Explain the components of SAP BusinessObjects Access Control, and give a brief overview of each
• Explain the post-installation steps for SAP BusinessObjects Access Control
• Explain the new features of SAP BusinessObjects Access Control 5.3
• Show how the different components of SAP BusinessObjects Access Control 5.3 integrate with each other

Feedback
SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.