GRC300
SAP BusinessObjects Access
Control - Implementation and
Configuration
SAP Governance, Risk, and Compliance
Date
Training Center
Instructors
Education Website
Participant Handbook
Course Version: 84
Course Duration: 5 Day(s)
Material Number: 50093010
An SAP course - use it to learn, reference it for work
Copyright
Copyright © 2010 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
Trademarks
•
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are
registered trademarks of Microsoft Corporation.
•
IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®,
AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
•
ORACLE® is a registered trademark of ORACLE Corporation.
•
INFORMIX®-OnLine for SAP and INFORMIX® Dynamic ServerTM are registered trademarks
of Informix Software Incorporated.
•
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
•
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®,
VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of
Citrix Systems, Inc.
•
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide
Web Consortium, Massachusetts Institute of Technology.
•
JAVA® is a registered trademark of Sun Microsystems, Inc.
•
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for
technology invented and implemented by Netscape.
•
SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP
EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all
over the world. All other products mentioned are trademarks or registered trademarks of their
respective companies.
Disclaimer
THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY
DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT
LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT,
GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN
NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL,
CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING
WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM
THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.
About This Handbook
This handbook is intended to complement the instructor-led presentation of this
course, and serve as a source of reference. It is not suitable for self-study.
Typographic Conventions
American English is the standard used in this handbook. The following typographic
conventions are also used.
Type Style: Description
Example text: Words or characters that appear on the screen. These include field
names, screen titles, pushbuttons as well as menu names, paths, and options. Also
used for cross-references to other documentation, both internal and external.
Example text: Emphasized words or phrases in body text, titles of graphics, and
tables.
EXAMPLE TEXT: Names of elements in the system. These include report names,
program names, transaction codes, table names, and individual key words of a
programming language, when surrounded by body text, for example SELECT and
INCLUDE.
Example text: Screen output. This includes file and directory names and their paths,
messages, names of variables and parameters, and passages of the source text of a
program.
Example text: Exact user entry. These are words and characters that you enter in the
system exactly as they appear in the documentation.
<Example text>: Variable user entry. Pointed brackets indicate that you replace these
words and characters with appropriate entries.
Icons in Body Text
The following icons are used in this handbook (icon: meaning):
• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation.
Contents
Course Overview ............................................................................. vii
Course Goals.................................................................................vii
Course Objectives ...........................................................................vii
Unit 1: Course Overview ......................................................................1
Course Overview ............................................................................. 3
Business Challenge and Solution .......................................................... 6
SAP BusinessObjects Access Control Overview....................................... 11
SAP BusinessObjects Access Control Authorizations ................................. 28
Unit 2: Risk Analysis and Remediation Overview .................................... 41
Risk Analysis and Remediation - Verification of Installation and Configuration .... 44
Introduction to the SoD Risk Management Process ................................... 48
Rule Building and Validation .............................................................. 53
Rule Reporting ............................................................................. 64
Risk Analysis ................................................................................ 73
Risk Remediation ........................................................................... 84
Definition of Process-Related Mitigation Controls ...................................... 98
Risk Analysis and Remediation Reporting ............................................. 113
Continuous Compliance .................................................................. 119
Unit 3: Compliant User Provisioning Overview ......................................127
Compliant User Provisioning Installation Verification and Configuration ........... 129
Compliant User Provisioning Functionality ............................................. 142
Compliant User Provisioning – Additional Functionality .............................. 163
Workflow-Based Reviews ................................................................ 173
Compliant User Management Life Cycle ............................................... 180
Unit 4: Superuser Privilege Management Overview.................................195
Superuser Privilege Management Installation Verification and Configuration ..... 196
Superuser Privilege Management Overview ........................................... 200
Unit 5: Enterprise Role Management Overview ...................................... 211
Enterprise Role Management Installation Verification and Configuration .......... 213
Enterprise Role Management Overview ................................................ 225
Enterprise Role Management Configuration Review ................................. 229
Enterprise Role Management Workflow Steps ........................................ 244
Unit 6: Access Control Integration ......................................................253
Integration Between Access Control Components .................................... 254
Compliance Reporting .................................................................... 261
Course Overview
This course explains how SAP BusinessObjects Access Control (Risk Analysis and
Remediation, Superuser Privilege Management, Compliant User Provisioning, and
Enterprise Role Management) works in combination with SAP business processes.
You will learn how to implement SAP BusinessObjects Access Control following
best practices from SAP.
Target Audience
This course is intended for the following audiences:
• SAP BusinessObjects Access Control consultants, administrators, and technical
users
Course Prerequisites
Required Knowledge
• Previous working knowledge of SAP BusinessObjects Access Control 5.1 or 5.2
• Authorization concepts for SAP ERP systems
Course Goals
This course will prepare you to:
• Understand how SAP BusinessObjects Access Control can be implemented to
support the risk and compliance management processes within your organization,
and how it works in combination with SAP business processes
Course Objectives
After completing this course, you will be able to:
• Explain the components of SAP BusinessObjects Access Control, and give a
brief overview of each
• Explain the post-installation steps for SAP BusinessObjects Access Control
• Explain the new features of SAP BusinessObjects Access Control 5.3
• Show how the different components of SAP BusinessObjects Access Control
5.3 integrate with each other
Unit 1
Course Overview
Unit Overview
This unit gives an overview of SAP BusinessObjects Access Control.
Unit Objectives
After completing this unit, you will be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and
Remediation, Superuser Privilege Management, Compliant User Provisioning,
and Enterprise Role Management) works in combination with SAP business
processes.
• Implement SAP BusinessObjects Access Control following best practices from
SAP
• List some typical challenges for SAP customers in the areas of access and
authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
• List the main components of SAP BusinessObjects Access Control and their
integration points
• Describe the functionality of Risk Analysis and Remediation and Risk
Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
• List the authorizations and roles used in the Java-based parts of SAP
BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool
Unit Contents
Lesson: Course Overview ............................................................ 3
Lesson: Business Challenge and Solution ......................................... 6
Lesson: SAP BusinessObjects Access Control Overview...................... 11
Exercise 1: SAP BusinessObjects Access Control - Overview............ 25
Lesson: SAP BusinessObjects Access Control Authorizations................ 28
Exercise 2: SAP BusinessObjects Access Control – Authorizations ..... 33
Lesson: Course Overview
Lesson Overview
This course is designed to give a detailed overview of SAP BusinessObjects Access
Control. We will cover each of the four components, from post-installation activities
to configuration and functionality.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and
Remediation, Superuser Privilege Management, Compliant User Provisioning,
and Enterprise Role Management) works in combination with SAP business
processes.
• Implement SAP BusinessObjects Access Control following best practices from
SAP
Business Example
Management is concerned about compliance because of negative internal audit results,
and asks your team to find out how compliance can be ensured by software support.
The main issues are authorization rights and the business-process-related risks
resulting from organizational fragmentation. The software should be able to link
business process knowledge with provisioning of authorization rights. You want to
find out whether SAP BusinessObjects Access Control is able to analyze, detect, and
remediate risks. Mitigation of unavoidable risks or superuser functionality should
be possible, and continuous compliance is another essential aspect. Consequently,
you want to demonstrate how Compliant User Provisioning and Enterprise Role
Management can support you in achieving these objectives.
Access and Authorization Management
Figure 1: Access Control Overview - Compliance
Lesson Summary
You should now be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and
Remediation, Superuser Privilege Management, Compliant User Provisioning,
and Enterprise Role Management) works in combination with SAP business
processes.
• Implement SAP BusinessObjects Access Control following best practices from
SAP
Lesson: Business Challenge and Solution
Lesson Overview
This lesson provides an overview of some typical challenges in the area of access
and authorization.
Lesson Objectives
After completing this lesson, you will be able to:
• List some typical challenges for SAP customers in the areas of access and
authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
Business Example
A special topic in the audit report mentions a high risk in the area of authorization
management because the IT department is responsible for both provisioning and
approval at the same time. This leads to a wide range of authorizations because IT
has no overview of the risks concerning the business processes. You want to find
out whether it is possible to link the responsibilities of business lines and IT when
access rights are provided.
Access and Authorization Risks
Without proper controls, accidental and intentional activities enabled by excessive
access privileges can impact performance and reputation. Addressing regulatory
mandates with manual activities and fragmented processes increases cost and
complexity. Complexity makes access and authorization management inefficient.
Consequently, risks are not identified and managed in time, and no proper
remediation or mitigation is possible. Managers cannot own the responsibility for
segregation of duties.
The current access and authorization approach leads to the following consequences:
• IT does not own the responsibility for proper segregation of duties. However,
they cannot pass the responsibility to the business side, as they lack the
collaboration tools and language to effectively collaborate with the business
owners.
• Line-of-business managers own the responsibility for segregation of duties
(SoD), but they lack the technical depth to manage user access, so they rely on IT.
• Internal auditors are trying desperately to stay on top of the SoD issue. However,
with manually maintained spreadsheets listing the access and authorizations of
all employees, contractors, partners, and so on, they can only perform a very
limited audit at a very high cost.
Figure 2: Access and Authorization Risks
Access and Authorization Management
Implementation of comprehensive risk-based access and authorization management:
• Overcome fragmented authorization management processes
• Effective and efficient cleanup of SoD conflicts and excessive authorizations
• Prevent future violations via a risk-based approval process for new authorizations
within the organization
• Business assumes ownership:
Who can access the data in my area?
What kind of authorizations do I want to assign?
Are all risks properly mitigated?
Ensure the mitigation is effective.
Figure 3: Access and Authorization Management
Governance
Corporate governance ensures ethical corporate behavior together with management
practices in the creation of wealth for all stakeholders. It spells out the rules and
procedures for making decisions about corporate affairs.
IT governance helps to ensure the alignment of IT and enterprise objectives so that IT
resources are used responsibly and its risks are properly managed.
Risk Management
Risk management identifies, classifies, documents, and reduces risks to an acceptable
level. Risk is a result of three different parameters:
• Existence of a threat for a business process
• Likelihood of occurrence
• Impact on the business process
Compliance
Corporate policies represent the corporate philosophy and strategic thinking on a high
level. Low-level policies focus on the operational layer. Policies need to be in sync
with the overall business strategy and legal requirements.
National and international legal requirements:
• Sarbanes-Oxley Act (U.S.)
• Data Protection Law (Germany)
• J-SOX (Japan)
Figure 4: Access and Authorization Management
Lesson Summary
You should now be able to:
• List some typical challenges for SAP customers in the areas of access and
authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
Lesson: SAP BusinessObjects Access Control Overview
Lesson Overview
This lesson provides an overview of the four components that comprise the SAP
BusinessObjects Access Control application.
Lesson Objectives
After completing this lesson, you will be able to:
• List the main components of SAP BusinessObjects Access Control and their
integration points
• Describe the functionality of Risk Analysis and Remediation and Risk
Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
Business Example
Management requires both detective and preventative controls to address currently
existing risks. You need to check the different functions of SAP BusinessObjects
Access Control to ensure its ability to remove risks from your system and to keep it
clean.
SAP BusinessObjects Access Control Suite Components
The SAP BusinessObjects Access Control application is a suite of four components
that work together to provide a comprehensive and integrated, risk-based access and
authorization management solution.
These components are:
• Risk Analysis and Remediation (RAR)
• Compliant User Provisioning (CUP)
• Superuser Privilege Management (SPM)
• Enterprise Role Management (ERM)
The figure below shows a high-level overview of the relationships between the various
components.
Figure 5: SAP GRC Access Control Components
As of SAP BusinessObjects Access Control 5.3, there is now one integrated launch
pad to utilize any of the four Access Control capabilities. There is one single URL for
the capabilities instead of four different URLs.
Figure 6: SAP BusinessObjects Access Control Launch Pad
Note: The integrated launch pad supports single sign-on as provided by SAP
NetWeaver Application Server, such as UME, Windows, SAP Logon ticket,
X.509, Siteminder, and Netegrity.
Access requests and password reset requests will continue to be initiated via
the Compliant User Provisioning URL.
Administrators and other access control users, such as role owners, can use
either the single launch pad or the Compliant User Provisioning URL.
Risk Analysis and Remediation: The Foundation
The Risk Analysis and Remediation (RAR) component is a fully automated security
audit and segregation of duties (SoD) analysis tool designed to identify, analyze, and
resolve all SoD and audit issues related to regulatory compliance. It includes an
expandable starter set of rules. Risks can be identified and created in a system that
can be correlated with functions, and each function can be associated with a business
process.
Risk Analysis and Remediation produces SoD analytical reports (both summary and
detail) for selected users, user groups, roles, and profiles. It also produces reports on
critical actions, critical permissions, critical roles, and profiles.
Risk Analysis and Remediation provides comprehensive risk management
functionality and powerful, easy to use, functionality to document risk mitigation
controls.
The SoD rule set created in this business scenario is used as the basis for all SoD
analysis for the access control components.
Figure 7: Risk Analysis and Remediation
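The risk, function and business-process hierarchy described above can be illustrated with a small model. The following Python is an added example written for this handbook page, not SAP code and not the Risk Analysis and Remediation engine; the rule set, roles, users and the mitigation control ID are all constructed, and the transaction codes are used only as sample actions. It shows why the user-level report matters: two roles that are each clean can together produce an SoD violation.

```python
"""Simplified SoD risk analysis in the Risk Analysis and Remediation style.

Added illustration: a risk is a set of conflicting functions, each function is
a set of actions (transaction codes) tied to a business process, and a role is
the set of actions it grants. All data below is constructed for the example.
"""
from typing import Optional

# Constructed rule set: function id -> business process and actions.
FUNCTIONS = {
    "AP01": {"name": "Maintain vendor master", "process": "Procure to Pay",
             "actions": {"XK01", "XK02"}},
    "AP02": {"name": "Post vendor invoice", "process": "Procure to Pay",
             "actions": {"FB60", "MIRO"}},
    "AP03": {"name": "Execute payment run", "process": "Procure to Pay",
             "actions": {"F110"}},
}

# Constructed risks: a risk fires only when ALL of its functions are enabled.
RISKS = {
    "P001": {"description": "Create a vendor and pay that vendor",
             "level": "High", "functions": ("AP01", "AP03")},
    "P002": {"description": "Post an invoice and release its payment",
             "level": "Medium", "functions": ("AP02", "AP03")},
}

# Constructed role and user data, as extracted from the analyzed system.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
}
USERS = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "AMUELLER": {"Z_VENDOR_MAINT"},
    "TLEE": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},
}

# Constructed mitigation assignments: (user, risk) -> mitigation control id.
MITIGATIONS = {
    ("JSMITH", "P002"): "MC-AP-0001",
}


def enabled_functions(actions: set[str]) -> set[str]:
    """Return the functions enabled by a set of actions (any one action suffices)."""
    return {fid for fid, f in FUNCTIONS.items() if actions & f["actions"]}


def analyze_actions(actions: set[str]) -> list[str]:
    """Return the risk ids for which every conflicting function is enabled."""
    enabled = enabled_functions(actions)
    return sorted(rid for rid, r in RISKS.items()
                  if all(fid in enabled for fid in r["functions"]))


def analyze_role(role: str) -> list[str]:
    """Role-level analysis: does a single role already embed a conflict?"""
    return analyze_actions(ROLES[role])


def analyze_user(user: str) -> list[tuple[str, Optional[str]]]:
    """User-level analysis across all assigned roles.

    Returns (risk id, mitigating control or None). A user can violate a risk
    even when each assigned role is clean on its own, which is why the
    user-level report cannot be replaced by the role-level report.
    """
    actions: set[str] = set()
    for role in USERS[user]:
        actions |= ROLES[role]
    return [(rid, MITIGATIONS.get((user, rid))) for rid in analyze_actions(actions)]


def unmitigated_violations() -> dict[str, list[str]]:
    """Summary report: users holding risks that no mitigation control covers."""
    report = {}
    for user in USERS:
        open_risks = [rid for rid, control in analyze_user(user) if control is None]
        if open_risks:
            report[user] = open_risks
    return report


if __name__ == "__main__":
    for user in USERS:
        print(user, analyze_user(user))
    print("Unmitigated:", unmitigated_violations())
```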
Compliant User Provisioning: The Workflow Engine
The Compliant User Provisioning (CUP) component provides a new approach to
provisioning that allows administrators of enterprise systems to automate the process,
to manage the various types of business risks, and to reduce the workload for IT
staff. It is the workflow engine for all of the SAP BusinessObjects Access Control
components.
With its configurable workflow capabilities, Compliant User Provisioning automates
and expedites user provisioning throughout an employee’s life cycle. By integrating
with the Risk Analysis and Remediation SoD rules, Compliant User Provisioning
prevents SoD violations and helps to ensure corporate accountability and compliance
with the Sarbanes-Oxley Act and other laws and regulations.
Figure 8: Compliant User Provisioning Overview
Enterprise Role Management: Centralizing Role Documentation
The Enterprise Role Management (ERM) component automates role definition and
management of roles. This capability enables preferred practices to ensure that role
definitions, development, testing, and maintenance are consistent across the entire
enterprise, resulting in lower ongoing maintenance and painless knowledge transfer.
It provides SAP security administrators, role designers, and role owners with a
simplified means of documenting and maintaining important role information for
better role management.
Figure 9: Enterprise Role Management Overview
Superuser Privilege Management: Monitoring the Firefighter
The Superuser Privilege Management (SPM) component tracks, monitors, and logs the
activities that are performed by a superuser with a privileged user ID. In emergencies
or extraordinary situations, Superuser Privilege Management enables users to perform
activities outside their role under superuser-like privileges in a controlled, auditable
environment.
Figure 10: Superuser Privilege Management Overview
Integration Points in SAP BusinessObjects Access Control
The components of BusinessObjects Access Control work together to provide
seamless integration for maintaining compliance in your ERP landscape. Although
Risk Terminator is configured only in SAP ABAP systems, it also works with Risk
Analysis and Remediation to provide another tool to manage SoD violations as they
occur during role development and user provisioning.
Figure 11: SAP BusinessObjects Access Control Integration Points
By using the workflow engine from Compliant User Provisioning, approval for
changes to roles can be initiated from Enterprise Role Management through Web
services provided as part of SAP BusinessObjects Access Control. Role information
that is uploaded into Compliant User Provisioning can be synchronized with the roles
and the attendant role details in Enterprise Role Management.
Figure 12: Compliant User Provisioning and Enterprise Role Management Integration
Compliant User Provisioning uses the SoD rules configured in Risk Analysis and
Remediation to provide user analysis functionality at the time of user provisioning.
Risk Analysis and Remediation can use the Compliant User Provisioning workflow
functions for approval processes and change management of mitigation controls
around business risks that are configured in Risk Analysis and Remediation.
Figure 13: Compliant User Provisioning and Risk Analysis and Remediation Integration
Running risk analysis in Enterprise Role Management for role development uses the
SoD rules configured in Risk Analysis and Remediation.
Figure 14: Risk Analysis and Remediation and Enterprise Role Management Integration
When configured in an SAP ABAP system, Risk Terminator uses the SoD rules from
Risk Analysis and Remediation during maintenance of roles (PFCG) and users (SU01)
to analyze for risk violations.
Figure 15: Risk Analysis and Remediation and Risk Terminator Integration
Just as with Risk Terminator, Superuser Privilege Management configuration happens
in an SAP ABAP system. Superuser Privilege Management also uses the Risk
Analysis and Remediation rules to analyze for SoD violations and for critical
actions while monitoring superuser access.
Figure 16: Superuser Privilege Management and Risk Analysis and Remediation Integration
SAP BusinessObjects Access Control has a central repository for access-based and
authorization-based risks and controls. This repository:
• Provides risk analysis for every process that can be covered by the solution
• Supports the creation and assignment of a mitigation control out of an approval
workflow via the mitigation service
• Supports the role maintenance life cycle in Enterprise Role Management by
using an event-driven, multilevel approval process
Figure 17: Management Takes Responsibility for Compliance
Figure 18: SAP BusinessObjects Access Control: Solution Integration
Exercise 1: SAP BusinessObjects Access Control - Overview
Exercise Objectives
After completing this exercise, you will be able to:
• Use the launch pad to access the different functionalities within SAP
BusinessObjects Access Control
• Navigate between the different tabs within all applications in SAP
BusinessObjects Access Control
Business Example
To evaluate changes in the most recent version of SAP BusinessObjects Access
Control compared to the older versions, you must log on and familiarize yourself with
the launch pad and some elementary functionalities.
Task:
Log on to the application and familiarize yourself with the launch pad, access the four
components and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on
to the system.
2. Review the launch pad links to the various components.
3. Review the Risk Analysis and Remediation component.
4. Review the Compliant User Provisioning component.
5. Review the Enterprise Role Management component.
6. Review the Superuser Privilege Management component.
7. Exit the application.
Solution 1: SAP BusinessObjects Access Control - Overview
Task:
Log on to the application and familiarize yourself with the launch pad, access the four
components and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on
to the system.
a) Enter the SAP BusinessObjects Access Control training system URL
(provided by your instructor) into a browser window and choose Go.
b) Log on to the system with the user ID GRC300-xx (xx is your user
number, and it is provided by the instructor) and password.
2. Review the launch pad links to the various components.
a) Notice that all the links are activated. If the user does not have access to a
specific component, does it still show?
3. Review the Risk Analysis and Remediation component.
a) Choose Risk Analysis and Remediation. Click on each of the visible tabs:
Informer, Rule Architect, Mitigation, Alert Monitor, CCADstatus, BJstatus,
and Configuration.
4. Review the Compliant User Provisioning component.
a) Choose Compliant User Provisioning. Click on each of the visible tabs:
My Work, Informer, and Configuration.
5. Review the Enterprise Role Management component.
a) Choose Enterprise Role Management. Click on each of the visible tabs:
Role Management, Informer, and Configuration.
6. Review the Superuser Privilege Management component.
a) Choose Superuser Privilege Management. Click on each of the visible
tabs: Reports and Configuration.
7. Exit the application.
a) Exit the application by closing all browser windows or by choosing Log off.
Lesson Summary
You should now be able to:
• List the main components of SAP BusinessObjects Access Control and their
integration points
• Describe the functionality of Risk Analysis and Remediation and Risk
Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
Lesson: SAP BusinessObjects Access Control Authorizations
Lesson Overview
This lesson explains the authorization concept of SAP BusinessObjects Access Control
in the user management engine (UME).
Lesson Objectives
After completing this lesson, you will be able to:
• List the authorizations and roles used in the Java-based parts of SAP
BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool
Business Example
You are asked to evaluate the Java-based authorization concept within SAP
BusinessObjects Access Control to ensure the correct technical implementation of
roles and responsibilities and to be prepared for future audits.
User Management Engine
The user management engine (UME) is where users are assigned roles for the different
SAP BusinessObjects Access Control products. During the installation of the SAP
BusinessObjects Access Control products, the roles.txt file is imported. This generates
the necessary roles for Risk Analysis and Remediation, Compliant User Provisioning,
and Enterprise Role Management.
Figure 19: User Management Engine Import Screen
After the roles text file is imported, you can choose the Identity Management button in
the UME and begin creating users or assigning roles to users.
Caution: When creating users, you should verify with your Basis team if the
user data source has been set to UME, ABAP, or LDAP. If the user source is
not UME, you will not be able to create the users in the UME.
Figure 20: User Management Engine
Once in the UME, you can search for roles or users in the system. The concept of roles in the UME is based on actions: actions are assigned to a role, and the set of assigned actions is what makes up that role. The following roles are delivered with SAP BusinessObjects Access Control:
• Compliant User Provisioning is comprised of three roles: AEAdmin, AESecurity, and AEApprover. All of these roles are made up of different actions.
  – Some of the actions delivered with Compliant User Provisioning include: ViewAccessEnforcer, AE.ModifyBackgroundJobsConfiguration, and AE.ModifyChangeLogConfiguration.
• Risk Analysis and Remediation is comprised of four roles: VIRSA_CC_Administrator, VIRSA_CC_Report, VIRSA_CC_Security_Admin, and VIRSA_CC_Business_Owner.
  – Some of the actions delivered with Risk Analysis and Remediation are com.virsa.cc.CreateRuleSet, com.virsa.cc.ChangeRuleSet, and com.virsa.cc.DeleteRuleSet.
• Enterprise Role Management is comprised of six roles: RE Admin, REBusinessuser, RERoleDesigner, RESecurity, RESuperuser, and REConfigurator.
  – Some of the actions delivered with Enterprise Role Management are ViewConfiguration, RE.ViewRoleExpert, and RE.ViewRoleLibrary.
• Superuser Privilege Management is made up of one SAP role: FF_Admin. This is the administrator role and should only be used by the administrator. You can create additional roles by assigning some of the following actions: ViewreportsTab, ViewReaffirms, and SODReport.
All of these roles are standard SAP-delivered roles. If you want to replicate or modify the roles, work on a copy so that the integrity of the SAP-delivered roles is maintained.
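The UME role concept described above (a role is a set of actions, a user holds roles, and the user's effective permissions are the union of those actions) can be checked mechanically. The following Python is an added example, not SAP code: it models a small UME, enforces the "copy, do not modify" rule for delivered roles, and reports every action a user holds beyond an intended allowlist, together with the role that grants it. The role and action names come from this lesson and from Exercise 2 below; which actions each delivered role actually contains, and the group number 01, are assumptions made for illustration.

```python
"""UME role concept modelled in Python: a role is a set of actions, a user holds
roles, and a user's effective permissions are the union of the actions of all
assigned roles.  Added example, not SAP code.  Role and action names come from
the GRC300 lesson; the action content of the delivered roles is an assumption."""

# Assumed action content of two delivered Risk Analysis and Remediation roles.
DELIVERED_ROLES = {
    "VIRSA_CC_Administrator": {
        "com.virsa.cc.CreateRuleSet", "com.virsa.cc.ChangeRuleSet",
        "com.virsa.cc.DeleteRuleSet", "com.virsa.cc.RunRiskAnalysis",
        "com.virsa.cc.RunAuditReports", "com.virsa.cc.ViewInformer",
        "com.virsa.cc.ViewMgmtReport",
    },
    "VIRSA_CC_Report": {
        "com.virsa.cc.RunAuditReports", "com.virsa.cc.RunRiskAnalysis",
        "com.virsa.cc.ViewInformer", "com.virsa.cc.ViewMgmtReport",
    },
}

# The five reporting actions assigned to CC.ReportingView.## in Exercise 2.
REPORTING_ACTIONS = frozenset({
    "com.virsa.cc.RunAuditReports", "com.virsa.cc.RunRiskAnalysis",
    "com.virsa.cc.RunSecurityReport", "com.virsa.cc.ViewInformer",
    "com.virsa.cc.ViewMgmtReport",
})


class Ume:
    """Minimal role and user store that refuses to modify SAP-delivered roles."""

    def __init__(self, delivered):
        self.roles = {name: set(actions) for name, actions in delivered.items()}
        self.delivered = frozenset(delivered)
        self.users = {}  # logon ID -> set of role names

    def create_role(self, name, actions=()):
        if name in self.roles:
            raise ValueError(f"role {name} already exists")
        self.roles[name] = set(actions)

    def copy_role(self, source, new_name):
        """Replicate a delivered role under a new name; the original stays intact."""
        self.create_role(new_name, self.roles[source])

    def _writable(self, role):
        if role in self.delivered:
            raise PermissionError(f"{role} is SAP-delivered; copy it instead of modifying it")
        return self.roles[role]

    def add_actions(self, role, actions):
        self._writable(role).update(actions)

    def remove_actions(self, role, actions):
        self._writable(role).difference_update(actions)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(role)
        self.users.setdefault(user, set()).add(role)

    def effective_actions(self, user):
        """Union of the actions of every role assigned to the user."""
        return set().union(*(self.roles[r] for r in self.users.get(user, ())))


def excess_actions(ume, user, allowed):
    """Map each effective action outside `allowed` to the roles that grant it.
    An empty result means the user is within the intended least-privilege set."""
    found = {}
    for role in ume.users.get(user, ()):
        for action in ume.roles[role] - set(allowed):
            found.setdefault(action, []).append(role)
    return {action: sorted(roles) for action, roles in sorted(found.items())}


def build_exercise_ume():
    """Users and roles as in Exercise 2, group number 01 assumed."""
    ume = Ume(DELIVERED_ROLES)
    ume.create_role("CC.ReportingView.01", REPORTING_ACTIONS)
    ume.assign("AUDIT-01", "CC.ReportingView.01")
    ume.assign("GRC300-01", "VIRSA_CC_Administrator")
    return ume


if __name__ == "__main__":
    ume = build_exercise_ume()
    for user in ("AUDIT-01", "GRC300-01"):
        print(user, excess_actions(ume, user, REPORTING_ACTIONS) or "within reporting scope")
```

The same shape of check is what an auditor would run against a real UME export before sign-off: compute each user's effective action set from the role assignments and compare it to the set the business owner approved, rather than trusting role names.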
Figure 21: SAP BusinessObjects Access Control Roles in UME
Exercise 2: SAP BusinessObjects Access Control – Authorizations
Exercise Objectives
After completing this exercise, you will be able to:
• Explain the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain how to access and use UME administration
Business Example
An internal auditor is part of your SAP BusinessObjects Access Control team. He is
only interested in running reports and viewing authorizations. You need to create a
user for him in the UME.
Task:
Use the UME to create users, create roles, and assign them to users.
1. Log on to the UME using your user ID, GRC300-##.
2. Create the user and the role for the auditor in UME. Use the ID AUDIT-## and create and assign the reporting role CC.ReportingView.## to the user. Test the logon by logging on to Risk Analysis and Remediation.
Solution 2: SAP BusinessObjects Access Control – Authorizations
Task:
Use the UME to create users, create roles, and assign them to users.
1. Log on to the UME using your user ID, GRC300-##.
   a) Open a browser and enter http://servername:5<instance number>00, then choose User Management Engine.
2. Create the user and the role for the auditor in UME. Use the ID AUDIT-## and create and assign the reporting role CC.ReportingView.## to the user. Test the logon by logging on to Risk Analysis and Remediation.
   a) Choose Create User and enter the following information:
      Logon ID: AUDIT-##
      Define Password: audit##
      Confirm Password: audit##
      Last Name: Bazemore
      First Name: Molly
      Language: English
   b) Choose Save.
   c) Create the role CC.ReportingView.##.
   d) Enter the following information:
      Unique Name: CC.ReportingView.##
      Description: Role for Internal Auditors
   e) Choose Save.
   f) Choose Modify.
   g) Add the following five actions from the service/application com.virsa.cc and then save the role:
      UME, com.virsa.cc, RunAuditReports
      UME, com.virsa.cc, RunRiskAnalysis
      UME, com.virsa.cc, RunSecurityReport
      UME, com.virsa.cc, ViewInformer
      UME, com.virsa.cc, ViewMgmtReport
   h) Assign AUDIT-## to role CC.ReportingView.## and test the new user.
   i) Search for the user AUDIT-## in the UME. Select and modify AUDIT-## by assigning role CC.ReportingView.##.
   j) Log off from UME.
   k) Open a browser and enter http://servername:5<instance number>00/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator.
   l) Enter the following data:
      User ID: AUDIT-##
      Password: audit##
   m) Enter and confirm a new password. What is the difference between GRC300-## and user AUDIT-##?
      AUDIT-## can only see the Informer, CCADStatus, and BJStatus tabs, while GRC300-## can see all tabs.
Lesson Summary
You should now be able to:
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool
Unit Summary
You should now be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes.
• Implement SAP BusinessObjects Access Control following best practices from SAP
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool
Unit 2: Risk Analysis and Remediation Overview
Unit Overview
As a business expert, you are responsible for organizing and supporting the
risk-recognition and rule-building phases of the project in order to identify, classify,
and document potential risks to your organization's processes. Furthermore, it is your
task to evaluate the change management controls within the new solution. This unit
will discuss the post installation steps of setting up Risk Analysis and Remediation, as
well as business uses of this component.
Unit Objectives
After completing this unit, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risk, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided
• View or locate function change history
• View or locate risk change history
• Compare rule sets
• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP
• Explain how mitigation controls can support you in reducing access risks in your landscape
• Describe the difference between preventative and detective controls, and implement mitigation controls in SAP BusinessObjects Access Control
• Define alerting as a powerful detective control
• Locate and view the Action Usage by Users report
• Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access Control
• List additional possibilities for continuous compliance
Unit Contents
Lesson: Risk Analysis and Remediation - Verification of Installation and Configuration
Lesson: Introduction to the SoD Risk Management Process
Lesson: Rule Building and Validation
  Exercise 3: Rule Building and Validation
Lesson: Rule Reporting
  Exercise 4: Rule-Set-Relevant Reporting
Lesson: Risk Analysis
  Exercise 5: Perform a Risk Analysis
Lesson: Risk Remediation
  Exercise 6: Risk Remediation
Lesson: Definition of Process-Related Mitigation Controls
  Exercise 7: Definition of Risk-Related Mitigation Controls
Lesson: Risk Analysis and Remediation Reporting
  Exercise 8: Remediation-Relevant Reporting
Lesson: Continuous Compliance
Lesson: Risk Analysis and Remediation - Verification of Installation and Configuration
Lesson Overview
In this lesson, you will learn how to verify installation and configuration of Risk
Analysis and Remediation.
Lesson Objectives
After completing this lesson, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production
Business Example
To set up a project plan for the implementation of SAP BusinessObjects Access
Control Risk Analysis and Remediation, you need to familiarize yourself with the
efforts required for setup.
After Technical Installation
When implementing Risk Analysis and Remediation, there are several items that
must be configured for the system to work properly. Following is a list of items that
must be checked.
Figure 22: Background Job Daemon Verification
Figure 23: UME - Verification of Imported Role
Steps to Verify Installation
• Confirm that the Internet Graphics Server (IGS) is running. Go to http://servername:40080/; this page tells you whether the IGS is running. If you see the message SAP IGS is running, the IGS has been configured properly.
• Confirm that the job daemon is running. To verify this, go to http://servername:port/sap/CCBgStatus.jsp and to http://servername:port/sap/CCADStatus.jsp. If you experience issues with the job daemon, verify that the lines 105, 106 and 107 are inserted in the table virsa_cc_config. Use the debugger at http://servername:50000/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger for this.
• Verify that the roles have been imported to the UME. It is important to make sure that the roles text file was imported during the installation of Risk Analysis and Remediation. Do this by going to the User Management Engine (UME).
• Ensure that the Real Time Agents (RTAs) have been installed, using transaction code SPAM.
• Ensure that the SAP Java Connectors (JCo) have been activated. Two JCo connections are required for Risk Analysis and Remediation: one for metadata and one for the model. To check them, choose Webdynpro → Administrator Content → Maintain JCo Connectors.
Caution: During installation of the RTAs, use transaction SPAM to identify whether there are any HR components installed on that system. If there are HR components, you will need to install the HR RTA. If this is not done, the risk analysis will not complete when you attempt to run it from Risk Analysis and Remediation.
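The URL checks in the list above (IGS, the two job daemon status pages, and the Risk Analysis and Remediation application itself) lend themselves to a repeatable post-installation script. The following Python is an added example, not SAP tooling: it derives the AS Java port from the instance number using the 5<instance number>00 convention this course uses, fetches each endpoint, and reports a verdict per check. The IGS text "SAP IGS is running" is the page's; treating a 200 response on the daemon status pages as "reachable, now read it" is an assumption, because the page does not say what those JSPs print. The fetcher is injectable so the logic can be exercised offline.

```python
"""Post-installation smoke check for Risk Analysis and Remediation.  Added
example, not SAP tooling.  Builds the verification URLs from host name and
instance number, fetches each one and reports the outcome.  The IGS text is
taken from the course; the daemon-page handling is an assumption."""
import sys
import urllib.request
from urllib.error import HTTPError

RAR_APP = "/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator"


def j2ee_port(instance):
    """AS Java HTTP port is 5<NN>00 for instance number NN (00 -> 50000)."""
    nn = int(instance)
    if not 0 <= nn <= 99:
        raise ValueError("instance number must be between 00 and 99")
    return 50000 + nn * 100


def check_urls(host, instance, igs_port=40080):
    """Endpoints used in this lesson's verification steps, keyed by check name."""
    base = f"http://{host}:{j2ee_port(instance)}"
    return {
        "igs": f"http://{host}:{igs_port}/",
        "bg_daemon": f"{base}/sap/CCBgStatus.jsp",
        "ad_daemon": f"{base}/sap/CCADStatus.jsp",
        "rar_app": base + RAR_APP,
    }


def http_fetch(url, timeout=10):
    """Return (status, body); status is None when the host cannot be reached."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as exc:      # the server answered, but with an error status
        return exc.code, ""
    except OSError as exc:        # DNS failure, refused connection, timeout
        return None, str(getattr(exc, "reason", exc))


def classify(name, status, body):
    """Turn one response into a (verdict, note) pair."""
    if status is None:
        return "FAIL", f"unreachable: {body}"
    if name == "igs":
        if "SAP IGS is running" in body:
            return "OK", "IGS reports that it is running"
        return "FAIL", "IGS page did not report running"
    if status != 200:
        return "FAIL", f"HTTP {status}"
    if name.endswith("_daemon"):
        # Assumption: a 200 only proves the JSP is served; its content must be read.
        return "CHECK", "status page reachable; confirm the daemon state it shows"
    return "OK", "reachable"


def verify(host, instance, fetch=http_fetch):
    """Run every check; `fetch` can be replaced to test the logic offline."""
    return {name: classify(name, *fetch(url))
            for name, url in check_urls(host, instance).items()}


def all_passed(results):
    return all(verdict != "FAIL" for verdict, _ in results.values())


if __name__ == "__main__":
    host, instance = sys.argv[1], sys.argv[2]
    for name, (verdict, note) in verify(host, instance).items():
        print(f"{verdict:5} {name:10} {note}")
```

Run it as `python rar_check.py servername 00`. Note that the endpoints, exactly as the course gives them, are plain HTTP, and the status pages and the CCDebugger page expose operational detail; as a recommendation not made by the page, keep them reachable only from administrator networks.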
Lesson Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production
Lesson: Introduction to the SoD Risk Management Process
Lesson Overview
This lesson will review the SoD risk management process.
Lesson Objectives
After completing this lesson, you will be able to:
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase
Business Example
As a business expert, you are responsible for guiding the other project team members
through the segregation of duties risk management process to clean up your system.
Consequently, you need to familiarize yourself with the process steps.
Risk Management Phase Approach
SAP has developed a three-phase approach to risk management. By applying this
method, it is possible to implement a process for segregation of duties (SoD) risk
management.
Figure 24: SoD Risk Management Process
The process begins by defining the risks, rule building, and validation.
Risk Recognition
In the risk recognition phase, identify authorization risks and approve exceptions.
Clarify and classify risk as high, medium, or low. Identify new risks and conditions
for monitoring in the future.
Rule Building and Validation
In the rule building and validation process, reference best practices rules for your
environment. Validate rules, customize rules, then test. Verify against test user and
role cases.
Analysis
During analysis, run analytical reports, estimate cleanup efforts, and analyze roles and users. Modify rules based on the analysis. Set alerts to identify risks that are actually executed.
Remediation
In the remediation process, determine alternatives for eliminating risks. Present
analysis and select corrective actions. Document approval of corrective actions.
Modify or create roles or user assignments.
Mitigation
During mitigation, determine alternative controls to mitigate risk. Educate
management about conflict approval and monitoring. Document a process to monitor
mitigation controls. Implement controls.
Continuous Compliance
In continuous compliance, communicate changes in roles and user assignments, simulate changes to roles and users, and implement alerts to monitor for selected risks and for mitigation control testing.
Roles and Responsibilities
During the SoD risk management process, there are a number of roles that need to be
involved if you are to have a successful remediation plan.
Figure 25: Roles and Responsibilities
In defining the roles and responsibilities, you should think about the individuals in
your company that meet some of these responsibilities.
Business Process Owner
During the risk management process, you will need to identify process owners in
areas such as finance, sales, purchasing, and materials management, depending on
where the SoD risks are located. Involving the business process owners from the
beginning of the project is important because they will understand the impact of the
risks after the rules have been defined.
Senior Officers
One of the main reasons senior officers should be involved is to approve or reject risks
between areas and approve mitigating controls. By having senior officers involved,
you maintain focus on the identified risks and how those risks affect the company
financially.
Security Administrators and Technical Liaisons
Security administrators and technical liaisons assume responsibility of the application
from a maintenance point of view. They grant access to users, troubleshoot problems,
and can remediate SoD conflicts at role level.
Auditors and Regulators
Internal audit can assist in running a risk analysis on a regular basis. They can provide
guidance to other team members as to which risks are true conflicts and what might
be considered a false positive.
SoD Rule Keeper
The rule keeper is involved in making necessary configuration changes to rules. The
rule keeper can also maintain mitigating controls for control owners and be a liaison
between Basis and the SAP GRC team.
Caution: When setting your rule set, make sure that you consider critical
actions that will also need to be maintained in the rule set.
Lesson Summary
You should now be able to:
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase
Lesson: Rule Building and Validation
Lesson Overview
This lesson will explain the terminology related to risks within SAP BusinessObjects
Access Control Risk Analysis and Remediation.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risk, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided
Business Example
As a business process expert, you are responsible for implementing the identified risks inside SAP BusinessObjects Access Control. Your organization decides to build a new rule set from scratch, using the standard rule set delivered by SAP as a template.
Rule Building and Validation
After risk recognition, the second part of phase one is rule building and validation.
Figure 26: Rule Building and Validation
Key Terminology
Business Process: The business area categories in which you would like to report
risk analysis results in Risk Analysis and Remediation
Function: A grouping of one or more related actions or permissions for a specific
business area
Risk: An opportunity for physical loss, fraud, process disruption, or productivity
loss that occurs when individuals exploit a specific condition; functions are
the main components of risks
Action: An activity that is performed in the system in order to fulfill a specific
function, for example, Create Purchase Order or Create Material Master Record
Permission: Authorizations that allow a user to perform a particular activity in
a system
System: Refers to a system in which risk analysis is performed, for example,
SAP ERP, Oracle, SAP CRM, PeopleSoft, or Hyperion
Figure 27: Rule Structure
Rule Building
Figure 28: Main Components of the Rule-Building Process
Figure 29: Functions
Figure 30: Risks
Organizational Rules
The organizational rule functionality eliminates false positives based on
organizational-level restrictions. Use this functionality for exception-based reporting
only.
Companies should perform an analysis prior to implementation to ensure that their situation warrants the use of organizational rules, and should not institute organizational rules until the remediation phase of their project. Only after identifying a possible organizational rule scenario should you create the organizational rules.
Using organizational rules to group users into reports by organizational levels to
distribute SoD reports to various management levels is not recommended. Rather, use
the organization level rules exclusively for exception-based reporting to remove false
positive conflicts that result from organization-level segregation.
Because of the sizable performance impact that organization level rules can have, use
them for only those situations in which the company has made a conscious decision to
segregate via organization levels.
Delivered Rule Set from SAP
The SAP-delivered rule set provides a list of SoD risks that have been accumulated from best practices, clients, and SAP's own experience. You should review these rules to determine whether they are applicable to your organization. They are a recommendation only.
The delivered rule set includes rules for:
• ERP
  – Basis
  – Finance
  – HR / Payroll
  – MM / PP / QM
  – Order-to-cash
  – Procure-to-pay
• SRM / EBP
• CRM
• Consolidation
• APO
Exercise 3: Rule Building and Validation
Exercise Objectives
After completing this exercise, you will be able to:
• Implement the identified issues from the Risk Recognition Workshop in your own rule set
• Create critical functions inside SAP BusinessObjects Access Control
• Create and describe risks resulting from the critical or conflicting functions
Business Example
As a business process expert, you are responsible for implementing the identified risks
inside SAP GRC Access Control. Your organization decided to build a new rule set
from scratch while using the standard rule set delivered from SAP as a template only.
Task:
Create and generate your own rule set.
1. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create a new rule set. Expand Rule Sets in the left menu pane and click Create.
2. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create your own business process for purchase-to-pay. Expand Business Processes in the left menu pane and click Create.
3. Create a function with the following information.
   Function ID: Func1_XX (where XX is your group number)
   Description: Func1_XX
   Business Process: <XX> Procure to Pay
   Analysis Scope: Single
   Actions: XK01
4. Create a function with the following information.
   Function ID: Func2_XX (where XX is your group number)
   Description: Func2_XX
   Business Process: <XX> Procure to Pay
   Analysis Scope: Single
   Actions: ME21N
5. Create a risk with the two functions from above and the following information.
   Risk ID: <XX>NN (where XX is your group number and NN is free to be changed)
   Description: Risk_XX
   Risk Type: Segregation of Duties
   Risk Level: Medium
   Business Process: PP<XX>
   Status: Enable
6. Generate rules for the risk you just created.
Solution 3: Rule Building and Validation
Task:
Create and generate your own rule set.
1. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create a new rule set. Expand Rule Sets in the left menu pane and click Create.
   a) Enter the information from the table below. Replace XX with your group number.
      Rule Set ID: RS<XX>
      Description: <XX> rule set
2. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create your own business process for purchase-to-pay. Expand Business Processes in the left menu pane and click Create.
   a) Enter the information from the table below. Replace XX with your group number.
      Business Process ID: PP<XX>
      Description: <XX> Procure to Pay
3. Create a function with the following information.
      Function ID: Func1_XX (where XX is your group number)
      Description: Func1_XX
      Business Process: <XX> Procure to Pay
      Analysis Scope: Single
      Actions: XK01
4. Create a function with the following information.
      Function ID: Func2_XX (where XX is your group number)
      Description: Func2_XX
      Business Process: <XX> Procure to Pay
      Analysis Scope: Single
      Actions: ME21N
5. Create a risk with the two functions from above and the following information.
      Risk ID: <XX>NN (where XX is your group number and NN is free to be changed)
      Description: Risk_XX
      Risk Type: Segregation of Duties
      Risk Level: Medium
      Business Process: PP<XX>
      Status: Enable
   a) Add your two functions as the two conflicting functions.
   b) Select the rule set that you created, RS<XX>.
6. Generate rules for the risk you just created.
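What "generate rules" does in step 6, and what the rules are then used for, follows from the key terminology of this lesson: a function groups actions, a risk pairs conflicting functions, and an action rule is one combination of one action from each function of an enabled risk. The following Python is an added example, not the product's own logic. It models the rule set from this exercise (group number 01 assumed), generates its action rules, runs a user-level risk analysis over constructed user-to-transaction assignments, and compares two rule sets at risk level and at action-rule level, the two levels the Rule Set Comparison report in the next lesson offers. The GLOBAL stand-in rule set and the user assignments are constructed for illustration.

```python
"""Rule building, user-level risk analysis and rule set comparison modelled in
Python.  Added example, not the product's own logic.  Functions, actions and
risk follow Exercise 3 of GRC300 (group number 01 assumed); the GLOBAL stand-in
and the user-to-transaction assignments are constructed for illustration."""
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class Function:
    id: str
    business_process: str
    actions: frozenset  # transaction codes (the action level of a rule)


@dataclass
class Risk:
    id: str
    description: str
    level: str          # High, Medium or Low
    functions: tuple    # the conflicting functions
    risk_type: str = "Segregation of Duties"
    enabled: bool = True


@dataclass
class RuleSet:
    id: str
    risks: dict = field(default_factory=dict)

    def add(self, risk):
        self.risks[risk.id] = risk


def generate_action_rules(rule_set):
    """Generate rules: one action rule per combination of one action from each
    function of an enabled risk.  Disabled risks produce no rules."""
    rules = {}
    for risk in rule_set.risks.values():
        if risk.enabled:
            combos = product(*(sorted(f.actions) for f in risk.functions))
            rules[risk.id] = set(combos)
    return rules


def user_risk_analysis(rule_set, user_actions):
    """User-level analysis: {user: {risk_id: [matched action rules]}} for every
    user who can execute all actions of at least one rule."""
    rules = generate_action_rules(rule_set)
    report = {}
    for user, actions in user_actions.items():
        hits = {}
        for risk_id, combos in rules.items():
            matched = sorted(c for c in combos if set(c) <= set(actions))
            if matched:
                hits[risk_id] = matched
        if hits:
            report[user] = hits
    return report


def compare_rule_sets(a, b):
    """Risk-level comparison first, then action rules for risks present in both."""
    ra, rb = generate_action_rules(a), generate_action_rules(b)
    return {
        f"risks_only_in_{a.id}": sorted(set(a.risks) - set(b.risks)),
        f"risks_only_in_{b.id}": sorted(set(b.risks) - set(a.risks)),
        "action_rule_diffs": {
            rid: {f"only_in_{a.id}": sorted(ra[rid] - rb[rid]),
                  f"only_in_{b.id}": sorted(rb[rid] - ra[rid])}
            for rid in sorted(set(ra) & set(rb)) if ra[rid] != rb[rid]
        },
    }


def build_exercise_rule_set():
    """RS01 as built in Exercise 3: vendor creation vs. purchase order creation."""
    func1 = Function("Func1_01", "PP01", frozenset({"XK01"}))   # create vendor
    func2 = Function("Func2_01", "PP01", frozenset({"ME21N"}))  # create purchase order
    rs = RuleSet("RS01")
    rs.add(Risk("0101", "Risk_01", "Medium", (func1, func2)))
    return rs


def build_global_rule_set():
    """Constructed stand-in for the delivered GLOBAL rule set: the same risk ID
    with a broader vendor-maintenance function, plus one additional risk."""
    func1 = Function("Func1_01", "PP01", frozenset({"XK01", "XK02"}))
    func2 = Function("Func2_01", "PP01", frozenset({"ME21N"}))
    func3 = Function("Func3_01", "PP01", frozenset({"FB60"}))   # enter vendor invoice
    rs = RuleSet("GLOBAL")
    rs.add(Risk("0101", "Risk_01", "Medium", (func1, func2)))
    rs.add(Risk("0102", "Vendor master vs. vendor invoice", "High", (func1, func3)))
    return rs


# Constructed user-to-transaction assignments, as extracted from a back-end system.
USER_ACTIONS = {
    "BUYER1": {"ME21N", "ME22N"},
    "VENDORADMIN": {"XK01", "XK02"},
    "SUPERUSER": {"XK01", "ME21N", "FB60"},
}

if __name__ == "__main__":
    rs01 = build_exercise_rule_set()
    print("rules:", generate_action_rules(rs01))
    print("violations:", user_risk_analysis(rs01, USER_ACTIONS))
    print("comparison:", compare_rule_sets(build_global_rule_set(), rs01))
```

The comparison output is what you should expect when you diff a copied-and-trimmed rule set against the delivered one: risks dropped from your copy appear under risks_only_in_GLOBAL, and a narrowed function shows up as action rules present only in GLOBAL. Only the action level is modelled here; the product's permission-level rules (authorization objects and field values) sit one level below this.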
Lesson Summary
You should now be able to:
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risk, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided
Lesson: Rule Reporting
Lesson Overview
This lesson discusses reporting within the risk library.
Lesson Objectives
After completing this lesson, you will be able to:
• View or locate function change history
• View or locate risk change history
• Compare rule sets
Business Example
Audit demands lists of recent changes to the rule set in order to check whether the implemented change management process is effective. Only approved changes will actually be implemented in SAP BusinessObjects Access Control.
Change History
Choose Change History to view the change log for functions and the change log for risks.
Viewing the logs permits managers and administrators to determine which functions and risks were changed and who changed them. Whether you have the ability to see the logs is determined during configuration.
Figure 31: Function Change History
Function Change History
To view change log information for functions, choose Rule Architect → Change
History → Functions. In the displayed Functions-Change History Results screen,
select your settings and choose Execute to run a search to view the change log results.
The Functions Change History Results log includes:
• Changed On: The date and time
• Changed by: The user ID
• Function (ID)
• Change Type: This is either Insert Function or Delete Function
• System
• Action
• Item
• Value
• Status
Figure 32: Risk Change History
Risk Change History
To view change log information for risks, choose Rule Architect → Change History →
Risks. In the displayed Risks-Change History Results screen, you select your settings
and choose Execute to run a search to view the change log results.
The Risks Change History Results log includes:
• Changed On: The date and time
• Changed by: The user ID
• Risk ID
• Change Type: The type is either Insert or Delete
• Field
• Old Value
• New Value
Comparing Rule Sets
This report compares the contents of two rule sets and displays the results.
Figure 33: Rule Set Comparison
The rule sets can be compared in two ways:
• A comparison of just the risks in the designated rule sets
• A comparison of risks and actions/permissions
To perform a comparison of rule sets, choose Rule Architect → Rule Sets → Compare. A comparison of risks is always performed, and these results are displayed initially. The Summary button on the risk comparison screen drills down to an action rule comparison. The Detail button in the action rule comparison drills down to a permission rule comparison.
Exercise 4: Rule-Set-Relevant Reporting
Exercise Objectives
After completing this exercise, you will be able to:
• Execute and interpret the Function Change History and Risk Change History reports
• Use the rule set comparison
Business Example
As the owner of the rule set, you are responsible for reviewing changes to ensure the
integrity and proper documentation of access-relevant risks in SAP BusinessObjects
Access Control.
Task 1:
Demonstrate the Function Change History report.
1. Demonstrate the Function Change History report.
Task 2:
Demonstrate the Risk Change History report.
1. Demonstrate the Risk Change History report.
Task 3:
Demonstrate the Rule Set Comparison report.
1. Demonstrate the Rule Set Comparison report.
Solution 4: Rule-Set-Relevant Reporting
Task 1:
Demonstrate the Function Change History report.
1. Demonstrate the Function Change History report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Change History → Functions.
   c) In the Function ID field, enter the function that you created in the Rule Building and Validation exercise (Func1_XX).
   d) Choose Execute.
   e) Look at the changes that are identified on the results screen.
Task 2:
Demonstrate the Risk Change History report.
1. Demonstrate the Risk Change History report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Change History → Risks.
   c) In the Risk ID field, enter the risk that you created in the “Rule Building and Validation” exercise (<XX>NN).
   d) Choose Execute.
   e) Look at the changes that are identified on the results screen.
Task 3:
Demonstrate the Rule Set Comparison report.
1. Demonstrate the Rule Set Comparison report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Rule Set → Compare.
   c) Compare the Global rule set to the rule set you created in the “Rule Building and Validation” exercise (RS<XX>).
   d) Select Actions and Permissions. Note that Risks are automatically selected.
   e) Look at the results that are identified on the Results screen. Switch between the Actions and Permissions reports.
Lesson Summary
You should now be able to:
• View or locate function change history
• View or locate risk change history
• Compare rule sets

Lesson: Risk Analysis
Lesson Overview
This lesson will give you an overview of the management reports in the RAR Informer
tab in SAP BusinessObjects Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job
Business Example
As the leading risk management expert, you need to improve the process of checking the current risk situation in the system and estimate the required cleanup effort inside your organization.
SoD Risk Management Process: Analysis Phase
The purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risks by:
• Performing a security analysis to confirm risks for:
  – Simple roles
  – Composite roles
  – Users
• Reviewing the role to determine how certain personnel might be restricted from performing undesired activities by checking:
  – Objects
  – Fields
  – Values
Figure 34: Analysis Phase of the SoD Risk Management Process
Management View
The Management view in the Informer tab of Risk Analysis and Remediation provides
a compact overview of risk violations grouped by time, severity, and business process.
Figure 35: Management View - Risk Violations
Management View: Reports
Start from the overview level and concentrate on the details afterward.
• SoD Violations report
  – Displays a pie chart and a bar chart to represent current and past violations in the system landscape
  – Supports two different views: violations by risk level and violations by process
• User Analysis report
  – Risks by user resulting from SoD conflicts
  – Risks by user resulting from critical actions and roles
• Role Analysis report
• Comparisons report
  – Provides an overview of the remediation progress
  – Choose quarterly or monthly comparisons of user, role, and profile violations
  – Check remediation progress and percent completion
• Alerts report
  – Provides an accumulated view of conflicting action alerts per business process
• Rules Library report
• Controls Library report
Figure 36: Reports in the Management View
Risk Analysis
Analyze risks based on users, roles, HR objects, and other factors:
• Specify the parameters of the analysis
  – Cross-system analysis is possible
  – Specific roles or users can be selected for risk analysis
  – Restrict by business process or risk level if required
Figure 37: Analyzing a Risk
Report Types
Depending on the required analysis, select:
• Action Level
  – Performs SoD analysis only at action level
• Permission Level
  – Performs SoD analysis at action and permission levels
• Critical Actions
  – Analyzes users having access to one critical function (actions and permissions)
• Critical Permissions
  – Analyzes users having access to one critical function (permissions only)
• Critical Roles/Profiles
  – Analyzes users having access to critical roles or profiles
• Assignment of Mitigation Controls
Report Formats
Depending on the required level of detail, choose:
• Executive Summary report
  – Provides a description of the risks and a count of the number of rules that are causing the conflict
• Management Summary report
  – Displays users causing the conflicts, but no actions
• Summary report
  – Displays the users or roles and action conflicts involved
• Detail report
  – Provides the highest level of detail, including transactions
Note: It is possible to change the report format after a risk analysis is completed.
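The difference between an action-level and a permission-level analysis, and the way the four report formats are projections of one result, as an added example written for this page (a Python model, not SAP code and not part of the handbook). Functions, risks, roles and users are constructed; the authorization objects and values (F_LFA1_APP/ACTVT, F_REGU_BUK/FBTCH) are illustrative assumptions rather than an exported rule set. The display-only vendor role deliberately contains the change transaction XK02 with display activity only, so it fires at action level and is cleared at permission level.

```python
"""Model of an SoD risk analysis: action level vs permission level, and the
four report formats as projections of one result. Constructed data."""
from itertools import product

# Function: actions, each with the permissions (object, field, allowed values)
# a user must also hold for the action to count at permission level.
# Object/field/value choices are illustrative, not an exported rule set.
FUNCTIONS = {
    "AP01": {"description": "Vendor master maintenance",
             "actions": {"XK01": [("F_LFA1_APP", "ACTVT", {"01"})],
                         "XK02": [("F_LFA1_APP", "ACTVT", {"02"})]}},
    "AP02": {"description": "Payment run",
             "actions": {"F110": [("F_REGU_BUK", "FBTCH", {"21"})]}},
}
RISKS = {"P001": {"description": "Maintain vendor master and run payments",
                  "level": "High", "functions": ("AP01", "AP02")}}
# Roles: transactions plus authorization values per (object, field).
ROLES = {
    # Display-only role that still contains the change transaction XK02:
    # an action-level false positive, cleared at permission level.
    "Z_AP_VENDOR_DISPLAY": {"actions": {"XK02", "XK03"},
                            "auths": {("F_LFA1_APP", "ACTVT"): {"03"}}},
    "Z_AP_VENDOR_MAINT": {"actions": {"XK01", "XK02"},
                          "auths": {("F_LFA1_APP", "ACTVT"): {"01", "02", "03"}}},
    "Z_AP_PAYMENT_RUN": {"actions": {"F110"},
                         "auths": {("F_REGU_BUK", "FBTCH"): {"11", "21"}}},
}
USERS = {"GRCBIZZ-01": ["Z_AP_VENDOR_DISPLAY", "Z_AP_PAYMENT_RUN"],
         "GRCBIZZ-02": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"]}


def user_authorizations(user):
    """Merge the user's roles the way the authorization buffer does:
    action -> roles granting it, (object, field) -> union of values."""
    actions, auths = {}, {}
    for role in USERS[user]:
        for action in ROLES[role]["actions"]:
            actions.setdefault(action, []).append(role)
        for key, values in ROLES[role]["auths"].items():
            auths.setdefault(key, set()).update(values)
    return actions, auths


def function_hits(function_id, actions, auths, level):
    """Actions of the function the user can execute. At permission level
    every required (object, field) must have at least one allowed value."""
    hits = {}
    for action, perms in FUNCTIONS[function_id]["actions"].items():
        if action not in actions:
            continue
        if level == "permission" and not all(
                auths.get((obj, field), set()) & values
                for obj, field, values in perms):
            continue
        hits[action] = actions[action]
    return hits


def analyze_user(user, level="permission"):
    """A risk fires when every one of its functions is hit; each combination
    of hit actions is one violated action rule."""
    actions, auths = user_authorizations(user)
    violations = []
    for risk_id, risk in RISKS.items():
        hits = [function_hits(f, actions, auths, level) for f in risk["functions"]]
        if not all(hits):
            continue
        for combo in product(*(h.items() for h in hits)):
            violations.append({"risk": risk_id, "user": user,
                               "actions": tuple(a for a, _ in combo),
                               "roles": tuple(r for _, rs in combo for r in rs)})
    return violations


def report(violations, fmt):
    """Same result, four levels of detail."""
    if fmt == "executive":    # risk description and number of rules hit
        counts = {}
        for v in violations:
            counts[v["risk"]] = counts.get(v["risk"], 0) + 1
        return {r: (RISKS[r]["description"], n) for r, n in counts.items()}
    if fmt == "management":   # users per risk, no actions
        return {r: sorted({v["user"] for v in violations if v["risk"] == r})
                for r in {v["risk"] for v in violations}}
    if fmt == "summary":      # user, risk and conflicting action pair
        return [(v["user"], v["risk"], v["actions"]) for v in violations]
    if fmt == "detail":       # plus the roles carrying each action
        return [(v["user"], v["risk"], v["actions"], v["roles"]) for v in violations]
    raise ValueError(f"unknown report format {fmt!r}")
```

Running `analyze_user("GRCBIZZ-01", "action")` reports the vendor/payment risk because XK02 is in the display role; at permission level the same user is clean, which is the false positive the lesson's "Permission Level" report type removes. `report()` turns one violation list into the executive, management, summary and detail views without re-running the analysis, matching the note that the format can be switched afterwards.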
Scheduling a Background Job
Large background jobs should be scheduled to run overnight:
• Type in a descriptive name.
• Decide whether to run the job immediately or if it should be delayed.
• Schedule periodically if required.
• Only the scheduler and the administrator should be able to see the result of the job (check UME actions).
Exercise 5: Perform a Risk Analysis
Exercise Objectives
After completing this exercise, you will be able to:
• Run a risk analysis against a business user using the recently designed rule set containing the risk identified in the Risk Recognition Workshop
• Schedule a risk analysis job to check conflicts inside a composite role
Business Example
You want to use the Risk Analysis and Remediation capabilities of SAP
BusinessObjects Access Control to improve the process of checking the current risk
situation in the system and to estimate the required cleanup efforts.
Task 1:
User Risk Analysis report
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks of your business user, GRCBIZZ-xx.
2. Use the icons in the result screen of the risk analysis to toggle the different report formats.
Task 2:
Role risk analysis
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks inside the composite role GRC300-CR_PURCHASE_TO_PAY-<XX>.
2. Check the result of your background job analysis, toggle to report format Detail Report, and download the result in a Microsoft Excel file.
Result
Congratulations! Now you can use the result of your analysis for further
discussions with the role and authorizations team within your company.
Solution 5: Perform a Risk Analysis
Task 1:
User Risk Analysis report
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks of your business user, GRCBIZZ-xx.
a) Log on to SAP BusinessObjects Access Control and perform a risk analysis at user level.
Hint: Replace xx with your group number.
b) Enter the following information.
User: GRCBIZZ-xx
Rule Set: Global
Report Type: Permission Level
Report Format: Executive Summary
c) Choose Execute.
How many high or critical rated risks came up for your user?
2. Use the icons in the result screen of the risk analysis to toggle the different report formats.
a) Display Management Summary report: Review the business risks identified by the report.
Display Summary report: Review the risk description and the transaction combinations of the first three risks.
Display Detail report: Review the roles identified by the report that cause SoD conflicts within the user's account.
Task 2:
Role risk analysis
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks inside the composite role GRC300-CR_PURCHASE_TO_PAY-<XX>.
a) Log on to SAP BusinessObjects Access Control and schedule a risk analysis background job at role level.
Hint: Replace xx with your group number.
b) Enter the following information.
Role: GRC300-CR_PURCHASE_TO_PAY-<xx>
Rule Set: Global
Report Type: Permission Level
Report Format: Summary
c) Choose Background.
d) Enter Job Name: “xx” Risk Analysis GRC300-PURCHASE_TO_PAY
e) Choose Immediate Start.
f) Choose Schedule.
What is the ID of the job you scheduled?
Hint: Check the message at the bottom of the screen.
2. Check the result of your background job analysis, toggle to report format Detail Report, and download the result in a Microsoft Excel file.
a) Select the Informer tab and choose Background Job → Search from the right menu panel.
b) Specify the Job ID you noted in step 1 and choose Search.
c) In the next screen, choose the Result icon and toggle to the various report formats.
d) Choose the Export icon and save the result as an Excel file.
Result
Congratulations! Now you can use the result of your analysis for further discussions with the role and authorizations team within your company.
Lesson Summary
You should now be able to:
• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job
Lesson: Risk Remediation
Lesson Overview
This lesson describes a remediation strategy using Risk Analysis and Remediation in
SAP BusinessObjects Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP
Business Example
To reach an important milestone in your organization’s SoD management project,
you need to restructure access rights in the SAP back-end system. The simulation
functionality of SAP BusinessObjects Access Control makes it easy to verify the
appropriate role and authorization concept.
SoD Risk Management Process: Risk Remediation Phase
The purpose of the remediation phase is to determine alternatives for eliminating issues in roles. The recommended approach is to resolve issues in the following order:
1. Single roles
   • Simplest place to start
   • Prevents SoD violations from being reintroduced
2. Composite roles
3. Users
A remediation plan should be documented by the security administrators. Business process owners should be involved in its development and approve the plan.
Figure 38: Remediation Phase of SoD Risk Management Process
Remediation Strategy
• Analyze report results to determine the extent of remediation efforts.
• Discuss potential remediation methodologies to address identified security violations.
• Use a simulation to estimate remediation efforts.
• Perform walkthroughs of the remediation strategies using live examples.
Note: Use the Management View or Risk Analysis reports for analysis. Use a simulation to perform a “what if” analysis on the assignment or removal of user actions.
Simulation
Simulation takes place in the Risk Analysis screen:
• Decide whether to add or remove a value:
  – To add, choose Exclude = No.
  – To remove, choose Exclude = Yes.
• Decide which objects should be included in the simulation:
  – Add or remove an action.
  – Add or remove a role.
  – Add or remove a profile.
• Specify the values for simulation.
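The "what if" simulation described above, modelled outside the product as an added example (Python written for this page, not SAP code and not part of the handbook). The role names follow the course's GRC300 naming, but their transaction contents, the functions and risks, and the user assignments are constructed assumptions; the check is action level only, so it is a small helper rather than a full permission analysis. The second function shows why the lesson starts at role level: one removal from a composite role clears the risk for every user who carries it.

```python
"""What-if simulation on a composite role (Type = Role, Exclude = Yes/No)
and the user-level effect of one role-level fix. Constructed data;
action-level analysis only."""

# Functions as action sets, risks as pairs of conflicting functions.
FUNCTIONS = {
    "PR01": {"ME21N", "ME22N"},   # create/change purchase order
    "PR02": {"MIGO"},             # post goods receipt
    "AP01": {"XK01", "XK02"},     # vendor master maintenance
    "AP02": {"F110"},             # payment run
    "AP03": {"FB60", "MIRO"},     # enter vendor invoice
}
RISKS = {"P001": ("PR01", "PR02"), "P002": ("AP01", "AP02"),
         "P003": ("AP03", "AP02"), "P004": ("PR01", "AP03")}
SINGLE_ROLES = {
    "GRC300-PURCHASING": {"ME21N", "ME22N", "ME23N"},
    "GRC300-GOODS_RECEIPT": {"MIGO"},
    "GRC300-INVOICE_ENTRY": {"MIRO", "FB60"},
    "GRC300-VENDOR_MASTER": {"XK01", "XK02"},
    "GRC300-PAYMENT_RUN": {"F110"},
}
COMPOSITE_ROLES = {
    "GRC300-CR_PURCHASE_TO_PAY-01": [
        "GRC300-PURCHASING", "GRC300-GOODS_RECEIPT", "GRC300-INVOICE_ENTRY",
        "GRC300-VENDOR_MASTER", "GRC300-PAYMENT_RUN"],
    "GRC300-CR_PURCHASING-01": ["GRC300-PURCHASING", "GRC300-GOODS_RECEIPT"],
}
# Constructed user master: three business users share the composite role.
USER_ASSIGNMENTS = {f"GRCBIZZ-{i:02d}": ["GRC300-CR_PURCHASE_TO_PAY-01"]
                    for i in range(1, 4)}
USER_ASSIGNMENTS["GRCBIZZ-04"] = ["GRC300-PURCHASING", "GRC300-GOODS_RECEIPT"]


def actions_of_members(members):
    """Union of the transactions of the given single roles."""
    return set().union(*(SINGLE_ROLES[r] for r in members))


def members_of(role):
    """Single roles behind a role name (a composite expands to its members)."""
    return list(COMPOSITE_ROLES.get(role, [role]))


def risks_for(actions):
    """Action-level check: a risk fires when every function in it has at
    least one of its actions in the analysed action set."""
    return {rid for rid, funcs in RISKS.items()
            if all(FUNCTIONS[f] & actions for f in funcs)}


def simulate(composite, value, exclude, simulation_only=False):
    """Mimic the Simulation screen: Exclude = Yes removes the single role
    `value` from the composite, Exclude = No adds it. 'Risks from
    simulation only' returns just the risks that appear or disappear."""
    before = risks_for(actions_of_members(members_of(composite)))
    members = members_of(composite)
    if exclude:
        members.remove(value)
    else:
        members.append(value)
    after = risks_for(actions_of_members(members))
    return (after ^ before) if simulation_only else after


def user_violations(removed=()):
    """Total (user, risk) pairs over all users, with the given single roles
    removed from every composite role: one role-level fix is multiplied
    by the number of users carrying the role."""
    total = 0
    for roles in USER_ASSIGNMENTS.values():
        members = [m for r in roles for m in members_of(r) if m not in removed]
        total += len(risks_for(actions_of_members(members)))
    return total
```

`simulate(..., exclude=True)` is the Exclude = Yes case from the list above and returns the risks that remain; with `simulation_only=True` it returns only the delta, which is what "Risks from Simulation only" shows. `user_violations()` before and after removing GRC300-PAYMENT_RUN gives the count that a user-level cleanup would have had to reach one assignment at a time.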
Start Small and Work Big
A customer can often become overwhelmed at the beginning of a remediation project.
The best strategy is to start small and work big.
Figure 39: Start Small and Work Big!
Reality check:
• Most customers are only focused on one question: “How many users have SoD violations?”
• Focusing on fixing SoD violations at user level makes the process much more complex than it should be.
• First, have a look at the roles:
  – Using and tailoring authorization objects and values helps define specific access privileges and avoid risks.
  – Reporting and simulation help to find the correct authorization settings to remediate risks.
Make sure the rule set matches business and audit requirements:
• The SAP GRC technology foundation provides a standard rule set out of the box with SAP BusinessObjects Access Control:
  – Rule Architect allows you to create, change, and enhance the rule set to match customer-specific business, policy, and system requirements.
  – Adapt the rule set to the customer’s business processes to avoid false positives.
Perform risk analysis against single roles:
• Identify SoD violations within the smallest building blocks of a customer’s security structure:
  – If one role has three SoD violations, and 3,000 users have that role assigned to them, it translates into 9,000 violations!
  – Prioritize risks as critical, high, medium, or low, and report specifically on those levels that matter most to your organization.
• Identify issues that can be resolved quickly and significantly reduce SoD violations:
  – Transactions that are not used, or change transactions contained in display-only roles
Focus on composite roles after single roles are clean:
• Perform risk analysis against composite roles.
• Re-structure the role concept using the information from the simulation.
  – Remove access for functionalities that are not used within your organization.
  – Clean up SoD violations caused by multiple roles coming together under a composite role by using the simulation functionality.
• Re-run risk analysis at role level.
Analyze access rights for individual users:
• Perform risk analysis against users after all single roles and composite roles have been remedied.
• Target specific functionality and business areas that contain the most critical areas of risk, such as purchase-to-pay, financial accounting, and so on.
• Adapt role assignments at user master record level to avoid risks caused by SoD conflicts.
• Re-run risk analysis at user level.
Remediation
Remediation means correcting or eliminating SoD violations.
1. Is this SoD violation caused by an incorrect rule? If so, modify the rule to resolve the false positive.
2. Can access be removed from the role or user?
3. Address the SoD violation by using alternatives:
   • SAP workflow
   • User exits
   • Configuration modifications
   • Business process change
4. Check if superuser privilege management is possible.
Note: If the SoD violation is not resolved in steps 1 to 4, mitigation is required.
Run Simulations and Split Responsibilities
1. Use the simulation functionality in SAP BusinessObjects Access Control to identify possible ways to remediate risks.
2. Log on to SAP and redesign your business user’s role assignments to ensure that any possible SoD violation is solved.
Exercise 6: Risk Remediation
Exercise Objectives
After completing this exercise, you will be able to:
• Use the simulation functionality inside SAP BusinessObjects Access Control to identify possible ways to remediate risks
• Redesign the role assignments of your business user to ensure that the possible SoD violation is solved
Business Example
To reach a big milestone in your organization's SoD management project, you need to restructure the access rights in the SAP back-end system. The simulation function of SAP BusinessObjects Access Control helps you estimate the work needed to establish the building blocks of the role and authorization concept.
Task 1:
In the previous risk analysis exercise you identified the composite role GRC300-CR_PURCHASE_TO_PAY-## as the main source of risk for user GRCBIZZ-##. To resolve the SoD risks for all users who are assigned to this role, use the most efficient method of remediation at role level.
Perform a role analysis on a composite role.
1. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis at role level to assess the current risk situation.
Hint: Replace ## with your group number.
Task 2:
Perform a role analysis on a single role.
1. Log on to SAP BusinessObjects Access Control and perform a simulation on role level. Simulate the removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-##. Compare the results with the first part of this exercise.
Task 3:
Removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-## will automatically remediate the risk for all users assigned to this composite role. As a consequence, the risk situation in the system can be improved significantly.
1. Log on to the SAP back-end system with the user GRC300-## and adapt the role in the Profile Generator.
2. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis on user level.
Result
The removal of the single role for payment run from the composite role was performed and the total number of risks for your business user GRCBIZZ-## has decreased.
The real-time capabilities of SAP BusinessObjects Access Control allow you to check the results of your work immediately.
Solution 6: Risk Remediation
Task 1:
In the previous risk analysis exercise you identified the composite role GRC300-CR_PURCHASE_TO_PAY-## as the main source of risk for user GRCBIZZ-##. To resolve the SoD risks for all users who are assigned to this role, use the most efficient method of remediation at role level.
Perform a role analysis on a composite role.
1. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis at role level to assess the current risk situation.
Hint: Replace ## with your group number.
a) Enter the following information.
Role: GRC300-CR_PURCHASE_TO_PAY-##
Rule Set: Global
Report Type: Permission Level
Report Format: Executive Summary
b) Choose Execute.
c) Write down the risk descriptions.
Risk No / Risk Description
##01:
##02:
##03:
##04:
##05:
##06:
Task 2:
Perform a role analysis on a single role.
1. Log on to SAP BusinessObjects Access Control and perform a simulation on role level. Simulate the removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-##. Compare the results with the first part of this exercise.
a) Select the Informer tab and choose Risk Analysis → Role Level.
b) Enter the following information.
Rule Set: Global
Report Format: Executive Summary
c) Choose Simulation.
d) In the next screen, specify the following values.
Role: GRC300-CR_PURCHASE_TO_PAY-##
Report Type: Permission Level
Type: Role
Value: GRC300-PAYMENT_RUN
Exclude Values: YES (meaning simulation of a removal)
Risks from Simulation only: NO
e) Choose Background Simulation.
f) Enter Job Name: ## Risk Analysis GRC300-PURCHASE_TO_PAY
g) Choose Immediate Start.
h) Choose Schedule.
i) Write down the risk descriptions.
Risk No / Risk Description
##01:
##02:
##03:
##04:
##05:
j) Which risks disappeared compared with the previous exercise?
Note: The removal of the single role for payment run from the composite role will minimize the risk situation in the system.
Task 3:
Removal of the single role GRC300-PAYMENT_RUN from the composite role GRC300-CR_PURCHASE_TO_PAY-## will automatically remediate the risk for all users assigned to this composite role. As a consequence, the risk situation in the system can be improved significantly.
1. Log on to the SAP back-end system with the user GRC300-## and adapt the role in the Profile Generator.
a) Log on to the SAP back-end system.
b) Enter the following information.
Client: Ask instructor for logon setup details
User: GRC300-##
c) Enter transaction code PFCG and enter Role: GRC300-CR_PURCHASE_TO_PAY-##.
d) Switch to Change mode (pencil icon).
e) In the next screen, choose the Roles tab and select the single role GRC300-PAYMENT_RUN. Remove the assignment of this role to the composite role by choosing Delete Row.
f) Choose Save to save your changes.
Note: To update the role information in the Risk Analysis and Remediation tables, schedule an incremental role synchronization job so that the changed composite role is reflected in SAP BusinessObjects Access Control.
2. Log on to SAP BusinessObjects Access Control with user GRC300-## and perform a risk analysis on user level.
a) Enter the following information.
User: GRCBIZZ-##
Rule Set: Global
Report Type: Permission Level
Report Format: Executive Summary
b) Choose Execute.
Result
The removal of the single role for payment run from the composite role was performed and the total number of risks for your business user GRCBIZZ-## has decreased.
The real-time capabilities of SAP BusinessObjects Access Control allow you to check the results of your work immediately.
Lesson Summary
You should now be able to:
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP
Lesson: Definition of Process-Related Mitigation Controls
Lesson Overview
This lesson provides an overview of the mitigation function in SAP BusinessObjects
Access Control Risk Analysis and Remediation.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how mitigation controls can support you in reducing access risks in your landscape
• Describe the difference between preventative and detective controls, and implement mitigation controls in SAP BusinessObjects Access Control
• Define alerting as a powerful detective control
Business Example
Due to organizational restrictions, not all risks could be avoided via remediation
activities. As a consequence, you need to find mitigation controls to properly handle
the remaining risks.
SoD Risk Management Process: Mitigation Phase
The purpose of the mitigation phase is to determine what mitigation controls are needed for those duties that cannot be segregated.
Figure 40: Mitigation Phase of SoD Risk Management Process
Mitigation Controls when Remediation Fails
Mitigation controls are required when it is not possible to segregate duties within the business process. For example, in a small office, one person has to take over two roles within the business process, which causes an SoD conflict that cannot be removed.
• Examples of mitigation controls:
  – Release strategies and authorization limits
  – Review of user logs
  – Review of exception reports
  – Detailed variance analysis
  – Insurance to cover the impact of a security incident
Types of Mitigation Controls
There are two types of mitigation controls:
• Preventative controls
  – Minimize the likelihood or impact of a risk before it actually occurs.
• Detective controls
  – Alert when a risk takes place and enable the responsible person to initiate corrective measures.
Figure 41: Types of Mitigation Controls
Mitigation Controls: Leading Practices
Best practices include:
• Segregate creation and approval from assignment.
• Use mitigation as a last resort.
  – Exceptions left over from remediation efforts that have legitimate business reasons to not use SoD controls.
• Controls can be preventative or detective.
Setting Up Mitigation Controls: Overview
Required steps:
• Naming convention for controls
• Definition: Who / what / how often / why (control objective)
• Approval: The person who is responsible for approving setup of mitigation controls, for example, the Sarbanes-Oxley Act team
• Monitors: The person who is in charge of performing the mitigation control
• Assignment to roles
• Assignment to users
Setting Up Mitigation Controls
Definition of responsibilities:
• Define administrators and select the applicable role.
  – Approver
    - Approve the control and identify appropriate mitigation monitors.
    - Ensure monitors are executing applicable controls within the period frequency stated in a mitigation control.
  – Monitor
    - Perform the actions identified in the control to monitor users and identify inappropriate actions.
  – Risk owner
    - Responsible for monitoring the use of actions and permissions associated with a risk
• Create business units and assign monitors to each.
Control creation:
• Specify control ID.
  – Sample naming convention:
    - Character 1 – Business area designation
    - Character 2 – User or role group letter
    - Characters 3 to 10 – Sequential number
• Enter description.
  – Definition: Who / what / how often / why (control objective)
• Assign business unit.
• Assign approver from available approvers for the entered business unit.
• Assign associated risk IDs as preselection.
Document control monitoring:
• Assign one or more monitors.
• Assign one or more mitigation reports (optional).
  – Select the system from which you will run the reports.
  – Enter the associated action.
  – Assign a monitor to each report.
  – The frequency must be established in number of days, for example, enter 30 for monthly reports.
Alerts: Overview
Alerts are used for the following scenarios:
• As a temporary mitigation control
• To display users accessing multiple conflicting actions
• To display users accessing critical actions
• To ensure effectiveness of mitigation control by showing delays in starting mitigation reports
Alert Setup
Enablement and scheduling:
• Enter an application server location to store executed action information:
  – Choose Configuration → Miscellaneous.
• Schedule background jobs for alert generation:
  – Action log
  – Conflicting action
  – Critical action
  – Mitigation monitoring
• Schedule background jobs for alert notification:
  – The risk owner assigned to the associated risk is notified by e-mail (maintained in the Mitigation tab)
  – Monitors can also review the list of alerts through the Alert module
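The three alert generation jobs listed above, run over a constructed action log as an added example (Python written for this page, not SAP's alert jobs and not part of the handbook). The log line format (user;transaction;date), the 30-day timeframe within which two conflicting actions count as one alert, the critical transaction list and the control definitions are assumptions made for the illustration; the mitigation-monitoring rule is the one the lesson describes, namely a mitigation report that the monitor did not execute within the control's frequency in days.

```python
"""Alert generation over a constructed action log: conflicting-action,
critical-action and mitigation-monitoring alerts. Example code, not the
product's alert jobs; timeframe and log format are assumptions."""
from collections import defaultdict
from datetime import date, timedelta

RISKS = {"P002": {"functions": ({"XK01", "XK02"}, {"F110"}),
                  "owner": "risk.owner@example.com"}}
CRITICAL_ACTIONS = {"SU01", "SE16"}           # illustrative critical transactions
CONTROLS = {                                  # control -> monitor, report, frequency
    "MCVEN01": {"monitor": "01-MONITOR", "action": "S_ALR_87012090", "frequency_days": 7},
    "MCVEN02": {"monitor": "02-MONITOR", "action": "S_ALR_87012090", "frequency_days": 30},
}
# Constructed action log lines: user;transaction;date executed
ACTION_LOG = """GRCBIZZ-01;XK02;2010-03-01
GRCBIZZ-01;F110;2010-03-03
GRCBIZZ-02;F110;2010-03-03
GRCBIZZ-03;SU01;2010-03-04
01-MONITOR;S_ALR_87012090;2010-02-20""".splitlines()


def parse_log(lines):
    """Turn 'user;transaction;YYYY-MM-DD' lines into (user, tcode, date)."""
    out = []
    for line in lines:
        user, tcode, day = line.strip().split(";")
        out.append((user, tcode, date.fromisoformat(day)))
    return out


def conflicting_action_alerts(log, risks, window_days=30):
    """One alert per user and risk when the user executed an action from
    every function of the risk, all within `window_days` of each other."""
    by_user = defaultdict(list)
    for user, tcode, day in log:
        by_user[user].append((tcode, day))
    alerts = []
    for user, entries in sorted(by_user.items()):
        for risk_id, risk in risks.items():
            latest = []                      # most recent execution per function
            for func in risk["functions"]:
                days = [d for t, d in entries if t in func]
                if not days:
                    break                    # one function never exercised
                latest.append(max(days))
            if len(latest) == len(risk["functions"]) \
                    and (max(latest) - min(latest)).days <= window_days:
                executed = sorted({t for t, _ in entries
                                   if any(t in f for f in risk["functions"])})
                alerts.append({"user": user, "risk": risk_id,
                               "notify": risk["owner"], "executed": executed})
    return alerts


def critical_action_alerts(log, critical=CRITICAL_ACTIONS):
    """Every execution of a critical transaction is an alert."""
    return [(user, tcode, day) for user, tcode, day in log if tcode in critical]


def mitigation_monitoring_alerts(log, controls, as_of):
    """Flag controls whose monitor has not run the mitigation report within
    the control's frequency; days_overdue is None when it never ran."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    alerts = []
    for control_id, ctl in controls.items():
        runs = [d for u, t, d in log if u == ctl["monitor"] and t == ctl["action"]]
        last = max(runs) if runs else None
        due = last + timedelta(days=ctl["frequency_days"]) if last else None
        if due is None or as_of > due:
            alerts.append({"control": control_id, "monitor": ctl["monitor"],
                           "last_run": last,
                           "days_overdue": (as_of - due).days if due else None})
    return alerts
```

Because the same log holds the monitor's own executions of S_ALR_87012090, one data source feeds both the detective alert on business users and the check that the detective control itself is being performed; a control that was never executed is reported separately from one that is merely late, since the two need different follow-up.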
Exercise 7: Definition of Risk-Related Mitigation Controls
Exercise Objectives
After completing this exercise, you will be able to:
• Create control responsibilities (monitor and approver)
• Define mitigation controls within SAP BusinessObjects Access Control
• Mitigate a composite role and check the result of the mitigation
Business Example
Due to organizational restrictions, not all risks could be avoided via remediation
activities. As a consequence, you need to find the proper way to handle the remaining
risks via mitigation controls. Before the implementation of a mitigation control can
be performed, you need to create a responsible approver and monitor, as well as a
business unit as a container for the controls, in SAP BusinessObjects Access Control.
Furthermore, all responsible approvers and monitors need to be pre-assigned to a
business user to simplify the process of finding the right persons when creating
a control.
Task 1:
Create an approver for the new mitigation control.
1. Create an approver for the new mitigation control.
2. Create a monitor for the new mitigation control.
3. Define a business unit as container for the mitigation controls.
Task 2:
SAP offers a dual-control principle to protect sensitive fields in the vendor master
record from direct manipulations performed by one user. This preventative mitigation
control can be used to mitigate the risk of fraudulent manipulation of bank accounts.
After the security measure is activated in customizing by the IT department, the
mitigation control needs to be implemented in SAP BusinessObjects Access Control.
1. Implement the mitigation control in SAP BusinessObjects Access Control.
2. After the security measure is activated in customizing by the IT department, implement the mitigation control in SAP BusinessObjects Access Control.
3. Check the assignment of the mitigation control by performing a new risk analysis on GRC300-CR_PURCHASE_TO_PAY-##.
Solution 7: Definition of Risk-Related Mitigation Controls
Task 1:
Create an approver for the new mitigation control.
1. Create an approver for the new mitigation control.
a) Log on to SAP BusinessObjects Access Control with user GRC300-##.
b) Select the Mitigation tab and choose Administrators → Create.
c) Enter the following information.
Administrator ID: ##-Approver
Full Name: Approved Approver ##
Email: Enter a fictitious mail address
Role: Approver
2. Create a monitor for the new mitigation control.
a) Log on to SAP BusinessObjects Access Control.
b) Select the Mitigation tab and choose Administrators → Create.
c) Enter the following information.
Administrator ID: ##-Monitor
Full Name: Watching Monitor ##
Email: Enter a fictitious mail address
Role: Monitor
3. Define a business unit as container for the mitigation controls.
a) Log on to SAP BusinessObjects Access Control.
b) Select the Mitigation tab and choose Business Units → Create.
c) Enter the following information.
Business Unit ID: PP##
Description: ## Purchase-to-Pay
Approver ID: Enter the approver ID that you created in the previous step
Monitor ID: Enter the monitor ID that you created in the previous step
Task 2:
SAP offers a dual-control principle to protect sensitive fields in the vendor master
record from direct manipulations performed by one user. This preventative mitigation
control can be used to mitigate the risk of fraudulent manipulation of bank accounts.
After the security measure is activated in customizing by the IT department, the
mitigation control needs to be implemented in SAP BusinessObjects Access Control.
1.
Implement the mitigation control in SAP BusinessObjects Access Control.
a)
Log on to SAP BusinessObjects Access Control.
b)
Select the Mitigation tab and choose Mitigation Controls → Create.
c)
Mitigation Control ID: MCVEN##
To ensure the effectiveness of the control, the monitor needs to check
the critical vendor on a weekly basis to investigate the result of
S_ALR_87012090 (Display / Confirm critical vendor changes).
d)
Description: A vendor master data field marked in customizing table
T055F as sensitive can only be changed after it is confirmed by a second
party. Before approval takes place, a payment run block is activated
for that account, and the confirmation status “To be confirmed” is set.
Consequently, the likelihood of fraudulent manipulation is lower because
an extra confirmation is required.
e)
Business Unit: Purchase-to-Pay
Management Approver: ##-Approver
Risk ID: Choose all risks ##NN that you built in the exercise Rule Building and
Validation that contain “vendor master data maintenance” as one of the
conflicting functions
Monitor ID: ##-Monitor
System: Select the appropriate system
Action: S_ALR_87012090
Frequency: To run the report once a week (every seven days), enter 7.
2.
After the security measure is activated in customizing by the IT department,
implement the mitigation control in SAP BusinessObjects Access Control.
a)
Select the Informer tab and choose Risk Analysis → Role Level. Enter the
following data.
Role: GRC300-CR_PURCHASE_TO_PAY-##
Rule Set: Global
Report Type: Permission Level
Report Format: Management Summary
b)
In the resulting report, select the risk you want to mitigate with the control
and choose Execute.
Hint: It should contain “vendor master data maintenance” as one
of the conflicting functions. To see more details, toggle to the
Summary report.
c)
Select the risk description and select Mitigate the Risk in the Options area.
d)
Choose Continue. In the Risk Mitigation screen, enter the following data.
Mitigation Control: MCVEN##
Monitor ID: ##-Monitor
Status: Enable
e)
Check if the role name and the risk ID are correct.
f)
Choose Save.
Result: The mitigation control is now assigned to risks.
3.
Check the assignment of the mitigation control by performing a new risk analysis
on GRC300-CR_PURCHASE_TO_PAY-##.
a)
Select the Informer tab and choose Risk Analysis.
b)
Enter the following data.
Role Level
Role: GRC300-CR_PURCHASE_TO_PAY-##
Rule Set: Global
Report Type: Permission Level
Report Format: Management Summary
c)
Choose More Options.
d)
Set Exclude Mitigated Risks to YES to make the mitigated risks invisible
in the result screen of the analysis.
e)
Choose Execute.
In the results screen, all mitigated risks have vanished and the composite
role is much cleaner than before our remediation and mitigation activities
started.
Lesson Summary
You should now be able to:
•
Explain how mitigation controls can support you in reducing access risks in
your landscape
•
Describe the difference between preventative and detective controls, and
implement mitigation controls in SAP BusinessObjects Access Control
•
Define alerting as a powerful detective control
Lesson: Risk Analysis and Remediation Reporting
Lesson Overview
This lesson will cover some new reports in SAP BusinessObjects Access Control
Risk Analysis and Remediation.
Lesson Objectives
After completing this lesson, you will be able to:
• Locate and view the Action Usage by Users report
• Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report
Business Example
You are asked to use the reporting functionalities within SAP BusinessObjects
Access Control to identify possibilities to accelerate the decision-making and cleanup
processes in the Remediation phase. Your first task is to find out how often critical
transactions included in standard roles are actually used by the business users. You
next have to investigate the validity of your mitigation controls in the system. Finally,
it is important to identify and remediate hidden risks in the custom programs resulting
from "call transaction" statements.
Action Usage by User Report
The Action Usage by User report is useful during remediation. Situations where
users have risks that are the result of rarely used transactions are often “easy wins”
in a remediation effort, allowing you to remove or substitute roles with little or no
impact on operations.
This report is produced based on transaction usage information that is obtained from
the back-end system via the Alert Generation function. The accuracy of the report
depends on that function being executed on a regular basis.
The report is accessible by choosing Informer → Security Reports → Miscellaneous.
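The following Python script is an added illustration of the remediation logic this report supports; it is example code written for this edit, not SAP's implementation of the report. It joins constructed role, user, SoD-rule and transaction-usage data and lists, per user and risk, the conflicting action that was executed at most a threshold number of times, together with the roles that grant it. All users, roles, risk IDs and counts are constructed sample values; the transaction codes are standard SAP codes used only as labels.

```python
from collections import defaultdict

# Constructed sample data (not course data). ROLE_ACTIONS maps a role to the
# transactions it grants, USER_ROLES maps a user to the roles assigned, SOD_RULES
# maps a risk ID to a pair of conflicting actions, and USAGE holds one record per
# (user, action) from a transaction-usage collection run.
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"FK01", "F110", "MIRO"},
    "Z_PURCHASER": {"ME21N", "ME29N"},
}
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_PURCHASER"},
    "AWONG": {"Z_AP_CLERK"},
}
SOD_RULES = {
    "P001": ("FK01", "F110"),   # maintain vendor master and run payment program
    "P002": ("ME21N", "MIRO"),  # create purchase order and post invoice
}
USAGE = [
    # (user, action, number of executions in the reporting window)
    ("JSMITH", "FK01", 120),
    ("JSMITH", "F110", 0),
    ("JSMITH", "ME21N", 45),
    ("JSMITH", "MIRO", 2),
    ("AWONG", "FK01", 15),
    ("AWONG", "F110", 30),
]


def user_actions(user):
    """All actions a user can execute through the assigned roles."""
    actions = set()
    for role in USER_ROLES.get(user, ()):
        actions |= ROLE_ACTIONS.get(role, set())
    return actions


def user_violations(user):
    """Risk IDs for which the user holds both conflicting actions."""
    actions = user_actions(user)
    return sorted(risk for risk, (a, b) in SOD_RULES.items()
                  if a in actions and b in actions)


def usage_index(records):
    """Aggregate usage records into {(user, action): count}."""
    index = defaultdict(int)
    for user, action, count in records:
        index[(user, action)] += count
    return index


def roles_granting(user, action):
    """Roles of the user that grant the action (candidates to remove or substitute)."""
    return sorted(role for role in USER_ROLES.get(user, ())
                  if action in ROLE_ACTIONS.get(role, ()))


def easy_wins(records, threshold=0):
    """Violations where one conflicting action was used at most `threshold` times.

    An action without any usage record counts as unused, so the result is only
    as good as the usage collection it is based on: if collection has not run
    for a while, every action looks like an easy win.
    """
    index = usage_index(records)
    wins = []
    for user in sorted(USER_ROLES):
        for risk in user_violations(user):
            for action in SOD_RULES[risk]:
                if index.get((user, action), 0) <= threshold:
                    wins.append((user, risk, action, roles_granting(user, action)))
    return wins


if __name__ == "__main__":
    for user, risk, action, roles in easy_wins(USAGE):
        print(f"{user}: risk {risk} via unused action {action}, granted by {roles}")
```

With the sample data, JSMITH's risk P001 is an easy win because F110 was never executed, while AWONG uses both actions of the same risk and therefore needs a real remediation or a mitigation control. The docstring of `easy_wins` carries the report's caveat: an unused action and an action whose usage was never collected look the same, which is why the collection job has to run regularly.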
Invalid Mitigation Controls
The Invalid Mitigation Controls report is available from both the user and
role-risk-analysis features within the Informer tab.
When this new report type is selected, a validity date field appears, which defaults
to the current date.
A given role or user appears if any of the following conditions exist:
• The validity date is not within the range associated with the mitigating control
assignment.
• The user account has expired or has been deleted.
• The role has been deleted.
• The user or role no longer contains the risk.
You can find the Invalid Mitigation Controls report by choosing Informer → Risk
Analysis → Role Level or Informer → Risk Analysis → User Level, with
Report Type = Invalid Mitigating Controls.
SoD Violations from Custom Programs
The SoD Violations from Custom Programs report is useful when customizing a
rule set. Often, clients will build custom “Z” transactions that contain calls to SAP
transactions. If those SAP transactions are critical or are SoD-relevant, the “Z”
transaction may need to be included in the rule set. The report can also be executed
against standard programs.
There are two report types:
• Any critical action in any program
• Conflicting actions in one program
Each report type is available in both a Summary and a Detail version. You can select
the desired report type on the selection criteria screen, and when a report is displayed
you can switch to the alternate version by choosing the Summary or Detail buttons.
You can access this report by choosing Informer → Audit Reports → Miscellaneous.
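As an added example of what the two report types look for (example code written for this edit, not the SAP report itself), the Python below scans constructed ABAP sources for `CALL TRANSACTION` statements, produces the "any critical action in any program" and "conflicting actions in one program" detail rows with a per-program summary, and separately flags dynamic calls whose transaction code is held in a variable and so cannot be resolved by a static scan. The program names, source text, critical-action list and rule pairs are constructed; the transaction codes are standard SAP codes used only as labels.

```python
import re

# Static calls carry the transaction code as a literal; dynamic calls pass a
# variable, which a static scan cannot resolve and must flag for manual review.
STATIC_CALL = re.compile(r"\bCALL\s+TRANSACTION\s+'([A-Za-z0-9_/]+)'", re.IGNORECASE)
DYNAMIC_CALL = re.compile(r"\bCALL\s+TRANSACTION\s+([A-Za-z0-9_\-]+)", re.IGNORECASE)

# Constructed ABAP sources (not course material). Program names and code are
# sample values; FK01, F110, ME21N, MIRO and SU01 are standard transaction codes.
PROGRAMS = {
    "ZFI_VENDOR_PAY": """
REPORT zfi_vendor_pay.
* wrapper that maintains the vendor and then starts the payment program
CALL TRANSACTION 'FK01' AND SKIP FIRST SCREEN.
CALL TRANSACTION 'F110'.
""",
    "ZMM_PO_HELPER": """
REPORT zmm_po_helper.
CALL TRANSACTION 'ME21N'.
" CALL TRANSACTION 'MIRO'.  commented out, must not be counted
""",
    "ZBC_UTIL": """
REPORT zbc_util.
DATA lv_tcode TYPE sy-tcode.
lv_tcode = 'SU01'.
CALL TRANSACTION lv_tcode.
""",
}
CRITICAL_ACTIONS = {"SU01", "F110"}            # constructed critical-action list
SOD_RULES = {"P001": ("FK01", "F110"),         # constructed conflicting pairs
             "P002": ("ME21N", "MIRO")}


def extract_calls(source):
    """Return ([(line, tcode)], [(line, variable)]) for static and dynamic calls."""
    static, dynamic = [], []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split('"', 1)[0]          # drop " comments (ignores " inside literals)
        if line.lstrip().startswith("*"):    # full-line comment
            continue
        static += [(lineno, m.group(1).upper()) for m in STATIC_CALL.finditer(line)]
        dynamic += [(lineno, m.group(1)) for m in DYNAMIC_CALL.finditer(line)]
    return static, dynamic


def critical_actions_report(programs, critical):
    """Report type 1, detail rows: any critical action called in any program."""
    rows = []
    for prog, src in programs.items():
        static, _ = extract_calls(src)
        rows += [(prog, lineno, tcode) for lineno, tcode in static if tcode in critical]
    return rows


def conflicting_actions_report(programs, rules):
    """Report type 2, detail rows: both actions of a rule called in one program."""
    rows = []
    for prog, src in programs.items():
        called = {tcode for _, tcode in extract_calls(src)[0]}
        rows += [(prog, risk, a, b) for risk, (a, b) in rules.items()
                 if a in called and b in called]
    return rows


def summarize(detail_rows):
    """Summary view of either report: number of detail rows per program."""
    counts = {}
    for row in detail_rows:
        counts[row[0]] = counts.get(row[0], 0) + 1
    return counts


def unresolved_calls(programs):
    """Dynamic CALL TRANSACTION statements the scanner cannot classify."""
    return [(prog, lineno, var)
            for prog, src in programs.items()
            for lineno, var in extract_calls(src)[1]]


if __name__ == "__main__":
    print("critical:", critical_actions_report(PROGRAMS, CRITICAL_ACTIONS))
    print("conflicts:", conflicting_actions_report(PROGRAMS, SOD_RULES))
    print("unresolved:", unresolved_calls(PROGRAMS))
```

ZFI_VENDOR_PAY is the case the lesson describes: a single Z program that bundles vendor maintenance and the payment run, so whoever can start it holds both sides of the conflict even if neither FK01 nor F110 is in their roles. ZBC_UTIL shows the limit of this kind of scan: SU01 is reached through a variable, so the program is reported as unresolved rather than as clean, and a rule-set review should treat such programs as requiring a manual look.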
Exercise 8: Remediation-Relevant Reporting
Exercise Objectives
After completing this exercise, you will be able to:
•
Execute and interpret the Action Usage by Users, Invalid Mitigation Controls,
and SoD Violations from Custom Programs reports
Business Example
As one of the main business process experts for the remediation phase, you want to
identify possibilities to improve the remediation results by checking the current
solution setup.
Task 1:
Demonstrate the Action Usage by Users report.
1.
Demonstrate the Action Usage by Users report.
Task 2:
Demonstrate the Invalid Mitigation Controls report.
1.
Demonstrate the Invalid Mitigation Controls report.
Task 3:
Demonstrate the SoD Violations from Custom Programs report.
1.
Demonstrate the SoD Violations from Custom Programs report.
Solution 8: Remediation-Relevant Reporting
Task 1:
Demonstrate the Action Usage by Users report.
1.
Demonstrate the Action Usage by Users report.
a)
Log on to Risk Analysis and Remediation via the SAP BusinessObjects
Access Control launch pad.
b)
Choose Informer → Security Reports → Miscellaneous.
c)
Select the Action Usage by Users report.
d)
In the selection criteria, enter the following data.
System: TRN
Date: Use default
Action: SU01
Report Type: All
e)
Choose Execute.
f)
Look at the results of the search.
Task 2:
Demonstrate the Invalid Mitigation Controls report.
1.
Demonstrate the Invalid Mitigation Controls report.
a)
Log on to Risk Analysis and Remediation via the SAP BusinessObjects
Access Control launch pad.
b)
Choose Informer → Risk Analysis → User Level.
c)
In the selection criteria, enter the following data.
System: TRN
Risk ID: 9901*
Report Type: Invalid Mitigation Controls
d)
Choose Execute. If you see a runtime warning, choose OK.
e)
Look at the results of the report.
Task 3:
Demonstrate the SoD Violations from Custom Programs report.
1.
Demonstrate the SoD Violations from Custom Programs report.
a)
Log on to Risk Analysis and Remediation via the SAP BusinessObjects
Access Control launch pad.
b)
Choose Informer → Audit Reports → Miscellaneous.
Lesson Summary
You should now be able to:
•
Locate and view the Action Usage by Users report
•
Locate and view the Invalid Mitigation Controls report
•
Locate and view the SoD Violations from Custom Programs report
Lesson: Continuous Compliance
Lesson Overview
This lesson discusses SoD management as an ongoing process.
Lesson Objectives
After completing this lesson, you will be able to:
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access
Control
• List additional possibilities for continuous compliance
Business Example
Your organization plans to ensure continuous compliance. In order to achieve a “quick
win”, you want to evaluate Risk Terminator as a possible measure to increase risk
awareness in the role development and user assignment process, as well as to force
better documentation of reasons for activating critical roles inside your SAP system.
Risk Terminator
There are some necessary configuration settings when implementing Risk Terminator.
You need to make these settings before Risk Terminator will work. Start transaction
/n/VIRSA/ZRTCNFG to configure Risk Terminator.
Figure 42: Risk Terminator Configuration
•
Select the CC release to be used. In this scenario, we use Risk Analysis and
Remediation 5.3 to connect to Risk Terminator.
•
RFC destination for release CC5.X. This RFC is required so that Risk Terminator
can run a risk analysis when a role is developed or a user's master record is
modified.
•
PFCG Plugin (Yes/No). If you set this parameter to Yes, it will analyze changes
that occur through PFCG, such as new roles that are created and roles that are
modified.
•
PFCG user assignment Plug-in (Yes/No). With this setting set to Yes, if you make
a user assignment through PFCG, Risk Terminator will analyze the user's access
with the new role assigned and determine if there are any new risks involved.
•
SU01 Role assignment (Yes/No). If this is set to Yes, Risk Terminator will
analyze role assignment through SU01 and determine if there are any new SoD
violations generated from that change.
•
SU10 Multiple-user Role assignment Plug-in (Yes/No). If this is set to Yes when
you make changes under SU10, Risk Terminator will analyze those changes.
This is also helpful because mass changes through SU10 could produce SoD
conflicts with users through mass maintenance changes.
•
Stop generation if violations exist. This setting will stop any role generation if
there are risks generated by any change or transaction codes that are introduced
to the role.
Caution: When activating stop generation, be mindful of the system (QA,
DEV, or PROD) on which it should be activated. If it is activated for all, it can impact
the security team's response time when changing roles or creating new
roles.
•
Comments are required in case of violations. If this is set to Yes, a Comments
screen will appear if there are SoD violations during the risk analysis of a new
role, or a role change.
•
Send notification in case of violations
Lesson Summary
You should now be able to:
•
Discuss SoD management as an ongoing process
•
Explain how the Risk Terminator can support continuous compliance
•
List the steps to activate Risk Terminator within SAP BusinessObjects Access
Control
•
List additional possibilities for continuous compliance
Unit Summary
You should now be able to:
•
List the required steps after installation of SAP BusinessObjects Access Control
Risk Analysis and Remediation
•
Explain how to connect Risk Analysis and Remediation to a back-end system
•
Explain the possibility of exporting and importing configuration settings in order
to perform transports from development to production
•
List the main process in identifying and resolving SoD issues
•
Describe the people involved in the process and their responsibilities
•
Name each step of the process and explain the required activities in each phase
•
Explain the key terminology related to risks within SAP BusinessObjects Access
Control
•
Create and maintain functions and risk, build the resulting rules, and explain the
concept of organizational rules
•
Discuss what is delivered in the delivered rule set
•
List the systems for which a rule set is provided
•
View or locate function change history
•
View or locate risk change history
•
Compare rule sets
•
Define the relevant management views
•
Run a risk analysis at role level
•
Run a risk analysis at user level
•
List the relevant report types
•
Explain the use of different report formats
•
Schedule a risk analysis as a background job
•
Perform simulations based on roles and users
•
Explain the best approach for risk remediation and system cleanup
•
Simulate cleanup activities in SAP BusinessObjects Access Control
•
Perform cleanup activities in SAP ERP
•
Explain how mitigation controls can support you in reducing access risks in
your landscape
•
Describe the difference between preventative and detective controls, and
implement mitigation controls in SAP BusinessObjects Access Control
•
Define alerting as a powerful detective control
•
Locate and view the Action Usage by Users report
•
Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access
Control
• List additional possibilities for continuous compliance
Unit 3
Compliant User Provisioning Overview
Unit Overview
Regular compliance checks and special measures are necessary to “stay clean”
after the segregation of duties (SoD) project is complete. Consequently, your
organization is interested in evaluating how the workflow and the functionalities
Superuser Privilege Management, Enterprise Role Management, and Compliant User
Provisioning can be used as preventative measures to support this phase. This Unit
will give an overview of the post installation steps, configuration, and setting up of
workflows to support this preventative compliance phase.
Unit Objectives
After completing this unit, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control
Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to perform
transports from development to production
• Explain the workflow basics: initiator, stage, path, approver determinator
• Explain stage customizing options
• Name other areas for which the workflow functionality of SAP BusinessObjects
Access Control can be used: risk maintenance, control maintenance, mitigation
activities, user maintenance, role maintenance, and requesting superuser access
• Use the workflow functionality to ensure a comprehensive and compliant change
management process for risk and control maintenance
• Describe the required configuration steps and the business background of using
this functionality
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review
• Explain the main advantages of Compliant User Provisioning and discuss how it
can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required
approval steps and risk analysis, and the final provisioning in the back-end
system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager
information
• Explain and configure workflow exception handling using escalations, detours,
rerouting, and forwarding
• Configure an advanced user provisioning workflow
Unit Contents
Lesson: Compliant User Provisioning Installation Verification and
Configuration ........................................................................ 129
Lesson: Compliant User Provisioning Functionality ............................ 142
Exercise 9: Multi-stage Workflow with Detour for SoD Violations
Workflow ......................................................................... 149
Lesson: Compliant User Provisioning – Additional Functionality ............. 163
Exercise 10: Workflow-Controlled Risk Maintenance ..................... 169
Lesson: Workflow-Based Reviews ............................................... 173
Lesson: Compliant User Management Life Cycle .............................. 180
Exercise 11: Workflow Creation Workshop (Group Exercise) ............ 187
Lesson: Compliant User Provisioning Installation
Verification and Configuration
Lesson Overview
This lesson discusses installation verification and configuration for compliant user
provisioning.
Lesson Objectives
After completing this lesson, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control
Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to perform
transports from development to production
Business Example
In order to set up a project plan for the implementation of SAP BusinessObjects
Access Control Compliant User Provisioning in your organization, you need to
familiarize yourself with the efforts required for the setup of the solution.
Required Steps for Compliant User Provisioning After
Installation of SAP BusinessObjects Access Control
•
Ensure that all real-time agents (RTAs) have been applied to all
Compliant User Provisioning systems.
There must be RTAs for GRC BusinessObjects Access Control installed on any
system to which Compliant User Provisioning will be provisioning. The RTAs
are installed by the Basis team.
•
Choose the authentication system and ensure that all necessary user accounts
exist.
Choose the Configuration tab, choose Authentication, and then choose System.
This is the system that Compliant User Provisioning will use to authenticate
users. When a user signs in from the Compliant User Provisioning Request for
Access screen, this setting determines where Compliant User Provisioning will
look to validate that user. This is not for Administrator access.
•
Verify that all directories have the correct permissions.
Make sure that all tabs in Compliant User Provisioning are available and all
the options are listed.
Figure 43: Choosing the Authentication System
Uploading Initial Data
Before you begin configuring Compliant User Provisioning, you must import initial
system data. This data is the default system data that is prepackaged with the system.
It is the minimum set of data required for the application to function properly and is
imported directly from the application itself.
Caution: Import initial data only if it was not done during the post-installation
phase of the SAP BusinessObjects Access Control installation process.
You can verify that the initial data was already imported by checking if there are
request types on the main request page for users.
Figure 44: Verification of Upload of Initial Data
Procedure to Upload Initial Data
•
On the Configuration tab, choose Initial System Data. The Initialize DB screen
appears.
•
Choose Browse.
•
Navigate to the directory containing the Compliant User Provisioning installation
files.
•
In the Browse window, double-click the appropriate XML file.
There are three options for import: (1) Insert, (2) Append, and (3) Clean and
Insert. Each delivered initial load file will specify how to load.
•
The files to import are:
AE_init_append_data.xml – Select Append.
AE_init_append_data_ForSODUARReview.xml – Select Append.
AE_init_clean_and_insert_data.xml – Select Clean and Insert.
•
Choose Import.
User Data Source
Use the User Data Source option to increase the scope of SAP back-end systems that
you configured in the Connectors screen. Define the primary source for extracting user
data on the User Data Source screen. Mapping the data source allows Compliant User
Provisioning to search for all users, managers, and approvers. However, keep in mind
that this is not an authorization mechanism to check for existing users and managers.
The data source that you map (such as LDAP, SAPHR, SAP, or SAPUME) also
determines how certain types of data are handled through the assigned protocols and
from specific systems. Therefore, once you select a user data source, you do not need
to perform any additional configuration to map the user ID.
Figure 45: User Data Source
•
Using UME as the user data source:
The SAP UME is the most common data source to find user and approver data
in an enterprise portal environment. UME is also used as a data source by SAP
NetWeaver for other applications that are integrated into the SAP system.
The SAP UME is a central management repository for retrieving SAP user data
through Compliant User Provisioning.
•
Using LDAP as the user data source:
Using LDAP as the user data source is preferable, because LDAP is normally the
first point of entry for users accessing the enterprise system. LDAPs generally
contain as much information about the user as the SAP business system.
If you set the user detail data source to LDAP, the user’s manager listed on the
LDAP record can automatically populate the request during the request creation.
•
Using multiple data sources as the user details data source:
When you select Multiple Datasources, the Multiple Datasources screen appears,
and you can select the systems involved with the search. You can also order
the sequence in which the data sources should be searched. Compliant User
Provisioning searches the systems in the specified order until it finds the user ID
and retrieves the user’s details from that system. For example, all employee user
information can be fetched from SAP HCM. However, part-time and contract
personnel detail information exists in an LDAP system. In this case, you can
configure multiple data sources with SAP HCM and LDAP systems which fetch
detail information for both employees and contractors.
Integrating Compliant User Provisioning and Risk
Analysis and Remediation with Web Service Calls
You integrate Compliant User Provisioning with Risk Analysis and Remediation
to enable risk analysis, mitigation, transaction usage, and other Risk Analysis and
Remediation functions.
To integrate Compliant User Provisioning for risk analysis and mitigation, follow
the steps below.
Figure 46: Web Services for Risk Analysis
Integrating Risk Analysis and Remediation
•
Retrieve the URL for Risk Analysis Web service configuration.
a. From the SAP NetWeaver Web Application Server start page, choose Web
Service Navigator.
b. Expand VirsaCCRiskAnalysisService Web service.
c. Choose Document.
d. Right click on the URL address under the WSDL heading to copy as a shortcut.
•
Choose Compliant User Provisioning, choose the Configuration tab, and choose
Risk Analysis.
•
In the Select Analysis and Remediation Version pane, choose 5.3 Web Service
from the Version menu.
•
In the URL field, enter the risk analysis URL. You can paste in the copied
shortcut you obtained in the first step.
•
Enter a User Name and a Password.
Note: This user must have the Admin role for Risk Analysis and
Remediation.
•
Choose Save.
Connecting Compliant User Provisioning to a Back-End
System
After installing Compliant User Provisioning, you must configure the interactions
with the appropriate back-end systems via connectors. This is essential to provision
approved users to the back-end systems. Compliant User Provisioning supports
several connector types for back-end systems.
Connectors facilitate the transfer of data between Compliant User Provisioning and
SAP systems, non-SAP systems, SAP Enterprise Portal, LDAP, and other systems.
By configuring the connectors, you specify how Compliant User Provisioning
communicates with these back-end systems.
Compliant User Provisioning supports multiple data sources where you can define
data sources, including their sequence order for extracting data. The supported
multiple data sources include the following system types:
• SAP
• SAPHR
• LDAP
• JDE (JD Edwards)
• SAPEP (SAP Enterprise Portal)
• ORAAPPS (Oracle Applications)
• PEOPLESOFT
For multiple LDAPs, Compliant User Provisioning supports:
• Microsoft Active Directory
• Sun Microsystems SunOne
• Novell E-Directory
• IBM Tivoli
• Any other LDAP supported in SAP NetWeaver
Unit 3: Compliant User Provisioning Overview
GRC300
Defining Connectors for SAP
Figure 47: Connecting to an SAP System
To define connectors for SAP systems:
• Choose Compliant User Provisioning, select the Configuration tab, and choose
Connectors → Create Connectors.
• In the Connector Type menu, choose SAP.
Note: Any field name denoted with an asterisk (*) is required.
•
In the Name field, enter a name for the connector.
Note: The connector names are important when integrating with other
Access Control Components and Central User Administration (CUA).
Make sure that the connector name for SAP BusinessObjects Access
Control is the same as the one configured for CUA.
• In the Short Description field, enter a brief description of the connector.
• In the Description field, enter a long-text description of the connector.
• In the Application field, enter the name of the application or application server.
• In the Application Server Host field, enter the host name of the application server.
• In the System Number field, enter the SAP system number (as shown in the SAP
logon entry for the system).
• In the Client field, enter the SAP client number.
• In the User ID field, enter the user ID you are configuring to have access to
the back-end system.
Note: The user ID must have the security access to perform the tasks
required. If provisioning is configured for this connector, this user ID
must have authorization access to maintain users in the SAP system. If
provisioning is configured, this user ID appears on each change record
on the SU01 user master record.
• In the Password field, enter the specified password for the SAP user ID.
• In the System Language field, enter the language for the system.
• In the Message Server Name field, enter the name of the message server, which
is used for load balancing of your SAP clustered environment.
• In the Message Server Group field, enter the logon group name to which the
message server belongs.
• In the Message Server Host field, enter the host name of your message server.
• In the SAP Version menu, select the appropriate SAP version. Compliant User
Provisioning supports SAP 4.6C, SAP 4.7, and SAP ECC 6.0.
• Select the SLD Connector checkbox to enable the Standard Landscape Directory.
• In the Connector Category menu, select the category to which the connector
belongs. Possible values are Production, Non-Production, or Other. This
selection is used to classify the servers into categories on the access request
forms.
• In the Role menu, select whether or not role information comes from Enterprise
Role Management or the SAP back end.
• Choose Create.
• Choose Test Connection to ensure that the connection is valid.
Note: Executing this test verifies that the information on the connector
is valid and initial communications can be established. It also verifies
the user ID and password. This test, however, does not verify that the
correct RTAs are installed on this connector.
Exporting and Importing Configuration Settings
Compliant User Provisioning now supports the export and import of configuration
settings. This is not a transport mechanism to move changes from the development
system to production, but can be used to create a production system for the first time
by making a copy of the development system.
Figure 48: Export Settings
Items that can be exported or imported:
• Initial Data
• Connectors
• Roles
• Workflow Configuration
• User Defaults
• HR Triggers
Lesson: Compliant User Provisioning Installation Verification and Configuration
Lesson Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to build a production system from a copy of the development system (this is not a transport mechanism for moving individual changes from development to production)
Lesson: Compliant User Provisioning Functionality
Lesson Overview
This lesson explains the basic workflow options, customizing of a stage, and additional workflow functionality of SAP BusinessObjects Access Control Compliant User Provisioning.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the workflow basics: initiator, stage, path, approver determinator
• Explain stage customizing options
• Name other areas for which the workflow functionality of SAP BusinessObjects Access Control can be used: risk maintenance, control maintenance, mitigation activities, user maintenance, role maintenance, and requesting superuser access
Business Example
Your organization wants to make sure that all changes to users are compliant with
the current rule set and are approved by a dedicated owner. For that reason, you
need to implement this control before the go live takes place. Furthermore, you are
responsible for evaluating other areas of the workflow functionality that can help to
support continuous compliance.
Workflow in Compliant User Provisioning
Compliant User Provisioning is an automated end-to-end user request, approval, and
compliant provisioning solution that is Web-based and workflow configurable with
proactive SoD compliance checking.
Figure 49: How Does It Work?
Components of a Workflow
A workflow in Compliant User Provisioning is made up of three basic components:
the initiator, the stage, and the path.
Figure 50: Workflow Overview
Every workflow is started by exactly one initiator, which is determined from the attributes of the request. The following figure shows an example of a three-stage workflow.
Figure 51: Workflow Example
Approver Determinator for a Stage
The primary purpose of any stage is to pass a request to an approver. When you define a stage, you specify who must approve or deny a request when it reaches that stage. The approver determinator is the rule that identifies the approver(s) of the stage. You can choose from several approver determinators on any stage; these are all delivered as standard with Compliant User Provisioning.
Figure 52: Approver Determinator Options
Stage Customizing Options
There are various optional configurations you can add to a stage to specify notifications, require risk analysis, and manage security. When you configure a stage, you determine which options apply.
There are three configuration areas:
• Notification Configuration
• Additional Configuration
• Additional Security Configuration (Approval Reaffirm)
Note: If the user, requestor, and approver are the same person, that person receives multiple e-mail notifications. When notifications go to both the user and the requestor and the user is the requestor, the system sends two e-mails; likewise, if the requestor and the manager are the same user, that person receives two e-mails.
Notification Configuration
The Notification Configuration screen configures e-mail notifications for a stage to determine whether and to whom the system sends notifications about the actions taken at this stage. There are four possible actions:
1. Approved: The system sends the e-mail notification configured on the Approved tab when the approver approves the request.
2. Rejected: The system sends the e-mail notification configured on the Rejected tab when the approver rejects or denies the request.
3. Escalation: The system sends the e-mail notification configured on the Escalation tab when the approver fails to respond to the request within the allotted wait time and an escalation has occurred.
4. Next Approver: The system sends the e-mail notification to the approver(s) of the stage when the request enters this stage. The next approver is the approver of the current stage.
Additional Configuration
The Additional Configuration screen refines the behavior of a stage. The options available depend on the workflow type you select when you initially define your stage.
Decide what functions you need, and select the appropriate option from each drop-down list. Several of these settings work in conjunction with each other. When you make a selection, all further options are based on that selection: some fields become available and others become unavailable.
• Risk Analysis Mandatory: Select Yes or No to determine whether the approver is required to perform a risk analysis before approving the request.
• Change Request Content: An approver has the authority to change the content of the request.
  – If set to Yes, the Add Roles field becomes available for selection. Select Yes or No to allow roles to be added during this stage.
  – If Add Roles is set to Yes, the Path Evaluation For New Roles field becomes available for selection. This setting determines how the roles are evaluated to see if they are on the correct path (this is necessary only if you configure your initiators by roles). All Roles in Evaluation Path: all roles are re-evaluated against the initiators. New Roles Only: only the newly added roles are analyzed against the initiators to determine whether another parallel workflow must be created for them.
  – If the Change Request Content configuration option is set to Yes but Add Roles is set to No, the approver can remove roles from the request but not add additional roles.
  – If the Change Request Content configuration option is set to No, the approver cannot change the roles on the request. They cannot reject or remove roles, nor can they add additional roles to the request.
• Approval Level: The approver has the authority to approve the request at the Request, Role, or System and Role levels.
• Reject Level: The approver has the authority to reject the request at the Request, Role, or System and Role levels.
• Approval Type: Select whether any one approver can approve at this stage, or whether all approvers must approve at this stage, for the request to move on to the next stage.
• Email Group: This feature is no longer used. It remains on the screen for backward compatibility.
• Comments Mandatory: Select whether the approver is required to enter comments when approving or rejecting the request. If you set this option to Yes, checkboxes appear that let you specify when comments are required (on approvals, on request rejections, or both).
• Request Rejection: If you set this option to Yes, the approver is allowed to reject the entire request. The Reject button appears next to the Approve button, so the approver can reject the entire request without individually rejecting each role. If No, the approver can reject roles on the request but cannot reject the entire request.
• Re-Route: The approver has the authority to re-route the request to a previous stage as an alternative to rejecting the request entirely. Re-routing does not apply if the approver chooses to approve the request.
• Confirm Approval: The approver must answer an additional question to confirm the approval action.
• Confirm Rejection: The approver must answer an additional question to confirm the rejection action.
• Reject by Email and Approve by Email: The approver can reject or approve the request by e-mail. If you set either option to Yes, the e-mail notification for this stage (stating that a request is waiting for action) carries up to two additional links: Approve Request if Approve by Email is set to Yes, and Reject Request if Reject by Email is set to Yes. These links transfer the approver to Compliant User Provisioning; the approver must still be the valid approver for this stage of the request and must enter his or her user ID and password. Neither option is available if actions are required at the stage, for example, if risk analysis or comments are mandatory.
• Forward: The approver has the authority to forward the request to someone else for approval.
• Forward Type: If you select the Forward option, you can specify whether any one of the approvers to whom the request is forwarded can approve and the request can continue (Any One Approver), or whether all approvers listed on the forward are required to approve before the request can continue (All Approvals).
• Approve Request Despite Risks: If you set this option to Yes, the approver is allowed to approve this stage even if there are SoD violations that have not been mitigated. If you set this option to No, the approver at this stage must remediate (remove) or mitigate the violation before he or she can approve the request. The approver is required to enter comments when approving or denying the request.
Additional Security Configuration
The Additional Security Configuration screen specifies whether the approver needs to confirm his or her identity to take an action at this stage. Approvers confirm their identities (reaffirm their decisions) by entering their password at a prompt when they take an action. The actions that can be configured to require reaffirmation are:
• Approve
• Reject
• Create User
Other Areas of Workflow Functionality
SAP BusinessObjects Access Control Compliant User Provisioning can be used for:
• Risk maintenance
• Control maintenance
• Mitigation activities
• User maintenance
• Role maintenance
• Requesting superuser access
Exercise 9: Multi-stage Workflow with Detour for SoD Violations
Exercise Objectives
After completing this exercise, you will be able to:
• Set up a multi-stage workflow with a detour for SoD violations, run an SoD check, then auto-provision to an SAP system
• Verify that the change to the user was auto-provisioned
Business Example
You are responsible for evaluating the implementation of the compliant workflow change management process.
Task:
Set up a three-stage workflow to make a change to a user, run an SoD check, then have the change auto-provisioned to an SAP system.
1. Log on to the back-end system assigned by your instructor, into client TBD with your user ID, and create the following roles:
   a. Z_##_FB50, and assign transaction FB50 with full authorizations. Description: Post Journal Entry
   b. Z_##_OB52, and assign transaction OB52 with full authorizations. Description: Open and Close Accounting Period
2. Log on to SAP BusinessObjects Access Control Compliant User Provisioning through http://servername:5<instancenumber>00/webdynpro/dispatcher/sap.com/grc~acappcomp/AC.
3. Choose Configuration → Roles → Import Roles and import the roles you created, using the Selected Roles option.
   Role Source: Back End
   Selected Roles: Z_##_FB50, Z_##_OB52
4. Log on to the UME using your user ID and create the following users in the UME:
   a. Manager<XX>
   b. RoleOwner<XX>
   c. Security<XX>
   d. Sox<XX>
5. Log on to SAP BusinessObjects Access Control Compliant User Provisioning through http://servername:5<instancenumber>00/webdynpro/dispatcher/sap.com/grc~acappcomp/AC.
6. Choose Configuration → Roles → Attributes and create a functional area.
   a. Name: ##FI
   b. Short Description: ##FI
   c. Description: ##FI Functional Area
7. Choose Configuration → Roles → Role Search and select the roles imported into Compliant User Provisioning in Step 3 above. Verify/assign the following:
   a. Z_##_FB50: Business Process Finance; Critical Level High; Role Approver tab RoleOwner<XX>
   b. Z_##_OB52: Business Process Finance; Critical Level High; Role Approver tab RoleOwner<XX>
8. Go to the workflow configuration and create an initiator. Choose Configuration → Workflow → Initiator.
9. Choose Create and enter the following data.
   Name: ##_Initiator
   Short Description: ##_Initiator
   Workflow Type: CUP
   Condition: AND
   Attribute: Functional Area
   Value: ##FI
10. Choose Save to save the initiator.
11. Create three stages. Choose Configuration → Workflow → Stage.
12. Choose Create and enter the following data for each stage.
   Stage 1: Name ##_Manager; Short Description ##_Manager; Workflow Type CUP; Approver Determinator Manager
   Stage 2: Name ##_RoleOwner; Short Description ##_RoleOwner; Workflow Type CUP; Approver Determinator Role
   Stage 3: Name ##_Security; Short Description ##_Security; Workflow Type CUP; Approver Determinator Security
13. For the notification configuration, select the Next Approver tab and fill in the information for approval.
14. Select the following options in the Additional Configuration section.
   Risk Analysis Mandatory: Yes
   Change Request Content: No
   Add Role: should not be able to change. Why?
   Path Evaluation for New Roles: should not be able to change. Why?
   Approval Level: Request
   Rejection Level: Request
   Approval Type: Any one Approver
   Comments Mandatory: Yes or No
   Request Rejection: No
   Re-route: No
   Confirm Approval: No
   Confirm Rejection: No
   Reject by Email: No
   Approve by Email: No
   Forward Allowed: No
   Approve Request Despite Risks: Yes
15. Choose Save to save each stage.
16. Create a path. Choose Configuration → Workflow → Path.
17. Choose Create, then enter the following data.
   Name: ##_Path
   Short Description: ##_Path
   Workflow Type: CUP
   Number of Stages: 3
   Initiator: ##_Initiator
   Be sure to make the path Active.
18. Select the three stages (##_Manager, ##_RoleOwner, ##_Security) that you created in this exercise.
19. Choose Save to save the path.
20. Create a custom approver determinator for the detour. Choose Configuration → Workflow → Custom Approver Determinators and create a custom approver determinator.
   Name: ##_SOD_CAD
   Short Description: ##_SOD_CAD
   CAD Type: Attribute
   Workflow Type: CUP
   Attribute: Functional Area
   Choose the Approvers button and choose Add.
   Functional Area: ##FI
   Approver: Sox## user
   Choose Save.
21. Define a stage for SoD violations. Choose Configuration → Workflow → Stage and enter the following data.
   Name: ##_SOD_Stage
   Short Description: ##_SOD_Stage
   Workflow Type: CUP
   Approver Determinator: ##_SOD_CAD
   Choose Save.
   Hint: It is not possible to log in to CUP directly with a UME user who still has an "initial" password. The user has to change his or her password first.
22. Define a detour path. Choose Configuration → Workflow → Path and create the following path.
   Name: ##_Detour
   Short Description: ##_Detour
   Workflow Type: CUP
   Number of Stages: 2
   Initiator: None
   Be sure to make the path Active.
   Detour checkbox: select Yes
   Stage 1: ##_SOD_Stage
   Stage 2: ##_Security
   Choose Save.
23. Define a detour for SoD violations. Choose Configuration → Workflow → Detour/Fork and create a detour.
   Workflow Type: CUP
   Path: ##_Path
   Stage: ##_RoleOwner
   Action: Save
   Condition: SOD Violations
   Value: Yes
   Detour Path: ##_Detour
   Choose Save.
24. Test your workflow by creating several requests and verify that the path and detour you created work properly.
   Hint: Create multiple AE (Access Enforcer, the former name of Compliant User Provisioning) requests to create users for the back-end system. Assign each user to one or both of the roles you created in Step 1 above, so that some requests raise an SoD violation and take the detour while others run through ##_Path unchanged.
   It is not possible to log in to CUP directly with a UME user who still has an "initial" password. The user has to change his or her password first.
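The following is an added example, not part of the GRC300 course material and not SAP code: a small Python model of the routing configured in this exercise. It shows how the initiator selects the path from a request attribute, how each stage's approver determinator resolves to approvers, how the Detour/Fork entry on SOD Violations at the ##_RoleOwner stage diverts the request into ##_Detour, how a stage with Approve Request Despite Risks set to No holds the request until the violation is mitigated, and how the back end is only provisioned once the last stage approves. The SoD rule (FB50 conflicting with OB52), the user IDs, the ## = 01 substitution, and the assumption that a detour replaces the remaining stages of the original path are constructed for this example; the real engine's behaviour is defined by the configuration screens described above.

```python
from dataclasses import dataclass, field

# Constructed SoD rule for this example (not an SAP-delivered rule): posting journal
# entries (FB50) conflicts with opening/closing accounting periods (OB52).
SOD_RULES = {frozenset({"FB50", "OB52"})}

@dataclass
class Role:
    name: str
    tcodes: frozenset
    functional_area: str          # role attribute tested by the initiator condition
    owner: str                    # Role Approver, used by the "Role" determinator

@dataclass
class Stage:
    name: str
    determinator: str             # "Manager", "Role", "Security" or a CAD name
    approve_despite_risks: bool = True

@dataclass
class Path:
    name: str
    stages: list
    initiator_area: str = ""      # "" for a detour path, which has no initiator

@dataclass
class Request:
    user: str
    manager: str
    roles: list
    mitigated: set = field(default_factory=set)
    trail: list = field(default_factory=list)
    status: str = "open"

def sod_violations(roles):
    """SoD rules whose conflicting transactions are all covered by the requested roles."""
    tcodes = frozenset().union(*(r.tcodes for r in roles))
    return {rule for rule in SOD_RULES if rule <= tcodes}

def find_initiator(req, paths):
    """Initiator condition 'Functional Area = value'; exactly one path must match."""
    areas = {r.functional_area for r in req.roles}
    hits = [p for p in paths if p.initiator_area in areas]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one initiator, got {len(hits)}")
    return hits[0]

def approvers(stage, req, cads):
    # Resolve the stage's approver determinator to a set of approver user IDs.
    fixed = {"Manager": {req.manager}, "Role": {r.owner for r in req.roles},
             "Security": {"SECURITY"}}
    if stage.determinator in fixed:
        return fixed[stage.determinator]
    return {cads[stage.determinator][r.functional_area] for r in req.roles}  # attribute CAD

def run(req, paths, detours, cads, decide, backend):
    """Route the request stage by stage; auto-provision when the last stage approves.
    Assumption: a detour replaces the remaining stages of the original path."""
    path = find_initiator(req, paths)
    by_name = {p.name: p for p in paths}
    queue, current = list(path.stages), path.name
    while queue:
        stage = queue.pop(0)
        decision = decide(stage, approvers(stage, req, cads), req)   # Any one approver
        if decision == "approve" and not stage.approve_despite_risks \
                and sod_violations(req.roles) - req.mitigated:
            decision = "held: unmitigated SoD violation"      # approval not permitted
        req.trail.append((stage.name, decision))
        if decision != "approve":
            req.status = "held" if decision.startswith("held") else "rejected"
            return req
        for d_path, d_stage, cond, target in detours:        # evaluated on Save at this stage
            if (d_path, d_stage, cond) == (current, stage.name, "SOD Violations") \
                    and sod_violations(req.roles):
                queue, current = list(by_name[target].stages), target
                req.trail.append(("detour", target))
                break
    backend.setdefault(req.user, set()).update(r.name for r in req.roles)
    req.status = "provisioned"
    return req

FB50 = Role("Z_01_FB50", frozenset({"FB50"}), "01FI", "ROLEOWNER01")   # constructed: ## = 01
OB52 = Role("Z_01_OB52", frozenset({"OB52"}), "01FI", "ROLEOWNER01")
MAIN = Path("##_Path", [Stage("##_Manager", "Manager"), Stage("##_RoleOwner", "Role"),
                        Stage("##_Security", "Security")], initiator_area="01FI")
DETOUR = Path("##_Detour", [Stage("##_SOD_Stage", "##_SOD_CAD", approve_despite_risks=False),
                            Stage("##_Security", "Security")])
DETOURS = [("##_Path", "##_RoleOwner", "SOD Violations", "##_Detour")]   # Detour/Fork entry
CADS = {"##_SOD_CAD": {"01FI": "SOX01"}}     # custom approver determinator; user IDs assumed

def demo(roles, sox_mitigates=True):
    # Run one request through the configuration; returns (request, back-end user table).
    def decide(stage, who, req):
        # Every approver approves; the SoD approver may first document a mitigating control.
        if stage.name == "##_SOD_Stage" and sox_mitigates:
            req.mitigated.update(sod_violations(req.roles))
        return "approve"
    backend = {}
    req = run(Request("JDOE", "MANAGER01", list(roles)), [MAIN, DETOUR], DETOURS, CADS,
              decide, backend)
    return req, backend
```

Running demo([FB50]) provisions after the three stages of ##_Path; demo([FB50, OB52]) records a detour after ##_RoleOwner, passes ##_SOD_Stage once the SOX approver has mitigated the risk, and then provisions; demo([FB50, OB52], sox_mitigates=False) is held at ##_SOD_Stage and nothing reaches the back end.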
Solution 9: Multi-stage Workflow with Detour for SoD Violations
Task:
Set up a three-stage workflow to make a change to a user, run an SoD check, then have the change auto-provisioned to an SAP system.
The solution follows steps 1 to 24 of the exercise exactly as written above. The only points that need an answer are the two questions in the Additional Configuration settings of step 14:
Risk Analysis Mandatory: Yes
Change Request Content: No
Add Role: cannot be changed, because Change Request Content is set to No.
Path Evaluation for New Roles: cannot be changed, because Change Request Content is set to No.
Lesson Summary
You should now be able to:
• Explain the workflow basics: initiator, stage, path, approver determinator
• Explain stage customizing options
• Name other areas for which the workflow functionality of SAP BusinessObjects Access Control can be used: risk maintenance, control maintenance, mitigation activities, user maintenance, role maintenance, and requesting superuser access
Lesson: Compliant User Provisioning – Additional Functionality
Lesson Overview
This lesson provides an overview of Compliant User Provisioning workflow capability
for change management of the SoD rule and the control libraries in Risk Analysis
and Remediation.
Lesson Objectives
After completing this lesson, you will be able to:
• Use the workflow functionality to ensure a comprehensive and compliant change management process for risk and control maintenance
• Describe the required configuration steps and the business background of using this functionality
Business Example
Your organization wants to make sure that all changes to the risk and control library
within SAP BusinessObjects Access Control are properly managed and approved by a
dedicated owner. For that reason, you need to implement this control before the go
live takes place. You are also responsible for evaluating other areas in which the
workflow functionalities can help to support continuous compliance.
Risk Recognition
The first phase of the SoD risk management process is to identify and classify
the risks. The SoD rule library in Risk Analysis and Remediation is built on the
foundation of the risk identification process. The mitigation controls for these risks
are also documented as part of the Risk Analysis and Remediation control library for
mitigation of user access.
After the rule and control libraries have been implemented per business requirements,
the next step is the process of managing changes to both of these libraries. This is
where the workflow functions of Compliant User Provisioning can be integrated with
Risk Analysis and Remediation to implement a change management process where
the business risk owners can be closely involved in any changes going forward.
Figure 53: SoD Risk Management Process – Phase One
Figure 54: Types of Risks: SoD vs. Critical Actions
Figure 55: Risks Identified: SoD Rule Set Building Blocks
Risk and Mitigation Change Management
To begin implementation of a change management process for risks, the business
process owner must assume ownership for the process and the resulting risk in his or
her areas of access and authorizations.
The business then initiates and approves any updates to the risks built into the SoD
rules library. A business owner associated with a risk within the library is set up to
receive a workflow request from Compliant User Provisioning when changes are
made to those risks. Changes will not take effect until the risk owner has approved the
workflow request.
The same business risk owners can also be set up with mitigation ownership as the
control library is configured. Or a different set of business owners can be associated
with the mitigation controls as they are documented within the control library. This
will depend on the company's business needs and internal controls structure.
As with changes to risks, changes to a mitigating control or creation of new additions
to the control library can be configured in Compliant User Provisioning to send
workflow approvals to the appropriate responsible parties. The changes take effect
only after the owners have confirmed their approval.
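As an added example (not the course's own material and not SAP code), the following Python sketch models the change-management rule described above: an edit to a risk is held as a workflow request and is written to the rule library only when the associated risk owner approves it, with a change history entry recorded at that moment. The risk ID, user IDs, the editable fields, and the four-eyes check that stops a requester approving their own change are assumptions of this example; the switch that bypasses the workflow stands in for the Risk Maintenance parameter being set to NO.

```python
from dataclasses import dataclass
import itertools

@dataclass
class Risk:
    risk_id: str
    owner: str                      # risk owner who must approve every change
    description: str
    control_objective: str = ""

@dataclass
class ChangeRequest:
    request_id: int
    risk_id: str
    field_name: str
    new_value: str
    requester: str
    status: str = "pending"

EDITABLE = ("description", "control_objective")   # assumed set of workflow-controlled fields

class RiskLibrary:
    """Rule library whose edits are held as workflow requests until the risk owner approves."""

    def __init__(self, risks, workflow_active=True):
        self.risks = {r.risk_id: r for r in risks}
        self.workflow_active = workflow_active    # stands in for the Risk Maintenance parameter
        self.requests = {}
        self.history = []                         # (risk_id, field, old, new, requester, approver)
        self._ids = itertools.count(1000)         # constructed request numbering

    def save_change(self, risk_id, field_name, new_value, requester):
        """Save in the Rule Architect. With the workflow active this only files a request."""
        if field_name not in EDITABLE:
            raise ValueError(f"unknown field {field_name}")
        risk = self.risks[risk_id]
        if not self.workflow_active:              # direct edit, no owner approval
            self._apply(risk, field_name, new_value, requester, approver=None)
            return None
        cr = ChangeRequest(next(self._ids), risk_id, field_name, new_value, requester)
        self.requests[cr.request_id] = cr
        return cr.request_id

    def my_work(self, approver):
        """Request numbers waiting for this approver (what the My Work tab lists)."""
        return [cr.request_id for cr in self.requests.values()
                if cr.status == "pending" and self.risks[cr.risk_id].owner == approver]

    def approve(self, request_id, approver):
        cr = self.requests[request_id]
        risk = self.risks[cr.risk_id]
        if cr.status != "pending":
            raise ValueError(f"request {request_id} is already {cr.status}")
        if approver != risk.owner:
            raise PermissionError("only the risk owner may approve this change")
        if approver == cr.requester:              # four-eyes check, an assumption of this example
            raise PermissionError("requester cannot approve their own change")
        self._apply(risk, cr.field_name, cr.new_value, cr.requester, approver)
        cr.status = "approved"

    def reject(self, request_id, approver):
        cr = self.requests[request_id]
        if cr.status != "pending" or approver != self.risks[cr.risk_id].owner:
            raise PermissionError("not a pending request owned by this approver")
        cr.status = "rejected"

    def _apply(self, risk, field_name, new_value, requester, approver):
        # The only place the library is actually modified; every write leaves a history entry.
        old = getattr(risk, field_name)
        setattr(risk, field_name, new_value)
        self.history.append((risk.risk_id, field_name, old, new_value, requester, approver))
```

The point to check in a real system is the same as in this model: after Save, the library must still show the old value, the request must be visible only to the risk owner, and the history entry must name both the requester and the approver.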
Figure 56: Risk Analysis and Remediation and Compliant User Provisioning Workflow Integration for Change Management
Configuring Workflow for Change Management
The delivered workflow configuration options in Compliant User Provisioning
include request types and Web services. These must be activated and applied in the
proper settings. The rest of workflow configuration must be set up and tested by the
designated application administrators.
Workflow components that must be set up in the Compliant User Provisioning Configuration tab for risk and mitigation control changes include:
• Activating request types:
  – Create / Update / Delete Mitigation Control
  – Create / Update / Delete Mitigation Object
  – Create / Update / Delete Risk
• Activating mitigation URL settings
• Activating mitigation and risk workflows in Miscellaneous
• Creating workflow initiators for risk and mitigation changes
• Creating custom approver determinators for risk and mitigation changes
• Creating stages for risk and mitigation changes
• Creating paths for risk and mitigation changes
Similarly, in Risk Analysis and Remediation, certain configuration settings must be completed to integrate the workflow functions.
• Mitigation and risk maintenance workflow settings must be activated in the Configuration tab.
• In the Mitigation tab, the Administrators table must be populated with the designated risk owners.
• When a mitigating control is created for the control library, a management approver and risks must be associated with the control being documented.
• When a risk is created in the Rule Architect tab, a risk owner must be associated with the risk.
Note: The SAP BusinessObjects Access Control Configuration Guide
delivered with the application documentation provides detailed steps on how
to configure workflows in Compliant User Provisioning. You can find this in
the Compliant User Provisioning section, under Workflow Management.
Conclusion
SAP BusinessObjects Access Control is used as the central workflow engine to ensure
a compliant change management process.
SAP BusinessObjects Access Control provides request submission service to initiate
workflow for risk maintenance, mitigation maintenance, remediation activities, and
mitigation activities out of the risk analysis and remediation process. It also supports
the change management by using an event-driven, multilevel approval process that
allows for close business involvement and responsibility.
Figure 57: Change Management with SAP BusinessObjects Access Control
Exercise 10: Workflow-Controlled Risk Maintenance
Exercise Objectives
After completing this exercise, you will be able to:
• Change the description of a risk
• Approve your change within the workflow engine
Business Example
You are responsible for evaluating the correct implementation of the workflow-supported risk change management process.
Task:
Use the Compliant User Provisioning workflow function to manage changes made to the SoD rule set in Risk Analysis and Remediation through the Rule Architect.
1. Use the Compliant User Provisioning workflow function to manage changes made to the SoD rule set.
2. Open a new browser window and log on to SAP BusinessObjects Access Control with the approver user ID.
3. Review the change history of the risk ID.
Solution 10: Workflow-Controlled Risk
Maintenance
Task:
Use the Compliant User Provisioning workflow function to manage changes made to
the SoD rule set in Risk Analysis and Remediation through the Rule Architect.
1. Use the Compliant User Provisioning workflow function to manage changes made to the SoD rule set.
a) Log on to SAP BusinessObjects Access Control, select the Compliant User Provisioning link, and select the Configuration tab. Choose Workflow Custom → Approver Determinator and change approver determinator RISKUPDATE. Add a User ID as approver and the Risk ID that you want to change on update.
b) Log on to SAP BusinessObjects Access Control, select the Risk Analysis and Remediation link, and select the Configuration tab.
c) Choose Workflow and set parameter Risk Maintenance to YES.
d) Select the Configuration tab. From the menu on the left, select Risks (arrow down) and choose Search.
e) Enter your Risk ID in the Risk ID field.
f) Choose the Change button in the Search Results screen.
g) Select the Control Objective tab and enter a statement describing the control objective for the selected risk ID.
Hint: You can use any descriptive statement you wish for this exercise. You can also replace any statement already in place.
h) Choose Save.
Note: This action creates a request for approval, which is routed by workflow to the risk owner associated with the changed risk ID.
i) The application will give you the message Workflow request submitted, request id is xxxx, where xxxx is the number of the request.
Hint: Write down the request number.
j) Exit this screen by selecting Search again on the left-hand menu.
2. Open a new browser window and log on to SAP BusinessObjects Access Control with the approver User ID.
a) In the launch pad, select the Compliant User Provisioning link.
Note: The default should be the My Work tab in Compliant User Provisioning, where you will see the number of the request created by your change to the risk in the previous steps.
b) Click on the link to request # xxxx (created by risk change).
c) Review the request detail. For example, select the Control Objective tab to view the statement you added.
d) Choose Approve.
e) On the next screen you should get a success message that says the request has been approved and closed.
3. Review the change history of the Risk ID.
a) Log on to SAP BusinessObjects Access Control, select the Risk Analysis and Remediation link, and select the Rule Architect tab.
b) Select Change History, choose Risk ID, and review the results.
c) Search for your changed Risk ID and review the results.
Result
You have successfully updated a risk in Risk Analysis and Remediation, sent an
approval request to the risk owner through workflow, and documented an approved
change to a risk with an audit trail of the change.
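The flow exercised above (risk change creates a request, the RISKUPDATE approver determinator picks the approver by Risk ID, the approval applies the change and leaves an audit trail) as an added example; this is illustrative code, not SAP's, and the approver table, risk IDs, user IDs and data layout are constructed assumptions:

```python
"""Added example (not SAP's code): a minimal model of workflow-controlled
risk maintenance.  Editing a risk does not change the rule set directly; it
creates a request, the RISKUPDATE approver determinator selects the approver
by Risk ID, and only that approver's decision applies the change and writes
the change-history entry.  All IDs and the data layout are constructed."""
from dataclasses import dataclass
from itertools import count

# Constructed approver determinator table, in the spirit of
# Configuration -> Workflow Custom -> Approver Determinator -> RISKUPDATE.
RISKUPDATE = {"F001": "RISKOWNER_FIN", "P002": "RISKOWNER_PROC"}


@dataclass
class Risk:
    risk_id: str
    control_objective: str


@dataclass
class Request:
    request_id: int
    risk_id: str
    requester: str
    approver: str
    new_control_objective: str
    status: str = "OPEN"


class RiskMaintenance:
    def __init__(self, risks, workflow_enabled=True):
        self.risks = {r.risk_id: r for r in risks}
        # Mirrors the Risk Analysis and Remediation parameter "Risk Maintenance" = YES/NO
        self.workflow_enabled = workflow_enabled
        self.requests = {}
        self.change_history = []
        self._ids = count(1000)

    def change_control_objective(self, risk_id, requester, text):
        """Returns the request id when a workflow request is created, or None
        when the change is applied directly because workflow is switched off."""
        if risk_id not in self.risks:
            raise KeyError(f"unknown risk {risk_id}")
        if not self.workflow_enabled:
            self._apply(risk_id, requester, text, approved_by=None)
            return None
        approver = RISKUPDATE.get(risk_id)
        if approver is None:
            raise ValueError(f"no approver maintained in RISKUPDATE for {risk_id}")
        req = Request(next(self._ids), risk_id, requester, approver, text)
        self.requests[req.request_id] = req
        return req.request_id

    def approve(self, request_id, acting_user):
        req = self._open_request(request_id, acting_user)
        self._apply(req.risk_id, req.requester, req.new_control_objective, acting_user)
        req.status = "APPROVED"

    def reject(self, request_id, acting_user):
        req = self._open_request(request_id, acting_user)
        req.status = "REJECTED"

    def _open_request(self, request_id, acting_user):
        """Only the determined approver may act, and only on an open request."""
        req = self.requests[request_id]
        if req.status != "OPEN":
            raise ValueError(f"request {request_id} is already {req.status}")
        if acting_user != req.approver:
            raise PermissionError(f"{acting_user} is not the approver of request {request_id}")
        return req

    def _apply(self, risk_id, requester, text, approved_by):
        # The audit trail records old and new value, who requested and who approved.
        risk = self.risks[risk_id]
        self.change_history.append({"risk_id": risk_id, "field": "control_objective",
                                    "old": risk.control_objective, "new": text,
                                    "changed_by": requester, "approved_by": approved_by})
        risk.control_objective = text


def run_exercise():
    """Replays the exercise: change, approve as the risk owner, read change history."""
    rar = RiskMaintenance([Risk("F001", "Original objective")])
    req_id = rar.change_control_objective("F001", "GRCADMIN", "Prevent fictitious vendor payments")
    pending = rar.risks["F001"].control_objective        # still the old value while open
    rar.approve(req_id, "RISKOWNER_FIN")
    return req_id, pending, rar.risks["F001"].control_objective, rar.change_history
```

The point to take from the model is the ordering: the rule set keeps its old value while the request is open, the requester cannot approve their own change, and the history entry names both the requester and the approver, which is exactly what an auditor reads from Change History in the Rule Architect.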
Lesson Summary
You should now be able to:
• Use the workflow functionality to ensure a comprehensive and compliant change management process for risk and control maintenance
• Describe the required configuration steps and the business background of using this functionality
Lesson: Workflow-Based Reviews
Lesson Overview
This lesson discusses the configuration of workflow for the User Access Review and
the User SoD Review capabilities of SAP BusinessObjects Access Control Compliant
User Provisioning.
Lesson Objectives
After completing this lesson, you will be able to:
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review
Business Example
Your organization plans to ensure continuous compliance by investigating and
remediating risks that arise from excessive user access to company systems. For that
reason, the organization plans to use SAP BusinessObjects Access Control to automate
periodic reviews of user access and resulting risk violations. The internal audit
department recommends implementing both workflows to improve risk awareness and
compliance procedures within your company.
User Access Review: Process Overview
Managers and role approvers use User Access Review (UAR) to automate the periodic process of reviewing and reaffirming end-user role assignments. The system notifies managers to review their direct reports' access to applications. Approvers must review the list of user role assignments and determine whether the user still needs those roles based on their current responsibilities. Approvers either approve or remove the roles that are assigned to each user.
If the user no longer requires a role, the role is de-provisioned from back-end systems automatically or manually. If the reviewer does not complete the review in the defined period, the process can be escalated. Escalation could include the deactivation of a user’s account until the review is completed.
Highlights of this process include:
• Automated decentralized user access review by business managers or role owners
• Reports generated automatically based on the company's internal control policy
• Workflow-request-based review and approval process
• Automatic de-provisioning for role removal
• Audit trail and reports for review details
• Allow manager to approve or remove roles based on employee’s business function
Benefits:
• Streamline the internal control process with collaboration among business managers, internal control team, and IT team
• Provide efficiency and visibility to a company’s Sarbanes-Oxley Act compliance
Configuring Workflow for User Access Review
To produce User Access Review requests for reviewers, the following configurations must be set in place in Compliant User Provisioning and Enterprise Role Management.
Figure 58: UAR Configuration
• Activate and configure UAR workflow.
– Define an initiator.
– Define a stage (one stage for reviewer and another stage for security).
– Define a path (one path for a reviewer and another path for security).
– Define a detour with condition (for role removals).
• Set up User Review options for UAR in the Configuration tab.
– Select if Admin Review is required.
– Select the reviewers: manager or role owner.
– Define the number of line items per request.
– Select the default request type.
– Select the default priority of the request.
• Populate the Coordinator-Reviewer Relationships table if a coordinator is to be configured for the UAR.
– The coordinator is optional; it is possible to perform the review without a coordinator.
– In addition, one coordinator might have many reviewers.
• Define the e-mail reminder.
• Define the service level for UAR.
• Schedule a role usage synchronization to perform the User Access Review in Enterprise Role Management.
• Schedule the UAR Review Load Data background job in Compliant User Provisioning.
• Schedule the UAR Review Update Workflow background job in Compliant User Provisioning.
Note: You can schedule new background jobs to create workflow requests for manager or risk-owner review only after all previous UAR requests are closed.
Note: The SAP BusinessObjects Access Control Configuration Guide delivered with the application documentation provides detailed steps on how to configure UAR in Compliant User Provisioning. Check the Compliant User Provisioning section under User Review.
User SoD Review Process Overview
Business managers and risk owners use the segregation of duties (SoD) review process to automate periodic reviews of SoD conflicts. Once Risk Analysis and Remediation identifies user SoD conflicts, they must be remediated to ensure Sarbanes-Oxley Act compliance. The system uses Risk Analysis and Remediation batch analysis data to update management graphics and to generate these SoD Review workflow requests in Compliant User Provisioning.
The reviewer can either be the user’s manager or the risk owner (as defined by the
Rule Architect of Risk Analysis and Remediation). Once the request is created, the
system sends an e-mail notification for SoD violations to the reviewer. Depending
on your configuration, requests may contain unmitigated SoD conflicts only, or both
unmitigated and mitigated conflicts.
Highlights of this process include:
• Automates the decentralized SoD review by business managers or risk owners
• Real-time detection of SoD violations with reports generated and submitted to reviewers
• Workflow-request-based review and approval process
• Audit trail and reports for review details
Benefits:
• Real-time SoD management by exception
• Streamline the internal control process with collaboration among business managers, internal control team, and IT team
• Provide efficiency and visibility to a company’s internal control process
Configuring Workflow for User SoD Review
To produce User SoD Review requests for reviewers, the following configurations must be set in place in Compliant User Provisioning and Enterprise Role Management.
Figure 59: SoD Review Configuration
• Activate and configure User SoD Review workflow.
– Define an initiator.
– Define a stage (one stage for reviewer and another stage for security).
– Define a path (one path for a reviewer and another path for security).
– Define a detour with condition (for SoD removals).
• Set up user review options for User SoD Review in the Configuration tab.
– Select if Admin Review is required.
– Select the reviewers: manager or role owner.
– Define the appropriate SoD Review Users URL.
– Define the appropriate SoD Review Users Risks URL.
– Define the number of line items per request.
– Select the default request type.
– Select the default priority of the request.
• Populate the Coordinator-Reviewer Relationships table if a coordinator is to be configured for the User SoD Review.
– The coordinator is optional; it is possible to perform the review without a coordinator.
– In addition, one coordinator might have many reviewers.
• Define the e-mail reminder.
• Define the service level for User SoD Review.
• Schedule background jobs to perform the batch risk analysis and management report updates in Risk Analysis and Remediation.
• Schedule the SOD Review Load Data background job in Compliant User Provisioning (either with or without mitigated risks).
• Schedule the SOD Review Update Workflow background job in Compliant User Provisioning.
Note: You can schedule new background jobs to create workflow requests for manager or risk-owner review only after all previous User SoD Review requests are closed.
Note: The SAP BusinessObjects Access Control Configuration Guide delivered with the application documentation provides detailed steps on how to configure User SoD Review in Compliant User Provisioning. Check the Compliant User Provisioning section, under User Review.
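The request-generation behaviour behind both configuration lists above (UAR from role assignments, User SoD Review from batch risk-analysis results, reviewer selection, line items per request, and the rule that a new load may only run once all earlier requests are closed) as an added example. This is illustrative code, not SAP's; the users, roles, risks and the "Load Data" data layout are constructed assumptions:

```python
"""Added example (not SAP's code): a model of the Load Data step for User
Access Review and User SoD Review.  Line items are built from role assignments
(UAR) or from batch risk-analysis results (SoD Review), routed to the configured
reviewer (manager or role/risk owner) and split into requests of at most N
line items.  All master data below is constructed."""
from collections import defaultdict

# Constructed master data
USERS = {"JSMITH": "MGR1", "AKHAN": "MGR1", "BLEE": "MGR2"}          # user -> manager
ROLE_OWNERS = {"Z_AP_INVOICE": "OWN_FIN", "Z_AP_PAYMENT": "OWN_FIN", "Z_MM_PO": "OWN_PROC"}
ASSIGNMENTS = [("JSMITH", "Z_AP_INVOICE"), ("JSMITH", "Z_AP_PAYMENT"), ("AKHAN", "Z_MM_PO"),
               ("BLEE", "Z_AP_PAYMENT"), ("BLEE", "Z_MM_PO")]
# Constructed result of the Risk Analysis and Remediation batch analysis:
# (user, risk id, risk owner, mitigated?)
SOD_VIOLATIONS = [("JSMITH", "F001", "OWN_FIN", False), ("BLEE", "P005", "OWN_PROC", True)]


def uar_line_items(reviewer_type):
    """One line item per user-role assignment, routed to the manager or the role owner."""
    if reviewer_type not in ("manager", "role_owner"):
        raise ValueError("reviewer must be 'manager' or 'role_owner'")
    items = []
    for user, role in ASSIGNMENTS:
        reviewer = USERS[user] if reviewer_type == "manager" else ROLE_OWNERS[role]
        items.append({"reviewer": reviewer, "user": user, "item": role})
    return items


def sod_line_items(reviewer_type, include_mitigated):
    """One line item per SoD violation; mitigated conflicts only when configured."""
    if reviewer_type not in ("manager", "risk_owner"):
        raise ValueError("reviewer must be 'manager' or 'risk_owner'")
    items = []
    for user, risk, owner, mitigated in SOD_VIOLATIONS:
        if mitigated and not include_mitigated:
            continue
        reviewer = USERS[user] if reviewer_type == "manager" else owner
        items.append({"reviewer": reviewer, "user": user, "item": risk, "mitigated": mitigated})
    return items


def build_requests(items, line_items_per_request, request_type, priority):
    """Group line items by reviewer and split them into requests of bounded size."""
    if line_items_per_request < 1:
        raise ValueError("line items per request must be at least 1")
    by_reviewer = defaultdict(list)
    for item in items:
        by_reviewer[item["reviewer"]].append(item)
    requests = []
    for reviewer in sorted(by_reviewer):
        chunk = by_reviewer[reviewer]
        for start in range(0, len(chunk), line_items_per_request):
            requests.append({"reviewer": reviewer, "type": request_type, "priority": priority,
                             "status": "OPEN", "items": chunk[start:start + line_items_per_request]})
    return requests


def can_schedule_new_load(existing_requests):
    """Per the note above: a new load may run only once all previous requests are closed."""
    return all(r["status"] != "OPEN" for r in existing_requests)


def apply_review(request, removals):
    """Reviewer decision: items not in `removals` are reaffirmed; removed (user, item)
    pairs go to de-provisioning, which in the product is the detour with the
    'role removal' condition.  `removals` is a set of (user, item) tuples."""
    keep = [i for i in request["items"] if (i["user"], i["item"]) not in removals]
    drop = [(i["user"], i["item"]) for i in request["items"] if (i["user"], i["item"]) in removals]
    request["status"] = "CLOSED"
    return {"reaffirmed": keep, "deprovision": drop}
```

Changing the reviewer option or the line-items-per-request value changes how many requests each person receives; running the generation against a copy of production assignment data before scheduling the real job shows the load each manager will get.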
Lesson Summary
You should now be able to:
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review
Lesson: Compliant User Management Life Cycle
Lesson Overview
This lesson explains the Compliant User Management life cycle in Compliant User
Provisioning.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the main advantages of Compliant User Provisioning and discuss how it can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required approval steps and risk analysis, and the final provisioning in the back-end system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager information
• Explain and configure workflow exception handling using escalations, detours, rerouting, and forwarding
• Configure an advanced user provisioning workflow
Business Example
Your organization has to set up proper change control procedures in the area
of authorization and access management. Consequently, the implementation of
Compliant User Provisioning as part of SAP BusinessObjects Access Control will
ensure that all changes have been reviewed and approved prior to production
activation. Several business owners within your organization request advanced
functionalities and escalation possibilities in the defined user creation process.
Therefore, you want to familiarize yourself with the advanced workflow functionalities
within the solution.
The Main Advantages of Compliant User Provisioning
• Automates, accelerates, and tracks the user access request process using workflow for SAP and non-SAP systems
• User administration with integrated risk analysis and mitigation capabilities keeps the system clean
• Provides simulation in the production system for risk analysis before changes are provisioned
• Provides a comprehensive audit trail
• Flexible configuration of multiple workflow paths and workflow triggers based on the type of request
• Self-service password reset lifts another user administration burden from the support team
• User authentication from a wide range of sources, including single sign-on, LDAP, and SAP systems
• Ensures audit compliance
• Automatically provisions users and roles to users in multiple SAP systems
• Automated e-mail notification to appropriate parties
• Provides numerous reports in analytical and chart views
• Integrated with SAP Enterprise Portal
Dynamic Workflow
Dynamic Workflow Provides End-to-End Automation
• Automated user provisioning and de-provisioning to multiple applications
• Requests automatically filled with user identity information from LDAP directory or HR database
• Complete SAP provisioning including SAP R/3, SAP ERP, CUA, portals, and so on
• Role filtering or modeling facilitates simple assignment
• Approvals directly from e-mail
• Configurable path initiators, detours, and escalation
Figure 60: Dynamic Workflow
Proactive Compliance Lowers Risk and Saves Money
• Integrated, real-time risk analysis before access is granted
• Pre-approved mitigating controls assigned as required
Business-Friendly Reporting Increases Visibility
• Ticket process for detailed tracking
• Customizable reporting and process-efficiency statistics
Helpful User Administration Services Save Money
• Self-service password reset saves time
• Simple Access Reaffirm meets regulatory requirements
Demonstration of a Typical Workflow Request
The instructor will demonstrate a typical workflow for adding a role to a user.
Workflow Creation Process
Plan - Implement - Test - Adjust
Plan
Planning a workflow requires determining:
• Required workflow functionality
• Number of workflows needed
• What stages, initiators, and paths need to be created
• Who the required approvers are
• What the final provisioning will be
Planning is the most critical component in the workflow process.
• Planning requires careful consideration at the start of implementation.
• The more time spent planning workflow needs, the easier the entire process.
Implement
Create workflows per planning decisions.
• Create stages and initiators.
• Create workflow paths.
• Assign stages and an initiator to each workflow path.
Test and Adjust
Test workflows.
Adjust as necessary.
• Fix existing workflows.
• Create new workflows.
Password Sending Options
Password options in e-mails can now be configured to send the password at the end of the request.
You can configure this on the Email Reminder screen by choosing Configuration → Workflow → Email Reminder.
Send Password in Mail:
• No password sent
• Password sent in the e-mail
• Password is not sent directly in the e-mail, but will be sent as a link
Connecting to an LDAP Directory
Lightweight Directory Access Protocol (LDAP) is a standard for managing a large user directory. Compliant User Provisioning can use an LDAP directory to find detailed user information.
Out of the box, Compliant User Provisioning supports Microsoft Active Directory, Sun ONE, Novell eDirectory, and IBM Tivoli LDAP directories.
Once connected to an LDAP directory, you have to map the user information. The LDAP Mapping option maps Compliant User Provisioning fields to their corresponding fields in an LDAP database. In addition, you can add fields and then map them to attributes that already exist in your enterprise’s LDAP database by selecting those attributes on the Additional Fields screen.
The field mapping you define for the LDAP directory is specific to the LDAP systems that you configured in the User Data Source option. The User Data Source option is where you configure one or many LDAP data sources for searching and retrieving user detail information.
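The LDAP mapping described above, applied to directory entries to produce the user detail fields a request is pre-filled with (including the manager lookup the lesson objectives mention), as an added example that is not SAP's code. The directory entries, the Active Directory style attribute names, the request-side field names and the data source layout are constructed assumptions:

```python
"""Added example (not SAP's code): an LDAP field mapping applied to directory
entries to produce the user details a request is filled with, including the
manager lookup.  Directory content, attribute names (Active Directory style)
and the request-side field names are constructed assumptions."""

# Constructed directory content: DN -> attributes
DIRECTORY = {
    "CN=Jane Smith,OU=Finance,DC=example,DC=com": {
        "sAMAccountName": "JSMITH", "givenName": "Jane", "sn": "Smith",
        "mail": "jane.smith@example.com", "department": "Finance",
        "telephoneNumber": "+1 555 0100",
        "manager": "CN=Mark Lee,OU=Finance,DC=example,DC=com"},
    "CN=Mark Lee,OU=Finance,DC=example,DC=com": {
        "sAMAccountName": "MLEE", "givenName": "Mark", "sn": "Lee",
        "mail": "mark.lee@example.com", "department": "Finance"},   # no manager attribute
}

# LDAP Mapping: request field -> directory attribute (constructed)
FIELD_MAPPING = {"userid": "sAMAccountName", "firstname": "givenName", "lastname": "sn",
                 "email": "mail", "department": "department", "manager": "manager"}
# Additional Fields screen: extra request fields mapped to existing attributes
ADDITIONAL_FIELDS = {"phone": "telephoneNumber"}


class LdapDataSource:
    """One entry of the User Data Source configuration, with its own mapping."""
    def __init__(self, name, directory, mapping, additional_fields=None):
        self.name, self.directory = name, directory
        self.mapping = {**mapping, **(additional_fields or {})}
        if "userid" not in self.mapping or "manager" not in self.mapping:
            raise ValueError("mapping must define 'userid' and 'manager'")

    def find_by_userid(self, userid):
        attr = self.mapping["userid"]
        for dn, entry in self.directory.items():
            if entry.get(attr, "").lower() == userid.lower():
                return dn, entry
        return None

    def user_details(self, userid):
        found = self.find_by_userid(userid)
        if found is None:
            return None
        _, entry = found
        details = {field: entry.get(attr) for field, attr in self.mapping.items()}
        # The manager attribute holds a DN; resolve it to the manager's user ID,
        # which is what approver determination by manager needs.
        manager_dn = details.get("manager")
        manager_entry = self.directory.get(manager_dn) if manager_dn else None
        details["manager"] = manager_entry.get(self.mapping["userid"]) if manager_entry else None
        details["source"] = self.name
        return details


def lookup_user(sources, userid):
    """Search the configured data sources in order; the first hit wins."""
    for source in sources:
        details = source.user_details(userid)
        if details is not None:
            return details
    return None
```

Note the failure mode the model makes visible: a user whose manager attribute is empty, or whose manager DN cannot be resolved, gets no manager, and a stage that determines its approver by manager then has nobody to route to. Checking for such entries in the directory before go-live avoids stalled requests.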
Advanced Workflows
Advanced workflows include:
• Escalations
• Detours
• Rerouting
• Forwarding
Escalations
Escalations are configured at the stage level, and dictate how to handle a request when an approver fails to respond within the time allotted during stage definition. Options for escalation are:
• No Escalation (default setting): Compliant User Provisioning waits for the approver’s response – even after the specified wait time passes – and does not take any steps to resolve the stalled request. The approver approves or rejects the request. An administrator can manually resolve the problem by approving on behalf of the assigned approver, forwarding the request to another approver, or rerouting the request.
• Forward to Next Stage: Compliant User Provisioning ignores the expected approval at this stage and proceeds to the next stage in the path. If you select this option – even if the designated approver does not respond to the request – it does not prevent the request from being approved. Use caution with this option, since it allows the request to bypass the defined approvers.
• Forward to Alternate Approver: This provides a fallback option if the designated approver does not respond within the allotted time. Compliant User Provisioning reassigns the approver. Alternate approvers must be maintained for the approver determinator of the stage where this option is set. Escalation to an alternate approver happens only once; there is no alternate approver for the alternate. After the system escalates the approval for the stage to the alternative approver, the original approver no longer has access to approve or reject the request.
• Forward to Administrator: If the approver fails to respond within the allotted time, Compliant User Provisioning forwards the request to the administrator. The administrator’s information must be maintained on the Configuration Support screen for this option to work.
Detours
Detours are standalone workflows that assume management of a request from a main
workflow. Detours are not subsets or dependents of main workflows. They do not
have initiators, so they cannot be triggered by a submitted request. If the state of a
request meets predefined conditions, a main workflow passes control of the request to
a detour workflow.
The type of event that triggers a detour is typically one that prevents a main workflow
from proceeding on its defined path. If something occurs that interferes with a request,
the main workflow can be configured to pass the request to a detour workflow.
For example, you can design a workflow to handle a single request that includes more
than one role. If an approver denies one of the roles in the request, you might want the
remainder of the request to proceed. Rather than aborting the request, you can have
the main workflow transfer it to a detour workflow. The detour can then continue the
approval process for the remaining roles.
The structure of a detour workflow is similar to the structure of a main workflow. It
has a defined starting point and a sequence of one or more stages. At each stage of the
detour, an approver must approve the request before it can proceed.
Rerouting
Rerouting is an option that allows the approver to reroute the request to a previous stage as an alternative to rejecting the request entirely. Rerouting does not apply if the approver chooses to approve the request.
Forwarding
Forwarding allows the approver to forward the request to someone else for approval.
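The four escalation options, the detour for a partially denied multi-role request, rerouting to a previous stage and forwarding, as an added example that models the behaviour described in this lesson. This is illustrative code, not SAP's workflow engine; stage names, approvers, wait times, the escalation constants and the request content are constructed assumptions:

```python
"""Added example (not SAP's code): a small model of stage-level exception
handling: the four escalation options, a detour that takes over a partially
denied multi-role request, rerouting to a previous stage and forwarding to
another approver.  All stage names, approvers and wait times are constructed."""
from dataclasses import dataclass, field

NO_ESCALATION, FORWARD_NEXT, FORWARD_ALTERNATE, FORWARD_ADMIN = range(4)


@dataclass
class Stage:
    name: str
    approver: str
    wait_days: int = 3
    escalation: int = NO_ESCALATION
    alternate: str = None          # required only for FORWARD_ALTERNATE


@dataclass
class Request:
    roles: list
    approver: str                  # current assignee; may differ from the stage default
    stage: int = 0
    days: int = 0
    status: str = "OPEN"
    escalated: bool = False        # escalation to an alternate or admin happens only once
    log: list = field(default_factory=list)


class Workflow:
    def __init__(self, stages, admin=None, detour=None):
        self.stages, self.admin, self.detour = stages, admin, detour

    def submit(self, roles):
        return Request(list(roles), self.stages[0].approver)

    def _enter(self, req, index):
        if index >= len(self.stages):          # past the last stage: request approved
            req.status = "APPROVED"
            req.log.append("approved")
            return
        req.stage, req.days, req.escalated = index, 0, False
        req.approver = self.stages[index].approver

    def _check(self, req, user):
        if req.status != "OPEN":
            raise ValueError(f"request is {req.status}")
        if user != req.approver:               # the original approver loses access after escalation
            raise PermissionError(f"{user} is not the current approver")

    def decide(self, req, user, approved):
        """Approve a subset of the roles; returns the request that continues (may be a detour)."""
        self._check(req, user)
        denied = [r for r in req.roles if r not in approved]
        if not denied:
            self._enter(req, req.stage + 1)
            return req
        if self.detour is None or not approved:
            req.status = "REJECTED"
            req.log.append(f"rejected: {denied}")
            return req
        # Detour: the denied roles are dropped and the remaining roles continue
        # in the detour workflow, which has its own stages and approvers.
        req.status = "DETOURED"
        req.log.append(f"detour: dropped {denied}")
        detour_req = self.detour.submit([r for r in req.roles if r in approved])
        detour_req.log = req.log
        return detour_req

    def reroute(self, req, user, stage_name):
        self._check(req, user)
        targets = [i for i, s in enumerate(self.stages) if s.name == stage_name]
        if not targets or targets[0] >= req.stage:
            raise ValueError("a request can only be rerouted to a previous stage")
        req.log.append(f"rerouted to {stage_name}")
        self._enter(req, targets[0])

    def forward(self, req, user, new_approver):
        self._check(req, user)
        req.approver = new_approver
        req.log.append(f"forwarded to {new_approver}")

    def tick(self, req, days):
        """Advance the clock; apply the stage's escalation once the wait time is exceeded."""
        if req.status != "OPEN":
            return
        req.days += days
        st = self.stages[req.stage]
        if req.days <= st.wait_days or req.escalated:
            return                              # still waiting, or already escalated once
        if st.escalation == FORWARD_NEXT:       # bypasses this stage's approver entirely
            req.log.append(f"escalation: skipped {st.name}")
            self._enter(req, req.stage + 1)
        elif st.escalation == FORWARD_ALTERNATE:
            if st.alternate is None:
                raise ValueError(f"no alternate approver maintained for {st.name}")
            req.approver, req.escalated = st.alternate, True
            req.log.append(f"escalation: alternate approver {st.alternate}")
        elif st.escalation == FORWARD_ADMIN:
            if self.admin is None:
                raise ValueError("administrator not maintained on the Configuration Support screen")
            req.approver, req.escalated = self.admin, True
            req.log.append("escalation: administrator")
        # NO_ESCALATION: the request simply keeps waiting for the approver
```

The model makes the caution in the text concrete: with Forward to Next Stage on the last stage, a request nobody acted on ends up approved, so that option belongs only on stages whose approval is not the control you rely on.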
Exercise 11: Workflow Creation Workshop (Group Exercise)
Exercise Objectives
After completing this exercise, you will be able to:
• Define a process to create a new employee account
• Define a process to change the roles of an existing account
• Design the process (on a whiteboard), identify the needed data, and estimate data that is already stored in the system
Business Example
As a business expert, you are working in a small team to design two workflows:
Create Account and Change Existing Account. At the end of the breakout session,
your team is responsible for presenting and arguing their decisions.
Task 1:
This exercise is a group exercise that will be performed in groups of three or less.
1. Define a process to create a new employee account.
2. Define a process to change the roles of an existing account.
3. Design the process (on a whiteboard), identify the needed data, and estimate data that is already stored in the system.
Task 2:
Discussion questions to help with the design process:
1. What information is needed for user creation?
2. Where is the information stored?
3. Which approval steps are necessary?
4. Who removes the old roles?
5. Who checks the correct responsibilities and authorizations?
6. What happens with accounts from employees that leave the company?
7. Who informs about leaving?
8. What happens with long runtime of processes?
9. What happens if an approver is on vacation (escalation when and to whom)?
Solution 11: Workflow Creation Workshop (Group Exercise)
Task 1:
This exercise is a group exercise that will be performed in groups of three or less.
1. Define a process to create a new employee account.
a)
2. Define a process to change the roles of an existing account.
a)
3. Design the process (on a whiteboard), identify the needed data, and estimate data that is already stored in the system.
a)
Task 2:
Discussion questions to help with the design process:
1. What information is needed for user creation?
a)
2. Where is the information stored?
a)
3. Which approval steps are necessary?
a)
4. Who removes the old roles?
a)
5. Who checks the correct responsibilities and authorizations?
a)
6. What happens with accounts from employees that leave the company?
a)
7. Who informs about leaving?
a)
8. What happens with long runtime of processes?
a)
9. What happens if an approver is on vacation (escalation when and to whom)?
a)
Lesson Summary
You should now be able to:
• Explain the main advantages of Compliant User Provisioning and discuss how it can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required approval steps and risk analysis, and the final provisioning in the back-end system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager information
• Explain and configure workflow exception handling using escalations, detours, rerouting, and forwarding
• Configure an advanced user provisioning workflow
Unit Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Compliant User Provisioning
• Upload initial data
• Explain how to configure the user data source
• Define the authentication system for requestors
• Describe how to configure the Web service call to Risk Analysis and Remediation
• Explain how to connect Compliant User Provisioning to a back-end system
• Explain how to export and import configuration settings in order to perform transports from development to production
• Explain the workflow basics: initiator, stage, path, approver determinator
• Explain stage customizing options
• Name other areas for which the workflow functionality of SAP BusinessObjects Access Control can be used: risk maintenance, control maintenance, mitigation activities, user maintenance, role maintenance, and requesting superuser access
• Use the workflow functionality to ensure a comprehensive and compliant change management process for risk and control maintenance
• Describe the required configuration steps and the business background of using this functionality
• Configure the workflow for User Access Review
• Configure the workflow for User SoD Review
• Explain the main advantages of Compliant User Provisioning and discuss how it can be used to ensure continuous compliance within your organization
• Describe and demonstrate a typical request initiated by an end user, the required approval steps and risk analysis, and the final provisioning in the back-end system
• Describe the workflow creation process (plan, implement, test, and adjust)
• Describe the password-sending options
• Explain the usage of default roles, role mapping, and user defaults
• Describe the LDAP connector and LDAP mapping to retrieve manager information
• Explain and configure workflow exception handling using escalations, detours, rerouting, and forwarding
• Configure an advanced user provisioning workflow
Unit 4: Superuser Privilege Management Overview
Unit Overview
This unit discusses the configuration of Superuser Privilege Management. It also
discusses how Superuser Privilege Management can be used as a key mitigation
control to ensure continuous compliance.
Unit Objectives
After completing this unit, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Superuser Privilege Management
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure continuous compliance
• Implement a workflow to improve the request for superuser access rights with help of SAP BusinessObjects Access Control
Unit Contents
Lesson: Superuser Privilege Management Installation Verification and
Configuration ........................................................................ 196
Lesson: Superuser Privilege Management Overview.......................... 200
Exercise 12: Superuser Privilege Management ............................ 203
Lesson: Superuser Privilege Management Installation Verification and Configuration
Lesson Overview
In this lesson, you will learn about the required post-installation steps for Superuser
Privilege Management.
Lesson Objectives
After completing this lesson, you will be able to:
•
List the required steps after installation of SAP BusinessObjects Access Control
Superuser Privilege Management
Business Example
In order to set up a project plan for the implementation of SAP BusinessObjects
Access Control Superuser Privilege Management in your organization, you need to
familiarize yourself with the efforts required for the solution setup.
Post-Installation Steps
During Superuser Privilege Management post-installation, it is important to verify that the RFC connection has been created.
1. Go to transaction SM59 and verify that the RFC connection has been created.
2. Schedule a Superuser Privilege Management background job for logging (SM36 > /VIRSA/ZVFATBAK).
3. Create a Superuser Privilege Management ID through transaction SU01.
Figure 61: SM59
Figure 62: SM36
Figure 63: SU01
Lesson Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Superuser Privilege Management
Lesson: Superuser Privilege Management Overview
Lesson Overview
This lesson will review the process of implementing Superuser Privilege Management.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure continuous compliance
• Implement a workflow to improve the request for superuser access rights with help of SAP BusinessObjects Access Control
Business Example
You want to implement Superuser Privilege Management in your organization to
eliminate the excessive authorizations and risks that your company experiences with
the current emergency user approach.
Superuser Privilege Management
Superuser Privilege Management helps to eliminate superusers in the production
environment. There are a few ways to use the application. One is to allow emergency
changes in the production environment; in this case, Superuser Privilege Management
provides an environment where it is monitoring the use of the system. The second
way is to allow functional users to have a superuser level of access to perform some
business functions that are not part of their daily process, for example, month-end
close.
Defining Users
Before you use Superuser Privilege Management, you need to identify:
1. Who the owners of the IDs will be
2. Who the controllers will be
3. Which users will need to log on through Superuser Privilege Management
You need to define these three types of users because their user information must be entered into Superuser Privilege Management once configuration is complete. This also aids in providing the correct role assignments for the users. The roles begin with the format /VIRSA/Z_VFAT.
Functionality
After you have assigned a user to the application as a Firefighter and that user has the
required role, the user is now able to log on to the application and see the following
screen.
Figure 64: Superuser Privilege Management Logon Screen
If a user is required to log on for a process that only occurs once a month, you can
use Superuser Privilege Management to give the user access through a Firefighter
ID that is only useful for that purpose.
Figure 65: Reason Code Example
Implementing
There are a few additional items to consider when implementing Superuser Privilege
Management:
• Identify what risks are going to be involved within the Firefighter ID.
• Ensure that only the necessary access is given, and not SAP_ALL, to the user ID.
Workflow Integration
Superuser Privilege Management can be integrated into the workflow process of
Compliant User Provisioning. It works by having someone approve the request for the
Firefighter ID and, after approval, the owner of Superuser Privilege Management can
grant access to that user.
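The following is an added example, not code from the GRC300 handbook or from SAP: a small model of the Firefighter ID check-out that Superuser Privilege Management controls, covering the owner-maintained mapping with its validity window, the refusal of a second session on an occupied Firefighter ID, and the log the controller reviews afterwards. The user IDs follow the exercise placeholders with "##" replaced by 01 and 02; the record layout, reason codes and dates are constructed.

```python
# Added example, not from the GRC300 handbook or SAP's own code. All data is constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FirefighterAssignment:
    """One row of the owner-maintained Firefighter user mapping (constructed layout)."""
    firefighter_id: str
    owner: str
    controller: str
    user: str
    valid_from: date
    valid_to: date


class FirefighterService:
    """Hands out Firefighter IDs: only to mapped users, only inside the validity window,
    one active session per Firefighter ID, and every event logged for the controller."""

    def __init__(self, assignments):
        self.assignments = list(assignments)
        self.active = {}   # firefighter_id -> user who currently holds the session
        self.log = []      # entries the owner/controller reviews afterwards

    def _find_assignment(self, user, ff_id, today):
        for a in self.assignments:
            if (a.user == user and a.firefighter_id == ff_id
                    and a.valid_from <= today <= a.valid_to):
                return a
        return None

    def _record(self, event, ff_id, user, detail):
        self.log.append({"event": event, "firefighter_id": ff_id,
                         "user": user, "detail": detail})

    def checkout(self, user, ff_id, reason_code, today):
        """Start a Firefighter session; returns (granted, message for the user)."""
        if self._find_assignment(user, ff_id, today) is None:
            self._record("DENIED", ff_id, user, "no valid mapping for this date")
            return False, f"{user} is not mapped to {ff_id} on {today.isoformat()}"
        holder = self.active.get(ff_id)
        if holder is not None:
            # A second session of an occupied Firefighter ID is refused; the requester
            # learns who holds it and can send that user a message (exercise steps 10-11).
            self._record("BUSY", ff_id, user, f"requested while held by {holder}")
            return False, f"{ff_id} is currently in use by {holder}"
        self.active[ff_id] = user
        self._record("CHECKOUT", ff_id, user, f"reason code {reason_code}")
        return True, f"session with {ff_id} started"

    def run_transaction(self, user, ff_id, tcode):
        """Record a transaction executed inside the user's Firefighter session."""
        if self.active.get(ff_id) != user:
            return False
        self._record("TCODE", ff_id, user, tcode)
        return True

    def checkin(self, user, ff_id):
        """End the session so the Firefighter ID becomes available again."""
        if self.active.get(ff_id) != user:
            return False
        del self.active[ff_id]
        self._record("CHECKIN", ff_id, user, "session ended")
        return True

    def controller_report(self, controller):
        """Log entries for the Firefighter IDs a given controller is responsible for."""
        ids = {a.firefighter_id for a in self.assignments if a.controller == controller}
        return [e for e in self.log if e["firefighter_id"] in ids]


def demo(today=date(2010, 3, 31)):
    """Month-end payment run through a Firefighter ID, then a refused second session."""
    window = (date(2010, 1, 1), date(2010, 12, 31))
    svc = FirefighterService([
        FirefighterAssignment("GRCFFID-01", "GRCFFOWN-01", "GRCFFOWN-01", "GRCBIZZ-01", *window),
        FirefighterAssignment("GRCFFID-01", "GRCFFOWN-01", "GRCFFOWN-01", "GRCBIZZ-02", *window),
    ])
    granted, _ = svc.checkout("GRCBIZZ-01", "GRCFFID-01", "MONTH_END_PAYMENT_RUN", today)
    ran = svc.run_transaction("GRCBIZZ-01", "GRCFFID-01", "F110")
    second, message = svc.checkout("GRCBIZZ-02", "GRCFFID-01", "PAYMENT_RUN", today)
    expired, _ = svc.checkout("GRCBIZZ-01", "GRCFFID-01", "LATE", date(2011, 1, 5))
    svc.checkin("GRCBIZZ-01", "GRCFFID-01")
    return granted, ran, second, message, expired, svc


if __name__ == "__main__":
    *_, svc = demo()
    for entry in svc.controller_report("GRCFFOWN-01"):
        print(entry)
```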
Exercise 12: Superuser Privilege Management
Exercise Objectives
After completing this exercise, you will be able to:
• Verify the configuration of Superuser Privilege Management
• Create messages in case of occupied firefighter IDs
• Take over a firefighter session to initiate the payment run
Business Example
Since payment of vendors is a critical transaction, the security department has decided
to use Superuser Privilege Management as a preventive control. As an internal auditor
you need to verify if your emergency access process is well defined and properly
configured in the back-end system.
Task 1:
Access Superuser Privilege Management and make sure that the default roles have
been assigned, especially the administrator role.
1. Verify that the Firefighter ownership model was correctly implemented.
2. Log on to the SAP back-end system with the user GRCFFADM-## and check in
   transaction SU01D if the owner (GRCFFOWN-##) has appropriate authorizations to be
   able to enter the Firefighter application and maintain the Firefighter user mapping
   table.
3. Identify the Firefighter ID for which your owner is responsible.
4. Verify the Firefighter end user and Firefighter ID.
5. Log on as user GRCFFADM-## and check in transaction SU01D if the correct role was
   assigned to the Firefighter end user (GRCBIZZ-##).
6. Log on as user GRCFFADM-## and check in transaction SU01D if the correct
   firefighter role and a business role were assigned to the Firefighter ID (GRCFFID-##).
7. Log on as owner (GRCFFOWN-##) and verify the mapping inside the Firefighter
   Application (choose the Firefighters button). The business user (GRCBIZZ-##) should
   be able to use the Firefighter ID (GRCFFID-##) to start a payment run. Make sure the
   current date is covered by this time frame.
8. Log on as GRCBIZZ-## and start the payment run. What happens?
9. As the same user (GRCBIZZ-##) go to the firefighter application (/n/virsa/vfat), log
   on as the available Firefighter, and execute a payment run in F110.
10. Try to open a second session of the same Firefighter ID. What happens?
11. Write a message to inform yourself that the Firefighter ID is requested by another
    user.
Note: Before performing the next exercise, wait until the instructor has updated the Log
Report manually so that the recent activities are available in reporting: Transaction:
/n/VIRSA/ZVFAT_V01 -> button "Update Firefighter Log"
Task 2:
Act as an owner/controller.
1. Log on as Owner (GRCFFOWN-##) and start the firefighter application.
2. Use your Web browser to access the firefighter reporting information.
Solution 12: Superuser Privilege Management
Task 1:
Access Superuser Privilege Management and make sure that the default roles have
been assigned, especially the administrator role.
1. Verify that the Firefighter ownership model was correctly implemented.
2. Log on to the SAP back-end system with the user GRCFFADM-## and check in
   transaction SU01D if the owner (GRCFFOWN-##) has appropriate authorizations to be
   able to enter the Firefighter application and maintain the Firefighter user mapping
   table.
3. Identify the Firefighter ID for which your owner is responsible.
4. Verify the Firefighter end user and Firefighter ID.
5. Log on as user GRCFFADM-## and check in transaction SU01D if the correct role was
   assigned to the Firefighter end user (GRCBIZZ-##).
6. Log on as user GRCFFADM-## and check in transaction SU01D if the correct
   firefighter role and a business role were assigned to the Firefighter ID (GRCFFID-##).
   a) Write down the assigned Firefighter role. Write down the business role.
7. Log on as owner (GRCFFOWN-##) and verify the mapping inside the Firefighter
   Application (choose the Firefighters button). The business user (GRCBIZZ-##) should
   be able to use the Firefighter ID (GRCFFID-##) to start a payment run. Make sure the
   current date is covered by this time frame.
   a) Identify the end user who is able to use your Firefighter ID.
8. Log on as GRCBIZZ-## and start the payment run. What happens?
9. As the same user (GRCBIZZ-##) go to the firefighter application (/n/virsa/vfat), log
   on as the available Firefighter, and execute a payment run in F110.
10. Try to open a second session of the same Firefighter ID. What happens?
11. Write a message to inform yourself that the Firefighter ID is requested by another
    user.
Note: Before performing the next exercise, wait until the instructor has updated the Log
Report manually so that the recent activities are available in reporting: Transaction:
/n/VIRSA/ZVFAT_V01 -> button "Update Firefighter Log"
Task 2:
Act as an owner/controller.
1. Log on as Owner (GRCFFOWN-##) and start the firefighter application. Have a look at
   the log. What can you see?
   a) You can find the logs in the toolbox area.
2. Use your Web browser to access the firefighter reporting information. Open the
   following URL and log on as user GRC300-##:
   http://servername:50000/webdynpro/dispatcher/sapgrc/ffappcomp/Firefighter. What is
   the most important difference between ABAP and the Web Interface?
   a) The Web Interface provides a single point of control, so it is possible to access
   the data of different firefighter installations on different SAP back-end systems.
   Consequently, it is not necessary to log on to each system to view the reports.
Lesson Summary
You should now be able to:
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure
  continuous compliance
• Implement a workflow to improve the request for superuser access rights with help of
  SAP BusinessObjects Access Control
Unit Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control
  Superuser Privilege Management
• Explain how Superuser Privilege Management works
• Configure Superuser Privilege Management as a key mitigation control to ensure
  continuous compliance
• Implement a workflow to improve the request for superuser access rights with help of
  SAP BusinessObjects Access Control
Unit 5
Enterprise Role Management Overview
Unit Overview
This unit discusses the configuration of Enterprise Role Management. You will
learn how Enterprise Role Management can prevent the uncontrolled creation of
noncompliant roles. This unit also describes and demonstrates the concepts of role
ownership and change management approvals to support a controlled process of
handling the life cycle of SAP roles within the customer landscape.
Unit Objectives
After completing this unit, you will be able to:
• List the steps required after installation of SAP BusinessObjects Access Control
  Enterprise Role Management
• Explain how to connect the Enterprise Role Management component to a back-end
  system
• Explain the export and import configuration settings that are necessary to perform
  transports from development to production
• Explain how Enterprise Role Management can prevent the uncontrolled creation of
  noncompliant roles
• Describe and demonstrate the concept of role ownership and change management
  approvals to support a controlled process of handling the life cycle of SAP roles
  within the customer landscape
• Name the role attributes
• Configure a naming convention and enforcement
• Explain and configure organizational value mapping
• Set up a role creation methodology, condition groups, and role approvers
• Configure an approval workflow for role maintenance in the Workflow Engine
• Create a new role using the defined naming conventions
• Add transactions to the role
• Use the PFCG
• Maintain the authorization objects of the role
• Create a derived role without using the organizational value map
• Perform a risk analysis
• Approve the newly created role within the Workflow Engine
• Generate the role in the back-end system
Unit Contents
Lesson: Enterprise Role Management Installation Verification and Configuration ...... 213
Lesson: Enterprise Role Management Overview............................... 225
Lesson: Enterprise Role Management Configuration Review ................ 229
Exercise 13: Enterprise Role Management ................................. 237
Lesson: Enterprise Role Management Workflow Steps ....................... 244
Exercise 14: Role Mass Maintenance ....................................... 247
Lesson: Enterprise Role Management Installation Verification and Configuration
Lesson Overview
This lesson discusses installation verification and post-install configuration for
Enterprise Role Management.
Lesson Objectives
After completing this lesson, you will be able to:
• List the steps required after installation of SAP BusinessObjects Access Control
  Enterprise Role Management
• Explain how to connect the Enterprise Role Management component to a back-end
  system
• Explain the export and import configuration settings that are necessary to perform
  transports from development to production
Business Example
In order to set up a project plan for the implementation of SAP BusinessObjects
Access Control Enterprise Role Management in your organization, you need to
familiarize yourself with the efforts required to set up the business scenario.
Required Steps after Installation of SAP BusinessObjects
Access Control for Enterprise Role Management (ERM)
Enterprise Role Management allows you to create and maintain roles to reflect your
business model and requirements. You should set up a functional environment and test
it thoroughly before attempting to use it in a production environment.
Configuring Enterprise Role Management
SAP recommends that you configure certain functions before others in Enterprise Role
Management. You should configure in the following order.
1. Set up initial logon to Enterprise Role Management.
   Note: This should have been done with the system install.
2. Import initial system data.
   Note: This should have been done with the system install.
3. Define the system landscape.
4. Configure management of role attributes.
5. Configure management of condition groups.
6. Set up role creation methodology.
7. Configure management of naming conventions.
8. Configure management of organizational value mapping.
9. Configure Risk Analysis and Remediation.
10. Configure workflow management.
11. Configure Compliant User Provisioning.
You can configure the following functions in any order:
• Enterprise Role Management system logs
• Management of background jobs
• Mass role import
• Other functions
Verify Installation Steps
Verify that you are able to log on to Enterprise Role Management by accessing
Enterprise Role Management from the SAP BusinessObjects Access Control launch
pad.
Verify that the initial system data has been uploaded. Select the Configuration tab and
choose Methodology → Step. If there are steps identified, the initial system data
has been uploaded.
System Landscape Definition
A system landscape is a configuration of systems where role definition, creation,
testing, and risk analysis are performed. Prior to creating a landscape, you must define
the systems, determine the system in which you plan to generate roles, and decide
which system you plan to use for risk analysis purposes only. Then you can create a
system landscape where each system is associated with the actions to be used in
the role management process.
Caution: If you adhere to change control procedures in your ERP application
(where all roles are created in development, then transported to quality
assurance/production), you should not have a production system in your
landscape associated with role generation.
You can set up different types of connectors in Enterprise Role Management, including
Enterprise, non-SAP, SAP, and SAP Enterprise Portal connectors.
• Enterprise, non-SAP, and SAP Enterprise Portal connectors are descriptive
  connectors used to document the landscape to which each role belongs.
• The SAP connector is a live system connector that facilitates the transfer of data
  between Enterprise Role Management and other SAP ABAP systems.
A system landscape is a logical grouping of systems. A landscape contains more than
one system and is populated by assigning systems and then associating them with a
predefined action or actions. Associating actions with a system defines which action is
performed in which system within a particular landscape.
Hint: You can associate role risk analysis with a test system or a production
system, and role generation with a development system.
Note: The actions available for you to associate the connectors are delivered
with Enterprise Role Management. You cannot create your own actions.
Configuring Management of Role Attributes
Role attributes are the details that define a role during the role definition and creation
process. You determine values for each attribute during Enterprise Role Management
configuration and then assign or input the defined attributes when you create a role.
Role attributes you can manage include:
• Business Processes
  A business process is a collection of related activities that produces something
  of value for your organization or business and is categorized according to
  the organizational structure of your enterprise. A business process can be
  managerial, operational, or supporting, and can be defined narrowly or broadly,
  depending on your business needs. When you create a role in Enterprise Role
  Management, the business process you assign to the role is one of the role’s
  defining attributes and determines which subprocesses you can assign to that role.
• Business Subprocesses
  A business process can be divided into several business subprocesses, each
  with its own attributes. A business process typically contains one or more
  subprocesses.
• Functional Areas
  A functional area is a classification of processes for a department or business
  process. Within SAP, a functional area is used to organize certain activities
  within a department or business process. In Enterprise Role Management, a
  functional area is a role attribute used to categorize roles and define the approval
  and role maintenance processes. In addition, a functional area is used to filter the
  results of a role search, identifying only those roles associated with a specific
  functional area.
• Custom Fields
  Custom fields allow you to add attributes to a role that are specific to your
  company or organization. For example, if you want to distinguish a role by
  region, add a custom attribute and assign a specific region when you create
  the role.
• Projects and Releases
  The project or release can be a project name, release name, or release number
  that you want to associate with a particular role. The Project or Release ID
  field allows you to track and filter roles by project or release, based on your
  organization’s requirements.
Configuring Management of Condition Groups
A condition group is defined from a set of role attributes (such as a business process,
subprocess, functional area, role type, or role name) and is based on role values and
conditions. After you create a condition group, the system applies it to a role creation
process to override the default role creation process when the criteria from the
condition group are met. You can apply multiple condition groups in one role creation
process, but you cannot associate multiple processes to one condition group.
Setting Up Role Creation Methodology
The role creation process consists of predefined methodology actions and the
methodology steps associated with those actions. The steps then create a methodology,
which guides you through the process of defining, generating, and testing a role during
role creation. Enterprise Role Management is delivered with the predefined role
methodology process “Virsa Default Process.” You can also configure your own role
creation process according to your organization’s requirements.
Methodology steps are the steps to create a role during the role creation process.
Based on these steps, you can tell which phase of the role creation process a role is in.
Enterprise Role Management allows you to create methodology steps and associate
them with predefined actions provided within Enterprise Role Management. After
you associate the steps with the predefined actions, you can create a role methodology
process.
Configuring the Management of Naming Conventions
You create naming conventions to enforce role- and profile-naming standards during
the role creation process. Naming conventions are specific to a system landscape and
role type. The landscape and role type determine the attributes that can be assigned
to a naming convention.
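The following is an added example, not code from the GRC300 handbook or from SAP, covering the two mechanisms described in the condition group and naming convention sections above: condition groups whose criteria over role attributes override the default role creation process (several groups may apply, but each group leads to exactly one process), and a naming convention that is specific to a system landscape and role type. Apart from "Virsa Default Process", the process names, attribute codes, segment syntax and sample roles are constructed.

```python
# Added example, not from the GRC300 handbook or SAP's own code. Configuration is constructed.
import re
from dataclasses import dataclass

DEFAULT_PROCESS = "Virsa Default Process"   # delivered default methodology process


@dataclass(frozen=True)
class ConditionGroup:
    """Criteria over role attributes; a group is associated with exactly one process."""
    name: str
    criteria: dict      # attribute name -> required value
    process: str


def select_process(role_attrs, groups):
    """Return (process to run, names of the condition groups that matched).
    A matching group overrides the default; several groups may match as long as they
    all lead to the same process, otherwise the configuration is ambiguous."""
    matched = [g for g in groups
               if all(role_attrs.get(k) == v for k, v in g.criteria.items())]
    processes = {g.process for g in matched}
    if len(processes) > 1:
        raise ValueError("conflicting condition groups: "
                         + ", ".join(g.name for g in matched))
    return (processes.pop() if processes else DEFAULT_PROCESS), [g.name for g in matched]


@dataclass(frozen=True)
class NamingConvention:
    """Name layout for one landscape and role type: literal text and attribute codes
    in name order, followed by a free-text part."""
    landscape: str
    role_type: str
    segments: tuple     # ("lit", "Z_") or ("attr", "business_process")
    codes: dict         # attribute name -> {attribute value: code written in the name}
    free_text: str = r"[A-Z0-9]{1,12}"

    def pattern(self, role_attrs):
        """Regular expression the role name must match for the given attributes."""
        parts = []
        for kind, value in self.segments:
            if kind == "lit":
                parts.append(re.escape(value))
            else:
                code = self.codes.get(value, {}).get(role_attrs.get(value))
                if code is None:
                    raise ValueError(f"no naming code for {value}={role_attrs.get(value)!r}")
                parts.append(re.escape(code))
        return "".join(parts) + self.free_text


def check_role_name(role_name, role_attrs, conventions):
    """Return [] when the name complies with the convention for the role's landscape
    and role type, otherwise a list of problems."""
    match = [c for c in conventions
             if c.landscape == role_attrs.get("landscape")
             and c.role_type == role_attrs.get("role_type")]
    if not match:
        return [f"no naming convention for landscape {role_attrs.get('landscape')!r} "
                f"and role type {role_attrs.get('role_type')!r}"]
    try:
        pattern = match[0].pattern(role_attrs)
    except ValueError as exc:
        return [str(exc)]
    if re.fullmatch(pattern, role_name) is None:
        return [f"{role_name!r} does not match the convention {pattern}"]
    return []


# Constructed configuration: two condition groups and one naming convention.
CONDITION_GROUPS = [
    ConditionGroup("Finance single roles",
                   {"business_process": "Finance", "role_type": "Single"},
                   "Finance Single Role Process"),
    ConditionGroup("Procurement roles", {"business_process": "Procurement"},
                   "Procurement Role Process"),
]
CONVENTIONS = [
    NamingConvention("DEV_LANDSCAPE", "Single",
                     (("lit", "Z_"), ("attr", "business_process"), ("lit", "_"),
                      ("attr", "functional_area"), ("lit", "_")),
                     {"business_process": {"Finance": "FI", "Procurement": "MM"},
                      "functional_area": {"Accounts Payable": "AP", "Purchasing": "PU"}}),
]

if __name__ == "__main__":
    role = {"landscape": "DEV_LANDSCAPE", "role_type": "Single",
            "business_process": "Finance", "functional_area": "Accounts Payable"}
    print(select_process(role, CONDITION_GROUPS))
    print(check_role_name("Z_FI_AP_PAYRUN", role, CONVENTIONS))
    print(check_role_name("ZFI_AP_PAYRUN", role, CONVENTIONS))
```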
Configuring the Management of Organizational Value Mapping
If you want to restrict user access by organizational area, you can use the
organizational value mapping feature to map roles to different organizational levels.
To define all associated organizational values, you can create an organizational value
map for each organizational area (such as North America, Europe, or Asia Pacific).
Prior to creating an organizational value map, you must run a background job to
import existing organizational fields and values from your SAP ERP system. After the
initial import, you can create a background job to schedule periodic synchronization
to keep the data updated.
You always create an organizational value map with a primary organizational level
and value, because Enterprise Role Management uses that to store and search
for the organizational value. You can create multiple maps for the same primary
organizational level and value combination. After the primary organizational level and
value are set, you can define the values for all child organizational levels to complete
the organizational value map.
Configuration for Risk Analysis Integration with Risk Analysis and Remediation
Enterprise Role Management works directly with Risk Analysis and Remediation to
perform the following functions:
• Risk analysis
• Risk mitigation
• Authorization function search
• Transaction usage
To configure Enterprise Role Management Web services for Risk Analysis and
Remediation:
1. On the Configuration tab in Enterprise Role Management, navigate to Miscellaneous.
2. Scroll to the Web Service Info. for CC Risk Analysis section.
3. Determine if Risk Analysis and Remediation is deployed on the same SAP NetWeaver
   server.
   If it is on the same server, select Do not use Web Service and skip the configuration
   for CC Risk Analysis in step 4. For this option, Enterprise Role Management integrates
   with Risk Analysis and Remediation using a Web service within the Web server to
   facilitate faster integration. Configuration for all other Web services in step 4 is
   still required.
   If it is not on the same server, select Use Web Service and continue with step 4 to
   configure all Web services.
4. On the Configuration tab, identify the correct Risk Analysis and Remediation Web
   service URLs, and then enter each in its corresponding field on the following screens:
   • Web Service Info. for CC Risk Analysis
   • Web Service Info. for CC Transaction Usage
   • Web Service Info. for Mitigation Control
   • Web Service Info. for CC Functions
5. Enter the Web service user name and password in each of the Web Service Info. for CC
   screen fields.
   Hint: Obtain the Web service user name and password for the Web services from your
   system administrator. This user communicates across SAP BusinessObjects GRC solution
   capabilities through the Web services configured in each application.
   Use the same user name and password information from the connector and create a
   common Web user in the User Management Engine (UME) for all capabilities. Using the
   same user for all Web service configurations across the SAP BusinessObjects GRC
   solution helps avoid integration issues caused by incorrect user name, password, or
   authorizations.
6. Choose Save.
Configuration for Workflow Management
Enterprise Role Management integrates with Compliant User Provisioning for role
approval workflow. As part of the integration, a role approver to be used by the
approval workflow is defined during the role creation process.
During the role creation process, you can manually define approvers and alternate
approvers for each role, or you can allow Enterprise Role Management to
automatically assign approvers and alternate approvers to that role based on the
approval criteria you create and the role attributes the user selects.
To create approval criteria, you assign approvers and alternate approvers for a set
of role attributes or conditions.
Configuration of Integration with Compliant User Provisioning
Enterprise Role Management integrates with Compliant User Provisioning for the
role approval workflow feature. During the approval phase, the role is submitted for
approval using the Compliant User Provisioning approval workflow.
To configure Enterprise Role Management's Web services for Compliant User
Provisioning:
1. On the Configuration tab in Enterprise Role Management, choose Miscellaneous. The
   Configuration screen appears.
2. Identify the correct Compliant User Provisioning Web service URL. Copy the URL for
   AEWFRequestSubmissionService_5_2 and paste the URL into the Workflow URL field in
   the Web Service Info. for AE Workflow section.
3. Choose Save to save your selections.
Connecting Enterprise Role Management to a Back-End
System
You can set up different types of connectors in Enterprise Role Management. These
include Enterprise, non-SAP, SAP, and SAP EP connectors.
• Enterprise, non-SAP, and SAP EP connectors are descriptive connectors used to
  document the landscape to which each role belongs.
• The SAP connector is a live system connector that facilitates the transfer of data
  between Enterprise Role Management and other SAP ABAP systems.
When setting up a landscape, you specify how you want Enterprise Role Management
to communicate with the target systems by associating the connectors with predefined
actions during the landscape creation process.
Note: The actions available for you to associate the connectors with are
delivered with Enterprise Role Management. You cannot create your own
actions.
Configuring a Connector for SAP
To create a connector for SAP ABAP systems:
1. In Enterprise Role Management, select the Configuration tab and choose System
   Landscape → Systems. The Available Systems screen appears.
   Note: Until you create your first connector, the Available Systems screen is blank.
2. Choose Create. The Create System screen appears.
3. In the System Type menu, choose SAP.
4. Select the SLD Connector checkbox to activate the System Landscape Directory.
5. In the Name field, enter the target system name. This is the SAP connector name.
   Caution: The connector names are very important when integrating with other SAP
   BusinessObjects GRC solution products and Central User Administration (CUA). Make
   sure that the connector name for SAP BusinessObjects Access Control is the same as
   the one configured for CUA.
6. In the Description field, enter a detailed description of the system connector, such
   as HR QA System.
7. In the Application field, enter the name of the application or application server.
8. In the Application Server Host field, enter the host name of the application server.
9. In the System Number field, enter the number in the SAP system log.
10. In the Client field, enter the SAP client number.
11. In the User ID field, enter the SAP user name.
12. In the Password field, enter the password associated with the SAP user.
13. In the System Language field, enter the system language for the application server.
14. In the Message Server Name field, enter the name of the message server, which is
    used for load balancing of your SAP clustered environment.
15. In the Message Server Group field, enter the logon group name to which the message
    server belongs.
16. In the Message Server Host field, enter the host name of the message server.
17. In the SAP Version menu, choose the appropriate SAP version. Enterprise Role
    Management supports SAP 4.6c and higher.
18. Choose Save.
Configuring a Connector for Enterprise, Non-SAP, or SAP EP
You can use the following procedure to plan and document the connection between
ERM and non-ABAP systems. ERM can only communicate with ABAP systems
directly.
To create a connector for Enterprise, non-SAP, or SAP Enterprise Portal:
1. In Enterprise Role Management, select the Configuration tab and choose System
   Landscape → Systems. The Available Systems screen appears.
2. Choose Create.
3. In the System Type menu, choose Non SAP.
4. In the Name field, enter the name of the system.
5. In the Description field, enter a detailed description of the system.
6. Choose Save.
Exporting and Importing Configuration Settings
This feature exports configuration settings from one Enterprise Role Management
system and imports them into another. You must export the settings first and then use
the generated file as the import source file for the other system. For example, after
you configure the development system, you can export the configuration settings and
import them into the production system, so you do not have to manually reconfigure
the settings.
Settings that can be exported or imported:
• Initial Data: This data consists of all of the system configuration data when it is
  first set up. It includes all values and flags that were initially set.
• Connector: This data includes connector information for all systems (SAP, non-SAP,
  LDAP, and so on) that were configured.
• Roles: This data includes all roles that were created and imported to the system.
  Note: Role export does not export role attributes. Role attributes must exist in the
  system before roles can be imported.
• Workflow Configuration: This data includes all information from initiator, custom
  approver determinator, stage, path, approvers, and the like.
• User Defaults: This data includes all mappings, values, and attribute settings.
• HR Triggers: This data includes all actions, rules, field mappings, and associated
  values and flag settings.
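The following is an added example, not code from the GRC300 handbook or from SAP: a pre-check for a role import that enforces the note above (role attributes must already exist in the target system because the role export carries none) and the rule from the role attribute section that the business process determines which subprocesses a role may carry. The export record layout, the attribute names and all sample data are constructed.

```python
# Added example, not from the GRC300 handbook or SAP's own code. Layout and data constructed.
import json


def load_target_attributes(config):
    """Attribute values the target ERM system already knows (constructed layout)."""
    return {
        "business_process": set(config["business_processes"]),
        # subprocess -> owning business process, because a process determines which
        # subprocesses a role may carry
        "subprocess": dict(config["subprocesses"]),
        "functional_area": set(config["functional_areas"]),
    }


def check_role(role, target):
    """Return the list of problems that would make this role unimportable."""
    problems = []
    bp = role.get("business_process")
    if bp not in target["business_process"]:
        problems.append(f"business process {bp!r} does not exist in the target system")
    sp = role.get("subprocess")
    owner = target["subprocess"].get(sp)
    if owner is None:
        problems.append(f"subprocess {sp!r} does not exist in the target system")
    elif owner != bp:
        problems.append(f"subprocess {sp!r} belongs to {owner!r}, not to {bp!r}")
    fa = role.get("functional_area")
    if fa not in target["functional_area"]:
        problems.append(f"functional area {fa!r} does not exist in the target system")
    return problems


def precheck_import(export_text, target_config):
    """Split an exported role file into importable roles and rejected ones with reasons."""
    target = load_target_attributes(target_config)
    importable, rejected = [], {}
    for role in json.loads(export_text)["roles"]:
        problems = check_role(role, target)
        if problems:
            rejected[role["name"]] = problems
        else:
            importable.append(role["name"])
    return importable, rejected


# Constructed export from a development system and constructed target (production) config.
DEV_EXPORT = json.dumps({"roles": [
    {"name": "Z_FI_AP_PAYRUN", "business_process": "Finance",
     "subprocess": "Accounts Payable", "functional_area": "Finance"},
    {"name": "Z_MM_PU_ORDER", "business_process": "Procurement",
     "subprocess": "Purchase Orders", "functional_area": "Supply Chain"},
    {"name": "Z_FI_GL_CLOSE", "business_process": "Finance",
     "subprocess": "Purchase Orders", "functional_area": "Finance"},
]})
PROD_CONFIG = {
    "business_processes": ["Finance", "Procurement"],
    "subprocesses": {"Accounts Payable": "Finance", "General Ledger": "Finance",
                     "Purchase Orders": "Procurement"},
    "functional_areas": ["Finance"],
}

if __name__ == "__main__":
    ok, bad = precheck_import(DEV_EXPORT, PROD_CONFIG)
    print("importable:", ok)
    for name, problems in bad.items():
        print("rejected:", name, "->", "; ".join(problems))
```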
Lesson Summary
You should now be able to:
• List the steps required after installation of SAP BusinessObjects Access Control
  Enterprise Role Management
• Explain how to connect the Enterprise Role Management component to a back-end
  system
• Explain the export and import configuration settings that are necessary to perform
  transports from development to production
Lesson: Enterprise Role Management Overview
Lesson Overview
This lesson provides an overview of SAP BusinessObjects Access Control Enterprise
Role Management.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain how Enterprise Role Management can prevent the uncontrolled creation of
  noncompliant roles
• Describe and demonstrate the concept of role ownership and change management
  approvals to support a controlled process of handling the life cycle of SAP roles
  within the customer landscape
Business Example
Your organization wants to evaluate how a central and enterprise-wide role
development solution could help prevent the introduction of new SoD violations.
Enterprise Role Management
Enterprise Role Management simplifies the enterprise role engineering process:
• Provides a single enterprise role repository for role design, testing, and
  maintenance to enforce consistency and standardization
• Facilitates the role design process with a predefined (yet customizable) design
  methodology and workflow
• Supports the definition and documentation of role information, authorizations, and
  testing results
• Enforces the segregation-of-duties analysis during role design to prevent risks from
  entering application systems
• Provides change history for auditing and compliance
• Provides workflow approval for control checking and evaluation during role design
• Provides automatic SAP role generation
• Organizations can configure and enforce multiple role design processes within the
  company for different business purposes
• Companies can define multiple processes for different purposes, such as a single
  role design process for all single roles
• Provides a central documentation repository for enterprise roles residing in SAP and
  non-SAP systems
• Naming convention to enforce role-naming standardization
• Enforces consistency, standardization, and ease of use for Enterprise Role
  Management
Figure 66: What is Enterprise Role Management?
Role Ownership and Change Management in Enterprise Role Management
Enterprise Role Management can help companies define and maintain role ownership
throughout the life cycle of SAP roles. It enforces a company-defined role creation
methodology, and helps support SAP best practices.
Figure 67: Implementing Enterprise Role Management – Best Practice Use Case
As shown above, ERM creates role information in SAP application systems. As a best
practice, Enterprise Role Management should therefore have connectors (RTAs) set up to
create roles in the company’s development system first. The roles are then migrated to
the QA and production systems with the traditional Change and Transport System.
Lesson Summary
You should now be able to:
•
Explain how Enterprise Role Management can prevent the uncontrolled creation
of noncompliant roles
•
Describe and demonstrate the concept of role ownership and change management
approvals to support a controlled process of handling the life cycle of SAP roles
within the customer landscape
Lesson: Enterprise Role Management Configuration Review
Lesson Overview
This lesson will give you an overview of how to design a role using Enterprise Role
Management.
Lesson Objectives
After completing this lesson, you will be able to:
• Name the role attributes
• Configure a naming convention and enforcement
• Explain and configure organizational value mapping
• Set up a role creation methodology, condition groups, and role approvers
• Configure an approval workflow for role maintenance in the Workflow Engine
Business Example
Your organization wants to have a set standard for role creation. They want to be able
to enforce a set methodology.
Role Attributes
Role attributes are the details used to define a role during the role creation process.
You determine the values for each attribute during Enterprise Role Management
configuration, and then assign the defined attributes when you create a role.
Role attributes include:
• Business Processes
• Subprocesses
• Functional Areas
• Custom Fields
• Projects / Releases
Business Processes
A business process is a collection of related activities that produces something of
value for your organization or business and is categorized based on your enterprise's
organizational structure. A business process can be managerial, operational, or
supporting, and can be defined narrowly or broadly, depending on your business needs.
When you create a role in Enterprise Role Management, the business process you
assign to the role is one of the role's defining attributes and determines which
subprocesses you can assign to the role.
Examples of business processes are:
• Finance
• Accounts Payable
• Procure to Pay
Hint: Keep it simple. A sophisticated business process model might be a
proper approach for process re-engineering, but the better approach for SAP
BusinessObjects Access Control is to reduce complexity.
Subprocesses
A subprocess is a collection of related activities that produces something of value
for your organization or business and is categorized based on your enterprise's
organizational structure. It is a part of the business process. For example, if a company
defines Procurement as a business process, then Purchasing would be a subprocess.
A business process typically contains one or more subprocesses. Each subprocess
must be linked to a business process.
Functional Area
A functional area is a classification of processes for a department or business process.
Within SAP, a functional area is used to organize certain activities within a department
or business process. For example, within your business you might have the business
process Procurement, containing the functional areas Purchasing, Administration, and
Receiving. However, one or more of these functional areas might also fall under
the Finance business process.
In Enterprise Role Management, a functional area is a role attribute used to categorize
roles and define the approval and role maintenance processes. In addition, a functional
area is used to filter the results of a role search, identifying only those roles associated
with a specific functional area.
Custom Fields
Custom fields allow you to add attributes to a role that are specific to your company
or organization. For instance, if you have a role that needs to be distinguished by
region, adding a custom attribute allows you to assign a specific region when you
create your role.
Project / Release
The project/release can be a project name, release name, or release number that you
would like to associate with a particular role.
Configure a Naming Convention and Enforcement
You create naming conventions to enforce role and profile naming standards during
the role creation process. Naming conventions are specific to a system landscape
and role type. The landscape and role type determine the attributes you can assign
to a naming convention.
You can have different naming conventions for a single role type in the development
system landscape and the test system landscape. You can also have different naming
conventions for the composite role type in the development system landscape and the
test system landscape, and so on.
Creating a Naming Convention
You create a naming convention by entering free text or text dynamically linked to
your role attributes. The role attributes available for naming convention creation for
all role types are Business Process, Subprocess, and Project/Release. For SAP derived
roles, additional role attributes are available: Master Role Name, Derived Org Level,
From Value, To Value.
1. On the Configuration tab, choose Naming Convention.
2. Choose Create.
3. In the Name field, enter a name for the new naming convention.
4. From the System Landscape menu, select a system landscape.
5. From the Role Type menu, select a role type.
The role type you select determines the attributes available to you in the next step. Available role types are:
• Single
• Composite
• Derived
• Profile
6. From the Enforced field dropdown list, select Disabled or Enabled.
• Enabled: The naming convention is enforced and cannot be overridden by the user.
• Disabled: The naming convention is suggested, but can be overridden by the user.
The Expression field contains the format of the naming convention. It is
auto-populated each time you assign an attribute or text character, but you decide
the order and number of characters. The maximum number of characters allowed
for a role name is 30 (with the exception of the profile name – role type Profile –
which only allows 12 characters). Each time you add characters, the position of
the assigned characters and number of characters still available is displayed on
the right side of the Create Naming Convention screen.
Two types of character appear in the Expression field:
• Variable characters represent the attribute value you select from the Attribute dropdown list and are represented in the Expression field as a dollar sign ($). When you create a user role, the variable character is either auto-populated or changed, depending on your business needs.
• Free text characters allow you to enter whatever text best fulfills your business needs, but it is typically based on valid characters for SAP role names. Free text is represented in the Expression field by either a dollar sign ($) or the actual text you enter in the Text field.
7. Populate the Expression field:
a) Select an attribute from the Attribute dropdown list.
b) Take one of the following actions:
– Enter the number of characters needed to represent the selected attribute in the No. of Chars field, and choose the Add icon.
– Enter text in the Text field, and choose Add.
The characters that represent the variable or free text you enter appear in the Expression field, and the positions the characters hold in the expression appear in the screen on the right. In addition, you can see the number of characters that remain available for the naming convention.
8. Choose Save.
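The expression, the character caps and the Enabled/Disabled behaviour described above can be modelled in a few lines. The following Python is an added example written for this lesson, not SAP code; how a variable part is filled from an attribute value and how a user-typed name is validated are assumptions, and the DEV single-role convention it builds is constructed.

```python
"""Model of an Enterprise Role Management naming convention: an expression of
variable ($) and free-text characters, capped at 30 characters for role names
and 12 for profile names, either enforced (Enabled) or only suggested (Disabled).
Added example for this lesson, not SAP code; how a value fills its variable
characters and how a user-typed name is validated are assumptions."""
from dataclasses import dataclass, field

MAX_LEN = {"Single": 30, "Composite": 30, "Derived": 30, "Profile": 12}
COMMON_ATTRS = {"Business Process", "Subprocess", "Project/Release"}
DERIVED_ATTRS = COMMON_ATTRS | {"Master Role Name", "Derived Org Level",
                                "From Value", "To Value"}


@dataclass
class Part:
    kind: str    # "attr" = variable characters, "text" = free text
    value: str   # attribute name for "attr", the literal text for "text"
    length: int  # characters occupied in the expression


@dataclass
class NamingConvention:
    name: str
    landscape: str   # conventions are specific to a landscape and a role type
    role_type: str
    enforced: bool   # True = Enabled (no override), False = Disabled (suggested)
    parts: list = field(default_factory=list)

    def allowed_attrs(self):
        return DERIVED_ATTRS if self.role_type == "Derived" else COMMON_ATTRS

    def remaining(self):
        return MAX_LEN[self.role_type] - sum(p.length for p in self.parts)

    def _add(self, part):
        # The screen refuses an add that would exceed the remaining characters.
        if part.length < 1 or part.length > self.remaining():
            raise ValueError(f"{part.length} chars do not fit, {self.remaining()} left")
        self.parts.append(part)
        return self.expression()

    def add_attribute(self, attr, n_chars):
        if attr not in self.allowed_attrs():
            raise ValueError(f"{attr!r} not available for role type {self.role_type}")
        return self._add(Part("attr", attr, n_chars))

    def add_text(self, text):
        return self._add(Part("text", text, len(text)))

    def expression(self):
        # Variable characters appear as $, free text as the text itself.
        return "".join("$" * p.length if p.kind == "attr" else p.value
                       for p in self.parts)

    def positions(self):
        # (part, first position, last position), 1-based, as shown on the right.
        out, pos = [], 1
        for p in self.parts:
            out.append((p.value, pos, pos + p.length - 1))
            pos += p.length
        return out

    def propose_name(self, attrs):
        # Assumption: a variable part takes the first n characters of the
        # attribute value, upper-cased; free text is copied as-is.
        return "".join(p.value if p.kind == "text"
                       else attrs.get(p.value, "")[:p.length].upper()
                       for p in self.parts)

    def validate(self, user_name, attrs):
        """Return (accepted, reason) for a name typed at role creation."""
        if len(user_name) > MAX_LEN[self.role_type]:
            return False, "exceeds maximum length"
        if user_name == self.propose_name(attrs):
            return True, "matches convention"
        if self.enforced:
            return False, "Enabled: the convention cannot be overridden"
        return True, "Disabled: convention suggested only, override accepted"


def try_add_attribute(nc, attr, n_chars):
    """Return the new expression, or the reason the add was refused."""
    try:
        return nc.add_attribute(attr, n_chars)
    except ValueError as exc:
        return f"refused: {exc}"


def build_dev_single():
    """Constructed convention Z_<BP:4>_<SP:4>_<Project/Release:3> for single roles in DEV."""
    nc = NamingConvention("NC_DEV_SINGLE", "DEV", "Single", enforced=True)
    nc.add_text("Z_")
    nc.add_attribute("Business Process", 4)
    nc.add_text("_")
    nc.add_attribute("Subprocess", 4)
    nc.add_text("_")
    nc.add_attribute("Project/Release", 3)
    return nc
```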
Organizational Value Mapping
If you want to restrict user access by organizational area, you can use the
organizational value mapping feature to map roles to different organizational levels.
To define all associated organizational values, you can create an organizational value
map for each organizational area (such as North America, Europe, or Asia Pacific).
Prior to creating an organizational value map, you must run a background job to
import existing organizational fields and values from your SAP ERP system. After the
initial import, you can create a background job to schedule periodic synchronization
to keep the data updated.
You always create an organizational value map with a primary organizational level
and value, because Enterprise Role Management uses that to store and search
for the organizational value. You can create multiple maps for the same primary
organizational level and value combination. After the primary organizational level and
value are set, you can define the values for all child organizational levels to complete
the organizational value map.
After you create the organizational value map, it can be used by all users as a basis to
derive any master role.
Note: You must run the initial background jobs for Org Value Sync,
Transaction/Object/Field Sync, and Activity Val Sync prior to configuring
organizational value maps. These background jobs are a prerequisite for the
organizational value mapping feature.
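The following Python is an added example, not SAP code, that models an organizational value map with a primary level and child levels, the background-job prerequisite from the note above, and the derivation of a master role from a map. It uses the company code 5000 and purchasing organization 50 from Task 3 of Exercise 13 later in this lesson; the org level names BUKRS and EKORG, the profile template and the placeholder handling are assumptions.

```python
"""Model of organizational value maps and of deriving a master role from one.
Added example for this lesson, not SAP code. The map shape (a primary
organizational level and value plus child levels) and the background-job
prerequisite follow the lesson text; the -$$$$ role-name and #### profile
placeholders follow Task 3 of Exercise 13; the derivation rules are assumptions."""
import re
from dataclasses import dataclass, field

# Background jobs the note names as prerequisites for org value mapping.
REQUIRED_SYNC_JOBS = ("Org Value Sync", "Transaction/Object/Field Sync",
                      "Activity Val Sync")


@dataclass
class OrgValueMap:
    name: str
    primary_level: str   # e.g. BUKRS (Company Code)
    primary_value: str   # e.g. 5000
    children: dict = field(default_factory=dict)  # child org level -> value

    def values(self):
        return {self.primary_level: self.primary_value, **self.children}


@dataclass
class OrgValueRepository:
    completed_jobs: set = field(default_factory=set)
    maps: list = field(default_factory=list)

    def run_job(self, job):
        self.completed_jobs.add(job)

    def missing_jobs(self):
        return [j for j in REQUIRED_SYNC_JOBS if j not in self.completed_jobs]

    def create_map(self, ovm):
        # Maps cannot be created until the initial sync jobs have imported the
        # organizational fields and values from the SAP ERP system.
        if self.missing_jobs():
            raise RuntimeError(f"run these background jobs first: {self.missing_jobs()}")
        self.maps.append(ovm)
        return ovm

    def find(self, primary_level, primary_value):
        # Maps are stored and searched by primary level/value; several may share one.
        return [m for m in self.maps
                if (m.primary_level, m.primary_value) == (primary_level, primary_value)]


@dataclass
class MasterRole:
    name: str          # derived-role name template, e.g. GRC300CREATE_VENDOR-$$$$
    profile: str       # profile template with #### as open values
    org_levels: tuple  # org levels occurring in the master role's authorizations


def fill(template, value, marker):
    """Replace each run of marker characters with the value cut to the run's width."""
    return re.sub(re.escape(marker) + "+", lambda m: value[:len(m.group())], template)


def coverage_gap(master, ovm):
    """Org levels of the master role that the map assigns no value to."""
    return [lvl for lvl in master.org_levels if lvl not in ovm.values()]


def derive(master, ovm, description):
    """Build the derived role: name and profile from the primary value, the
    organizational values for every org level from the complete map."""
    gap = coverage_gap(master, ovm)
    if gap:
        raise ValueError(f"map {ovm.name} has no value for {gap}")
    values = ovm.values()
    return {
        "derived_role": fill(master.name, ovm.primary_value, "$"),
        "profile": fill(master.profile, ovm.primary_value, "#"),
        "description": description,
        "org_values": {lvl: values[lvl] for lvl in master.org_levels},
    }


def demo():
    """Constructed walk-through with the Task 3 values (company code 5000,
    purchasing organization 50); the profile template T-CRVEND#### is made up."""
    repo = OrgValueRepository()
    for job in REQUIRED_SYNC_JOBS:
        repo.run_job(job)
    repo.create_map(OrgValueMap("NA_CC5000", "BUKRS", "5000", {"EKORG": "50"}))
    master = MasterRole("GRC300CREATE_VENDOR-$$$$", "T-CRVEND####", ("BUKRS", "EKORG"))
    ovm = repo.find("BUKRS", "5000")[0]
    return derive(master, ovm, "Create Vendor for Company Code 5000")
```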
Setting up a Role Creation Methodology, Condition Groups, and Role Approvers
A role creation methodology consists of predefined actions and the steps associated with those actions. The steps, in turn, are used to create a methodology process, which guides you, step by step, through the formalized process of defining, generating, and testing a role during role creation. The current process step is shown in the process status during role creation.
The methodology process is configurable, but the actions are not.
For instance, you might define a methodology process that skips role derivation because you will use only organizational value mapping.
Methodology Steps
Methodology steps are the steps used to create a role during the role creation process.
Based on these steps, you can tell which phase of the role creation process a role is in.
Enterprise Role Management allows you to create methodology steps and associate
them with predefined actions within Enterprise Role Management. After you associate
the steps with the predefined actions, you can create a role methodology process.
Creating a Methodology Step
1. On the Configuration tab, choose Methodology → Step.
2. Choose Create.
3. In the Step ID field, enter a name for the step.
4. In the Description field, enter a brief description for the step.
5. From the Status dropdown list, select Enable or Disable.
If you select Enable, the step is available for inclusion in a methodology process. If you select Disable, it is not available.
6. From the Associate Action dropdown list, select an action with which to associate the step.
7. Choose Save.
Condition Groups
A condition group is defined from a set of role attributes (such as a business process,
subprocess, functional area, role type, or role name) and is based on role values and
conditions. After you create a condition group, the system applies it to a role creation
process to override the default role creation process when the criteria from the
condition group are met. You can apply multiple condition groups in one role creation
process, but you cannot associate multiple processes to one condition group.
Creating a Condition Group
1. From the Configuration tab, choose Condition Groups.
2. Choose Create.
3. In the Condition Group ID field, enter a condition group ID.
4. In the Description field, enter a brief description for the condition group.
5. From the Status dropdown list, select Enable or Disable.
If you select Enable, the condition group is available for association during the role methodology creation process. If you select Disable, it is not available.
6. To add role attributes to the condition group, choose Add.
Dropdown lists appear under Role Attributes and Condition.
7. In the Role Attributes column, select the attribute that you want to assign to the condition group.
After you select a role attribute, a dropdown list or text field appears in the Value column. The values in the dropdown list are specific to the selected role attribute.
8. In the Value column, assign a value for the corresponding attribute.
9. In the Condition column, select a condition for the role attribute.
10. To add more role attributes to the condition group, repeat steps 6 through 9.
11. Choose Save.
Approval Workflow for Role Maintenance
Enterprise Role Management integrates with Compliant User Provisioning for role
approval workflow. As part of the integration, a role approver is defined during the
role creation process to be used by the approval workflow.
During the role creation process, you can manually define approvers and alternate
approvers for each role, or you can allow Enterprise Role Management to
automatically assign approvers and alternate approvers to that role based on the
approval criteria you create and the user-selected role attributes.
To create approval criteria, you assign approvers and alternate approvers for a set
of role attributes or conditions.
Creating Approval Criteria for a Workflow
1. On the Configuration tab, choose Workflow → Approval Criteria.
2. Choose Create.
3. In the Group Name field, enter the name of the group for which you want to create approval criteria.
4. Choose Add on the Attribute screen.
5. From the dropdown list, select the attribute(s) required to specify your approval.
6. Choose Assign Approvers.
7. Choose Assign Approvers on the Approval Criteria Values screen.
8. Under the Condition table, choose Add.
a) In the Attribute column, select an attribute from the dropdown list.
b) In the Value column, select a value from the dropdown list.
c) Choose Add.
d) Repeat steps a through c to add additional attributes and values.
9. Under the Approver table, choose Add.
10. In the Approver column, choose Search.
11. Choose Search.
A list of potential approvers appears.
12. Select the radio button next to the user ID of the user you want to assign as an approver.
13. Choose Select.
The Approver Search window closes, and the Approver field on the Change Approval Criteria screen is populated.
14. Repeat steps 10 through 13 to select an alternate approver.
15. Choose Add.
16. Repeat steps 10 through 14 to add more approvers and alternate approvers.
17. Choose Save.
The Approval Criteria Values screen displays the Approver and Alternate Approver for the selected condition attributes.
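The following Python is an added example, not SAP code, that models the two configuration objects just described: condition groups that override the default methodology process when all their criteria are met, and approval criteria that auto-assign an approver and alternate approver from the role's attributes. The operator set, the first-match ordering and the sample groups and criteria are assumptions.

```python
"""Model of how a condition group picks the methodology process for a role and
how approval criteria auto-assign an approver and alternate approver.
Added example for this lesson, not SAP code; the condition operators, the
"first enabled match wins" ordering and the sample configuration are assumptions."""
from dataclasses import dataclass

# Condition operators offered in the Condition column (assumed set).
OPERATORS = {
    "EQ": lambda actual, expected: actual == expected,
    "NE": lambda actual, expected: actual != expected,
    "STARTS WITH": lambda actual, expected: actual.startswith(expected),
    "CONTAINS": lambda actual, expected: expected in actual,
}


@dataclass
class Condition:
    attribute: str   # Business Process, Subprocess, Functional Area, Role Type, Role Name
    value: str
    operator: str = "EQ"

    def holds(self, role):
        return OPERATORS[self.operator](role.get(self.attribute, ""), self.value)


def all_hold(conditions, role):
    return all(c.holds(role) for c in conditions)


@dataclass
class ConditionGroup:
    group_id: str
    description: str
    enabled: bool
    conditions: list
    process_id: str   # a group overrides the default with exactly one process


@dataclass
class ApprovalCriteria:
    group_name: str
    conditions: list
    approver: str
    alternate: str


def select_process(role, groups, default="DEFAULT"):
    """The first enabled condition group whose criteria are all met overrides
    the default process. Several groups may point at the same process, but
    each group names only one process."""
    for g in groups:
        if g.enabled and all_hold(g.conditions, role):
            return g.process_id
    return default


def assign_approvers(role, criteria):
    """Return (approver, alternate) from the first approval criteria whose
    condition attributes match the role, or None when nothing matches."""
    for c in criteria:
        if all_hold(c.conditions, role):
            return c.approver, c.alternate
    return None


def resolve_role(role, groups, criteria, manual_approvers=None):
    """Approvers may be set manually on the role or derived from the criteria;
    either way an approver must exist before the approval workflow can run."""
    approvers = manual_approvers or assign_approvers(role, criteria)
    return {
        "process": select_process(role, groups),
        "approvers": approvers,
        "approver_missing": approvers is None,
    }


# Constructed configuration, loosely following the lesson's attribute examples.
CONDITION_GROUPS = [
    ConditionGroup("CG_FI_SINGLE", "Finance single roles", True,
                   [Condition("Business Process", "Finance"),
                    Condition("Role Type", "Single")], "FI_SINGLE_PROCESS"),
    ConditionGroup("CG_COMPOSITE", "All composite roles", True,
                   [Condition("Role Type", "Composite")], "COMPOSITE_PROCESS"),
    ConditionGroup("CG_LEGACY", "Retired rule, kept disabled", False,
                   [Condition("Role Name", "Z_", "STARTS WITH")], "LEGACY_PROCESS"),
]
APPROVAL_CRITERIA = [
    ApprovalCriteria("FI_APPROVERS", [Condition("Business Process", "Finance")],
                     "FI_OWNER", "FI_DEPUTY"),
    ApprovalCriteria("P2P_APPROVERS", [Condition("Business Process", "Procure to Pay")],
                     "P2P_OWNER", "P2P_DEPUTY"),
]
```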
Exercise 13: Enterprise Role Management
Exercise Objectives
After completing this exercise, you will be able to:
•
Configure a role design methodology
•
Define a naming convention
•
Implement organizational value mapping
•
Test the complete role maintenance workflow
Business Example
Management asks for an alternative method of role development and maintenance to
improve the current, manual, time-consuming, and expensive process, and to establish
a more transparent and controlled way of implementing role changes within SAP.
Task 1:
Configure a role design methodology.
1. Access Enterprise Role Management from the SAP BusinessObjects Access Control launch pad.
2. Create a new methodology process.
3. Fill in the following information:
Process ID: GRC300-xx, where xx is your student ID
Description: GRC300-xx, where xx is your student ID
Status: Set to Enable
4. Click on the + to add a step. Add the following steps in the following order:
1. Definition
2. Risk Analysis
3. Approval
5. Choose Save.
Task 2:
Define a naming convention.
1. Create a new naming convention.
2. Fill in the following information:
Name: GRC300-xx, where xx is your student ID
System Landscape: TRAINING
Role Type: Single
Enforced: Disabled
3. Fill in the information for the naming convention. You can play around with this area, as we are not going to save this naming convention.
4. Choose the green arrow to go back. Do not save, as you will not be able to save this naming convention.
Task 3:
Implement organizational value mapping.
1. Select the Role Management tab.
2. Choose Roles → Search.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select a role to copy, such as GRC300CREATE_VENDOR, and then choose the Change button.
5. Choose the Derived Roles button.
6. Next, choose Create.
7. Select Company Code (BUKRS) from the dropdown of the Derived Org Level field.
8. Enter 5000 in the Value From field and delete -$$$$ from the Derived Role field.
9. Enter Create Vendor for Company Code 5000 in the Derived Role Description field.
10. In the Profile field, enter 5000 to replace open values #### and choose Continue.
11. Select all the check boxes in the next screen and click twice on the Delete icon.
12. Enter 5000 in the Company Code field and enter 50 in the Purchasing
Organization field.
13. Choose Cancel and use the green arrow (twice) to exit without saving the role.
Solution 13: Enterprise Role Management
Task 1:
Configure a role design methodology.
1. Access Enterprise Role Management from the SAP BusinessObjects Access Control launch pad.
a) Click the Enterprise Role Management link.
2. Create a new methodology process.
a) Choose Configuration → Methodology → Process then choose Create to create a new methodology process.
3. Fill in the following information:
Process ID: GRC300-xx, where xx is your student ID
Description: GRC300-xx, where xx is your student ID
Status: Set to Enable
4. Click on the + to add a step. Add the following steps in the following order:
1. Definition
2. Risk Analysis
3. Approval
5. Choose Save.
Task 2:
Define a naming convention.
1. Create a new naming convention.
a) Choose Configuration → Naming Convention, then choose Create to create a new naming convention.
2. Fill in the following information:
Name: GRC300-xx, where xx is your student ID
System Landscape: TRAINING
Role Type: Single
Enforced: Disabled
3. Fill in the information for the naming convention. You can play around with this area, as we are not going to save this naming convention.
4. Choose the green arrow to go back. Do not save, as you will not be able to save this naming convention.
Task 3:
Implement organizational value mapping.
1. Select the Role Management tab.
2. Choose Roles → Search.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select a role to copy, such as GRC300CREATE_VENDOR, and then choose the Change button.
5. Choose the Derived Roles button.
6. Next, choose Create.
7. Select Company Code (BUKRS) from the dropdown of the Derived Org Level field.
8. Enter 5000 in the Value From field and delete -$$$$ from the Derived Role field.
9. Enter Create Vendor for Company Code 5000 in the Derived Role Description field.
10. In the Profile field, enter 5000 to replace open values #### and choose Continue.
11. Select all the check boxes in the next screen and click twice on the Delete icon.
12. Enter 5000 in the Company Code field and enter 50 in the Purchasing Organization field.
13. Choose Cancel and use the green arrow (twice) to exit without saving the role.
Lesson Summary
You should now be able to:
•
Name the role attributes
•
Configure a naming convention and enforcement
•
Explain and configure organizational value mapping
•
Set up a role creation methodology, condition groups, and role approvers
•
Configure an approval workflow for role maintenance in the Workflow Engine
Lesson: Enterprise Role Management Workflow Steps
Lesson Overview
This lesson provides an overview of the workflow steps that are used to create a
role using Enterprise Role Management.
Lesson Objectives
After completing this lesson, you will be able to:
• Create a new role using the defined naming conventions
• Add transactions to the role
• Use the PFCG
• Maintain the authorization objects of the role
• Create a derived role without using the organizational value map
• Perform a risk analysis
• Approve the newly created role within the Workflow Engine
• Generate the role in the back-end system
Business Example
In a proof of concept for Enterprise Role Management, you are named to implement
an approval workflow for role changes. Furthermore, you need to evaluate the actual
role creation, automated risk analysis, and back-end integration features before
receiving final approval to run the implementation project.
Creating a New Role
This section will walk through the several steps of the Role Creation workflow. The instructor will demonstrate the different steps in the Methodology.
Step 1 - Definition
The first step in the role creation methodology is the definition of the role. In Enterprise Role Management, you are able to enforce a best practice for the definition and naming of the roles, based on the attributes that are selected. The instructor will walk through the definition of a role in this section.
Step 2a - Authorization Data
The second step in the role creation methodology is the authorization data. You can
select the transactions that you want inside this role, and assign the authorizations to
them. Enterprise Role Management uses the SU24 data that was synced with the
back-end system to suggest the authorizations.
Step 2b - Authorization Data with PFCG Integration
Enterprise Role Management in SAP BusinessObjects Access Control is now integrated with transaction PFCG, the profile generator, in SAP ERP back-end systems or in SAP R/3 4.6C and higher. This allows you to leverage the advanced maintenance features in PFCG and allows security administrators to work in a familiar environment while maintenance is synchronized in Enterprise Role Management.
Step 3 - Role Derivation
With SAP BusinessObjects Access Control Enterprise Role Management, you can now derive a role during the role creation process by selecting the organizational level and entering the organizational level value. You can push the role to all available organizational levels that exist in transactions in the master role you are deriving. This new feature gives you the ability to derive to multiple organizational levels during the role creation process without having to use the organizational map.
Step 4 - Risk Analysis on a Role
Segregation-of-duties risk simulation ensures that no SoD risks enter production during role creation and maintenance. Integration with Risk Analysis and Remediation allows SoD risks for single and composite SAP roles to be simulated at role design time. You can perform risk analysis simulation at transaction or object level in Enterprise Role Management, before the role is generated in the back-end systems.
Before Enterprise Role Management generates a role, it always performs a risk analysis. If the role contains a risk, Enterprise Role Management can be configured either to allow or to block generation of the role.
Step 5 - Approval of the Newly Created Role
With the integration with Compliant User Provisioning, approval workflow can be
triggered within Enterprise Role Management for role creation and maintenance. The
approval process allows collaboration among different stakeholders involved in the
role engineering process. The approval process can also be maintained in Enterprise
Role Management. The approver must be defined in the role.
Step 6 - Generation of the New Role
Enterprise Role Management will generate the new role in the back-end system that
was defined in the role definition. The Generate Role step generates both master and
derived roles at the same time. All the roles included should already be generated for
composite roles. If not, the system will generate an error. This is standard PFCG
functionality.
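The gates that steps 4 to 6 place in front of role generation (risk analysis always runs first, a configuration switch decides whether a risky role may still be generated, and a composite role needs all its included roles generated beforehand) can be modelled as a short guarded sequence. The following Python is an added example, not SAP code; the SoD rule set, the role data and the name of the configuration switch are constructed.

```python
"""Model of the generation step of the role creation methodology with the gates
the lesson describes: risk analysis always runs before generation, a
configuration switch decides whether a role with SoD risks may be generated,
and a composite role is generated only once all included roles exist.
Added example for this lesson, not SAP code; the SoD rule set is constructed."""
from dataclasses import dataclass, field

# Constructed SoD rule set: transaction pairs that conflict when held together.
SOD_RULES = {("FK01", "F110"): "create vendor and run payment program",
             ("ME21N", "MIGO"): "create purchase order and post goods receipt"}


@dataclass
class Role:
    name: str
    role_type: str              # Single, Composite or Derived
    transactions: set = field(default_factory=set)
    included_roles: tuple = ()  # composite roles only
    approver: str = ""          # must be defined in the role for the workflow
    approved: bool = False


@dataclass
class Backend:
    allow_generation_with_risks: bool = False   # ERM configuration switch (assumed name)
    generated: dict = field(default_factory=dict)  # role name -> transactions


def effective_transactions(role, backend):
    """Transactions the role grants, including those of generated included roles."""
    txns = set(role.transactions)
    for inc in role.included_roles:
        txns |= backend.generated.get(inc, set())
    return txns


def risk_analysis(role, backend):
    """Transaction-level simulation: the SoD risks the role would introduce."""
    txns = effective_transactions(role, backend)
    return [desc for pair, desc in SOD_RULES.items() if set(pair) <= txns]


def generate(role, backend):
    """Step 6 with its gates. Returns (generated, message, risks)."""
    if not role.approver or not role.approved:
        return False, "approval step incomplete: approver missing or not approved", []
    if role.role_type == "Composite":
        missing = [r for r in role.included_roles if r not in backend.generated]
        if missing:  # standard PFCG behaviour: included roles must already exist
            return False, f"error: included roles not generated: {missing}", []
    risks = risk_analysis(role, backend)  # always performed before generation
    if risks and not backend.allow_generation_with_risks:
        return False, "generation blocked: role contains SoD risks", risks
    backend.generated[role.name] = effective_transactions(role, backend)
    return True, "generated" + (" with risks" if risks else ""), risks
```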
Exercise 14: Role Mass Maintenance
Exercise Objectives
After completing this exercise, you will be able to:
•
Use the mass maintenance functionality to update multiple roles
Business Example
Management would like to identify possibilities to shorten the project implementation
time. For that reason, you decide to have a closer look at the mass maintenance
functionalities of Enterprise Role Management.
Task:
Demonstrate the new Mass Role Update and Analysis functionality of Enterprise
Role Management.
Caution: Do not choose the Submit or Save buttons during this exercise. You are only viewing functionality. At the end of each process, choose Cancel to exit the function without saving any actions.
1. Log on to Enterprise Role Management via the SAP BusinessObjects Access Control launch pad.
2. Select the Role Management tab and choose Mass Maintenance → Update.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select the following:
Maintenance Type: Change
Update: Business Process/Sub-Process
Select the two roles: GRC300-ALL and GRC300-BASIS
5. Choose Mass Update and then confirm that you want to update two roles. Note where you would select the old value and the new value for each role.
Caution: Do not choose Change!
Caution: DO NOT PRESS THE CHANGE BUTTON.
6. To return to the previous screen, click the green Back arrow.
Solution 14: Role Mass Maintenance
Task:
Demonstrate the new Mass Role Update and Analysis functionality of Enterprise
Role Management.
Caution: Do not choose the Submit or Save buttons during this exercise. You are only viewing functionality. At the end of each process, choose Cancel to exit the function without saving any actions.
1. Log on to Enterprise Role Management via the SAP BusinessObjects Access Control launch pad.
2. Select the Role Management tab and choose Mass Maintenance → Update.
3. Perform a blank search to bring up all roles in Enterprise Role Management.
4. From the search results, select the following:
Maintenance Type: Change
Update: Business Process/Sub-Process
Select the two roles: GRC300-ALL and GRC300-BASIS
5. Choose Mass Update and then confirm that you want to update two roles. Note where you would select the old value and the new value for each role.
Caution: Do not choose Change!
Caution: DO NOT PRESS THE CHANGE BUTTON.
6. To return to the previous screen, click the green Back arrow.
Lesson Summary
You should now be able to:
•
Create a new role using the defined naming conventions
•
Add transactions to the role
•
Use the PFCG
•
Maintain the authorization objects of the role
•
Create a derived role without using the organizational value map
•
Perform a risk analysis
•
Approve the newly created role within the Workflow Engine
•
Generate the role in the back-end system
Unit Summary
You should now be able to:
•
List the steps required after installation of SAP BusinessObjects Access Control
Enterprise Role Management
•
Explain how to connect the Enterprise Role Management component to a
back-end system
•
Explain the export and import configuration settings that are necessary to
perform transports from development to production
•
Explain how Enterprise Role Management can prevent the uncontrolled creation
of noncompliant roles
•
Describe and demonstrate the concept of role ownership and change management
approvals to support a controlled process of handling the life cycle of SAP roles
within the customer landscape
•
Name the role attributes
•
Configure a naming convention and enforcement
•
Explain and configure organizational value mapping
•
Set up a role creation methodology, condition groups, and role approvers
•
Configure an approval workflow for role maintenance in the Workflow Engine
•
Create a new role using the defined naming conventions
•
Add transactions to the role
•
Use the PFCG
•
Maintain the authorization objects of the role
•
Create a derived role without using the organizational value map
•
Perform a risk analysis
•
Approve the newly created role within the Workflow Engine
•
Generate the role in the back-end system
Unit 6
Access Control Integration
Unit Overview
This unit explains the integration points between Risk Analysis and Remediation,
Compliant User Provisioning, and Enterprise Role Management. It also discusses
options for the implementation order of these capabilities.
Unit Objectives
After completing this unit, you will be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report
Unit Contents
Lesson: Integration Between Access Control Components ................... 254
Lesson: Compliance Reporting ................................................... 261
Exercise 15: Compliance Reporting ......................................... 263
Lesson: Integration Between Access Control Components
Lesson Overview
This lesson will discuss how Web Services are used to integrate SAP BusinessObjects
Access Control.
Lesson Objectives
After completing this lesson, you will be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities
Business Example
Your organization plans to implement all the functionalities of SAP BusinessObjects
Access Control, and you need to be able to explain how all the components work
with each other.
SAP BusinessObjects Access Control Web Services
Each component in the SAP BusinessObjects Access Control application has
specific Web Services available. These services must be used when configuring the
components to communicate with each other.
Compliant User Provisioning
In Compliant User Provisioning, you can configure several workflow scenarios with
the available SAP BusinessObjects Access Control Web Services. For example, you
can set up the following workflow types within Compliant User Provisioning:
• For the workflow type for creating and modifying mitigation controls, you can use the following Web Service: /VirsaCCWFExitService5_2Service/Config1?wsdl&=document
• For the workflow type for creating and modifying mitigation control assignments: /VirsaCCWFExitService5_2Service/Config1?wsdl&=document
• For Enterprise Role Management, you can configure the following Web Service: /AEWFExitServiceWS_5_2/Config1?wsdl&=document
• For the workflow type for creating and modifying risks: /VirsaCCWFExitService5_2Service/Config1?wsdl&=document
• For an SoD Review workflow: AEWFExitServiceWS_5_2/Config1?wsdl&=document
If you navigate to http://servername:50<instance>00 and choose Web Services
Navigation, you will find all of the available Web Services. In particular, you will see
the Web Services listed above. If you are configuring Compliant User Provisioning
along with the other SAP BusinessObjects Access Control components, you will
need to configure these Web Services.
Compliant User Provisioning Configuration of Web
Services
To configure the Web Services in Compliant User Provisioning, select the
Configuration tab and choose Miscellaneous. Here you will be able to configure
each of the Web Services discussed above.
Figure 68: Compliant User Provisioning Configuration
In addition to Miscellaneous configuration, Web services are also configured under
Mitigation.
Figure 69: Web Services for Mitigation Controls
The last Web Services configuration takes place in the Risk Analysis option.
Figure 70: Web Services Configuration for Risk Analysis from Compliant User
Provisioning
Risk Analysis and Remediation
You can configure the workflow from Risk Analysis and Remediation to Compliant
User Provisioning by selecting the Configuration tab and choosing Workflow. Under
the workflow service URL, you can enter the following URL for Risk Analysis and
Remediation Web Services: http://servername:50<instance>00/AEWFrequestSubmissionService_5_2/Config1?wsdl&style=document. In Risk Analysis and Remediation,
you will notice that there is only one place where you have to enter a Web Service.
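The Web Service URLs above are entered by hand in three different configuration screens, and a single mistyped host or instance number silently points one component at the wrong system. The following is an added example (not part of the course material or of the product) that builds the expected WSDL URL for each service path named on this page and checks URLs taken from the configuration screens against it. The server name "grcsrv", the instance numbers and the wrong "devsrv" entry are constructed; the "style=document" query string follows the Risk Analysis and Remediation URL shown above and is assumed to apply to all endpoints.

```python
import re
from urllib.parse import urlsplit

# Web Service paths named on this page. The host name and instance number differ per
# landscape, so they are parameters. Appending "?wsdl&style=document" follows the form
# of the Risk Analysis and Remediation URL on the page; that every endpoint takes the
# same query string is an assumption of this example.
WS_PATHS = {
    "cup_mitigation_control": "/VirsaCCWFExitService5_2Service/Config1",
    "cup_mitigation_assignment": "/VirsaCCWFExitService5_2Service/Config1",
    "cup_risk": "/VirsaCCWFExitService5_2Service/Config1",
    "cup_erm": "/AEWFExitServiceWS_5_2/Config1",
    "cup_sod_review": "/AEWFExitServiceWS_5_2/Config1",
    "rar_workflow": "/AEWFrequestSubmissionService_5_2/Config1",
}


def j2ee_port(instance):
    """HTTP port of the NetWeaver Java stack: 5<NN>00 for two-digit instance number NN
    (the page writes this as 50<instance>00; instance 00 gives 50000, 01 gives 50100)."""
    if not re.fullmatch(r"[0-9]{2}", instance):
        raise ValueError(f"instance number must be two digits, got {instance!r}")
    return int(f"5{instance}00")


def service_url(server, instance, service):
    """Expected WSDL URL for one of the Web Services listed above."""
    return f"http://{server}:{j2ee_port(instance)}{WS_PATHS[service]}?wsdl&style=document"


def check_config(server, instance, configured):
    """Compare URLs actually entered in the component configuration screens against the
    expected host, port, path and query. Returns a list of (service, problem) tuples;
    an empty list means every configured endpoint points where it should."""
    problems = []
    expected_port = j2ee_port(instance)
    for service, url in configured.items():
        if service not in WS_PATHS:
            problems.append((service, "unknown service"))
            continue
        parts = urlsplit(url)
        if parts.hostname != server.lower():
            problems.append((service, f"host {parts.hostname!r}, expected {server!r}"))
        if parts.port != expected_port:
            problems.append((service, f"port {parts.port}, expected {expected_port}"))
        if parts.path != WS_PATHS[service]:
            problems.append((service, f"path {parts.path!r}, expected {WS_PATHS[service]!r}"))
        if "wsdl" not in parts.query.split("&"):
            problems.append((service, "query string does not request the WSDL"))
    return problems


if __name__ == "__main__":
    # Constructed example configuration (not from the page): one entry points at another system.
    cfg = {
        "rar_workflow": service_url("grcsrv", "00", "rar_workflow"),
        "cup_sod_review": "http://devsrv:50100/AEWFExitServiceWS_5_2/Config1?wsdl&style=document",
    }
    for service, problem in check_config("grcsrv", "00", cfg):
        print(f"{service}: {problem}")
```

Run the check after the Miscellaneous, Mitigation, Risk Analysis and Workflow screens have been filled in, and again after any system copy or host rename; a URL that still passes here can then be exercised with the Web Services Navigation test described in the next section.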
Enterprise Role Management
When configuring Web Services for Enterprise Role Management, you will also need
to navigate through the SAP NetWeaver Administration page and go to Web Services
Navigation. Within Enterprise Role Management, you can configure the following
Web services:
• Web Services Info. for CC Risk Analysis
• Web Services Info. for CC Transaction Usage
• Web Services Info. for CC Mitigation Control
• Web Services Info. for CC Functions
• Web Services Info. for AE Workflow
An ID and password are required when configuring these Web Services. When
assigning an ID, make sure that the user ID has the SAP BusinessObjects Access
Control roles assigned so that the user is able to access each of the areas listed above.
Testing Web Services
To test Web Services, go to the NetWeaver Administration page and choose Web
Services Navigation. Select a Web Service, select a document, choose Test, and select
the operation that you want to test. Depending on the Web Service that you are testing,
you may need to enter data to see whether the Web Service responds.
After entering data in the required fields and setting the fields that are not required to
Null, choose Send. This returns the results from the Web Service.
Implementation
When implementing SAP BusinessObjects Access Control, you can prioritize the
components in the order that will best help your company get to a clean and compliant
environment. An implementation approach can have one of two scenarios:
• The ERP system is new, and roles have not been defined.
• The ERP system is already in place, and the company needs to redesign its security architecture.
New ERP Implementation
If the ERP implementation is new, you can begin the security architecture by
implementing Enterprise Role Management and Risk Analysis and Remediation first.
This lets you generate your roles through Enterprise Role Management and analyze
them for risk with Risk Analysis and Remediation as they are built. In this
implementation approach, you save the time of having to perform the work all over
again, as you would if roles had already been defined.
Existing ERP Environment
In an existing ERP environment, the roles already exist, but SoDs have not been
analyzed and resolved. In this approach you want to implement Risk Analysis and
Remediation first because it will allow you to identify where SoDs exist. With an
existing ERP environment, you redesign your roles first, by identifying where the
SoDs exist. You can do this by removing transactions that are in conflict from roles;
this will remove SoDs at the role level. Also, during role cleanup, you can eliminate
some of the user-level SoDs. However, to be able to remove most of the user-level
SoDs, you will need to redesign business processes or implement mitigating controls
so that employee functions are not in conflict.
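The distinction between role-level and user-level SoDs is the crux of this approach: cleaning a role only removes conflicts contained in that one role, while a user who holds two clean roles can still combine them into a conflict that only a mitigating control or a process change can address. The following is an added example, not code from the course or the product, that works this through on constructed data: two risks (P001, P002), three functions, three roles and three users are all invented for illustration, and the rule and function structure is a simplification of the Risk Analysis and Remediation rule set.

```python
from itertools import chain

# Constructed sample data (not from the page). A risk pairs two conflicting business
# functions; each function is the set of transactions that can perform it.
SOD_RULES = {
    "P001": ("Create Vendor", "Pay Vendor"),
    "P002": ("Create Vendor", "Post Invoice"),
}
FUNCTIONS = {
    "Create Vendor": {"XK01", "FK01"},
    "Pay Vendor": {"F110"},
    "Post Invoice": {"FB60", "MIRO"},
}
# Roles as they exist before cleanup, and the users holding them.
ROLES = {
    "Z_AP_ALL": {"XK01", "F110", "FB60"},
    "Z_VENDOR_MAINT": {"XK01", "FK01"},
    "Z_AP_PAYMENTS": {"F110"},
}
USERS = {
    "ALICE": {"Z_AP_ALL"},
    "BOB": {"Z_VENDOR_MAINT", "Z_AP_PAYMENTS"},
    "CAROL": {"Z_AP_PAYMENTS"},
}


def violations(tcodes):
    """Risk IDs for which both conflicting functions are reachable from the transaction set."""
    return [rid for rid, (f1, f2) in SOD_RULES.items()
            if tcodes & FUNCTIONS[f1] and tcodes & FUNCTIONS[f2]]


def role_level(roles):
    """Roles that contain an SoD conflict on their own."""
    return {role: violations(t) for role, t in roles.items() if violations(t)}


def user_level(users, roles, mitigated=frozenset()):
    """Conflicts a user gets from the union of all assigned roles, minus (user, risk)
    pairs covered by an assigned mitigating control."""
    result = {}
    for user, assigned in users.items():
        tcodes = set(chain.from_iterable(roles[r] for r in assigned))
        hits = [rid for rid in violations(tcodes) if (user, rid) not in mitigated]
        if hits:
            result[user] = hits
    return result


def clean_roles(roles):
    """Role-level remediation: for each conflict inside a role, drop the transactions of
    the second function so the role no longer contains both sides of the rule."""
    cleaned = {}
    for role, tcodes in roles.items():
        kept = set(tcodes)
        for rid in violations(kept):
            kept -= FUNCTIONS[SOD_RULES[rid][1]]
        cleaned[role] = kept
    return cleaned


if __name__ == "__main__":
    print("role-level before cleanup:", role_level(ROLES))
    print("user-level before cleanup:", user_level(USERS, ROLES))
    cleaned = clean_roles(ROLES)
    print("role-level after cleanup:", role_level(cleaned))
    print("user-level after cleanup:", user_level(USERS, cleaned))
    print("after mitigating BOB/P001:", user_level(USERS, cleaned, {("BOB", "P001")}))
```

After cleanup, no role carries a conflict and ALICE is clean, but BOB still violates P001 because his two individually clean roles together cover both functions; that remaining violation disappears only when a mitigating control is assigned for that user and risk, or when one of the roles is taken away.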
Lesson Summary
You should now be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities
Lesson: Compliance Reporting
Lesson Overview
This lesson will discuss the reporting capabilities of SAP BusinessObjects Access
Control.
Lesson Objectives
After completing this lesson, you will be able to:
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report
Business Example
Your organization plans to review progress and effectiveness of the continuous
compliance process. You are asked to analyze the recent adaptations in the areas of
User Access Review and SoD Review. You are also responsible for checking the
current compliance status of your SAP back-end roles, using the reports provided by
SAP BusinessObjects Access Control.
Risk Analysis and Remediation Reporting
Risk Analysis and Remediation has several different reports available through the
Informer tab. There, you can review audit reports or security reports.
Audit Reports
You can view action reports within audit reports. These action reports can be used
to identify the rules in Risk Analysis and Remediation.
Security Reports
The following options are available for security reports:
• Users by User ID
• User Authorization Count
• List Expired and Expiring Roles for Users
• Users by Organizational Level
Compliant User Provisioning
A variety of Compliant User Provisioning reports are located under the Informer tab.
Two very important reports are the SoD Review History report and the User Access
Review History report.
• SoD Review History report: This report can assist you in determining the SoDs that have been remediated through the workflow process.
• User Access Review History report: This report allows you to review user accesses.
Enterprise Role Management
There are several Enterprise Role Management reports available under the Informer
tab, but there are some critical reports under the Role Management tab, which allow
you to view the change history within ERM or PFCG.
• Enterprise Role Management Change History: This report allows you to view the changes made to roles through Enterprise Role Management.
• PFCG Change History: This report allows you to view changes made to roles through PFCG.
By viewing both of these reports, you can view the history of changes to roles that
occurred through ERM or through PFCG. You can determine discrepancies by
comparing roles and their transaction codes.
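The discrepancy check named in the lesson objectives compares the transactions in a role's menu with the values of the S_TCODE authorization object in the role's authorization data. The following is an added example (not from the course or the product) of that comparison on constructed data: the roles Z_FI_CLERK and Z_MM_BUYER, their menus and their S_TCODE values are invented. It reports three kinds of finding, of which the last two matter most for compliance: menu entries the role cannot actually start, explicit S_TCODE values with no menu entry, and wildcard or range values, which authorize far more than the menu shows.

```python
# Constructed sample data (not from the page). For each role: the transactions in the role
# menu, and the values maintained for the TCD field of authorization object S_TCODE in the
# role's authorization data. A value is a single transaction, a trailing-asterisk pattern,
# or a (low, high) range.
ROLE_MENU = {
    "Z_FI_CLERK": {"FB01", "FB03", "FK01"},
    "Z_MM_BUYER": {"ME21N", "ME23N"},
}
ROLE_S_TCODE = {
    "Z_FI_CLERK": {"FB01", "FB03", "F110"},
    "Z_MM_BUYER": {"ME*", ("MB01", "MB99")},
}


def tcode_allowed(value, tcode):
    """Does one S_TCODE value cover the transaction?"""
    if isinstance(value, tuple):
        low, high = value
        return low <= tcode <= high
    if value.endswith("*"):
        return tcode.startswith(value[:-1])
    return value == tcode


def compare_role(menu, s_tcode_values):
    """Three kinds of discrepancy between menu and S_TCODE:
    - menu entries the role cannot actually start (missing authorization);
    - explicit S_TCODE values with no menu entry (access the menu does not show);
    - patterns and ranges, which grant more than the menu shows."""
    generic = [v for v in s_tcode_values if isinstance(v, tuple) or v.endswith("*")]
    return {
        "menu_not_in_s_tcode": sorted(
            t for t in menu if not any(tcode_allowed(v, t) for v in s_tcode_values)),
        "s_tcode_not_in_menu": sorted(
            v for v in s_tcode_values if v not in generic and v not in menu),
        "generic_values": sorted(
            v if isinstance(v, str) else f"{v[0]}-{v[1]}" for v in generic),
    }


def compare_all(menus=ROLE_MENU, auths=ROLE_S_TCODE):
    """Report only roles that show at least one discrepancy."""
    report = {}
    for role in menus:
        result = compare_role(menus[role], auths.get(role, set()))
        if any(result.values()):
            report[role] = result
    return report


if __name__ == "__main__":
    for role, findings in compare_all().items():
        print(role)
        for kind, values in findings.items():
            if values:
                print(f"  {kind}: {', '.join(values)}")
```

On the sample data, Z_FI_CLERK has a menu entry (FK01) with no authorization and an authorization (F110) with no menu entry, while Z_MM_BUYER is clean at the menu level but carries a pattern and a range that the menu does not reveal; the same logic applied to an export of the ERM or PFCG change history shows which change introduced each discrepancy.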
Exercise 15: Compliance Reporting
Exercise Objectives
After completing this exercise, you will be able to:
• Execute and analyze the SoD Review and User Access Review reports
• Execute and interpret the following authorization-management-relevant reports: Action Usage by Users, Invalid Mitigation Controls, and SoD Violations from Custom Programs
Business Example
Your organization wants to check the effectiveness of the most recent reviews in
the areas of SoD and User Access Management. You also want to review how your
current authorization concept supports the cleanup and continuous compliance phases
of the project.
Task 1:
Locate and view the SoD Review and User Access Review reports.
1. Execute and analyze the SoD Review and User Access Review reports.
2. Execute and interpret the following authorization-management-relevant reports: Action Usage by Users, Invalid Mitigation Controls, and SoD Violations from Custom Programs.
Task 2:
Go to Risk Analysis and Remediation. Select the Informer tab and choose Security Reports → Miscellaneous → Action Usage by User report.
Solution 15: Compliance Reporting
Task 1:
Locate and view the SoD Review and User Access Review reports.
1. Execute and analyze the SoD Review and User Access Review reports.
   a) Open Compliant User Provisioning.
   b) Select the Informer tab and choose Analytical Reports → SoD Review History Report or User Access Review History Report.
2. Execute and interpret the following authorization-management-relevant reports: Action Usage by Users, Invalid Mitigation Controls, and SoD Violations from Custom Programs.
   a)
Task 2:
Go to Risk Analysis and Remediation. Select the Informer tab and choose Security Reports → Miscellaneous → Action Usage by User report.
Lesson Summary
You should now be able to:
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report
Unit Summary
You should now be able to:
• Explain the integration points between Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
• Integrate and test the integration of the products
• Discuss options for the order of implementing the different capabilities
• Use reporting to analyze history data of the User Access Review and SoD Review
• Use the change history within Enterprise Role Management
• Execute the Master to Derived Role Relationship report
• List roles by the generation date
• Investigate discrepancies in roles by comparing transactions in the menu with included transaction codes in the role authorizations (S_TCODE)
• Use the Role Comparison report
Test Your Knowledge
Course Summary
You should now be able to:
• Explain the components of SAP BusinessObjects Access Control, and give a brief overview of each
• Explain the post-installation steps for SAP BusinessObjects Access Control
• Explain the new features of SAP BusinessObjects Access Control 5.3
• Show how the different components of SAP BusinessObjects Access Control 5.3 integrate with each other
Feedback
SAP AG has made every effort in the preparation of this course to ensure the accuracy
and completeness of the materials. If you have any corrections or suggestions for
improvement, please record them in the appropriate place in the course evaluation.