One SAP GRC Access Control


SAP GRC

Governance, Risk and Compliance (Access Control)

Asst. Prof. Dr. Santipat Arunthari


Chief Technology Officer (CTO)
PTT ICT Solutions

2009 PTT ICT Solutions All Rights Reserved -Proprietary and Confidential


1. GRC Background
   - The driver for GRC within an organization
   - What GRC is
   - Why organizations should take an integrated approach to GRC
   - How technology can help GRC
2. SAP solution for GRC
   - SAP GRC Risk Management
   - SAP GRC Process Control
   - SAP GRC Access Control
3. GRC Access Control (solution overview)
4. Case study


1. Governance, Risk and Compliance (GRC)
2. SAP GRC solution modules
3. SAP Access Control
4. Case study: implementation

GRC Background


GRC: principles of governance

- Ethics
- Transparency
- Responsibility
- Accountability
- Equitable treatment
- Creation of long-term value and sustainable growth
- Social and environmental awareness
- Promotion of Best

GRC: stakeholders and shareholders; tone at the top

Governance is about meeting strategic objectives (performance) while meeting legal and regulatory, contractual and other obligatory requirements, often supported by policies (conformance).

Performance / Conformance

Governance is the process of decision-making and the process by which decisions are implemented (or not implemented), directed and controlled.

Management Control
Management controls are the organization, policies, and procedures used by agencies to reasonably ensure that:
- Programs achieve their intended results,
- Resources are used consistent with the agency mission,
- Programs and resources are protected from waste, fraud, and mismanagement,
- Laws and regulations are followed, and
- Reliable and timely information is obtained, maintained, reported and used for decision making.

Corporate Governance (framework diagram)

- Shareholders and other stakeholders; Board (monitoring, disclosure); senior executive team (strategy, desirable behavior)
- Key assets: human assets, financial assets, physical assets, IP assets, information and IT assets, relationship assets
- Key assets governance: financial governance mechanisms (committees, budgets, etc.); IT governance and IT governance mechanisms (committees, budgets, etc.)

GRC Integrated Summary

How to Make Enterprise Governance, Risk and Compliance Work for You (www.isaca.org), section outline:
- Introduction
- GRC defined
- COBIT 5 and Governance
- COBIT 5 and Risk (cont.)
- COBIT 5 and Compliance
- COBIT 5 and GRC summary
- Using technology to help you manage your enterprise GRC
- Managing GRC with technology
- Why use a technology tool for GRC
- Setting expectations
- Getting started

SAP solution for GRC

SAP GRC Overview

1. Access Control / 2. Process Control

3. Risk Management / 4. Global Trade Services

SAP GRC Integrated Framework

Enterprise Risk Management, Access Control and Process Control


SAP GRC Benefits

Reduced risk:
- Lower fraud-related loss
- Faster remediation
- Improved business processes and overall performance
Reduced cost of compliance:
- Automation and monitoring free up resources for value tasks
- Shorter audit cycles
- Streamlined evaluations
- Lower TCO
Improved confidence:
- Visibility and real-time information
- Single version of the truth
- Reinforced accountability

SAP GRC Benefits (contd.)

Key area: Segregation of Duties
  Observation of AS-IS process:
  - Security activities require 25% to 50% of security admin time
  - Manual processes are inefficient and prone to error
  - Annual audit time of several weeks to manually create SoD reports and to review
  Benefits:
  - Automated monitoring and tracking
  - Preventive and detective controls

Key area: Add/Change/Delete Users
  Observation of AS-IS process:
  - Manual data entry is inefficient, generates error, and creates risk
  - Frequent Add/Change requests requiring manual effort
  - Delays of process create risk of unauthorized access
  - Deletion of users is not consistently and accurately implemented
  Benefits:
  - Automated user administration

Key area: Privileged User Access
  Observation of AS-IS process:
  - Access is granted for extended periods of time
  - Activity is not verifiable
  - Question of "What did they do when they had access?"
  Benefits:
  - Automated superuser access with tracking of all activities

Key area: Role Design and Management
  Observation of AS-IS process:
  - Limited role reaffirmation process
  - Limited ability for validation of current roles and proposed changes of roles
  - Difficult to manage large numbers of master roles and derived roles
  Benefits:
  - Compliant role design and management

Key area: Sensitive Transactions
  Observation of AS-IS process:
  - Limited, manual tracking of access
  - Current control does not meet audit requirements well
  Benefits:
  - Automated alerting, tracking, and logging

Key area: Management Reporting
  Observation of AS-IS process:
  - Manual reporting process
  - Manual analysis of differences between time periods
  - Limited visibility for management
  Benefits:
  - Automated pre-built access controls reporting

Qualitative Benefits: comparative study of GRC AC vs. manual process

- Manual: provides partial pro-active SoD analysis.
  GRC AC: provides fully pro-active SoD analysis.
- Manual: SoD analysis level restricted to transaction code level.
  GRC AC: SoD analysis extends to authorization object field values.
- Manual: captures the SoD implications at periodic internal audit control.
  GRC AC: captures the SoD implications at run time.
- Manual: captures potential risk with no solution.
  GRC AC: captures potential risks with a probable solution.
- Manual: prone to human error in provisioning roles to users.
  GRC AC: avoids human error in provisioning roles by defining pre-approved approval paths.
- Manual: manual log process for emergency access provisioning, leading to discrepancies and a missing audit trail.
  GRC AC: automatically captures the log for emergency access provisioning and limits access to a time period, producing an audit trail.
- Manual: manual definition of the role creation process, resulting in loss of control and audit trail.
  GRC AC: standard methodology defined for the role creation process, resulting in auditable roles.

GRC Access Control (overview)

GRC Access Control Overview
- Purpose and target audience
- GRC solutions
- Why GRC Access Control
- GRC Access Control basics
- GRC Access Control architecture
- GRC Access Control applications: Risk Analysis and Remediation, Compliant User Provisioning, Enterprise User Management, Super User Privilege Management

Purpose

The purpose of this document is to provide an overview of GRC AC system architecture and functionality.

Intended audience:
- Infrastructure, Security
- SAP Functional
- Internal Control / Internal Audit
- IT Security
- Security Compliance

GRC Solutions

Governance, Risk and Compliance (GRC) Solutions

ACCESS CONTROL
- Risk Analysis and Remediation
- Compliant User Provisioning
- Superuser Privilege Management
- Enterprise Role Management

Why GRC Access Control

Business Drivers / Common Challenges

Customers face a host of security challenges, including:
- Continued increase in compliance spend
- Requirement for continuous compliance monitoring
- Requirement for a centralized internal controls repository
- A fraud examiners' report recently estimated the average loss from existing fraud at 7% of revenue
- Disparate and complex application landscape with process inefficiencies and redundancies
- Existing segregation of duties violations and compliance issues
- Desire to automate user provisioning to support compliance requirements, operational efficiency goals, and regulatory requirements
- Requests for emergency access (admin rights) are ad hoc and insufficiently monitored and controlled
- Poor communication between business and IT results in best-guess approval of requests

GRC Access Control Goals

Compliance world-wide: GRC ensures compliance with regulatory mandates

Integrated GRC
- Unified process, compliance and risk methodologies
- Alignment of risk and strategy management
- Increased visibility across the impact of risk
- Standardized risk and compliance methodologies

Necessity to Implement Access Control
- Common approaches rely on periodic audits and manual evaluations and subsequent remediation of the findings.
- Despite the high effort, without a process in place to continuously monitor Segregation of Duties, risks are not under control.

Maturity Model
Evolve from manual, unreliable and inefficient controls to technology-based, cost-effective, reliable controls.

GRC Access Control Basics

Terminology

- Segregation of Duties (SoD): access controls ensuring that no one user has access to two or more incompatible duties. Some examples of incompatible duties are:
  - Creating a vendor and initiating payment
  - Creating and modifying invoices
  - Processing inventory and posting payments
- Role: a container that holds transactions/reports and an associated profile
- Authorization: permission to access data or execute transactions
- Authorization Object: a group of fields that allow for management of authorizations
- User: end users given access to SAP applications
- Risk: defines the potential risks existing in the system due to SoD, based on the standard business process
- Risk Analysis: the process of analyzing roles, profiles and/or users for risks
- Mitigation Control: gives the ability to associate controls with risks, so they can be applied to users and roles identified as violating SoD during risk analysis

Governance, Risk and Compliance

Corporate Governance:
- Ethical corporate behavior together with management and practices in the creation of all stakeholders
- Spells out the rules and procedures for making decisions about corporate affairs

IT Governance:
- Helps to ensure alignment of IT and enterprise objectives
- IT resources are used responsibly and their risks are managed properly

Risk Management:
- Identify, classify, document, and reduce risks to an acceptable level
- Risk is a result of three different parameters:
  - Existence of a threat for a business process
  - Likelihood of occurrence
  - Impact on the business process

Compliance (act accordingly):
- National and international legal requirements: Sarbanes-Oxley Act (US), Data Protection Law (Germany), J-SOX (Japan)
- Corporate policies represent both corporate philosophy and strategic thinking at a high level
- Low-level policies focus on the operational layer
- Policies need to be in sync with the overall business strategy and legal requirements

Evolution of SAP GRC
- Virsa Systems founded in 1996
- Sarbanes-Oxley Act (SOX) 2004
- SAP AG announced acquisition of Virsa on 3rd April 2006
- SAP AG renamed the SAP Virsa application to the SAP GRC suite
- SAP upgrades GRC
- SAP integrates GRC AC with PC, EHS and GTS
- SAP GRC + SAP BO GRC = SAP BO GRC; SAP BO GRC + RM + PC = SAP BO GRC
- SAP BO GRC + IDM components + Dashboards

GRC AC Risk Remediation Strategy

Pro-active real-time compliance by preventing security and controls violations before they occur. The approach of GRC AC in implementing Access Control is top to bottom.

GRC Access Control Processes

GRC AC components and the processes they cover:

GRC RAR (Risk Analysis and Remediation):
- SoD rules repository maintenance
- Mitigation plan maintenance
- Management reporting
- Continuous compliance monitoring

GRC CUP (Compliant User Provisioning):
- Dynamic approval workflows, audit trails
- Authorization changes, role design changes, compliance repository changes
- Access and authorization changes, approvals, audit trails
- Emergency access requests

GRC SPM (Superuser Privilege Management):
- Emergency change access management
- Emergency session log capture and storage

GRC ERM (Enterprise Role Management):
- SAP role management
- Compliant SAP role management
- Role management audit trails

Segregation of Duties
A segregation of duties issue for a business process arises when an individual can perform two or more of the following functions on a given transaction:

- Record keeping: activities to record the transaction or event in the company's records
- Custody: activities assigned to personnel to safeguard an asset, including information
- Authorization: implied or explicit approval to perform a business transaction or activity
- Reconciliation: comparisons of recorded balances or volumes to actual between time intervals to detect differences and take action on any differences

Authorization Concept

Glen, a G/L Accountant, wants to execute a G/L posting. The authorization chain is: Job -> Task -> SAP Role -> Transaction Code.

Execute transaction code FB50 (G/L account posting):
- Check authorization object S_TCODE
- Check authorization objects and field values:
  - F_BKPF_BUK: Accounting document: Authorization for Company Code
  - F_BKPF_GSB: Accounting document: Authorization for Business Area
  - F_BKPF_KOA: Accounting document: Authorization for Account Type

Authorization Concept (contd.)

In addition to this, if Glen had access to FS00 (G/L Account Master record maintenance):
- F_SKA1_BES: G/L Account: Account Authorization
- F_BKPF_BLA: Accounting Document: Authorization for Document Types

FS00 G/L Account Master record maintenance + FB50 G/L Account posting

Risk! This gives someone the access to create a fictitious G/L account and generate journal activity or hide activity via posting entries.

GRC SoD Rules Approach: Analysis, Evaluate

RAR Standard Rule Set

SAP: 256 risks, 58,649 action combinations (as of the 2008 Q2 update) for the business processes below:
- HR and Payroll
- Materials Management
- Procure to Pay (70/11104)
- APO/SCM
- Order to Cash (32/6101)
- SRM
- Finance (37/6229)
- General Accounting
- Project Systems
- CRM
- Fixed Assets
- Basis, Security and System Administration (25/13556)
- Consolidations

Oracle: 162 risks, 13,183 action combinations
PeopleSoft: 57 risks, 27,906 action combinations
JD Edwards: 21 risks, 303 action combinations
Non-RTA system analysis framework for legacy systems

Cross-enterprise rules library delivered out of the box

GRC Access Control Architecture

Terminology

- RTA (Real-Time Agent): responds to events or signals as fast as possible, or as they happen, and sits in the backend system
- JCo: a programming interface (API) that provides an interface between a Java program and a legacy application such as CICS and ECC
- IGS (Internet Graphics Server): used to generate graphical content, and to give you enough information to incorporate such graphics into your own Web Dynpro applications
- UME: a Java-based user administration component with central user administration, SSO, and secure access to distributed applications
- SLD: signifies the layout of the systems in an environment; Landscape is the highest node within the system landscape hierarchy

Standard GRC Architecture

GRC Architecture: generic view

RTA: the Enterprise Software Real-Time Agent

RTA type                                                  | Usage
Prebuilt for SAP                                          | BAPI programming interface
Prebuilt for Oracle                                       | Stored procedure
Prebuilt for PeopleSoft                                   | Web services
Prebuilt for Hyperion                                     | Web services
Custom-built for direct access to legacy system database  | Query
Custom-built for upload file extraction to legacy system  | Flat file (delimited)

GRC Access Control Landscape - Basic
SAP GRC Access Control application system landscape for a typical installation

GRC Access Control Landscape - Authoritative User Sources
SAP GRC Access Control application system landscape with authoritative user sources

GRC Access Control Landscape - Central User Administration
SAP GRC Access Control application system landscape with user provisioning, with or without the CUA

GRC Access Control Applications

GRC Access Control Overview

GRC AC Applications

GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance; it also provides an integrated framework for designing, enforcing and monitoring continuous compliance in SAP systems.

GRC Access Control consists of the following four applications:
- Risk Analysis and Remediation (RAR) and Risk Terminator: sustainable SoD definition, remediation, monitoring and reporting for continuous compliance
- Compliant User Provisioning (CUP): proactive, compliant, automated, auditable access approval and provisioning
- Enterprise Role Management (ERM): compliant role design, maintenance and auditability
- Superuser Privilege Management (SPM): controlled and reviewable privileged user management

Risk Analysis and Remediation

Risk Analysis and Remediation enables monitoring of SAP user access and applies a library of Segregation of Duties (SoD) rules to detect potential irregularities and minimize risks of fraudulent activity. It is a real-time and preventive compliance solution.

RAR functionalities:
- Audit and assessment of existing practice
- Risk identification and assessment
- Business SoD rules definition
- Mitigation controls definition
- Assessment of mitigation controls
- Remediation plans
- Progress monitoring
- Dynamic dashboards

RAR - features and benefits include:
- Facilitates discussion between business and IT
- Centralized definition of risks related to user access
- Real-time and cross-system risk analysis
- Remediation of SoD violations
- Proactive detection of SoD issues by simulation
- Auditability of change documents

SAP GRC Access Control components (former Virsa product names in parentheses): Super User Privilege Management (Firefighter), Compliant User Provisioning (Access Enforcer), Enterprise Role Management (Role Expert), Risk Analysis and Remediation (Compliance Calibrator)

Risk Terminator
- Provides real-time SoD analysis during user and role maintenance and user-to-role assignment.
- Risk Terminator can be configured to run a risk analysis when one of the following four tasks is performed:
  - When a role is generated using PFCG
  - When users are assigned to a role using PFCG
  - When a role or profile is assigned to a user using SU01
  - When a role or profile is assigned to users using SU10
- The risk analysis report is displayed to the user, showing the SoD violations.
- The configuration setting "Stop generation if violation exists" determines whether this is an error or a warning.
- If the user continues to process the task, a warning message is displayed with two options: Discard changes, or Continue.
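As an added illustration that is not part of the original presentation, the following Python model shows two things the slides describe: the difference between transaction-code-level and authorization-object-level SoD analysis, using the FS00/FB50 conflict from the Authorization Concept slides, and a Risk Terminator style simulation that reports only the new violations a proposed role assignment would introduce, with a mitigation control lookup. The role names, user IDs, the risk ID GL01, the mitigation control and all field values are constructed; the authorization object names follow the slides.

```python
"""Toy SoD risk analysis modelled on GRC RAR / Risk Terminator (constructed example)."""

# A business function is the set of authorization values needed to perform it.
# S_TCODE/TCD carries the transaction codes; the other objects carry field values.
# Object names follow the slides (FS00/FB50, F_SKA1_BES, F_BKPF_*); values are constructed.
FUNCTIONS = {
    "GL_MASTER": {  # G/L account master maintenance (FS00, create/change)
        "S_TCODE": {"TCD": {"FS00"}},
        "F_SKA1_BES": {"ACTVT": {"01", "02"}},
    },
    "GL_POST": {    # G/L posting (FB50, create accounting documents)
        "S_TCODE": {"TCD": {"FB50"}},
        "F_BKPF_BUK": {"ACTVT": {"01"}},
    },
}

# A risk is a pair of conflicting functions plus the exposure it creates.
RISKS = {
    "GL01": ("GL_MASTER", "GL_POST",
             "Create a fictitious G/L account and generate or hide journal activity"),
}

# Constructed roles: authorization object -> field -> set of values ("*" = all).
ROLES = {
    "Z_GL_POST": {
        "S_TCODE": {"TCD": {"FB50"}},
        "F_BKPF_BUK": {"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000"}},
        "F_BKPF_GSB": {"ACTVT": {"01", "03"}, "GSBER": {"*"}},
        "F_BKPF_KOA": {"ACTVT": {"01", "03"}, "KOART": {"S"}},
    },
    "Z_GL_MASTER_DISPLAY": {   # can open FS00 but only display (ACTVT 03)
        "S_TCODE": {"TCD": {"FS00"}},
        "F_SKA1_BES": {"ACTVT": {"03"}, "BEGRU": {"*"}},
    },
    "Z_GL_MASTER_MAINT": {     # can create and change G/L accounts
        "S_TCODE": {"TCD": {"FS00"}},
        "F_SKA1_BES": {"ACTVT": {"01", "02", "03"}, "BEGRU": {"*"}},
    },
}

USERS = {"GLEN": ["Z_GL_POST", "Z_GL_MASTER_DISPLAY"],
         "PAT": ["Z_GL_POST", "Z_GL_MASTER_MAINT"]}

# Mitigation controls assigned to (user, risk) pairs (constructed).
MITIGATIONS = {("PAT", "GL01"): "MC-001: monthly review of new G/L accounts by FI manager"}

def effective_access(role_names):
    """Merge the authorization values of several roles into one user-level view."""
    merged = {}
    for name in role_names:
        for obj, fields in ROLES[name].items():
            target = merged.setdefault(obj, {})
            for fld, values in fields.items():
                target.setdefault(fld, set()).update(values)
    return merged

def _values_match(have, need):
    return "*" in have or bool(have & need)

def has_function(access, func_name, level):
    """level="tcode": only S_TCODE is checked (manual, transaction-code-level analysis).
    level="object": every required object/field value must be present (RAR-style)."""
    required = FUNCTIONS[func_name]
    objects = ["S_TCODE"] if level == "tcode" else list(required)
    for obj in objects:
        have = access.get(obj, {})
        for fld, need in required[obj].items():
            if not _values_match(have.get(fld, set()), need):
                return False
    return True

def analyze(user, role_names, level="object"):
    """Return the SoD violations for a user holding the given roles."""
    access = effective_access(role_names)
    violations = []
    for risk_id, (f1, f2, desc) in RISKS.items():
        if has_function(access, f1, level) and has_function(access, f2, level):
            violations.append({"risk": risk_id, "functions": (f1, f2), "description": desc,
                               "mitigated_by": MITIGATIONS.get((user, risk_id))})
    return violations

def analyze_user(user, level="object"):
    return analyze(user, USERS[user], level)

def simulate_assignment(user, new_role, level="object"):
    """Risk Terminator style check: which NEW violations would adding new_role introduce?"""
    before = {v["risk"] for v in analyze_user(user, level)}
    after = analyze(user, USERS[user] + [new_role], level)
    return [v for v in after if v["risk"] not in before]

if __name__ == "__main__":
    for level in ("tcode", "object"):
        print(level, "GLEN:", [v["risk"] for v in analyze_user("GLEN", level)])
    print("GLEN + Z_GL_MASTER_MAINT:", [v["risk"] for v in simulate_assignment("GLEN", "Z_GL_MASTER_MAINT")])
    print("PAT:", [(v["risk"], v["mitigated_by"]) for v in analyze_user("PAT")])
```

At transaction-code level GLEN is flagged for GL01 although his FS00 access is display-only; at object level the false positive disappears, and the simulation shows the violation only when the maintenance role is proposed.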

Superuser Privileged User Access Management

The Privileged User Access Management tool lets "superusers" perform emergency activities outside of their role in a controlled and auditable environment.

Emergency access flow:
1. Emergency situation; work order acceptance.
2. Is an FFID required? If no, follow the current E.RFC process. If yes, continue.
3. The pre-designated firefighter logs into CUP and requests an FF ID; a notification is sent to the BTO.
4. The Firefighter ID owner logs into CUP and approves the FF ID for the firefighter with an expiration date.
5. The firefighter logs into SAP using their own ID and executes a transaction code to check out the FF ID.
6. The firefighter has the required access to remediate the situation.
7. Audit logs and transactions are archived for future audits.
8. Access auto-expires after the pre-determined period.
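An added Python model of the firefighter flow above (it is not part of the original presentation and not SAP's own code): request, owner-only approval with an expiry, a check-out that is refused when the user is not designated or the approval is missing or expired, per-action logging, an archived log report sent to the controller, and automatic expiry. The FF ID FF_FI_01, the user names and the timestamps are constructed.

```python
"""Constructed model of the SPM firefighter (FF ID) lifecycle; not SAP's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed timestamps used by the demo below.
T0 = datetime(2009, 6, 1, 9, 0)
HOUR = timedelta(hours=1)
ONE_DAY = timedelta(days=1)

class FirefighterError(Exception):
    """Raised when an approval or check-out violates the controlled process."""

@dataclass
class Assignment:
    ff_id: str                # privileged firefighter ID (constructed, e.g. "FF_FI_01")
    firefighter: str          # pre-designated named user allowed to check it out
    owner: str                # FF ID owner who approves the request
    controller: str           # receives activation notifications and log reports
    approved_until: Optional[datetime] = None
    notifications: list = field(default_factory=list)   # (when, recipient, text)

class SuperuserPrivilegeManager:
    def __init__(self):
        self.assignments = {}   # (firefighter, ff_id) -> Assignment
        self.archive = []       # closed session logs, kept for future audits

    def request(self, firefighter, ff_id, owner, controller, now):
        """Pre-designated firefighter requests the FF ID; the owner is notified."""
        a = Assignment(ff_id, firefighter, owner, controller)
        a.notifications.append((now, owner, f"{firefighter} requested {ff_id}"))
        self.assignments[(firefighter, ff_id)] = a
        return a

    def approve(self, approver, firefighter, ff_id, valid_for, now):
        """Only the FF ID owner may approve, and approval always carries an expiry."""
        a = self.assignments[(firefighter, ff_id)]
        if approver != a.owner:
            raise FirefighterError(f"{approver} is not the owner of {ff_id}")
        a.approved_until = now + valid_for
        return a.approved_until

    def check_out(self, firefighter, ff_id, reason, now):
        """Check out the FF ID; refused unless designated, approved and still valid."""
        a = self.assignments.get((firefighter, ff_id))
        if a is None:
            raise FirefighterError(f"{firefighter} is not designated for {ff_id}")
        if a.approved_until is None or now > a.approved_until:
            raise FirefighterError(f"{ff_id} not approved or expired for {firefighter}")
        session = {"ff_id": ff_id, "firefighter": firefighter, "reason": reason,
                   "start": now, "end": None, "actions": []}
        # Automatic notification when firefighter mode is activated.
        a.notifications.append((now, a.controller,
                                f"Firefighter mode activated: {firefighter} as {ff_id}"))
        return session

    def record(self, session, tcode, detail, now):
        """Every action performed with the FF ID is written to the session log."""
        if session["end"] is not None:
            raise FirefighterError("session is already closed")
        session["actions"].append((now, tcode, detail))

    def check_in(self, session, now):
        """Close the session, archive the log and send the report to the controller."""
        a = self.assignments[(session["firefighter"], session["ff_id"])]
        session["end"] = now
        report = dict(session, actions=list(session["actions"]))
        self.archive.append(report)
        a.notifications.append((now, a.controller,
                                f"Log report: {len(report['actions'])} actions by "
                                f"{session['firefighter']} as {session['ff_id']}"))
        return report

    def expire(self, now):
        """Access auto-expires: revoke approvals whose validity window has passed."""
        revoked = []
        for a in self.assignments.values():
            if a.approved_until is not None and now > a.approved_until:
                a.approved_until = None
                revoked.append((a.firefighter, a.ff_id))
        return revoked

if __name__ == "__main__":
    spm = SuperuserPrivilegeManager()
    spm.request("GLEN", "FF_FI_01", owner="FI_MANAGER", controller="IT_AUDIT", now=T0)
    spm.approve("FI_MANAGER", "GLEN", "FF_FI_01", ONE_DAY, T0)
    s = spm.check_out("GLEN", "FF_FI_01", "work order 4711", T0 + HOUR)
    spm.record(s, "FS00", "corrected G/L account 113100", T0 + 2 * HOUR)
    print(spm.check_in(s, T0 + 3 * HOUR))
    print("revoked:", spm.expire(T0 + 2 * ONE_DAY))
```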

SPM - features and benefits include:
- Pre-approved emergency access
- Automatic email notification when Firefighter mode is activated
- Automatic sending of the log report to the controller
- Detailed audit trail of performed actions
- Auditability (an FF user is not equal to a SAP_ALL user)
- Web-based log reports, including risk analysis

SPM Process Overview

Compliant User Provisioning

Job functions change frequently and employees transition into new roles or inherit new responsibilities, but companies often overlook how these changes impact SoD requirements. By incorporating control activities into everyday business processes, companies avoid after-the-fact violation detection. SAP GRC Access Control creates visibility, enables fully compliant user provisioning throughout the employee life cycle, and prevents new SoD violations.

CUP functionalities:
- Assessment of business
- Assessment of business relationship
- Design of dynamic workflow service
- Automated user provisioning
- Reduced burden on IT
- Prevents risks by proactive analysis
- Meets regulatory compliance targets

CUP - features and benefits include:
- Homogenized access request process
- Automated approval management (workflow)
- Dynamic routing for approval
- Risk analysis before request approval
- Transparent view of the impact of the approval (in business language)
- Automated user provisioning to SAP
- Automated logging of request approvals and modifications

CUP Functional Overview

CUP Typical End Users
- Requestors: request access to systems and roles
- Approvers: approve user access requests; security, managers, data owners (role owners), process owners, etc.
- Administrators: administer requests, configure workflow, manage application security, manage other system settings/configuration

CUP Provisioning Workflow

User Access Request -> Manager Approval -> Role Owner Approval -> Security Coordinator Approval -> provisioning to target systems (ECC, HR, CRM, Legacy)

CUP Workflow features

Flexible configuration of workflows:
- Multiple approvers
- Different workflow paths for different request attributes
- Parallel paths: different workflow paths based on role selection
- Detours and forks: certain predefined conditions can trigger detours
- Escape routes
- Forwarding to another approver
- Automated provisioning without security review

Automated actions:
- Create/change user
- Change user master record information (validity date, user group, etc.)
- Lock/unlock user
- Delete users
- Notifications

CUP - Other workflow types (non user access request)

- Risk Analysis and Remediation: risk change approvals; mitigation change approvals; SoD management by exception
- Superuser Privilege Management: automates the E-RFC process while providing an audit trail and maintaining compliance; superuser access assignment
- Enterprise Role Management: role maintenance approvals
- User Access Review: can facilitate quarterly access review; reviews sent to approvers to approve users' current access
- SoD Management by Exception: exception-based reporting and remediation via workflow

CUP - Additional capabilities

- Password self-service: allows users to reset their password using challenge and response (if not authenticating against MS AD)
- HR triggers: ability to set up automatic workflow requests based on a function/action that occurs in an SAP HR system
- BI integration for detailed custom reporting: standard cube is available (as of 5.3)
- Integration with training system: verification of user training status; will need web service integration configuration

CUP - Typical administration

- Maintain roles: upload new roles on a periodic basis; remove roles on a periodic basis
- Maintain approvers: upload new approvers; remove approver information as required
- Maintain workflow: maintain workflow paths; opportunities to streamline the workflow process
- Manage requests: on-hold or stale requests

CUP - Integration points and data sources

Possible points of integration:
- ECC, BI, BI-EP, Solution Manager
- Non-SAP systems (with custom RTA)

Supported data sources:
- Multiple SAP systems
- Multiple LDAP systems, out of the box: Active Directory, SunOne, Novell eDirectory, IBM Tivoli, any LDAP system supported by SAP UME
- Non-SAP support systems: Oracle, PeopleSoft, JD Edwards

Enterprise Role Management

Enterprise Role Management addresses the root of access control through standardized and centralized role design, testing, and maintenance. It helps you eliminate manual errors and makes it easier to enforce best practices. The application puts role ownership in the hands of business process owners rather than IT staff, allowing them to document role definitions, perform automated risk assessments, track changes, and conduct maintenance with ease, which increases consistency and lowers IT costs.

Centralized Role Management (diagram): enterprise rules and the audit log feed SAP GRC Access Control, which produces compliant enterprise roles across applications.

ERM functionalities:
- Creation and maintenance of roles
- Integrates with RAR for SoD analysis
- Assignment of role owners to roles
- Triggers dynamic approval workflow
- Dual environment: analysis and generation
- Provision for opening the SAP profile generator

ERM - features and benefits include:
- Central management of authorization roles
- Automatic notification of change of role owners
- Approval workflow for role changes
- Preventive risk analysis for roles
- Automatic role generation in the SAP system
- Audit trails and reporting of all role changes

ERM Process Overview

Business Process Owner -> Definition -> Authorization -> Risk Analysis -> Approval -> Generation -> Derive -> Test, with Security, Compliant User Provisioning and Risk Analysis & Remediation involved, across the HR, CRM and ECC systems.

Case Study

Income and profit; sustainability; stakeholders; performance; conformance; regulator

Risk Management Policy

Access control and process control policy

I.T. Applications and Services Company Limited (ITAS):
- Implement Access Control
- Started in 2008 with one process
- Consultant: Deloitte
- Implemented for a non-wireless (telecommunication) company
- IT department lead
- IT audit / auditor advisor

Santipat Arunthari, Ph.D.
Chief Technology Officer (CTO)
PTT ICT Solutions Company Limited
Energy Complex, Building A, 4th Floor, 555/1 Vibhavadi Rangsit Road, Chatuchak, Bangkok 10900
Mobile: +66 (0) 8-66173000

"If you are not thinking and acting strategically, then you are merely following orders and responding to pressure."

Date: 14/6/2554
