8890 GRC-Introduction to Access Control-GRC AC 10.1

March 27, 2017 | Author: dsa | Category: N/A



DEMO SCRIPT CLASSIFICATION: INTERNAL & PARTNERS

GRC: Introduction to Access Control: GRC AC 10.1
SCENARIO ID: 8890

General Information
- SAP GRC Access Control
- Value Scenario
- Country or Global

Authors
- User ID I822145

Date Last Updated
- October 26, 2015

1

2013 SAP AG OR AN SAP AFFILIATE COMPANY. ALL RIGHTS RESERVED. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries. Apple, App Store, Face Time, iBook’s, iPod, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc. Bluetooth is a registered trademark of Bluetooth SIG Inc. Citrix, ICA, Program Neighborhood, MetaFrame now Xantippe, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH. Edgar Online is a registered trademark of EDGAR Online Inc., an R.R. Donnelley & Sons Company. Facebook, the Facebook and F logo, FB, Face, Poke, Wall, and 32665 are trademarks of Facebook. Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik, and Android are trademarks or registered trademarks of Google Inc. HP is a registered trademark of the Hewlett-Packard Development Company L.P. HTML, XML, XHTML, and W3C are trademarks, registered trademarks, or claimed as generic terms by the Massachusetts Institute of Technology (MIT), European Research Consortium for Informatics and Mathematics (ERCIM), or Keio University. 
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation. Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation. INTERMEC is a registered trademark of Intermec Technologies Corporation. IOS is a registered trademark of Cisco Systems Inc. The Klout name and logos are trademarks of Klout Inc. Linux is the registered trademark of Linus Torvalds in the United States and other countries. Motorola is a registered trademark of Motorola Trademark Holdings LLC. Mozilla and Firefox and their logos are registered trademarks of the Mozilla Foundation. Novell and SUSE Linux Enterprise Server are registered trademarks of Novell Inc. OpenText is a registered trademark of OpenText Corporation. Oracle and Java are registered trademarks of Oracle and its affiliates. QR Code is a registered trademark of Denso Wave Incorporated. RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry AppWorld are trademarks or registered trademarks of Research in Motion Limited. SAVO is a registered trademark of The Savo Group Ltd. The Skype name is a trademark of Skype or related entities. Twitter and Tweet are trademarks or registered trademarks of Twitter. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Wi-Fi is a registered trademark of Wi-Fi Alliance. 
SAP, R/3, ABAP, BAPI, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, Sybase, Adaptive Server, Adaptive Server Enterprise, iAnywhere, Sybase 365, SQL Anywhere, Crossgate, B2B 360° and B2B 360° Services, m@gic EDDY, Ariba, the Ariba logo, Quadrem, b-process, Ariba Discovery, SuccessFactors, Execution is the Difference, BizX Mobile Touchbase, It's time to love work again, SuccessFactors Jam and BadAss SaaS, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany or an SAP affiliate company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

2

© Copyright 2013 SAP AG

TABLE OF CONTENTS

1. Demo Script Overview
   1.1. Demo Description ........................................ 4
   1.2. Business Pain Points .................................... 4
   1.3. Key Messages and Value Proposition ...................... 4
   1.4. Story flow Summary ...................................... 4
   1.5. Speed demo link ......................................... 5
2. Demo Script ................................................... 6
   1.6. Step-By Step Guide ...................................... 6
2. Appendix ..................................................... 29


1. Demo Script Overview

1.1. Demo Description

This speed demo (offline) shows the key benefits of SAP Access Control. SAP Access Control automates the process of detecting, remediating, and preventing access risk violations (Segregation of Duties and critical/sensitive access). It is rated by Gartner and KuppingerCole as the leading vendor and best solution for managing access in SAP systems.

1.2. Business Pain Points

We know every company today has a process for managing access and access risk, but most are manual in nature, using spreadsheets, email, and point solutions. Manual processes for managing access, however, are:

- Error prone, and may be leaving companies exposed to risk
- Time consuming and costly
- Difficult to manage and sustain, and impossible to scale

1.3. Key Messages and Value Proposition

- Reduce access risk and fraud
- Reduce the cost of access management
- Reduce the cost of ongoing compliance

1.4. Story flow Summary

- The access governance challenges customers are facing today and why they are so difficult
- Introduction to the key concepts in SAP Access Control
- Find and remediate SoD and critical access violations with access risk analysis
- Automate access assignments across SAP and non-SAP systems
- Define and maintain roles in business terms
- Certify that access assignments are still warranted
- Monitor emergency privileges and transaction usage
- Summary


1.5. Speed demo link

The demo can be fetched in the Speed Daemon for any modification or reuse using the Demo ID: 112591. The demo is available at the links below.

Internal link: http://iwdfvm4772.wdf.sap.corp:8080/speeddemo/demo/112591 (Expiry Date: 12/31/2015)
External link: http://demo.tdc.sap.com/SpeedDemo/710274094440ecfb (Expiry Date: 12/31/2015)

Scan the QR code to launch directly on iPad.


2. Demo Script

1.6. Step-By Step Guide

Step 1.0 Overview

What to say

Today I’m going to talk to you about managing access risk – that is, risk related to the systems and applications your users have access to. Most, if not all, organizations have efforts underway, in some form, to address compliance, policy and risk requirements related to access risk. SAP Access Control helps companies to better manage this process by preventing access risk, reducing the cost of access risk management, and minimizing the time and effort of compliance.

What you should see




Step 2.0 Top Risks

What to say

There are many aspects to effectively managing access risk to business applications. When we talk about managing access risk, we are referring to the set of processes and controls that organizations put into place to manage challenges such as:

- Controlling Segregation of Duties and sensitive access
- Monitoring emergency access
- Provisioning compliant access without risk
- Effectively managing roles
- Periodically certifying access
- Reporting accurately on huge data volumes across systems and landscapes

What you should see




Step 3.0 Managing Access Risk is Hard

What to say

While we know that companies have processes in place today to try to manage access risk, most have fragmented and manual processes and use tools such as spreadsheets, email, and point solutions to manage these different aspects, which makes managing risk compliantly extremely difficult.

Fragmented approach:
- Companies often measure access risk at the departmental, organizational, or single-system level – if at all. Auditors and access administrators have a siloed view of a user’s access. This type of fragmented approach leads to an incomplete or false view of risk and of the controls that manage it.

Inefficient and costly manual processes:
- This problem is compounded by the use of manual tools, which not only lead to inefficiencies (for example in employee onboarding or manual employee access reviews) but become worse when trying to consolidate access profiles across multiple systems, departments or companies.

Lack of visibility:
- The lack of visibility into which users have access to what leads to users with excessive access rights and risks across the company, in particular as employees transition from job to job.

Inability to prevent access risk violations:
- Manual processes and a lack of visibility across the enterprise invariably allow access risks into your environment. As users receive new authorization assignments, new risks are introduced.

What you should see




Step 4.0 Access Control – Manage Access Risk and Prevent Fraud

What to say

With SAP® Access Control, you can move beyond manual processes for managing access risk. The application enables you to manage segregation of duties (SoD), critical and sensitive access, and superuser access effectively and efficiently. It automates the compliant provisioning of users, periodic user and role certifications, and the maintenance of compliant roles. This allows you to manage access risk on an exception basis and focus on value-adding initiatives.

Another way to think about it is that SAP Access Control helps you get clean, stay clean, and stay in control of your access risk. You get clean by finding and remediating SoD and access violations across your enterprise. You stay clean by automating the access request and business role processes and embedding compliance checks to ensure only compliant authorization is granted and available. And finally, you stay in control through the use of periodic user and role certification, emergency user monitoring, and transaction reporting and alerts.

What you should see




Step 5.0 Access Risk Dashboard

What to say 

Getting clean begins with access risk analysis. We’re looking at the risk violations dashboard which provides an executive level overview of access risk across the company over time. Access Control is delivered with over 100 reports and dashboards out of the box.



In this dashboard, authorization violations can be analyzed by year/month, by system, by user or role and by group. Access risks are grouped by business process so you can focus on specific areas of your business.



SAP Access Control delivers integration to SAP ERP, as well as to non-SAP systems including Oracle, PeopleSoft, and JD Edwards, out of the box, along with legacy and over 75 other non-SAP applications through our partnership with Greenlight Technologies.

What you should see


Step 6.0 Cross System Simulation

What to say 



Dashboards, like the one we just saw, are a great way to give managers and executives a high level view into authorization risk. For a real-time or more detailed view into access you can run a risk analysis or in this case a risk simulation – which provides real-time what-if analysis against authorizations assigned in the back end. We’re going to run a cross system risk analysis across an SAP and Ariba system for the user Kate Shaw.



What you should see


Step 7.0 Cross System Simulation Risk Results

What to say 

When we run the analysis, we see that granting a purchasing role in Ariba and an invoicing role in SAP results in the user having the ability to purchase unauthorized items and initiate payments for those items – a high risk.



From the usage statistics we see Kate Shaw has not used the Ariba role since 2009 – a good indication that it is authorization she has received over time but no longer needs.

What you should see


Step 8.0 Simulate Role Removal

What to say 

Now we’ll run a simulation to see if removing the Ariba role will remove the risk. The simulation goes directly to the backend and analyzes the authorizations assigned to Kate in the SAP and Ariba systems.

What you should see


Step 9.0 Simulate Role Removal Results

What to say 

The result of the simulation is a clean risk profile for Kate. We know that removing the unused Ariba role will remediate the risk violations assigned to Kate. This type of simulation provides an effective means of cleaning your environment, and can be run for users, roles, profiles, or HR objects.

What you should see
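The cross-system analysis and what-if simulation of Steps 6.0 through 9.0, as an added example that is not SAP's code: a minimal rule engine that fires a Segregation of Duties rule when a user's combined roles across systems cover every conflicting function, re-runs the analysis with one role removed, and flags long-unused assignments. The rule set, role catalogue, system names and usage dates are constructed sample data.

```python
"""Cross-system SoD risk analysis with role-removal simulation.

Added example, not SAP's code: a minimal model of the cross-system
risk analysis and what-if simulation shown in the demo. Rule set,
role catalogue, assignments and usage dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    functions: frozenset   # business functions that conflict when combined
    risk_level: str

# Constructed rules. P2P-01 is the conflict the demo shows: purchasing
# combined with invoicing, regardless of which system grants each side.
RULES = [
    SodRule("P2P-01", "Purchase items and initiate payment for them",
            frozenset({"PURCHASING", "INVOICING"}), "High"),
    SodRule("VEND-01", "Maintain vendor master and invoice against it",
            frozenset({"VENDOR_MAINT", "INVOICING"}), "High"),
]

# Constructed role catalogue: (system, role) -> business functions granted.
ROLE_FUNCTIONS = {
    ("ARIBA", "Z_PURCHASER"): {"PURCHASING"},
    ("SAP_ECC", "Z_AP_INVOICE"): {"INVOICING"},
    ("SAP_ECC", "Z_DISPLAY_ONLY"): set(),
}

@dataclass(frozen=True)
class Assignment:
    system: str
    role: str
    last_used: Optional[date] = None   # from transaction usage statistics

@dataclass
class Violation:
    rule_id: str
    risk_level: str
    description: str
    contributing: List[Assignment]     # the assignments that create the conflict

def analyze(assignments: List[Assignment]) -> List[Violation]:
    """Cross-system risk analysis: a rule fires when the user's combined
    assignments, across all systems, cover every function in the rule."""
    by_function = {}
    for a in assignments:
        for f in ROLE_FUNCTIONS.get((a.system, a.role), set()):
            by_function.setdefault(f, []).append(a)
    violations = []
    for rule in RULES:
        if rule.functions.issubset(by_function):
            contributing = [a for f in sorted(rule.functions) for a in by_function[f]]
            violations.append(Violation(rule.rule_id, rule.risk_level,
                                        rule.description, contributing))
    return violations

def simulate_removal(assignments, system, role):
    """What-if simulation: violations that remain if (system, role) is removed."""
    remaining = [a for a in assignments if (a.system, a.role) != (system, role)]
    return analyze(remaining)

def stale_assignments(assignments, as_of, max_idle_days=365):
    """Assignments unused for longer than max_idle_days (never used counts as
    stale): the 'received over time but no longer needed' candidates."""
    return [a for a in assignments
            if a.last_used is None or (as_of - a.last_used).days > max_idle_days]

# Constructed sample matching the demo: an Ariba purchasing role last used in
# 2009 plus an SAP invoicing role in current use.
AS_OF = date(2015, 10, 26)
KATE = [
    Assignment("ARIBA", "Z_PURCHASER", date(2009, 6, 30)),
    Assignment("SAP_ECC", "Z_AP_INVOICE", date(2015, 10, 1)),
    Assignment("SAP_ECC", "Z_DISPLAY_ONLY", date(2015, 10, 20)),
]
```

Running `analyze(KATE)` reports P2P-01 with both the Ariba and SAP assignments as contributors; `simulate_removal(KATE, "ARIBA", "Z_PURCHASER")` returns no violations, while removing the display-only role changes nothing.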


Step 10.0 User Access Management

What to say 

SAP Access Control automates access management activities and embeds compliance checks throughout the employee lifecycle. Employees can request access to SAP and non-SAP systems using a self-service portal, and a workflow-driven request and approval process reduces the IT resources required. The application automatically tests for SoD and critical-access violations, facilitates the removal of SoD or critical access risks, and enforces the assignment of mitigating controls prior to approval. With this functionality, the application prevents unmitigated access-risk violations from being introduced into the environment, and enables companies to stay clean.

What you should see




Step 11.0 Access Request Self Service

What to say 

SAP Access Control offers self-service capabilities, allowing users to request access, review their current privileges, manage passwords, and check the status of previously submitted requests. The self-service form can be embedded in your portal – here we see an example from SAP’s internal implementation.

What you should see


Step 12.0 Access Request Approval Form

What to say 

Access requests are sent to the appropriate approver based on dynamic workflow logic. Risk analysis is embedded in the view and approvers are provided a number of remediation options.



Requests for user access can be drawn from a number of different sources. Each request is sent to the appropriate approver based on dynamic workflow logic, and a what-if simulation is embedded in the provisioning process to assess the risk impact of role assignments across business applications. Request sources include:

- A self-service portal for business users to request access for themselves or others
- SAP NetWeaver® Identity Management component and third-party identity management software through standard Web services
- HR software, including the SAP ERP Human Capital Management (SAP ERP HCM) solution, which can trigger changes to user assignments based on new hire, transfer, or termination actions in the HR software

What you should see




Step 13.0 Mobile Access Approver

What to say 

The SAP GRC Access Approver mobile app simplifies the approval process even further, allowing requests for user access and emergency access to be addressed from supported mobile devices.



Unlike other mobile approval products, SAP GRC Access Approver not only shows the access being requested but the potential risk associated with assignment as well as any mitigating controls that may have been assigned.



Approvers can call or email users to request additional information, add comments before approving or rejecting requests, and forward requests to people in their contacts list when further information is needed.

What you should see




Step 14.0 Mobile Access Approver Submit

What to say 

The intuitive interface requires no training and is available for both iOS and Android devices. The apps are available for free download and trial from the Apple App Store and Google Play respectively.

What you should see




Step 15.0 Maintain Roles

What to say 

Another key component of keeping your environment clean is building and maintaining violation-free roles from the bottom up. By incorporating SoD and critical access rules into the role design process, the application allows you to define compliant roles proactively.



SAP Access Control supports flexible role-building methodologies – including support for business roles. The application translates technical access terms into common business language. This facilitates collaboration between IT and business owners by allowing them to use the same, consistent terms to document role definitions.



What you should see




Step 16.0 Role Dashboard

What to say 

You’re looking at the role analytics dashboard. SAP Access Control allows you to centrally and compliantly maintain roles from across your entire enterprise. Roles are linked to business attributes to make it easier to track authorizations by business segment. Here, we are looking at roles by business process. The application supports technical, composite, derived and business roles.

What you should see




Step 17.0 Business Role Management

What to say 

Business roles, which can consist of one or more technical roles from both SAP and non-SAP systems, can be maintained and assigned to users through SAP Access Control. The configurable methodology ensures that a compliant process is followed to design, test and approve roles as they are created and maintained. An audit trail tracks all changes so updates can be historically reviewed.

What you should see




Step 18.0 Certify Authorizations

What to say 

Periodically reviewing access assignments is a key process from both a compliance and a best practice standpoint. SAP Access Control facilitates periodic reviews of user access, role authorizations, risk violations and mitigating control assignments. An important component in a compliance audit, automating these reviews saves a tremendous amount of time and effort. As an example, an oil and gas customer was able to streamline their review process from 3 months to 3 weeks after implementing Access Control’s user access reviews.

What you should see




Step 19.0 User Access Review

What to say 

Here, we see an example of a user access review request. In this case, a manager is reviewing the roles assigned to their employees. We can see that the roles are described in business terms, by system. Usage details are included per role to show whether the users are actually using the authorizations in each role. This can be a helpful tool for determining whether users still require all of the access that they are assigned.

What you should see




Step 20.0 Monitor Privileges

What to say 

In addition to the preventative capabilities that we’ve discussed, SAP Access Control also includes a number of monitoring capabilities to further enable you to keep your environment clean and stay in control of your access risk. These capabilities include transaction execution alerts and reporting, a closed-loop process for managing emergency access, and over 100 delivered dashboards and reports as well as extensions for customized reporting.

What you should see




Step 21.0 Transaction Reporting

What to say 

SAP Access Control collects transaction usage data to facilitate a number of review processes, including:

- Alerting business owners where sensitive access or conflicting access is exercised by a user. Alerts are sent to the responsible reviewers for analysis and follow-up.
- Reporting on activities by user, as seen here, which shows system and actual usage information. We can filter these reports by system and authorization to narrow investigations of user activity, and reports can be exported for additional analysis.
- Usage information is also available for inclusion in the previously discussed user access reviews and other reports throughout the application.

What you should see




Step 22.0 Emergency Access Management

What to say 

Granting emergency access to SAP ERP leads to one of the most common audit issues SAP customers experience today. You may have additional accounting personnel who need to post payments during the month-end close, or IT personnel who require elevated access to support the business.

With a self-service emergency-access request and workflow approval process, SAP Access Control can provide exception-based access to users through “Firefighter IDs”, where a monitoring layer tracks their usage for review.

Once a user has completed the activities using the firefighter ID, a request containing detailed usage information is created and sent to a process owner for review. Any exceptions noted during review between intended and actual usage are also managed via workflow. Escalation procedures can be put in place to ensure all logs are reviewed and approved.

Usage data and a request history are retained for audit and reporting purposes.

What you should see
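The intended-versus-actual usage comparison that drives the firefighter log review above, as an added example that is not SAP's code: it takes the transactions declared in an emergency-access request and the session log, and produces the exceptions a process owner would see (undeclared transactions, activity outside the approved window, declared transactions never used). The request fields, log format, firefighter IDs and all sample values are constructed for this example; the transaction codes are standard SAP ones used only as sample data.

```python
"""Firefighter ID log reconciliation: intended versus actual usage.

Added example, not SAP's code: after an emergency-access session, compare the
transactions declared in the request with what the log shows was executed,
and produce the exceptions a process owner would review. Request fields,
log format and all sample values are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List

@dataclass(frozen=True)
class FirefighterRequest:
    request_id: str
    firefighter_id: str
    requester: str
    reason: str
    intended: FrozenSet[str]   # transaction codes declared when requesting access
    valid_from: datetime
    valid_to: datetime

@dataclass(frozen=True)
class LogEntry:
    firefighter_id: str
    executed_at: datetime
    transaction: str

@dataclass(frozen=True)
class ReviewException:
    kind: str           # UNDECLARED, OUTSIDE_WINDOW or DECLARED_UNUSED
    transaction: str
    detail: str

def reconcile(req: FirefighterRequest, log: List[LogEntry]) -> List[ReviewException]:
    """Return the exceptions between intended and actual usage for one request."""
    exceptions = []
    used_in_window = set()
    for entry in log:
        if entry.firefighter_id != req.firefighter_id:
            continue   # another firefighter ID's session, reviewed separately
        if not (req.valid_from <= entry.executed_at <= req.valid_to):
            exceptions.append(ReviewException(
                "OUTSIDE_WINDOW", entry.transaction,
                f"executed {entry.executed_at:%Y-%m-%d %H:%M} outside the approved window"))
            continue
        used_in_window.add(entry.transaction)
        if entry.transaction not in req.intended:
            exceptions.append(ReviewException(
                "UNDECLARED", entry.transaction, "executed but not declared in the request"))
    for code in sorted(req.intended - used_in_window):
        exceptions.append(ReviewException(
            "DECLARED_UNUSED", code, "declared in the request but never executed"))
    return exceptions

def review_outcome(exceptions: List[ReviewException]) -> str:
    """Closed-loop decision: a log with no exceptions can be approved directly;
    anything else is routed to the process owner via workflow."""
    return "AUTO_APPROVE" if not exceptions else "WORKFLOW_REVIEW"

# Constructed sample: month-end close access for a finance user. F-53 (post
# outgoing payment) and FB60 (enter vendor invoice) are declared; SU01 (user
# maintenance) is not, and one F-53 posting happens after the window closed.
REQUEST = FirefighterRequest(
    "FF-0001", "FF_FIN01", "jdoe", "Post payments for month-end close",
    frozenset({"F-53", "FB60"}),
    datetime(2015, 10, 30, 8, 0), datetime(2015, 10, 30, 18, 0))
LOG = [
    LogEntry("FF_FIN01", datetime(2015, 10, 30, 9, 15), "F-53"),
    LogEntry("FF_FIN01", datetime(2015, 10, 30, 9, 40), "SU01"),
    LogEntry("FF_FIN01", datetime(2015, 10, 30, 20, 5), "F-53"),
    LogEntry("FF_IT02", datetime(2015, 10, 30, 10, 0), "SM59"),
]
```

`reconcile(REQUEST, LOG)` yields three exceptions (SU01 undeclared, the 20:05 F-53 outside the window, FB60 declared but unused), so `review_outcome` routes the log to workflow; a log containing only in-window F-53 and FB60 entries produces none and is approved directly.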




Step 23.0 SAP Access Control

What to say 

With the SAP Access Control application, you can automate key processes to detect, remediate, and ultimately prevent access violations, streamline user provisioning, and centralize role management. This helps reduce the cost of access management, audit, and ongoing compliance activities and minimize the risk of internal fraud.



What you should see




2. APPENDIX

This step is necessary if the demo needs to be reset in any way, in order to perform it a second time. This can include any programs, or data additions or deletions. If this section is not needed, then state that there are no reset instructions.

