SAP Roles and Authorizations
April 10, 2017 | Author: Lý Bằng | Category: N/A
SAP Authorizations and GRC
By: Ravi B Hemanth
Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Objectives
Learn how a role is built up in SAP, what role-based access is and why it is important.
Understand why security and Segregation of Duties (SoD) are important in SAP.
Understand the business value and usage of the applications in the SAP GRC Access Control Suite.
Why is security important in SAP?
Data theft and espionage are growing crimes; there are several examples where millions have been lost in damages. Intruders target user accounts with extended authorizations. Long-term damage includes financial loss, loss of reputation, a declining share price, lawsuits and compliance violations.
Figures
U.S. fraud costs were $52.6 billion in 2005.
Intellectual property theft costs U.S. companies between $200 billion and $250 billion a year in sales.
Famous scandals
WorldCom: lost $127 billion in market value; 24,000 people lost their jobs; share price fell from $62 to $0.20 in less than 3 years.
Enron: lost $19 billion in market value; 5,500 people lost their jobs.
Who are they? Paul Sarbanes and Michael Oxley (photo slide)
Sarbanes-Oxley (SOX)
In 2001/2002 large US companies such as Enron and WorldCom went bankrupt. Their management had hidden and falsified financial data and defrauded investors. In 2002 the Sarbanes-Oxley Act was passed to establish better control and accounting transparency. Its strongest focus is on internal controls.
Why SOX?
All companies listed on the NYSE/NASDAQ stock markets must be SOX compliant. This had a massive impact on large enterprises, which had to take measures to ensure internal control. SOX has generated thousands and thousands of hours of consultant work! A similar law is expected within the EU ("Euro SOX").
Segregation of Duties
Definition: "Key duties and responsibilities in authorizing, processing, recording and reviewing official business transactions must be separated among individuals to reduce the risk of error or fraud."
Applied to our client: "One person should not control all stages of a process, a situation in which errors or irregularities could occur without detection."
SAP Security Concept for Roles and Authorizations
SAP example (diagram: Mr. Smith surrounded by the SAP modules Materials Management, Finance and Controlling, Production Planning, Sales and Distribution, Human Resources)
As a Financial Accountant, Mr. Smith probably has job duties that involve accessing components of the Finance and Controlling module (FI/CO).
Transactions
A user performs tasks in SAP by entering transaction codes. A transaction code is a command that takes the user to a certain program in the SAP system. The term "transaction" is usually used to refer to the program that is run when the corresponding transaction code has been entered. For example, the user enters the transaction code FB02 to run the transaction/program that is used to change documents in the general ledger.
Example: FB02 (screenshots of the FB02 Change Document transaction)
SAP Security model overview (diagram)
User Master Record → Authorization Profiles (Composite Profile, or Simple Profile) → Authorization → Authorization Object → Authorization field
User Master Record
Example of a User Master Record (screenshot) with the fields: User Name, Initial Password, User Group, User Type, Valid Dates, Authorization Profiles.
Profiles (diagram)
Composite Profile = Simple Profile A (allow display access to documents) + Simple Profile B (allow change access to documents)
Authorization Object (screenshot)
Authorization field (diagram)
An authorization field is defined by a data element in the Data Dictionary; authorization fields are combined into an Authorization Object.
Authorizations (diagram)
  Authorization     Object     Field name   Value
  Authorization 1   S_TCODE    TCD          FB02
  Authorization 2   S_TCODE    TCD          FB03
An authorization is an authorization object filled with concrete field values. EXAMPLE: Authorization Object S_TCODE, authorization field TCD, values FB02 and FB03.
Auth. Object check under transactions (screenshots)
Maintain Transaction Object for FB02: the authorization object checked by the transaction has the fields Activity and Company Code; display of the Company Code value for FB02.
Authorization check
ABAP/4 code (the check that FB02 performs against the authorization object F_BKPF_BUK before a document may be changed):

  " Does the current user hold an authorization for object F_BKPF_BUK
  " that covers company code s_bukrs together with activity 02 (change)?
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD s_bukrs
    ID 'ACTVT' FIELD '02'.
  " sy-subrc is 0 only if one single authorization satisfies every checked field
  IF sy-subrc <> 0.
    MESSAGE E002(ZI) WITH text-200 s_bukrs.
  ENDIF.
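The semantics of the AUTHORITY-CHECK above, modelled in Python as an added example (not code from the slides or from SAP). The Authorization class, the authority_check and fb02_change_document helpers and Mr. Smith's authorization data are constructed for illustration; value matching follows the PFCG conventions for single values, trailing-asterisk patterns, the full wildcard '*' and from-to ranges, with ranges represented here as (low, high) tuples. The point it demonstrates is the rule that trips up most role designs: every field of the check must be satisfied by the same authorization, so values from two different authorizations of the same object are never combined.

```python
"""Model of the SAP authorization check (AUTHORITY-CHECK) -- added example,
not code from the slides. Authorization data below is constructed.

Rule shown: all ID/FIELD pairs of a check must be covered by ONE authorization
(one "row" of the object); values are never combined across authorizations.
"""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    obj: str                                   # authorization object, e.g. F_BKPF_BUK
    fields: dict = field(default_factory=dict)  # field name -> list of allowed values


def value_allowed(allowed, value):
    """Does one field's allowed-value list cover `value`?"""
    for pattern in allowed:
        if isinstance(pattern, tuple):           # from-to range, inclusive (assumed representation)
            low, high = pattern
            if low <= value <= high:
                return True
        elif pattern == "*":                     # full authorization for the field
            return True
        elif pattern.endswith("*"):              # prefix pattern, e.g. '42*'
            if value.startswith(pattern[:-1]):
                return True
        elif pattern == value:                   # single value
            return True
    return False


def authority_check(user_auths, obj, **checked):
    """sy-subrc style result: 0 if some single authorization for `obj` covers
    every checked field, otherwise 4. Fields the program does not check are ignored."""
    for auth in user_auths:
        if auth.obj != obj:
            continue
        if all(value_allowed(auth.fields.get(f, []), v) for f, v in checked.items()):
            return 0
    return 4


# Constructed authorization data for Mr. Smith (the content of his profiles):
SMITH = [
    Authorization("S_TCODE", {"TCD": ["FB02", "FB03"]}),
    # display (03) in every company code starting with 42
    Authorization("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["42*"]}),
    # change (02) only in company code 6200
    Authorization("F_BKPF_BUK", {"ACTVT": ["02"], "BUKRS": ["6200"]}),
]


def fb02_change_document(user_auths, bukrs):
    """Mirror of the ABAP on the slide: transaction start check (S_TCODE),
    then the F_BKPF_BUK check for activity 02 in company code `bukrs`."""
    if authority_check(user_auths, "S_TCODE", TCD="FB02") != 0:
        return "no authorization for transaction FB02"
    if authority_check(user_auths, "F_BKPF_BUK", BUKRS=bukrs, ACTVT="02") != 0:
        return f"no authorization to change documents in company code {bukrs}"
    return "ok"


if __name__ == "__main__":
    print(fb02_change_document(SMITH, "6200"))  # allowed
    # denied: '02' and '42*' sit in different authorizations and are not combined
    print(fb02_change_document(SMITH, "4200"))
```

Note how the second call fails although Mr. Smith holds both ACTVT 02 and a BUKRS value matching 4200: they are in separate authorizations. The same rule is why a generated profile with two partially filled authorizations for one object behaves differently from one authorization with both value lists merged, and why the ST01 trace shows the object, the field values and the return code rather than just "authorization missing".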
ST01: Trace Display (screenshot of the system trace showing the authorization checks performed)
SAP Access Role concept
Historically, users were given SAP access by direct assignment of Profiles, but to facilitate a more business oriented access management, the role layer was added. Roles were added as an additional abstraction level in order to facilitate authorization design. Compare with programming in an object-oriented language instead of in machine language.
Access Hierarchy (diagram)
Legend: U = User, C = Composite role, S = Single role, P = Profile, A = Authorization object, F = Field, V = Value
Example path through the hierarchy:
  U  MR. SMITH
  C  FINANCIAL ACCOUNTANT
  S  GENERAL LEDGER JOURNALS MAINTAIN
  P  (generated profile)
  A  S_TCODE
  F  TCD
  V  FB02, FB03, ...
Profiles
Single roles hold a 1:1 mapping towards Profiles.
Diagram: User MR. SMITH → Composite role FINANCIAL ACCOUNTANT → Single role GENERAL LEDGER JOURNALS MAINTAIN → its generated Profile (one profile per single role)
Single roles
A Single Role corresponds to a Job task in the system, for example General Ledger Journals Maintain.
Diagram: User MR. SMITH → Composite role FINANCIAL ACCOUNTANT → Single roles, e.g. GENERAL LEDGER JOURNALS MAINTAIN
Composite roles
A Composite Role corresponds to a Job role in reality, for example Financial Accountant. All users in the SAP systems have at least one and usually several Composite Roles assigned to them. A Composite Role is a predefined collection of Single Roles that have a relation to each other, and that together give the necessary access for the user to fulfill a certain job role.
Diagram: User MR. SMITH → Composite role FINANCIAL ACCOUNTANT (technical name: RMUS_01_CCC01_FIN:0013)
PFCG: Role Maintenance (screenshot showing the technical name for Financial Accountant)
Single roles (screenshot of the single roles contained in the composite role)
Display Authorization Data (screenshot)
Display Authorization objects and values (screenshot)
Summary
User master records, profiles, transactions, objects etc. are the generic technical design found in all SAP systems. The Composite role/Single role concept is a built-in possibility in SAP that is used as best practice. How can the role concept be used to implement Segregation of Duties ... and to be SOX compliant?
Sarbanes-Oxley (SOX) compliance and Segregation of Duties (SoD)
Sarbanes-Oxley and Segregation of Duties
The Sarbanes-Oxley act (SOX) is intended to ensure the correctness of US companies' accounting. One effect of SOX is referred to as the Segregation of Duties (SoD) directive. The SoD directive stipulates that no person must control several key steps in a connected process.
Example process (diagram): Approve Purchase Order → Receive Goods → Enter Goods Receipt → Clear Vendor, with the duties classified as Authorization, Custody, Record and Control.
What is the impact of SOX and SoD on Roles and Authorizations in SAP?
Access Control Systems
Mandatory Access Control (MAC):
  Access objects and users are classified on a linear security scale (e.g. Level 1, Level 2, ...).
  A user is given access to an object if the user's security "level" exceeds that of the object.
  Low maintenance.
Discretionary Access Control (DAC):
  Each user is able to pass on the permissions he or she has to other users.
  A user is given access to an object if he or she has been given access to it by another user.
  There is commonly one user with irrevocable access to all access objects (e.g. root, administrator, ...).
Role Based Access Control (RBAC):
  Access is granted by assigning each user one or more access roles.
  Each user is given access to the objects that his or her roles specify.
  A user may be given access either by new roles or by changing a role that the user already has.
  High versatility.
Role Based Access
Role Architecture: A library of roles must be built and maintained. Principles must be established and followed for the role library to remain consistent.
Role Provisioning: Provisioning is the process by which users are given new roles. Slow provisioning costs money in lost productivity.
SOX directives apply to both.
Role Architecture
Role Architecture
• No role must contain internal SoD risks. Control over several steps in a process would mean that no user could have this role.
Diagram: one Access Role with the permissions Enter Goods Receipt and Clear Vendor (an internal SoD risk).
Role Architecture
Role Based Access – Design Principles
• Each access role mapped to a job role
• Global template roles define action level security – "what"
• Locally derived roles define data level security – "where"
Access Roles vs. Job Roles
Role Architecture
• An access role is a role defined in the system; a job role is a real-world role. An access role contains all permissions needed to perform the tasks needed to complete the job role. Permissions = Actions + Data Access.
• Benefit: Access roles are free from internal SoD risks (as long as job roles are).
Diagram:
  User (e.g. a financial accountant) → Access role Financial Accountant → Permissions, e.g. change G/L document, post G/L document
  User (e.g. a sales assistant) → Access role Sales Assistant → Permissions, e.g. create sales orders, change sales orders
Role Architecture
Action level security? Data level security?
Role Architecture
• Action level security defines access to activities. In SAP, action level security can be thought of as access to transactions.
• Action level security is specified on a global level: a financial accountant has the same access irrespective of the country in which he or she works.
Diagram: Access role template Financial Accountant with the permission TCODE: FB01.
Role Architecture
Data level security
Role Architecture
• Data level security defines access to data: access to display/maintain certain company codes, sales organizations, plants, etc.
• Locally derived roles define data access:
  Global Template Role, e.g. Financial Accountant_Template: TCODE: FB01, ACTVT: (blank), BUKRS: - (organizational level, left open in the template)
  Local Role, e.g. Financial Accountant_Sweden: TCODE: FB01, ACTVT: 01, BUKRS: 4200
  Local Role, e.g. Financial Accountant_China: TCODE: FB01, ACTVT: 01, BUKRS: 6200
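The template/derived-role mechanism above, as an added Python example (not code from the slides or from SAP's PFCG). Role names and the FB01 / ACTVT / BUKRS values are the slide's; the helper functions, the use of None to mark an open organizational level, and the template carrying ACTVT 01 so that derived roles inherit it are assumptions. The example goes one step beyond the slide by showing what happens when the template changes: every derived role is re-derived and picks up the new "what" while keeping its own "where".

```python
"""Global template role with locally derived roles -- an added example, not
code from the slides or from SAP. Org-level handling (None = open level) and
the helper names are assumptions; role names and values come from the slide."""
from copy import deepcopy


def make_template(tcodes, activities):
    """Action-level content ('what'): transactions and activities. BUKRS is an
    organizational level and stays open (None) in the template."""
    return {
        "S_TCODE": {"TCD": sorted(tcodes)},
        "F_BKPF_BUK": {"ACTVT": sorted(activities), "BUKRS": None},
    }


def org_levels(template):
    """(object, field) pairs the template leaves open, e.g. [('F_BKPF_BUK', 'BUKRS')]."""
    return [(obj, f) for obj, fields in template.items() for f, v in fields.items() if v is None]


def derive_role(template, org_values):
    """Copy the template and fill every open organizational level from org_values.
    Refuse to produce a role with an open level, so a bare template is never assigned."""
    derived = deepcopy(template)
    for obj, f in org_levels(template):
        if f not in org_values:
            raise ValueError(f"organizational level {f} of {obj} not set")
        derived[obj][f] = sorted(org_values[f])
    return derived


def rederive(derived_roles, template):
    """Push a changed template into all derived roles; each keeps its own org-level values."""
    result = {}
    for name, role in derived_roles.items():
        org_values = {f: role[obj][f] for obj, f in org_levels(template)}
        result[name] = derive_role(template, org_values)
    return result


def company_codes(user_roles, activity):
    """Data-level view ('where'): company codes in which the user's roles allow `activity`."""
    codes = set()
    for role in user_roles:
        auth = role["F_BKPF_BUK"]
        if activity in auth["ACTVT"]:
            codes.update(auth["BUKRS"])
    return codes


# Constructed: the template and the two local roles shown on the slide.
TEMPLATE = make_template({"FB01"}, {"01"})
DERIVED = {
    "Financial Accountant_Sweden": derive_role(TEMPLATE, {"BUKRS": {"4200"}}),
    "Financial Accountant_China": derive_role(TEMPLATE, {"BUKRS": {"6200"}}),
}

if __name__ == "__main__":
    for name, role in DERIVED.items():
        print(name, role)
    print("posting (01) allowed in:", sorted(company_codes(DERIVED.values(), "01")))
    # template change: add FB02 / activity 02; derived roles keep their company codes
    updated = rederive(DERIVED, make_template({"FB01", "FB02"}, {"01", "02"}))
    print("after re-derivation:", updated["Financial Accountant_China"])
```

The ValueError in derive_role is the check worth keeping in any role-build tooling: a template with an open organizational level is a role that grants nothing predictable, and must never reach a user.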
Role Provisioning
Role Provisioning
No person must be given roles that give access to several steps in a connected process. Segregation is possible by process or geography.
Example (diagram): Mr. Smith holds the access role Financial Accountant Sweden. Requested additional access roles:
  Security Advisor Sweden: OK (process separation)
  Billing Administrator Sweden: SoD risk
  Billing Administrator Norway: OK (geographic separation)
Role Provisioning: Traditional vs. Role Based Access
Traditional:
  User admin team grants access based on line manager demands
  Access applied for on an as-needed basis
  User admin team responsible for security while business is trying to operate
Role Based Access:
  Role provisioning flow controlled entirely by business
  Access applied for on a job role basis
  Business is responsible for maintaining security and operational effectiveness
Role Provisioning: role provisioning process
Role provisioning flow controlled entirely by business. Business is responsible for maintaining both security and operational effectiveness. Access applied for on a job role basis.
Process (diagram): Application → Business approval → Security approval → Assignment
Role Provisioning
Why is a business approval needed?
Role Provisioning: business approval
SOX requires that a valid business reason for the request must exist:
  Verify that the requested role matches the person's actual identity and job role
  Verify that the end user has a need to know the information that will be available via the role
Role Provisioning
Security approval
Role Provisioning: security approval
The security approval checks the request from the security side:
  Verify that no SoD risks appear for the user
  Verify that the user is not given access to unnecessary critical actions (create users, change roles, etc.)
  Verify that the user is not given access to display sensitive data (financial statements etc.)
SOX Audits
Questions an auditor will ask:
  What SoD risks do you have?
  Do you have proof that all access is properly authorized?
  How do you ensure the consistency of your roles?
  How are sensitive activities monitored?
SAP GRC Suite
VIRSA systems
In April 2006, SAP bought VIRSA Systems and started transforming the VIRSA suite into SAP GRC. VIRSA stands for "Versatile Innovative Risk and Security Administration". US company, founded in 1996. Today more than one million end users are subject to compliance at more than 170 customers worldwide. Major references: Vodafone, IBM, Unilever, Panasonic, BASF, Boeing, Burger King, Sony, Nortel, Siemens, Gillette. In the vendor's own description, Virsa provides the only solutions that monitor and enforce business controls in real time across enterprise systems and is the global leader in cross-enterprise compliance solutions. The company was privately funded with venture investment from SAP Ventures, Kleiner Perkins Caufield & Byers, and Lightspeed Venture Partners.
GRC Suite
SAP GRC Suite overview (diagram)
Online ordering tool → Access Enforcer → access in SAP; Compliance Calibrator analyzes the access; FireFighter access in SAP is recorded in the FireFighter logs (arrows mark where a connection is possible).
GRC Suite (Cross Enterprise Risk Management, Enterprise Portals, Risk Manager) components:
  Risk Terminator: fail-safe risk prevention
  Firefighter: superuser access control
  Access Enforcer: provisioning
  Role Expert: role management
  SAP Compliance Calibrator by Virsa Systems: SoD analysis, critical transaction monitoring & preventive simulation
Compliance Calibrator (screenshots; started with transaction /VIRSA/ZVRAT)
Compliance Calibrator
  Part of the SAP GRC Suite; core application of the suite
  Uses the ERP Risk Framework (within "Rule Architect") for SoD risk analysis of users
  SAPgui based (4.0, current version); web based on NetWeaver (5.2, release Q3 2007)
Compliance Calibrator
  Source of the ERP risk framework used for all SoD analysis
  Used to monitor users, roles, risks and mitigation controls
  Increases visibility regarding SoD and assists in managing risks and users
Compliance Calibrator
Risk Definition
Compliance Calibrator Rule Architect
Compliance Calibrator Selection Screen (Cockpit)
Compliance Calibrator User Analysis
[Diagram: Risk definition 1 is made up of Function A, Function B and Function C, each consisting of a set of transactions. User X holds all three functions, so the risk is flagged for User X. Risk definition 2, evaluated for User Y: no risk.]
Compliance Calibrator Risk Report
Access Enforcer
Access Enforcer: Purpose
Used primarily to perform segregation of duties (SoD) analysis before roles are approved and allocated to users.
Reduction of lead-times for role allocation leads to significant business improvements.
The user administration will be fully automated.
The tool will enforce the role approval process and ensure that SoD checks are performed and that potential risks are mitigated, all prior to role allocation.
Access Enforcer: Business value
Facilitate SOX compliance from an SAP security perspective.
Increase the accuracy of SAP user authorizations and adhere to the GAC principles.
Reduce maintenance costs for SAP user administration.
Reduce lead-times for role allocation, which leads to significant business improvements.
Reduce security audit costs for SAP environments.
Access Enforcer: User administration process
The purpose of a User Administration Process is to assign roles to and remove roles from SAP user accounts. An online ordering tool and Access Enforcer ensure that every request receives the proper approval and that all assigned roles are compliant with the security policy.
Access Enforcer: Order process
All orders for access to IT applications are managed via an online ordering tool.
Access Enforcer: Requests for approval
The first approver in the workflow receives the request that was placed in the online ordering tool.
Access Enforcer: Roles included in the order
Access Enforcer: Risk Analysis
When the approver clicks Risk Analysis, Access Enforcer runs an analysis on the user's current roles in combination with the new roles that were ordered. To do this, Access Enforcer makes a call to Compliance Calibrator, where the SoD risk framework is stored; Compliance Calibrator runs the analysis and returns the result.
Access Enforcer: Risk Analysis result
The risks are listed with a Risk ID, Risk Description and Status.
SoD risk: FB01 and ME21
Access Enforcer: Risk simulation
Now we can uncheck Financial Accountant and simulate the risks without that role.
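The risk model from the User Analysis diagram (risk = functions, function = transactions) and the approver-side check and simulation described on the Access Enforcer slides, as an added Python example that is not part of the original slides nor of Compliance Calibrator or Access Enforcer. FB01, ME21 and the Financial Accountant role come from the slides; the other role, function and risk names, the risk ID, and the rule that a function counts as held when any one of its transactions is executable are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Function -> transactions (constructed sample). A function is one business
# activity; FB01 (post document) and ME21 (create purchase order) are the
# transactions named on the "SoD risk: FB01 and ME21" slide.
FUNCTIONS: Dict[str, Set[str]] = {
    "Post FI documents": {"FB01", "FB50"},
    "Create purchase orders": {"ME21", "ME21N"},
}

# Risk -> (description, functions that must ALL be held for the conflict to exist).
# The risk ID is a constructed placeholder, not a real rule-set ID.
RISKS: Dict[str, Tuple[str, Set[str]]] = {
    "RISK-01": ("Create purchase orders and post FI documents",
                {"Post FI documents", "Create purchase orders"}),
}

# Role -> transactions granted (constructed; "Financial Accountant" is the
# role the simulation slide unchecks, the other two are hypothetical).
ROLES: Dict[str, Set[str]] = {
    "Financial Accountant": {"FB01", "FB50", "FB03"},
    "Purchaser": {"ME21", "ME21N", "ME23N"},
    "Display Only": {"FB03", "ME23N"},
}

def reachable_transactions(roles: List[str]) -> Set[str]:
    """All transactions a user can execute through the given roles."""
    return set().union(*(ROLES.get(r, set()) for r in roles))

def risk_analysis(roles: List[str]) -> Dict[str, str]:
    """Return {risk_id: description} for every risk whose functions are all held.
    A function counts as held if the user can execute at least one of its
    transactions (an assumed simplification of the real rule engine)."""
    tcodes = reachable_transactions(roles)
    hits: Dict[str, str] = {}
    for risk_id, (desc, funcs) in RISKS.items():
        held = {f for f in funcs if FUNCTIONS[f] & tcodes}
        if held == funcs:
            hits[risk_id] = desc
    return hits

def approver_check(current: List[str], ordered: List[str]) -> Dict[str, str]:
    """Access Enforcer-style check: current plus ordered roles, before provisioning."""
    return risk_analysis(list(current) + list(ordered))

def simulate_without(current: List[str], ordered: List[str], unchecked: str) -> Dict[str, str]:
    """Re-run the check with one role unchecked, as on the 'Risk simulation' slide."""
    return risk_analysis([r for r in list(current) + list(ordered) if r != unchecked])
```

Ordering Purchaser for a user who already holds Financial Accountant flags the FB01/ME21 conflict; unchecking Financial Accountant in the simulation clears it.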
Access Enforcer: Risk Analysis result
Role Expert: First approval step finished
What is Role Expert?
Tool for documenting roles and authorizations.
Web based application.
Automates creation and management of role definitions.
Role Expert enforces best practice to ensure that role definition, development, testing and maintenance are consistent throughout the implementation.
Role Expert functionality
Track progress during role implementation.
Monitor the overall quality of the implementation.
Perform risk analysis at role design time.
Set up a workflow for role approval.
Provide an audit trail for all role modifications.
Maintain roles after they are generated to keep role information current.
Role Expert: Search screen
Enter TMUS* (the technical name of single roles in the system called MUS).
Role Expert: Search results
Role Expert: Role definition
Role Expert: Add transactions
Role Expert: Company mapping
FireFighter
FireFighter
Summary
SAP uses a complex structure to manage authorizations: Fields, Objects, Profiles, Roles.
Role Based Access (RBAC) is required to fulfil the roles and authorization requirements of large organizations: globally governed role architecture; business controlled role provisioning.
The Sarbanes-Oxley act (SOX) imposes requirements on companies' management of roles and authorizations: Segregation of Duties (SoD), business approvals, audit trails.
To manage compliance SAP offers the GRC Suite: Compliance Calibrator (SoD), Access Enforcer (role provisioning), FireFighter (critical access), Role Expert (role architecture).