
(1) GRC300
SAP BusinessObjects Access Control - Implementation and Configuration
SAP Governance, Risk, and Compliance

Participant Handbook
Course Version: 84
Course Duration: 5 Day(s)
Material Number: 50093010

An SAP course - use it to learn, reference it for work.

(2) Copyright
Copyright © 2010 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks
• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
• ORACLE® is a registered trademark of ORACLE Corporation.
• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic Server™ are registered trademarks of Informix Software Incorporated.
• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
• JAVA® is a registered trademark of Sun Microsystems, Inc.
• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer
THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.

(3) About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used (the font distinctions of the printed handbook are not reproduced here; the description identifies each style).

Type Style: Description
• Example text (screen elements): Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation both internal and external.
• Example text (emphasis): Emphasized words or phrases in body text, titles of graphics, and tables.
• EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.
• Example text (screen output): Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.
• Example text (user entry): Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.
• <Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

© 2010 SAP AG. All rights reserved. iii

(4) Icons in Body Text
The following icons are used in this handbook.
• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation.

(5) Contents
Course Overview ... vii
  Course Goals ... vii
  Course Objectives ... vii
Unit 1: Course Overview ... 1
  Course Overview ... 3
  Business Challenge and Solution ... 6
  SAP BusinessObjects Access Control Overview ... 11
  SAP BusinessObjects Access Control Authorizations ... 28
Unit 2: Risk Analysis and Remediation Overview ... 41
  Risk Analysis and Remediation - Verification of Installation and Configuration ... 44
  Introduction to the SoD Risk Management Process ... 48
  Rule Building and Validation ... 53
  Rule Reporting ... 64
  Risk Analysis ... 73
  Risk Remediation ... 84
  Definition of Process-Related Mitigation Controls ... 98
  Risk Analysis and Remediation Reporting ... 113
  Continuous Compliance ... 119
Unit 3: Compliant User Provisioning Overview ... 127
  Compliant User Provisioning Installation Verification and Configuration ... 129
  Compliant User Provisioning Functionality ... 142
  Compliant User Provisioning – Additional Functionality ... 163
  Workflow-Based Reviews ... 173
  Compliant User Management Life Cycle ... 180
Unit 4: Superuser Privilege Management Overview ... 195
  Superuser Privilege Management Installation Verification and Configuration ... 196
  Superuser Privilege Management Overview ... 200
Unit 5: Enterprise Role Management Overview ... 211
  Enterprise Role Management Installation Verification and Configuration ... 213
  Enterprise Role Management Overview ... 225
  Enterprise Role Management Configuration Review ... 229
  Enterprise Role Management Workflow Steps ... 244
Unit 6: Access Control Integration ... 253
  Integration Between Access Control Components ... 254
  Compliance Reporting ... 261

(7) Course Overview
This course explains how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes. You will learn how to implement SAP BusinessObjects Access Control following best practices from SAP.

Target Audience
This course is intended for the following audiences:
• SAP BusinessObjects Access Control consultants, administrators, and technical users

Course Prerequisites
Required Knowledge
• Previous working knowledge of SAP BusinessObjects Access Control 5.1 or 5.2
• Authorization concepts for SAP ERP systems

Course Goals
This course will prepare you to:
• Understand how SAP BusinessObjects Access Control can be implemented to support the risk and compliance management processes within your organization, and how it works in combination with SAP business processes

Course Objectives
After completing this course, you will be able to:
• Explain the components of SAP BusinessObjects Access Control, and give a brief overview of each
• Explain the post-installation steps for SAP BusinessObjects Access Control
• Explain the new features of SAP BusinessObjects Access Control 5.3
• Show how the different components of SAP BusinessObjects Access Control 5.3 integrate with each other


(9) Unit 1: Course Overview
Unit Overview
This unit gives an overview of SAP BusinessObjects Access Control.

Unit Objectives
After completing this unit, you will be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool

Unit Contents
Lesson: Course Overview ... 3
Lesson: Business Challenge and Solution ... 6
Lesson: SAP BusinessObjects Access Control Overview ... 11
  Exercise 1: SAP BusinessObjects Access Control - Overview ... 25
Lesson: SAP BusinessObjects Access Control Authorizations ... 28
  Exercise 2: SAP BusinessObjects Access Control – Authorizations ... 33

(11) Lesson: Course Overview
Lesson Overview
This course is designed to give a detailed overview of SAP BusinessObjects Access Control. We will cover each of the four components, from post-installation activities to configuration and functionality.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP

Business Example
Management is concerned about compliance because of negative internal audit results, and asks your team to find out how compliance can be ensured by software support. The main issues are authorization rights and the business-process-related risks resulting from organizational fragmentation. The software should be able to link business process knowledge with provisioning of authorization rights. You want to find out whether SAP BusinessObjects Access Control is able to analyze, detect, and remediate risks. Mitigation of unavoidable risks or superuser functionality should be possible, and continuous compliance is another essential aspect. Consequently, you want to demonstrate how Compliant User Provisioning and Enterprise Role Management can support you in achieving these objectives.

(12) Access and Authorization Management
Figure 1: Access Control Overview - Compliance

(13) Lesson Summary
You should now be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP

(14) Lesson: Business Challenge and Solution
Lesson Overview
This lesson provides an overview of some typical challenges in the area of access and authorization.

Lesson Objectives
After completing this lesson, you will be able to:
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues

Business Example
A special topic in the audit report mentions a high risk in the area of authorization management because the IT department is responsible for both provisioning and approval at the same time. This leads to a wide range of authorizations because IT has no overview of the risks concerning the business processes. You want to find out whether it is possible to link the responsibilities of business lines and IT when access rights are provided.

Access and Authorization Risks
Without proper controls, accidental and intentional activities enabled by excessive access privileges can impact performance and reputation. Addressing regulatory mandates with manual activities and fragmented processes increases cost and complexity. Complexity impacts access and authorization management and makes it inefficient. Consequently, risks are not identified and managed in time, no proper remediation or mitigation is possible, and managers cannot own the responsibility for segregation of duties.

(15) The current access and authorization approach leads to the following consequences:
• IT does not own the responsibility for proper segregation of duties. However, they cannot pass the responsibility to the business side, as they lack the collaboration tools and language to effectively collaborate with the business owners.
• Line-of-business managers own the responsibility for segregation of duties (SoD), but they lack the technical depth to manage user access, so they rely on IT.
• Internal auditors are trying desperately to stay on top of the SoD issue. However, with manually maintained spreadsheets listing the access and authorizations of all employees, contractors, partners, and so on, they can only perform a very limited audit at a very high cost.

Figure 2: Access and Authorization Risks

(16) Access and Authorization Management
Implementation of comprehensive risk-based access and authorization management:
• Overcome fragmented authorization management processes
• Effective and efficient cleanup of SoD conflicts and excessive authorizations
• Prevent future violations via a risk-based approval process for new authorizations within the organization
• Business assumes ownership: Who can access the data in my area? What kind of authorizations do I want to assign? Are all risks properly mitigated? Ensure the mitigation is effective.

Figure 3: Access and Authorization Management

Governance
Corporate governance ensures ethical corporate behavior together with management practices in the creation of wealth for all stakeholders. It spells out the rules and procedures for making decisions about corporate affairs. IT governance helps to ensure the alignment of IT and enterprise objectives so that IT resources are used responsibly and its risks are properly managed.

(17) Risk Management
Risk management identifies, classifies, documents, and reduces risks to an acceptable level. Risk is a result of three different parameters:
• Existence of a threat for a business process
• Likelihood of occurrence
• Impact on the business process

Compliance
Corporate policies represent the corporate philosophy and strategic thinking on a high level. Low-level policies focus on the operational layer. Policies need to be in sync with the overall business strategy and legal requirements.

National and international legal requirements:
• Sarbanes-Oxley Act (U.S.)
• Data Protection Law (Germany)
• J-SOX (Japan)

Figure 4: Access and Authorization Management

(18) Lesson Summary
You should now be able to:
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues

(19) Lesson: SAP BusinessObjects Access Control Overview
Lesson Overview
This lesson provides an overview of the four components that comprise the SAP BusinessObjects Access Control application.

Lesson Objectives
After completing this lesson, you will be able to:
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning

Business Example
Management requires both detective and preventive controls to address currently existing risks. You need to check the different functions of SAP BusinessObjects Access Control to ensure its ability to remove risks from your system and to keep it clean.

SAP BusinessObjects Access Control Suite Components
The SAP BusinessObjects Access Control application is a suite of four components that work together to provide a comprehensive and integrated, risk-based access and authorization management solution. These components are:
• Risk Analysis and Remediation (RAR)
• Compliant User Provisioning (CUP)
• Superuser Privilege Management (SPM)
• Enterprise Role Management (ERM)

The figure below shows a high-level overview of the relationships between the various components.

(20) Figure 5: SAP GRC Access Control Components

As of SAP BusinessObjects Access Control 5.3, there is one integrated launch pad to utilize any of the four Access Control capabilities. There is one single URL for the capabilities instead of four different URLs.

(21) Figure 6: SAP BusinessObjects Access Control Launch Pad

Note: The integrated launch pad supports single sign-on as provided by SAP NetWeaver Application Server, such as UME, Windows, SAP Logon ticket, X.509, Siteminder, and Netegrity. Access requests and password reset requests will continue to be initiated via the Compliant User Provisioning URL. Administrators and other access control users, such as role owners, can use either the single launch pad or the Compliant User Provisioning URL.

Risk Analysis and Remediation: The Foundation
The Risk Analysis and Remediation (RAR) component is a fully automated security audit and segregation of duties (SoD) analysis tool designed to identify, analyze, and resolve all SoD and audit issues related to regulatory compliance. It includes an expandable starter set of rules. Risks are defined in the system as combinations of functions, and each function can be associated with a business process. Risk Analysis and Remediation produces SoD analytical reports (both summary and detail) for selected users, user groups, roles, and profiles. It also produces reports on critical actions, critical permissions, critical roles, and profiles.

(22) Risk Analysis and Remediation provides comprehensive risk management functionality and powerful, easy-to-use functionality to document risk mitigation controls. The SoD rule set created in this business scenario is used as the basis for all SoD analysis by the access control components.

Figure 7: Risk Analysis and Remediation

Compliant User Provisioning: The Workflow Engine
The Compliant User Provisioning (CUP) component provides a new approach to provisioning that allows administrators of enterprise systems to automate the process, to manage the various types of business risks, and to reduce the workload for IT staff. It is the workflow engine for all of the SAP BusinessObjects Access Control components. With its configurable workflow capabilities, Compliant User Provisioning automates and expedites user provisioning throughout an employee's life cycle. By integrating with the Risk Analysis and Remediation SoD rules, Compliant User Provisioning prevents SoD violations and helps to ensure corporate accountability and compliance with the Sarbanes-Oxley Act and other laws and regulations.

(23) Figure 8: Compliant User Provisioning Overview

Enterprise Role Management: Centralizing Role Documentation
The Enterprise Role Management (ERM) component automates role definition and management of roles. This capability enables preferred practices to ensure that role definitions, development, testing, and maintenance are consistent across the entire enterprise, resulting in lower ongoing maintenance and painless knowledge transfer. It provides SAP security administrators, role designers, and role owners with a simplified means of documenting and maintaining important role information for better role management.

(24) Figure 9: Enterprise Role Management Overview

Superuser Privilege Management: Monitoring the Firefighter
The Superuser Privilege Management (SPM) component tracks, monitors, and logs the activities that are performed by a superuser with a privileged user ID. In emergencies or extraordinary situations, Superuser Privilege Management enables users to perform activities outside their role under superuser-like privileges in a controlled, auditable environment.

(25) Figure 10: Superuser Privilege Management Overview

Integration Points in SAP BusinessObjects Access Control
The components of SAP BusinessObjects Access Control work together to provide seamless integration for maintaining compliance in your ERP landscape. Although Risk Terminator is configured only in SAP ABAP systems, it also works with Risk Analysis and Remediation to provide another tool to manage SoD violations as they occur during role development and user provisioning.

(26) Figure 11: SAP BusinessObjects Access Control Integration Points

By using the workflow engine from Compliant User Provisioning, approval for changes to roles can be initiated from Enterprise Role Management through Web services provided as part of SAP BusinessObjects Access Control. Role information that is uploaded into Compliant User Provisioning can be synchronized with the roles and the attendant role details in Enterprise Role Management.

(27) Figure 12: Compliant User Provisioning and Enterprise Role Management Integration

Compliant User Provisioning uses the SoD rules configured in Risk Analysis and Remediation to provide user analysis functionality at the time of user provisioning. Risk Analysis and Remediation can use the Compliant User Provisioning workflow functions for approval processes and change management of mitigation controls around business risks that are configured in Risk Analysis and Remediation.

(28) Figure 13: Compliant User Provisioning and Risk Analysis and Remediation Integration

Running risk analysis in Enterprise Role Management for role development uses the SoD rules configured in Risk Analysis and Remediation.

(29) Figure 14: Risk Analysis and Remediation and Enterprise Role Management Integration

When configured in an SAP ABAP system, Risk Terminator uses the SoD rules from Risk Analysis and Remediation during maintenance of roles (PFCG) and users (SU01) to analyze for risk violations.

(30) Figure 15: Risk Analysis and Remediation and Risk Terminator Integration

Just as with Risk Terminator, Superuser Privilege Management is configured in an SAP ABAP system. Superuser Privilege Management also uses the Risk Analysis and Remediation rules to analyze for SoD violations and for critical actions when monitoring superuser access.
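The rule model this lesson describes (a risk is a set of functions, a function is a set of actions, and analysis runs against the actions a user's roles grant) can be shown end to end with a small script. What follows is an added example written for this page, not SAP code and not the RAR engine: the functions, risks, roles, users and mitigation assignments are constructed for illustration, the transaction codes are ordinary SAP ERP codes chosen so the conflicts are recognisable, and the risk and control IDs are invented. It covers the detective analysis Risk Analysis and Remediation runs over existing users (action-level results, with any assigned mitigation control shown), the preventive simulation that Compliant User Provisioning and Risk Terminator perform before a request or a PFCG/SU01 change is committed, and the single-function critical-action check that Superuser Privilege Management applies when monitoring a superuser ID.

```python
"""Toy SoD rule evaluation in the style of Risk Analysis and Remediation.

Added example for this page, not SAP code. All rule content, roles, users
and control assignments below are constructed for illustration.
"""
from itertools import product

# A function is a named set of actions (transaction codes).
FUNCTIONS = {
    "AP01": {"FK01", "FK02", "XK01", "XK02"},  # maintain vendor master data
    "AP02": {"F-53", "F110"},                   # post / run vendor payments
    "PR01": {"ME21N", "ME22N"},                 # create / change purchase order
    "BS01": {"SU01", "PFCG"},                   # user and role administration
}

# A risk lists functions; it fires when the analysed actions hit every
# function in the list. A one-function risk is a critical-action check.
RISKS = {
    "P001": {"functions": ["AP01", "AP02"], "level": "High",
             "desc": "Create a fictitious vendor and pay it"},
    "P002": {"functions": ["PR01", "AP02"], "level": "Medium",
             "desc": "Create a purchase order and release its payment"},
    "B001": {"functions": ["BS01"], "level": "Critical",
             "desc": "Critical action: user or role administration"},
}

# Roles grant actions; users hold roles (hypothetical Z_ roles and user IDs).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "F-53"},
    "Z_AP_PAY": {"F110", "FB03"},
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_BASIS": {"SU01", "PFCG", "SM59"},
}
USERS = {
    "MILLER": ["Z_AP_CLERK"],
    "SMITH": ["Z_PURCHASER"],
    "ADMIN1": ["Z_BASIS"],
}
# Mitigation controls already assigned, keyed by (user, risk); IDs are invented.
MITIGATIONS = {("ADMIN1", "B001"): "MC-BASIS-01"}


def actions_of(role_names):
    """Union of the actions granted by a list of roles."""
    return set().union(*(ROLES[r] for r in role_names))


def analyze(actions):
    """Action-level analysis: {risk_id: [one action per function, as a tuple]}
    for every risk whose functions are all hit by `actions`."""
    found = {}
    for rid, risk in RISKS.items():
        hits = [sorted(FUNCTIONS[f] & actions) for f in risk["functions"]]
        if all(hits):  # an empty hit list for any function means no violation
            found[rid] = list(product(*hits))
    return found


def analyze_user(user):
    """Detective check on a user's current access, with mitigation status."""
    return {
        rid: {"combos": combos, "mitigated_by": MITIGATIONS.get((user, rid))}
        for rid, combos in analyze(actions_of(USERS[user])).items()
    }


def simulate_request(user, requested_roles):
    """Preventive check: analyse the user as if the request were approved and
    mark which risks the request would newly introduce. Risks the user already
    carries are returned as well, so the approver sees the full picture."""
    before = analyze(actions_of(USERS[user]))
    after = analyze(actions_of(USERS[user] + list(requested_roles)))
    return {rid: {"combos": combos, "new": rid not in before}
            for rid, combos in after.items()}


if __name__ == "__main__":
    for user in USERS:
        result = analyze_user(user)
        print(user, "clean" if not result else "")
        for rid, info in result.items():
            status = (f"mitigated by {info['mitigated_by']}"
                      if info["mitigated_by"] else "UNMITIGATED")
            print(f"  {rid} {RISKS[rid]['level']}: {info['combos']} ({status})")
    print("request SMITH + Z_AP_PAY:", simulate_request("SMITH", ["Z_AP_PAY"]))
```

Two things the run shows that the prose does not: MILLER already violates P001 through a single role, which is the kind of finding a detective scan surfaces before any request is made, and SMITH's request for Z_AP_PAY is clean on its own but is stopped by the simulation because combined with the purchasing role it completes P002. Results are reported at action level so a remediator can see exactly which transaction to pull rather than just the role name.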

(31) Figure 16: Superuser Privilege Management and Risk Analysis and Remediation Integration

SAP BusinessObjects Access Control has a central repository for access-based and authorization-based risks and controls. This repository:
• Provides risk analysis for every process that can be covered by the solution
• Supports the creation and assignment of a mitigation control out of an approval workflow via the mitigation service
• Supports the role maintenance life cycle in Enterprise Role Management by using an event-driven, multilevel approval process

(32) Figure 17: Management Takes Responsibility for Compliance

Figure 18: SAP BusinessObjects Access Control: Solution Integration

(33) Exercise 1: SAP BusinessObjects Access Control - Overview
Exercise Objectives
After completing this exercise, you will be able to:
• Use the launch pad to access the different functionalities within SAP BusinessObjects Access Control
• Navigate between the different tabs within all applications in SAP BusinessObjects Access Control

Business Example
To evaluate changes in the most recent version of SAP BusinessObjects Access Control compared to the older versions, you must log on and familiarize yourself with the launch pad and some elementary functionalities.

Task: Log on to the application and familiarize yourself with the launch pad, access the four components, and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on to the system.
2. Review the launch pad links to the various components.
3. Review the Risk Analysis and Remediation component.
4. Review the Compliant User Provisioning component.
5. Review the Enterprise Role Management component.
6. Review the Superuser Privilege Management component.
7. Exit the application.

(34) Solution 1: SAP BusinessObjects Access Control - Overview
Task: Log on to the application and familiarize yourself with the launch pad, access the four components, and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on to the system.
   a) Enter the SAP BusinessObjects Access Control training system URL (provided by your instructor) into a browser window and choose Go.
   b) Log on to the system with the user ID GRC300-xx (xx is your user number, provided by the instructor) and password.
2. Review the launch pad links to the various components.
   a) Notice that all the links are activated. If the user does not have access to a specific component, does it still show?
3. Review the Risk Analysis and Remediation component.
   a) Choose Risk Analysis and Remediation. Click on each of the visible tabs: Informer, Rule Architect, Mitigation, Alert Monitor, CCADstatus, BJstatus, and Configuration.
4. Review the Compliant User Provisioning component.
   a) Choose Compliant User Provisioning. Click on each of the visible tabs: My Work, Informer, and Configuration.
5. Review the Enterprise Role Management component.
   a) Choose Enterprise Role Management. Click on each of the visible tabs: Role Management, Informer, and Configuration.
6. Review the Superuser Privilege Management component.
   a) Choose Superuser Privilege Management. Click on each of the visible tabs: Reports and Configuration.
7. Exit the application.
   a) Exit the application by closing all browser windows or by choosing Log off.

(35) Lesson Summary
You should now be able to:
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning

(36) Lesson: SAP BusinessObjects Access Control Authorizations
Lesson Overview
This lesson explains the authorization concept of SAP BusinessObjects Access Control in the user management engine (UME).

Lesson Objectives
After completing this lesson, you will be able to:
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool

Business Example
You are asked to evaluate the Java-based authorization concept within SAP BusinessObjects Access Control to ensure the correct technical implementation of roles and responsibilities and to be prepared for future audits.

User Management Engine
The user management engine (UME) is where users are assigned roles for the different SAP BusinessObjects Access Control products. During the installation of the SAP BusinessObjects Access Control products, the roles.txt file is imported. This generates the necessary roles for Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.

Figure 19: User Management Engine Import Screen

After the roles text file is imported, you can choose the Identity Management button in the UME and begin creating users or assigning roles to users.

Caution: When creating users, verify with your Basis team whether the user data source has been set to UME, ABAP, or LDAP. If the user data source is not UME, you will not be able to create the users in the UME.

Figure 20: User Management Engine

Once in the UME, you can search for roles or users in the system. The concept of roles in the UME is based on actions: actions are assigned to roles within the UME, and this set of actions makes up a role in the UME. The following roles are delivered with SAP BusinessObjects Access Control:

• Compliant User Provisioning is comprised of three roles: AEAdmin, AESecurity, and AEApprover. All of these roles are made up of different actions.
  – Some of the actions delivered with Compliant User Provisioning include: ViewAccessEnforcer, AE.ModifyBackgroundJobsConfiguration, and AE.ModifyChangeLogConfiguration.
• Risk Analysis and Remediation is comprised of four roles: VIRSA_CC_Administrator, VIRSA_CC_Report, VIRSA_CC_Security_Admin, and VIRSA_CC_Business_Owner.
  – Some of the actions delivered with Risk Analysis and Remediation are com.virsa.cc.CreateRuleSet, com.virsa.cc.ChangeRuleSet, and com.virsa.cc.DeleteRuleSet.
• Enterprise Role Management is comprised of six roles: RE Admin, REBusinessuser, RERoleDesigner, RESecurity, RESuperuser, and REConfigurator.
  – Some of the actions delivered with Enterprise Role Management are ViewConfiguration, RE.ViewRoleExpert, and RE.ViewRoleLibrary.
• Superuser Privilege Management is made up of one SAP role: FF_Admin. This is the administrator role and should only be used by the administrator. You can create additional roles by assigning some of the following actions: ViewreportsTab, ViewReaffirms, and SODReport.

All of these roles are standard SAP-delivered roles. If you want to replicate or modify the roles, work on a copy so that the integrity of the SAP-delivered roles is maintained.

Figure 21: SAP BusinessObjects Access Control Roles in UME


Exercise 2: SAP BusinessObjects Access Control – Authorizations

Exercise Objectives
After completing this exercise, you will be able to:
• Explain the authorizations and rules used in the Java-based parts of SAP BusinessObjects Access Control
• Explain how to access and use UME administration

Business Example
An internal auditor is part of your SAP BusinessObjects Access Control team. He is only interested in running reports and viewing authorizations. You need to create a user for him in the UME.

Task: Use the UME to create users, create roles, and assign them to users.

1. Log on to the UME using your user ID, GRC300-##.

2. Create the user and the role for the auditor in UME. Use the ID AUDIT-## and create and assign the reporting role CC.ReportingView.## to the user. Test the logon by logging into Risk Analysis and Remediation.

Solution 2: SAP BusinessObjects Access Control – Authorizations

Task: Use the UME to create users, create roles, and assign them to users.

1. Log on to the UME using your user ID, GRC300-##.
   a) Open a browser and enter http://servername:5<instance number>00, then choose User Management Engine.

2. Create the user and the role for the auditor in UME. Use the ID AUDIT-## and create and assign the reporting role CC.ReportingView.## to the user. Test the logon by logging into Risk Analysis and Remediation.
   a) Choose Create user and enter the following information:

      Field Name       | Value
      -----------------|----------
      Logon ID         | AUDIT##
      Define Password  | audit##
      Confirm Password | audit##
      Last Name        | Bazemore
      First Name       | Molly
      Language         | English

   b) Choose Save.
   c) Create the role CC.ReportingView.##.
   d) Enter the following information:

      Field Name  | Value
      ------------|---------------------------
      Unique Name | CC.ReportingView#
      Description | Role for Internal Auditors

   e) Choose Save.
   f) Choose Modify.

Continued on next page.

   g) Add the following five actions from the service/application com.virsa.cc and then save the role.

      Source | Service/Application | Action
      -------|---------------------|------------------
      UME    | com.virsa.cc        | RunAuditReports
      UME    | com.virsa.cc        | RunRiskAnalysis
      UME    | com.virsa.cc        | RunSecurityReport
      UME    | com.virsa.cc        | ViewInformer
      UME    | com.virsa.cc        | ViewMgmtReport

   h) Assign AUDIT-## to role CC.ReportingView.## and test the new user.
   i) Search for the user AUDIT-## in the UME. Select and modify AUDIT-## by assigning role CC.ReportingView.##.
   j) Log off from UME.
   k) Open a browser and enter http://servername:5<instancenumber>00/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator.
   l) Enter the following data:

      Field Name | Value
      -----------|---------
      User ID    | AUDIT-##
      Password   | audit##

   m) Enter and confirm a new password.

What is the difference between GRC300-## and user AUDIT-##? AUDIT-## can only see the Informer, CCADstatus, and BJstatus tabs, while GRC300-## can see all of the other tabs.
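The UME role concept described in this lesson (a role is a set of actions, delivered roles are customized only through a copy) and the auditor role from Exercise 2 can be modelled directly. The following is an added example, not SAP code and not part of the course material. The five com.virsa.cc reporting actions and the three rule-set actions are the ones named in the lesson; the administrator role below is a constructed stand-in for the delivered VIRSA_CC_Administrator, which carries many more actions in reality.

```python
"""UME role concept in miniature: a role is a named set of actions, and a
user's effective actions are the union of the roles assigned to that user.
Added example, not SAP code. The administrator role is a constructed
stand-in; the real VIRSA_CC_Administrator carries many more actions."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Role:
    name: str
    actions: FrozenSet[str]
    delivered: bool = False   # SAP-delivered roles are customized via a copy only


# Actions listed in the lesson for the Risk Analysis and Remediation component.
REPORTING_ACTIONS = frozenset({
    "RunAuditReports", "RunRiskAnalysis", "RunSecurityReport",
    "ViewInformer", "ViewMgmtReport",
})
RULESET_ACTIONS = frozenset({
    "com.virsa.cc.CreateRuleSet", "com.virsa.cc.ChangeRuleSet",
    "com.virsa.cc.DeleteRuleSet",
})

# Constructed stand-in for the delivered administrator role (see docstring).
VIRSA_CC_ADMINISTRATOR = Role("VIRSA_CC_Administrator",
                              REPORTING_ACTIONS | RULESET_ACTIONS, delivered=True)


def add_action(role: Role, action: str) -> Role:
    """Return a role extended by one action. A delivered role is never
    modified in place; take a copy first (copy_role) and extend that."""
    if role.delivered:
        raise ValueError(f"{role.name} is SAP-delivered; customize a copy instead")
    return Role(role.name, role.actions | {action})


def copy_role(source: Role, new_name: str,
              keep: Optional[FrozenSet[str]] = None) -> Role:
    """Derive a customer role from a delivered one. With `keep`, only the
    listed actions are carried over, e.g. the reporting actions for an
    auditor role such as CC.ReportingView.##."""
    actions = source.actions if keep is None else source.actions & keep
    return Role(new_name, frozenset(actions), delivered=False)


def effective_actions(roles: Iterable[Role]) -> FrozenSet[str]:
    """All actions a user holds through the given role assignments."""
    result: FrozenSet[str] = frozenset()
    for role in roles:
        result = result | role.actions
    return result


def excess_actions(roles: Iterable[Role], required: FrozenSet[str]) -> FrozenSet[str]:
    """Actions granted beyond what the job needs: the least-privilege gap
    an auditor would flag (e.g. a report user who can delete rule sets)."""
    return effective_actions(roles) - required


def missing_actions(roles: Iterable[Role], required: FrozenSet[str]) -> FrozenSet[str]:
    """Actions the job needs that the assignments do not provide."""
    return required - effective_actions(roles)


if __name__ == "__main__":
    auditor_role = copy_role(VIRSA_CC_ADMINISTRATOR, "CC.ReportingView.01",
                             keep=REPORTING_ACTIONS)
    print("auditor excess:", sorted(excess_actions([auditor_role], REPORTING_ACTIONS)))
    print("admin excess:  ", sorted(excess_actions([VIRSA_CC_ADMINISTRATOR],
                                                    REPORTING_ACTIONS)))
```

The `excess_actions` check is the one worth keeping around after the exercise: run it against every role assigned to a report-only user, and any rule-set or configuration action that shows up is a finding for the audit the business example anticipates.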

Lesson Summary
You should now be able to:
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool

Unit Summary
You should now be able to:
• Explain how SAP BusinessObjects Access Control (Risk Analysis and Remediation, Superuser Privilege Management, Compliant User Provisioning, and Enterprise Role Management) works in combination with SAP business processes
• Implement SAP BusinessObjects Access Control following best practices from SAP
• List some typical challenges for SAP customers in the areas of access and authorization management
• Explain how SAP BusinessObjects Access Control can solve these issues
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
• Describe the functionality of Compliant User Provisioning
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool






Unit 2: Risk Analysis and Remediation Overview

Unit Overview
As a business expert, you are responsible for organizing and supporting the risk-recognition and rule-building phases of the project in order to identify, classify, and document potential risks to your organization's processes. Furthermore, it is your task to evaluate the change management controls within the new solution. This unit discusses the post-installation steps for setting up Risk Analysis and Remediation, as well as business uses of this component.

Unit Objectives
After completing this unit, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risks, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided
• View or locate function change history
• View or locate risk change history
• Compare rule sets

• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job
• Perform simulations based on roles and users
• Explain the best approach for risk remediation and system cleanup
• Simulate cleanup activities in SAP BusinessObjects Access Control
• Perform cleanup activities in SAP ERP
• Explain how mitigation controls can support you in reducing access risks in your landscape
• Describe the difference between preventative and detective controls, and implement mitigation controls in SAP BusinessObjects Access Control
• Define alerting as a powerful detective control
• Locate and view the Action Usage by Users report
• Locate and view the Invalid Mitigation Controls report
• Locate and view the SoD Violations from Custom Programs report
• Discuss SoD management as an ongoing process
• Explain how the Risk Terminator can support continuous compliance
• List the steps to activate Risk Terminator within SAP BusinessObjects Access Control
• List additional possibilities for continuous compliance

Unit Contents
Lesson: Risk Analysis and Remediation - Verification of Installation and Configuration ... 44
Lesson: Introduction to the SoD Risk Management Process ... 48
Lesson: Rule Building and Validation ... 53
  Exercise 3: Rule Building and Validation ... 59
Lesson: Rule Reporting ... 64
  Exercise 4: Rule-Set-Relevant Reporting ... 69
Lesson: Risk Analysis ... 73
  Exercise 5: Perform a Risk Analysis ... 79
Lesson: Risk Remediation ... 84
  Exercise 6: Risk Remediation ... 91
Lesson: Definition of Process-Related Mitigation Controls ... 98

  Exercise 7: Definition of Risk-Related Mitigation Controls ... 105
Lesson: Risk Analysis and Remediation Reporting ... 113
  Exercise 8: Remediation-Relevant Reporting ... 115
Lesson: Continuous Compliance ... 119

Lesson: Risk Analysis and Remediation - Verification of Installation and Configuration

Lesson Overview
In this lesson, you will learn how to verify the installation and configuration of Risk Analysis and Remediation.

Lesson Objectives
After completing this lesson, you will be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production

Business Example
To set up a project plan for the implementation of SAP BusinessObjects Access Control Risk Analysis and Remediation, you need to familiarize yourself with the effort required for setup.

After Technical Installation
When implementing Risk Analysis and Remediation, there are several items that must be configured for the system to work properly. The following is a list of items that must be checked.

Figure 22: Background Job Daemon Verification

Figure 23: UME - Verification of Imported Role

Steps to Verify Installation
• Confirm that the Internet Graphics Server (IGS) is running. Go to http://servername:40080/; this location will tell you whether the IGS is running or not. If you see a message that says SAP IGS is running, this confirms it has been configured properly.
• Confirm that the job daemon is running. To verify that it is running, go to http://servername:port/sap/CCBgStatus.jsp and to http://servername:port/sap/CCADStatus.jsp. If you experience issues with the job daemon, verify that the lines 105, 106, and 107 are inserted in the table virsa_cc_config. Use the debugger at http://servername:50000/webdynpro/dispatcher/sap.com/grc~ccappcomp/CCDebugger for this.
• Verify that the roles have been imported to the UME. It is important to make sure that the roles text file was imported during the installation of Risk Analysis and Remediation. Do this by going to the User Management Engine (UME).
• Ensure that the Real Time Agents (RTA) have been installed, using transaction code SPAM.
• Ensure that the SAP Java Connectors (JCo) have been activated. Two JCos are required for Risk Analysis and Remediation: one for metadata and one for model. To check them, choose Webdynpro → Administrator Content → Maintain JCo Connectors.

Caution: During installation of the RTAs, use transaction SPAM to identify whether there are any HR components installed on that system. If there are any HR components, you will need to install the HR RTA. If this is not done, the risk analysis will not complete when you attempt to run it from Risk Analysis and Remediation.
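The checklist above lends itself to a scripted post-installation check that records every item as pass or fail, including the conditional one from the Caution (HR components present implies the HR RTA must be installed). The following is an added example, not SAP code and not part of the course. The URLs, the rows 105/106/107 in virsa_cc_config, the four delivered VIRSA_CC roles and the two JCo kinds are from the lesson; the Evidence fields, the "running" page text, the SAP_HR/EA-HR component markers and the JCo destination names are assumptions so that the check can run offline against a constructed sample.

```python
"""Post-installation checklist for Risk Analysis and Remediation, as an
added example (not SAP code). The Evidence structure and the sample
values are assumptions/constructed; the checks themselves follow the
lesson's list."""
from dataclasses import dataclass
from typing import Dict, List, Set

IGS_URL = "http://servername:40080/"
BG_STATUS_URL = "http://servername:port/sap/CCBgStatus.jsp"
AD_STATUS_URL = "http://servername:port/sap/CCADStatus.jsp"

REQUIRED_CONFIG_ROWS = {105, 106, 107}           # virsa_cc_config rows the daemon needs
REQUIRED_CC_ROLES = {"VIRSA_CC_Administrator", "VIRSA_CC_Report",
                     "VIRSA_CC_Security_Admin", "VIRSA_CC_Business_Owner"}
REQUIRED_JCO_KINDS = {"metadata", "model"}       # one JCo destination per kind
HR_COMPONENT_PREFIXES = ("SAP_HR", "EA-HR")      # assumption: HR install markers in SPAM


@dataclass
class Evidence:
    igs_page: str                       # body returned by IGS_URL
    bg_status_page: str                 # body returned by BG_STATUS_URL
    ad_status_page: str                 # body returned by AD_STATUS_URL
    config_rows: Set[int]               # row IDs present in virsa_cc_config
    ume_roles: Set[str]                 # roles found in the UME after import
    jco_destinations: Dict[str, str]    # destination name -> "metadata" | "model"
    installed_components: Set[str]      # component names from transaction SPAM
    hr_rta_installed: bool


def verify_installation(ev: Evidence) -> Dict[str, bool]:
    """Run every check from the lesson and return check name -> passed."""
    results: Dict[str, bool] = {}
    # The IGS page states "SAP IGS is running" when it is configured properly.
    results["igs_running"] = "SAP IGS is running" in ev.igs_page
    # Assumption: both daemon status pages say "running" when healthy.
    results["job_daemon_running"] = all(
        "running" in page.lower() and "not running" not in page.lower()
        for page in (ev.bg_status_page, ev.ad_status_page))
    results["config_rows_105_106_107"] = REQUIRED_CONFIG_ROWS <= ev.config_rows
    results["ume_roles_imported"] = REQUIRED_CC_ROLES <= ev.ume_roles
    results["jco_metadata_and_model"] = (
        REQUIRED_JCO_KINDS <= set(ev.jco_destinations.values()))
    # Caution from the lesson: HR components present => HR RTA required,
    # otherwise the risk analysis never completes.
    hr_present = any(c.startswith(HR_COMPONENT_PREFIXES)
                     for c in ev.installed_components)
    results["hr_rta_if_hr_present"] = (not hr_present) or ev.hr_rta_installed
    return results


def failed_checks(results: Dict[str, bool]) -> List[str]:
    """Names of the checks that did not pass, sorted for stable reporting."""
    return sorted(name for name, ok in results.items() if not ok)


# Constructed evidence: daemon config rows incomplete, HR installed without its RTA.
SAMPLE = Evidence(
    igs_page="<html><body>SAP IGS is running</body></html>",
    bg_status_page="CC background job daemon: running",
    ad_status_page="CC analysis daemon: running",
    config_rows={101, 102, 105, 106},
    ume_roles=REQUIRED_CC_ROLES | {"AEAdmin"},
    jco_destinations={"CC_METADATA_DEST": "metadata", "CC_MODEL_DEST": "model"},
    installed_components={"SAP_BASIS", "SAP_APPL", "SAP_HR"},
    hr_rta_installed=False,
)

if __name__ == "__main__":
    for name, ok in verify_installation(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Collecting the evidence is the site-specific part (HTTP fetches of the three pages, a query of virsa_cc_config, the UME role list, the JCo destination list and the SPAM component list); keeping it separate from the checks means the same checklist can be re-run after every transport.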

Lesson Summary
You should now be able to:
• List the required steps after installation of SAP BusinessObjects Access Control Risk Analysis and Remediation
• Explain how to connect Risk Analysis and Remediation to a back-end system
• Explain the possibility of exporting and importing configuration settings in order to perform transports from development to production

Lesson: Introduction to the SoD Risk Management Process

Lesson Overview
This lesson reviews the SoD risk management process.

Lesson Objectives
After completing this lesson, you will be able to:
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase

Business Example
As a business expert, you are responsible for guiding the other project team members through the segregation of duties risk management process to clean up your system. Consequently, you need to familiarize yourself with the process steps.

Risk Management Phase Approach
SAP has developed a three-phase approach to risk management. By applying this method, it is possible to implement a process for segregation of duties (SoD) risk management.

Figure 24: SoD Risk Management Process

The process begins by defining the risks, rule building, and validation.

Risk Recognition
In the risk recognition phase, identify authorization risks and approve exceptions. Clarify and classify risks as high, medium, or low. Identify new risks and conditions for monitoring in the future.

Rule Building and Validation
In the rule building and validation phase, reference best-practice rules for your environment. Validate rules, customize rules, then test. Verify against test user and role cases.

Analysis
During analysis, run analytical reports. Estimate cleanup efforts. Analyze roles and users. Modify rules based on analysis. Set alerts to distinguish executed risks.

Remediation
In the remediation phase, determine alternatives for eliminating risks. Present the analysis and select corrective actions. Document approval of corrective actions. Modify or create roles or user assignments.

Mitigation
During mitigation, determine alternative controls to mitigate risk. Educate management about conflict approval and monitoring. Document a process to monitor mitigation controls. Implement controls.

Continuous Compliance
In continuous compliance, communicate changes in roles and user assignments. Simulate changes to roles and users. Implement alerts to monitor for selected risks and mitigating control testing.

Roles and Responsibilities
During the SoD risk management process, there are a number of roles that need to be involved if you are to have a successful remediation plan.

Figure 25: Roles and Responsibilities

In defining the roles and responsibilities, think about the individuals in your company who meet some of these responsibilities.

Business Process Owner
During the risk management process, you will need to identify process owners in areas such as finance, sales, purchasing, and materials management, depending on where the SoD risks are located. Involving the business process owners from the beginning of the project is important because they will understand the impact of the risks after the rules have been defined.

Senior Officers
One of the main reasons senior officers should be involved is to approve or reject risks between areas and approve mitigating controls. By having senior officers involved, you maintain focus on the identified risks and how those risks affect the company financially.

Security Administrators and Technical Liaisons
Security administrators and technical liaisons assume responsibility for the application from a maintenance point of view. They grant access to users, troubleshoot problems, and can remediate SoD conflicts at role level.

Auditors and Regulators
Internal audit can assist in running a risk analysis on a regular basis. They can provide guidance to other team members as to which risks are true conflicts and what might be considered a false positive.

SoD Rule Keeper
The rule keeper is involved in making necessary configuration changes to rules. The rule keeper can also maintain mitigating controls for control owners and be a liaison between Basis and the SAP GRC team.

Caution: When setting up your rule set, make sure that you consider critical actions that will also need to be maintained in the rule set.

Lesson Summary
You should now be able to:
• List the main process in identifying and resolving SoD issues
• Describe the people involved in the process and their responsibilities
• Name each step of the process and explain the required activities in each phase

Lesson: Rule Building and Validation

Lesson Overview
This lesson explains the terminology related to risks within SAP BusinessObjects Access Control Risk Analysis and Remediation.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risks, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided

Business Example
As a business process expert, you are responsible for implementing the identified risks inside SAP BusinessObjects Access Control. Your organization decides to build a new rule set from scratch, using the standard rule set delivered by SAP as a template.

Rule Building and Validation
After risk recognition, the second part of phase one is rule building and validation.

Figure 26: Rule Building and Validation

Key Terminology
Business Process: The business area categories in which you would like to report risk analysis results in Risk Analysis and Remediation.
Function: A grouping of one or more related actions or permissions for a specific business area.
Risk: An opportunity for physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a specific condition; functions are the main components of risks.
Action: An activity that is performed in the system in order to fulfill a specific function, for example, Create Purchase Order or Create Material Master Record.
Permission: Authorizations that allow a user to perform a particular activity in a system.
System: A system in which risk analysis is performed, for example, SAP ERP, Oracle, SAP CRM, PeopleSoft, or Hyperion.

Figure 27: Rule Structure

Rule Building

Figure 28: Main Components of the Rule-Building Process

Figure 29: Functions

Figure 30: Risks

Organizational Rules
The organizational rule functionality eliminates false positives based on organizational-level restrictions. Use this functionality for exception-based reporting only.

Companies should perform an analysis prior to implementation to ensure their situation warrants the use of organizational rules, and should not institute organizational rules until the remediation phase of their project. Only after identifying a possible organizational rule scenario should you create the organizational rules. Using organizational rules to group users into reports by organizational levels, in order to distribute SoD reports to various management levels, is not recommended. Rather, use the organization-level rules exclusively for exception-based reporting to remove false-positive conflicts that result from organization-level segregation. Because of the sizable performance impact that organization-level rules can have, use them only in those situations in which the company has made a conscious decision to segregate via organization levels.

Delivered Rule Set from SAP
The SAP-delivered rule set provides a list of SoD risks that have been accumulated from best practices, clients, and SAP's own experience. You should review these rules to determine whether they are applicable to your clients. They are a recommendation only. The delivered rule set includes rules for:
• ERP
  – Basis
  – Finance
  – HR / Payroll
  – MM / PP / QM
  – Order-to-cash
  – Procure-to-pay
• SRM / EBP
• CRM
• Consolidation
• APO


Exercise 3: Rule Building and Validation

Exercise Objectives
After completing this exercise, you will be able to:
• Implement the identified issues from the Risk Recognition Workshop in your own rule set
• Create critical functions inside SAP BusinessObjects Access Control
• Create and describe risks resulting from the critical or conflicting functions

Business Example
As a business process expert, you are responsible for implementing the identified risks inside SAP GRC Access Control. Your organization decided to build a new rule set from scratch while using the standard rule set delivered by SAP as a template only.

Task: Create and generate your own rule set.

1. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create a new rule set. Expand Rule Sets in the left menu pane and click Create.

2. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create your own business process for purchase-to-pay. Expand Business Processes in the left menu pane and click Create.

3. Create a function with the following information.

   Field            | Value
   -----------------|-------------------------------------------
   Function ID      | Func1_XX (where XX is your group number)
   Description      | Func1_XX
   Business Process | <XX> Procure to Pay
   Analysis Scope   | Single
   Actions          | XK01

4. Create a function with the following information.

Continued on next page.

   Field            | Value
   -----------------|-------------------------------------------
   Function ID      | Func2_XX (where XX is your group number)
   Description      | Func2_XX
   Business Process | <XX> Procure to Pay
   Analysis Scope   | Single
   Actions          | ME21N

5. Create a risk with the two functions from above and the following information.

   Field            | Value
   -----------------|-------------------------------------------------------------------------
   Risk ID          | <XX>NN (where XX is your group number and NN is free to be changed)
   Description      | Risk_XX
   Risk Type        | Segregation of Duties
   Risk Level       | Medium
   Business Process | PP<XX>
   Status           | Enable

6. Generate rules for the risk you just created.

Solution 3: Rule Building and Validation

Task: Create and generate your own rule set.

1. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create a new rule set. Expand Rule Sets in the left menu pane and click Create.
   a) Enter the information from the table below. Replace XX with your group number.

      Field       | Value
      ------------|--------------
      Rule Set ID | RS<XX>
      Description | <XX> rule set

2. Log on to SAP BusinessObjects Access Control (Risk Analysis and Remediation) and select the tab Rule Architect to create your own business process for purchase-to-pay. Expand Business Processes in the left menu pane and click Create.
   a) Enter the information from the table below. Replace XX with your group number.

      Field               | Value
      --------------------|---------------------
      Business Process ID | PP<XX>
      Description         | <XX> Procure to Pay

3. Create a function with the following information.

   Field            | Value
   -----------------|-------------------------------------------
   Function ID      | Func1_XX (where XX is your group number)
   Description      | Func1_XX
   Business Process | <XX> Procure to Pay
   Analysis Scope   | Single
   Actions          | XK01

4. Create a function with the following information.

Continued on next page.

   Field            | Value
   -----------------|-------------------------------------------
   Function ID      | Func2_XX (where XX is your group number)
   Description      | Func2_XX
   Business Process | <XX> Procure to Pay
   Analysis Scope   | Single
   Actions          | ME21N

5. Create a risk with the two functions from above and the following information.

   Field            | Value
   -----------------|-------------------------------------------------------------------------
   Risk ID          | <XX>NN (where XX is your group number and NN is free to be changed)
   Description      | Risk_XX
   Risk Type        | Segregation of Duties
   Risk Level       | Medium
   Business Process | PP<XX>
   Status           | Enable

   a) Add your two functions as the two conflicting functions.
   b) Select the rule set that you created, Rule set XX.

6. Generate rules for the risk you just created.
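What "generate rules" does in step 6, and how organizational rules (Rule Building and Validation lesson above) remove false positives, can be made concrete with a small rule engine. The following is an added example, not SAP code and not part of the course; it follows the lesson's terminology (function = group of actions, risk = conflicting functions, rule generation = one action rule per combination of actions across the functions). XK01 and ME21N are the actions from Exercise 3; the second action ME22N in Func2, the user assignments and the company-code values are constructed to show the organizational-rule filter.

```python
"""Rule building and generation in miniature, as an added example (not SAP
code). Functions group actions, a risk names the conflicting functions,
and rule generation expands the risk into action rules. Users, org values
and the extra action ME22N are constructed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Function:
    function_id: str
    description: str
    business_process: str
    actions: FrozenSet[str]          # analysis scope "Single": actions only


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: Tuple[Function, ...]  # one function => critical action, two+ => SoD
    risk_type: str = "Segregation of Duties"
    risk_level: str = "Medium"
    business_process: str = ""
    status: str = "Enable"
    org_rule: bool = False           # True: apply organizational-level filtering


@dataclass(frozen=True)
class ActionRule:
    risk_id: str
    risk_level: str
    actions: Tuple[str, ...]         # one action per conflicting function
    org_rule: bool


def generate_rules(risk: Risk) -> List[ActionRule]:
    """Expand a risk into action rules. A disabled risk yields no rules; a
    single-function (critical action) risk yields one rule per action."""
    if risk.status != "Enable":
        return []
    combos = product(*(sorted(f.actions) for f in risk.functions))
    return [ActionRule(risk.risk_id, risk.risk_level, combo, risk.org_rule)
            for combo in combos]


# A user's access: action -> organizational values (e.g. company codes) the
# user may execute it for. Constructed format for this example.
UserAccess = Dict[str, Set[str]]


def analyze_user(user: UserAccess, rules: List[ActionRule]) -> List[ActionRule]:
    """Return the rules the user violates. With org_rule set, a hit counts
    only if the conflicting actions overlap in at least one organizational
    value; otherwise the org-level segregation makes it a false positive."""
    hits = []
    for rule in rules:
        if not all(action in user for action in rule.actions):
            continue
        if rule.org_rule:
            shared = set.intersection(*(user[a] for a in rule.actions))
            if not shared:
                continue
        hits.append(rule)
    return hits


def violation_count(user: UserAccess, risk: Risk) -> int:
    return len(analyze_user(user, generate_rules(risk)))


# Exercise 3 objects for group 01, plus ME22N as a constructed second action.
FUNC1_01 = Function("Func1_01", "Func1_01", "PP01", frozenset({"XK01"}))
FUNC2_01 = Function("Func2_01", "Func2_01", "PP01", frozenset({"ME21N", "ME22N"}))
RISK_0101 = Risk("0101", "Risk_01", (FUNC1_01, FUNC2_01), business_process="PP01")
RISK_0101_ORG = Risk("0101", "Risk_01", (FUNC1_01, FUNC2_01),
                     business_process="PP01", org_rule=True)

# Constructed users: both hold XK01 and ME21N; only USER_B is segregated by
# company code (vendor maintenance in 1000, purchase orders in 2000).
USER_A: UserAccess = {"XK01": {"1000"}, "ME21N": {"1000"}}
USER_B: UserAccess = {"XK01": {"1000"}, "ME21N": {"2000"}}

if __name__ == "__main__":
    for rule in generate_rules(RISK_0101):
        print(rule.risk_id, rule.risk_level, " + ".join(rule.actions))
    print("USER_B without org rule:", violation_count(USER_B, RISK_0101))
    print("USER_B with org rule:   ", violation_count(USER_B, RISK_0101_ORG))
```

The two USER_B results illustrate the lesson's warning: the organizational rule turns a reported conflict into a non-finding, which is correct only if the company has consciously decided to segregate by company code; used casually it hides real conflicts, and it costs an extra intersection per rule per user at analysis time.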

Lesson Summary
You should now be able to:
• Explain the key terminology related to risks within SAP BusinessObjects Access Control
• Create and maintain functions and risks, build the resulting rules, and explain the concept of organizational rules
• Discuss what is delivered in the delivered rule set
• List the systems for which a rule set is provided

Lesson: Rule Reporting

Lesson Overview
This lesson discusses reporting within the risk library.

Lesson Objectives
After completing this lesson, you will be able to:
• View or locate function change history
• View or locate risk change history
• Compare rule sets

Business Example
Audit demands lists of recent changes to the rule set in order to check whether the implemented change management process is effective. Only approved changes are actually implemented in SAP BusinessObjects Access Control.

Change History
Choose Change History to view the changed-functions log for functions and the risk history in the change log for risks. Viewing the logs permits managers and administrators to determine which functions and risks were changed and who changed them. Whether or not you have the ability to see the logs is determined during configuration.

Figure 31: Function Change History

Function Change History
To view change log information for functions, choose Rule Architect → Change History → Functions. In the displayed Functions - Change History Results screen, select your settings and choose Execute to run a search and view the change log results. The Functions Change History Results log includes:
• Changed On: The date and time
• Changed By: The user ID
• Function (ID)
• Change Type: This is either Insert Function or Delete Function
• System
• Action
• Item
• Value
• Status

Figure 32: Risk Change History

Risk Change History
To view change log information for risks, choose Rule Architect → Change History → Risks. In the displayed Risks - Change History Results screen, select your settings and choose Execute to run a search and view the change log results. The Risks Change History Results log includes:
• Changed On: The date and time
• Changed By: The user ID
• Risk ID
• Change Type: The type is either Insert or Delete
• Field
• Old Value
• New Value

Comparing Rule Sets
This report compares the contents of two rule sets and displays the results.

Figure 33: Rule Set Comparison

The rule sets can be compared in two ways:
• A comparison of just the risks in the designated rule sets
• A comparison of risks and actions/permissions

To perform a comparison of rule sets, choose Rule Architect → Rule Sets → Compare. A comparison of risks is always performed, and these results are displayed initially. The Summary button on the risk comparison screen drills down to an action rule comparison. The Detail button in the action rule comparison drills down to a permission rule comparison.


Exercise 4: Rule-Set-Relevant Reporting

Exercise Objectives
After completing this exercise, you will be able to:
• Execute and interpret the Function Change History and Risk Change History reports
• Use the rule set comparison

Business Example
As the owner of the rule set, you are responsible for reviewing changes to ensure the integrity and proper documentation of access-relevant risks in SAP BusinessObjects Access Control.

Task 1: Demonstrate the Function Change History report.
1. Demonstrate the Function Change History report.

Task 2: Demonstrate the Risk Change History report.
1. Demonstrate the Risk Change History report.

Task 3: Demonstrate the Rule Set Comparison report.
1. Demonstrate the Rule Set Comparison report.

Solution 4: Rule-Set-Relevant Reporting

Task 1: Demonstrate the Function Change History report
1. Demonstrate the Function Change History report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Change History → Functions.
   c) In the Function ID field, enter the function that you created in the Rule Building and Validation exercise (Func1_XX).
   d) Choose Execute.
   e) Look at the changes that are identified on the results screen.

Task 2: Demonstrate the Risk Change History report
1. Demonstrate the Risk Change History report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Change History → Risks.
   c) In the Risk ID field, enter the risk that you created in the “Rule Building and Validation” exercise (<XX>NN).
   d) Choose Execute.
   e) Look at the changes that are identified on the results screen.

Task 3: Demonstrate the Rule Set Comparison report
1. Demonstrate the Rule Set Comparison report.
   a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
   b) Choose Rule Architect → Rule Set → Compare.
   c) Compare the Global rule set to the rule set you created in the “Rule Building and Validation” exercise (<XX> RuleSet).
   d) Select Actions and Permissions. Note that Risks are automatically selected.
   e) Look at the results that are identified on the Results screen. Switch between the Actions and Permission reports.

Lesson Summary
You should now be able to:
• View or locate function change history
• View or locate risk change history
• Compare rule sets

Lesson: Risk Analysis

Lesson Overview
This lesson gives you an overview of the management reports in the RAR Informer tab in SAP BusinessObjects Access Control.

Lesson Objectives
After completing this lesson, you will be able to:
• Define the relevant management views
• Run a risk analysis at role level
• Run a risk analysis at user level
• List the relevant report types
• Explain the use of different report formats
• Schedule a risk analysis as a background job

Business Example
As a leading risk management expert, you need to improve the process of checking the current risk situation in the system and estimate the required cleanup effort inside your organization.

SoD Risk Management Process Phase Two: Analysis
The purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risks by:
• Performing a security analysis to confirm risks for:
  – Simple roles
  – Composite roles
  – Users
• Reviewing the role to determine how certain personnel might be restricted from performing undesired activities by checking:
  – Objects
  – Fields
  – Values

Figure 34: Analysis Phase of the SoD Risk Management Process

Management View
The Management view in the Informer tab of Risk Analysis and Remediation provides a compact overview of risk violations grouped by time, severity, and business process.

Figure 35: Management View - Risk Violations

Management View: Reports
Start from the overview level and concentrate on the details afterward.
• SoD Violations report
  – Displays a pie chart and a bar chart to represent current and past violations in the system landscape
  – Supports two different views: violations by risk level and violations by process
• User Analysis report
  – Risks by user resulting from SoD conflicts
  – Risks by user resulting from critical actions and roles
• Role Analysis report

Provides an overview of the remediation progress:
• Comparisons report
  – Choose quarterly or monthly comparisons of user, role, and profile violations
  – Check remediation progress and percent completion
• Alerts report
  – Provides an accumulated view of conflicting action alerts per business process
• Rules Library report
• Controls Library report

Figure 36: Reports in the Management View

Risk Analysis
Analyze risks based on users, roles, HR objects, and other factors:
• Specify the parameters of the analysis
  – Cross-system analysis is possible
  – Specific roles or users can be selected for risk analysis
  – Restrict by business process or risk level if required

Figure 37: Analyzing a Risk

Report Types
Depending on the required analysis, select:
• Action Level
  – Performs SoD analysis only at action level
• Permission Level
  – Performs SoD analysis at action and permission levels
• Critical Actions
  – Analyzes users having access to one critical function (actions and permissions)
• Critical Permissions
  – Analyzes users having access to one critical function (permissions only)
• Critical Roles/Profiles
  – Analyzes users having access to critical roles or profiles
• Assignment of Mitigation Controls

Report Formats
Depending on the required level of detail, choose:
• Executive Summary report
  – Provides a description of the risks and a count of the number of rules that are causing the conflict
• Management Summary report
  – Displays users causing the conflicts, but no actions
• Summary report
  – Displays the users or roles and action conflicts involved
• Detail report
  – Provides the highest level of detail, including transactions

Note: It is possible to change the report format after a risk analysis is completed.

Scheduling a Background Job
Large background jobs should be scheduled to run overnight:
• Type in a descriptive name.
• Decide whether to run the job immediately or if it should be delayed.
• Schedule periodically if required.
• Only the scheduler and the administrator should be able to see the result of the job (check UME actions).
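The difference between the Action Level and Permission Level report types, and the four report formats listed above, is easier to grasp on a small data set than on a production user base. The following is an added worked example for this lesson; it is not SAP code and does not use the Access Control data model or APIs. Functions, risks, roles, users, transaction codes and permission strings are constructed sample data, and the permission check is simplified to "every required permission string is granted by one role", which is enough to show why a permission-level run reports fewer users than an action-level run of the same rule set.

```python
"""Simplified SoD user risk analysis at action and permission level, rendered
in the four report formats of this lesson. Added illustration, not SAP code;
all master data below is constructed sample data."""
from itertools import product

# Functions: function_id -> {action: frozenset(required permissions)}
FUNCTIONS = {
    "PR01": {"ME21N": frozenset({"M_BEST_BSA ACTVT=01"})},  # create purchase order
    "AP02": {"F-53": frozenset({"F_BKPF_BUK ACTVT=01"})},   # post vendor payment
}
# Risks: a user violates the risk when all listed functions are available.
RISKS = {
    "P001": {"description": "Create purchase order and pay vendor",
             "level": "High", "functions": ["PR01", "AP02"]},
}
# Roles: role -> {action: frozenset(granted permissions)}
ROLES = {
    "Z_PURCHASER":   {"ME21N": frozenset({"M_BEST_BSA ACTVT=01"})},
    "Z_PAYER":       {"F-53":  frozenset({"F_BKPF_BUK ACTVT=01"})},
    "Z_PAY_DISPLAY": {"F-53":  frozenset({"F_BKPF_BUK ACTVT=03"})},  # display only
}
USERS = {"ALICE": ["Z_PURCHASER", "Z_PAYER"],
         "BOB":   ["Z_PURCHASER", "Z_PAY_DISPLAY"],
         "CAROL": ["Z_PURCHASER"]}


def user_access(user):
    """Collapse a user's roles into {action: {role: granted permissions}}."""
    access = {}
    for role in USERS[user]:
        for action, perms in ROLES[role].items():
            access.setdefault(action, {})[role] = perms
    return access


def matching_actions(access, function_id, level):
    """Actions of one function the user can execute at the chosen level.
    Action level: the action is assigned. Permission level: the action is
    assigned and one role grants every permission the function requires."""
    hits = {}
    for action, required in FUNCTIONS[function_id].items():
        for role, granted in access.get(action, {}).items():
            if level == "action" or required <= granted:
                hits.setdefault(action, {})[role] = sorted(granted)
    return hits


def analyze(users, level="permission"):
    """Return {risk_id: {user: {function: {action: {role: perms}}}}}.
    A user is reported only when every function of the risk is matched."""
    result = {}
    for risk_id, risk in RISKS.items():
        for user in users:
            access = user_access(user)
            per_function = {f: matching_actions(access, f, level)
                            for f in risk["functions"]}
            if all(per_function.values()):
                result.setdefault(risk_id, {})[user] = per_function
    return result


def report(result, fmt):
    """Render one analysis result in a chosen report format."""
    out = {}
    for risk_id, by_user in result.items():
        if fmt == "executive":       # risk description + number of rules involved
            rules = {combo for hits in by_user.values()
                     for combo in product(*(sorted(h) for h in hits.values()))}
            out[risk_id] = (RISKS[risk_id]["description"], len(rules))
        elif fmt == "management":    # users only, no actions
            out[risk_id] = sorted(by_user)
        elif fmt == "summary":       # users and the conflicting actions
            out[risk_id] = {u: sorted(a for h in hits.values() for a in h)
                            for u, hits in by_user.items()}
        elif fmt == "detail":        # everything down to role and permission
            out[risk_id] = by_user
    return out


if __name__ == "__main__":
    for level in ("action", "permission"):
        print(level, report(analyze(USERS, level), "management"))
    print(report(analyze(USERS), "detail"))
```

Running it shows BOB as a violator at action level (he holds both ME21N and F-53) but not at permission level, because his F-53 access is display only and does not satisfy the payment function's required activity value; this is the false-positive reduction the Permission Level report type delivers, at the cost of a longer run, which is why large analyses are pushed to a scheduled background job. The same result object is rendered in all four formats, matching the note that the format can be switched after the analysis has completed.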

Exercise 5: Perform a Risk Analysis

Exercise Objectives
After completing this exercise, you will be able to:
• Run a risk analysis against a business user using the recently designed rule set containing the risk identified in the Risk Recognition Workshop
• Schedule a risk analysis job to check conflicts inside a composite role

Business Example
You want to use the Risk Analysis and Remediation capabilities of SAP BusinessObjects Access Control to improve the process of checking the current risk situation in the system and to estimate the required cleanup efforts.

Task 1: User Risk Analysis report
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks of your business user, GRCBIZZ-xx.
2. Use the icons in the result screen of the risk analysis to toggle the different report formats.

Task 2: Role risk analysis
1. Use the Risk Analysis and Remediation functionality of SAP BusinessObjects Access Control to identify the risks inside the composite role GRC300-CR_PURCHASE_TO_PAY-<XX>.
2. Check the result of your background job analysis, toggle to report format Detail Report, and download the result in a Microsoft Excel file.

Result
Congratulations! Now you can use the result of your analysis for further discussions with the role and authorizations team within your company.
