
2012

SAP BusinessObjects GRC


Access Control
Approach Document

SAP GRC ACCESS CONTROL


Approach Document

Padmanabha
4/23/2012

SAP BO GRC Access Control

TABLE OF CONTENTS

1 Introduction ............................................................ 3
1.1 About SAP GRC Access Control ......................................... 4
1.2 SAP GRC Access Control Modules and Features .......................... 5
1.3 Need for SAP GRC Access Control ...................................... 6
2 SAP GRC Overview ....................................................... 8
3 SAP GRC Architecture ................................................... 9
3.1 GRC Architecture Framework .......................................... 10
3.2 Cross Enterprise Solution ........................................... 11
4 GRC Application Landscape ............................................. 12
5 SAP GRC Access Control Installation ................................... 13
5.1 GRC Landscape ....................................................... 13
5.2 Support Pack Levels and Backend Compatibilities ..................... 13
5.3 Hardware Requirements ............................................... 14
6 Implementation Methodology ............................................ 15
6.1 Implementation Phases ............................................... 15
6.2 Risk Analysis & Remediation Overview ................................ 16
6.3 Enterprise Role Management .......................................... 18
6.4 Compliant User Provisioning Workflow Overview ....................... 20
6.5 Super User Privilege Management - Overview .......................... 21
6.6 Harmonization between all GRC products .............................. 23
6.7 GRC - Management Oversight and Internal Audit ....................... 23
6.8 Implementation Approach ............................................. 24
6.9 GRC Integration Aspects ............................................. 24
7 SAP GRC Access Control Benefits ....................................... 28
8 ASAP Methodology ...................................................... 30
9 Deliverables .......................................................... 31

Page 2 of 32


1 Introduction

Corporate governance issues have dominated the agendas of C-level executives at large corporations. With the acquisition and rapid integration of Virsa in the SoD and access control space, SAP has an evolved GRC offering that has been proven over many years of real-world experience and industry-specific deployments. In addition, SAP's recent partnership with Cisco attests to the company's dedication to providing comprehensive risk protection from the network layer to the application layer. With the introduction of SAP GRC Repository, SAP GRC Process Control, SAP GRC Risk Management, SAP GRC Global Trade Services (GTS) and SAP Environment, Health & Safety (EH&S), SAP clearly offers the most compelling, comprehensive portfolio of GRC solutions available today. Equally important, these applications are built on the NetWeaver platform, making them among the first service-oriented architecture (SOA)-based GRC solutions.

This document describes in brief the approach note and the high-level technical approach for an SAP GRC Access Control (AC 5.3) implementation. Based on industry best practices and SAP guidelines, the GRC Access Control implementation shall be rolled out to meet the business needs and compliance requirements.


1.1 About SAP GRC Access Control

SAP GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.

GRC Access Control Evolution Path

The Access Control application includes the following capabilities:

- Risk Analysis and Remediation, which supports real-time compliance to detect, remove, and prevent access and authorization risk by stopping security and control violations before they occur.
- Compliant User Provisioning, which automates provisioning, tests for SoD risks, and streamlines approvals to the appropriate business approvers to unburden IT staff and provide a complete history of user access.
- Enterprise Role Management, which standardizes and centralizes role creation and maintenance.
- Superuser Privilege Management, which enables users to perform emergency activities outside their roles as a privileged user in a controlled and auditable environment.

SAP GRC solutions help companies comply with the Sarbanes-Oxley Act and other regulatory mandates by enabling organizations to rapidly identify and remove authorization risks from IT systems. Access Control allows preventive controls to be embedded into business processes so that new SoD violations cannot be introduced without proper approval and mitigation.

The SAP GRC Access Control module provides the following functionality:

- Analyze, detect, and provide means for remediating access and authorization controls, in real time and with simulation
- Monitor and track privileged user access controls
- Provide compliant user and access provisioning
- Define and document security access design

SAP GRC Access Control provides the following key features and benefits:

- Automated SAP security audit and Segregation of Duties (SoD) analysis
- Real-time risk assessment
- Simulation and remediation
- Mitigation controls
- Preventive as well as detective controls
- Security and audit summary and drill-down reports
- Cross-enterprise analysis

1.2 SAP GRC Access Control Modules and Features

The specific modules of SAP GRC Access Control are:

- Risk Analysis and Remediation (formerly Virsa Compliance Calibrator)
- Compliant User Provisioning (formerly Virsa Access Enforcer)
- Enterprise Role Management (formerly Virsa Role Expert)
- Superuser Privilege Management (formerly Virsa FireFighter for SAP)

High-level features of these individual components are:

Risk Analysis and Remediation (RAR)
Based on the rule set, RAR assesses risk, enabling businesses to identify conflicts immediately, drill down into root causes, and achieve resolutions swiftly. It helps in the quick, effective and comprehensive identification and elimination of existing access and authorization risks.

Superuser Privilege Management (SPM)
Enables users to perform activities outside their role under superuser-like privileges in a controlled, auditable environment for emergency operations. It tracks, monitors, and logs every activity a superuser performs with a privileged user ID. Web-based reporting provides business process owners and auditors with detailed multi-system usage reports across their SAP software landscape. Activity logs track input down to the field value level and enable easy filtering, sorting, and downloading of input information.

Enterprise Role Management (ERM)
Enforces SoD at design time and ensures centralized role design across applications. It also ensures standardization in role design, testing and maintenance.

Compliant User Provisioning (CUP)
Enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals, and reduce the workload for IT staff.

1.3 Need for SAP GRC Access Control

- Compliance issues
- Negative Sarbanes-Oxley audit results
- Segregation of Duties conflicts / excessive access
- Security administration process
- Internal controls repository
- Maintaining a clean environment
- Program development / ERP upgrades
- Escalating help desk costs
- Change management
- ITGC and business cycle controls / responsibility
- Incomplete global risk profile

Hence, present corporate governance laws demand a high level of transparency and accountability in the disclosure of a company's financial statements.

To overcome these issues, the implemented SAP GRC Access Control would provide this GRC transparency:


2 SAP GRC Overview

SAP GRC Access Control offers a robust solution for monitoring, testing, and enforcing access and authorization controls that enables enterprises to quickly fulfill compliance and regulatory requirements.

The following illustration provides an overview of all software components used by SAP GRC Access Control, including Risk Analysis and Remediation, Compliant User Provisioning, Enterprise Role Management, and Superuser Privilege Management.


3 SAP GRC Architecture

The GRC technical architecture is as depicted:

- Provides centralized cross-enterprise compliance visibility
- Rule Architect analyses access to systems other than SAP
- Leverages SAP NetWeaver Application Server
- Does not impact the production server
- Features a single compliance dashboard
- Role-dependent views utilizing SAP User Management Engine (UME)
- Login to the SAP client is not required to access Risk Analysis and Remediation


3.1 GRC Architecture Framework

The central component of SAP GRC Access Control connects to multiple enterprise software systems. The adapter framework provides a common runtime environment for the risk analysis of different ERP systems. The real-time adapter (RTA) is the back-end counterpart that resides on the target systems. Together they provide real-time connectivity between SAP solutions for GRC and the backend system, providing real-time compliance around the clock to detect, remove, and prevent control violations before they occur.

3.2 Cross Enterprise Solution

4 GRC Application Landscape


5 SAP GRC Access Control Installation

5.1 GRC Landscape

At the minimum, as per industry best practice, SAP GRC Access Control has to be deployed as a two-system landscape with DEV/QA and PROD. SAP GRC AC has to be installed first in the DEV/QA environment. The software requirement is SAP NetWeaver (Web Application Server 700 SP10 or above) with the Java/J2EE stack and Java Runtime Environment (JRE) version 1.4.x, on Windows 2000 / 2000 Advanced Server / 2003 Server (Standard/Enterprise/Web) or Linux/Unix based servers. The other pre-installation checklist items are: the SAP database exists, the User Management Engine (UME) is installed and configured, and the memory settings for the SAP 700 Web Application Server (WAS) are configured.

GRC AC post-installation configuration includes: creating the Administrator role, assigning the Administrator role to the administrator user, choosing the language setting and connecting the stand-alone J2EE system to the remote SAP server. This makes SAP GRC Access Control ready for configuration and implementation to begin. SAP GRC Access Control installation can be done by the in-house Web AS (Basis) team or as part of the GRC implementation.

SAP GRC Access Control component configurations are deployed in the DEV/QA system. A Sandbox system can also be deployed for the pilot and as the implementation baseline across the enterprise-wide GRC functionalities. Based on these configurations, GRC AC configurations are replicated for development, testing and QA in the DEV/QA environment, and these configurations are transported to the PROD system environment in the Final Preparation phase.

5.2 Support Pack Levels and Backend Compatibilities

Prerequisites of Access Control 5.3:

- NW 7.0 with SP 10 and higher
- SLD is required for Risk Analysis and Remediation

Supported RTA:

- Supported RTA R/3 versions are 4.6c, NW2004 or ECC 5.0, NW 7.0 or ECC 6.0
- Optional: BI 7.0 and EP 7.0

This table indicates the minimum SP level required for the backend system (RTA) with the corresponding SAP Note numbers:

We can install the RTA for the latest Access Control release, AC10, on any SAP system as long as it meets the support package prerequisites for the SAP ABAP and BASIS stacks as indicated in the table: SAP_ABA and SAP_BASIS.

5.3 Hardware Requirements

- Machine: server based; dual processors, 2.4-3.2 GHz or faster
- RAM: 16 GB; hard disk: 120 GB minimum (240 GB recommended)

Precise sizing requirements are arrived at during the implementation based on the volume of data.


6 Implementation Methodology

As defined, the project methodology spreads across Analysis, Design, Build, Test and Deliver. Along similar lines, SAP GRC AC has a standard implementation methodology based on the ASAP methodology, spread across Get Clean, Stay Clean and Stay in Control for the various components.

6.1 Implementation Phases

A Risk Analysis and Remediation (Compliance Calibrator) implementation is typically broken down into these six distinct phases:

Risk Recognition
- Identify or approve conflicts and exceptions
- Classify risks as High, Medium, or Low
- Identify new risks and conditions that should be monitored

Rule Building and Validation
- Establish technical rules to monitor risk
- Verify rules against test cases (Users/Roles)

Analysis
- Run analytical reports
- Explore alternatives to eliminating
- Size cleanup efforts

Remediation
- Determine alternatives for eliminating risks
- Present analysis and select corrective actions
- Document approval of corrective actions
- Modify / create roles or user assignments

Mitigation
- Design alternative controls to mitigate risk
- Educate management on conflict approval and monitoring
- Document a process for monitoring mitigation controls
- Implement controls

Continuous Compliance / Improvement
- Modify rules based on analysis
- Communicate changes in roles and user assignment
- Simulate changes to roles and users
- Implement alerts to monitor for newly selected risks and mitigating control testing

6.2 Risk Analysis & Remediation Overview

Risk Analysis & Remediation Segregation-of-Duties Management Process Overview

SAP security provides the opportunity to prevent an individual from executing combinations of transactions without the involvement of another person in the process. Proactive SoD management involves identifying the ways in which fraud could be committed or processes accidentally corrupted. This includes monitoring the security privileges granted to individuals so that capabilities are known before they are exploited.

However, there are circumstances which require the same person to be able, for example, to order and receive materials. In these cases, a detective control should be put in place to review that person's access to detect fraud or unusual activities. The management process is designed to help Business Process Owners (BPOs) recognize SoD risks and implement the necessary controls (mitigating controls).

Security owns the SoD process and acts as a facilitator. The BPOs are responsible for managing the risks and designing alternate controls when Segregation of Duties cannot be achieved. Once the risks are defined, Business Process Analysts (BPAs) provide the technical knowledge to ensure the appropriate transactions, related objects and field values are defined in Risk Analysis and Remediation. Business Process Owners are also responsible for approving actions taken to rectify SoD issues inherent in roles under their responsibility.


RAR Implementation Approach: GRC Access Control Risk Analysis and Remediation is implemented as defined in the standard SoD management process, carried across the phases from risk definition to remediation and mitigation, leading to an SoD-clean state.

In GRC Risk Analysis and Remediation, Security owns the SoD process and acts as a facilitator. The Business Process Owners are responsible for managing the risks and designing alternate controls when Segregation of Duties cannot be achieved. Once the risks are defined, Business Process Analysts provide the technical knowledge to ensure the appropriate transactions and related objects and field values are defined. Business Process Owners also own the responsibility for approving actions taken to rectify SoD issues inherent in roles and for mitigating users.

The audit department takes ownership and responsibility for conducting audits to discover Segregation of Duties issues and for testing the mitigating controls implemented by business process owners. The SoD rule keeper is responsible for controlling the rules in security, and the SAP Security administrator is segregated from the SoD duties and owns the security administration activities.

The following diagram depicts the high-level solution approach of Risk Analysis and Remediation:

Enhanced Access Risk Analysis (RAR v10):


6.3 Enterprise Role Management

Enterprise Role Management is a web-based application that automates the creation and management of role definitions. Role Expert enforces best practices to ensure that role definition, development, testing and maintenance are consistent across the entire implementation, resulting in lower ongoing maintenance and painless knowledge transfer.

Enterprise Role Management empowers SAP security administrators and role owners to document important role information that is of great value for better role management, such as:

- Tracking progress during role implementation.
- Monitoring the overall quality of the implementation.
- Performing risk analysis at role design time.
- Setting up a workflow for role approval.
- Providing an audit trail for all role modifications.
- Maintaining roles after they are generated to keep role information current.

Enterprise Role Management has a rich set of reports to facilitate overall role quality management and provide valuable information to achieve precise role definitions and lower ongoing role maintenance. Role Expert provides reports which make the identification of risks surrounding the segregation of duties a painless process, and ensures that you get the most out of the SAP security system.
Enterprise Role Management Implementation Approach: Enterprise Role Management is implemented to automate the creation and management of roles. Enterprise Role Management is configured to ensure that role definition, development, testing and maintenance are carried out in a consistent manner across the entire system landscape. With the Enterprise Role Management tool, role maintenance is optimized and made compliant with all regulatory requirements. It also makes role re-design and remediation easy. With optimal utilization of the tool, role re-design and cleaning of roles (get clean) is achieved and ongoing roles are provisioned into the backend systems (stay in control).

The following diagram depicts the high-level role automation in Enterprise Role Management:

Business Role Governance (ERM v10):


6.4 Compliant User Provisioning Workflow Overview

Compliant User Provisioning workflows shall be configured to be triggered automatically by events such as a new user creation or a role change. The dynamic workflow provisions the actions directly into multiple systems. Compliant User Provisioning will be configured to let business users perform the provisioning activities without any involvement of IT or application security personnel, while facilitating proactive SoD analysis.

End-to-end automation means that sequences can be triggered automatically by events such as a new employee hire or a job change, then processed through dynamic workflow, and finally provisioned directly into multiple systems. These steps can be performed by business users without any involvement of IT or application security personnel.

The following diagram depicts the high-level workflow of Compliant User Provisioning:


Streamlined User Access Management (CUP v10):
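The three sections above (6.2 risk analysis, 6.3 design-time role checks, 6.4 risk-gated provisioning) all rest on the same mechanism: a rule set that pairs business functions which must not be held together, evaluated against the transactions a role or user can reach. The following Python example is added here to make that mechanism concrete; it is not SAP code and not part of the original document. The functions, transaction codes, roles (Z_*), users, risk ids (P001, P002) and the mitigating control M-PO-01 are constructed illustrations, and the two-stage workflow routing is an assumed simplification of what a CUP configuration would express.

```python
from dataclasses import dataclass
from datetime import date

# ---- Constructed rule set (an illustration, not SAP's delivered rules) ----
# A business function is the set of transactions that lets someone carry it out.
FUNCTIONS = {
    "VENDOR_MAINT":   {"FK01", "FK02", "XK01"},   # create/change vendor master
    "VENDOR_INVOICE": {"FB60", "MIRO"},           # post vendor invoice
    "PURCHASE_ORDER": {"ME21N"},                  # create purchase order
    "GOODS_RECEIPT":  {"MIGO"},                   # post goods receipt
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str          # High / Medium / Low, as classified in Risk Recognition
    functions: tuple    # the two functions one person must not hold together


RISKS = (
    Risk("P001", "High",   ("VENDOR_MAINT", "VENDOR_INVOICE")),
    Risk("P002", "Medium", ("PURCHASE_ORDER", "GOODS_RECEIPT")),
)

# ---- Constructed backend data: role -> transactions, user -> roles ----------
ROLES = {
    "Z_AP_CLERK":     {"FB60", "MIRO"},
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_BUYER":        {"ME21N"},
    "Z_WAREHOUSE":    {"MIGO"},
    "Z_PROCURE_ALL":  {"ME21N", "MIGO"},   # conflict built into a single role
}
USER_ROLES = {
    "ALICE": ["Z_AP_CLERK"],
    "BOB":   ["Z_BUYER", "Z_WAREHOUSE"],
}
# Mitigating control approved for a (user, risk) pair, with its validity end date.
MITIGATIONS = {("BOB", "P002"): ("M-PO-01", date(2025, 12, 31))}


def transactions_of(roles):
    """Union of the transactions granted by a list of roles."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def violations(tcodes):
    """Risk ids for which both conflicting functions are reachable from tcodes."""
    hits = []
    for risk in RISKS:
        side_a, side_b = (FUNCTIONS[f] for f in risk.functions)
        if tcodes & side_a and tcodes & side_b:
            hits.append(risk.risk_id)
    return hits


def is_mitigated(user, risk_id, as_of):
    """A control only counts while it is still within its validity period."""
    control = MITIGATIONS.get((user, risk_id))
    return control is not None and as_of <= control[1]


def analyze_role(role):
    """ERM design-time check: a role must not carry a conflict by itself."""
    return violations(ROLES[role])


def analyze_user(user, as_of):
    """RAR detective check: each violation is OPEN or MITIGATED as of a date."""
    return {
        rid: ("MITIGATED" if is_mitigated(user, rid, as_of) else "OPEN")
        for rid in violations(transactions_of(USER_ROLES.get(user, [])))
    }


def simulate(user, new_roles):
    """CUP preventive check: violations the request would newly introduce."""
    current = USER_ROLES.get(user, [])
    before = set(violations(transactions_of(current)))
    after = set(violations(transactions_of(current + list(new_roles))))
    return sorted(after - before)


def route_request(user, new_roles, as_of):
    """Pick the workflow path: plain manager approval, or an extra risk-owner
    stage when the request creates a risk that no valid control covers."""
    new_risks = simulate(user, new_roles)
    if all(is_mitigated(user, rid, as_of) for rid in new_risks):
        return "MANAGER_APPROVAL"
    return "RISK_OWNER_APPROVAL"


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(analyze_role("Z_PROCURE_ALL"))                      # ['P002']
    print(analyze_user("BOB", today))                         # {'P002': 'MITIGATED'}
    print(simulate("ALICE", ["Z_VENDOR_MAINT"]))              # ['P001']
    print(route_request("ALICE", ["Z_VENDOR_MAINT"], today))  # RISK_OWNER_APPROVAL
```

Two points worth noticing: the same `violations` routine serves the detective run over existing users, the design-time check on a single role, and the preventive simulation of a request, which is exactly why the document treats RAR, ERM and CUP as one integrated suite; and a mitigating control is evaluated against a date, so the same user flips back to OPEN once the control expires unless it is re-approved.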

6.5 Super User Privilege Management - Overview

Super User Privilege Management (Firefighter) will be configured to automate emergency change requests, such as access to SAP_ALL in the production system, so that they are carried out in a consistent, secure and compliant manner. Automation will be enabled to cover all aspects of firefighting, from setting up Firefighter IDs, users, owners and approvers for those Firefighter IDs to automatic logons, owner notifications, activity logging and related monitoring and administration activities.

The following diagram depicts the usage of an emergency request for Super User Privilege Monitoring:


Centralized Emergency Access (SPM v10)
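The controls that make emergency access auditable, as described in section 6.5 (an assigned user, an owner who is notified, a mandatory reason, a single user per Firefighter ID at a time, field-level activity logging, and a controller who reviews every session), can be modelled in a few dozen lines. The Python below is an added illustration, not SAP's SPM code or part of the original document; the Firefighter ID FF_FIN_01, the users, the four-hour session limit and the notification list are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class FirefighterID:
    ff_id: str
    owner: str          # business owner who assigns users and is notified of use
    controller: str     # reviewer who must read every session log
    assignments: dict   # user -> datetime until which the assignment is valid


@dataclass
class Session:
    ff_id: str
    user: str
    reason: str
    started: datetime
    ended: datetime = None
    activities: list = field(default_factory=list)


class FirefighterService:
    MAX_SESSION = timedelta(hours=4)   # assumed policy limit for one check-out

    def __init__(self, ffids):
        self.ffids = {f.ff_id: f for f in ffids}
        self.active = {}          # ff_id -> open Session (one user per ID at a time)
        self.closed = []          # append-only log of finished sessions
        self.notifications = []   # (recipient, message) the owner would receive

    def checkout(self, ff_id, user, reason, now):
        """Hand the privileged ID to an assigned user; every refusal is explicit."""
        ff = self.ffids.get(ff_id)
        if ff is None:
            raise PermissionError(f"unknown firefighter ID {ff_id}")
        valid_until = ff.assignments.get(user)
        if valid_until is None or now > valid_until:
            raise PermissionError(f"{user} has no valid assignment to {ff_id}")
        if not reason.strip():
            raise ValueError("a reason is mandatory for emergency access")
        if ff_id in self.active:
            raise RuntimeError(f"{ff_id} is already in use by {self.active[ff_id].user}")
        session = Session(ff_id, user, reason, now)
        self.active[ff_id] = session
        self.notifications.append((ff.owner, f"{user} checked out {ff_id}: {reason}"))
        return session

    def record(self, ff_id, tcode, field_changes, now):
        """Log one action with its field-level (old, new) values."""
        self.active[ff_id].activities.append(
            {"at": now, "tcode": tcode, "changes": dict(field_changes)})

    def checkin(self, ff_id, now):
        session = self.active.pop(ff_id)
        session.ended = now
        self.closed.append(session)
        return session

    def close_stale(self, now):
        """Force check-in of sessions exceeding MAX_SESSION; returns the ids closed."""
        stale = [fid for fid, s in self.active.items()
                 if now - s.started > self.MAX_SESSION]
        for fid in stale:
            self.checkin(fid, now)
        return stale

    def review_queue(self, controller):
        """Closed sessions this controller must review, with their activity count."""
        return [(s.ff_id, s.user, s.reason, len(s.activities))
                for s in self.closed
                if self.ffids[s.ff_id].controller == controller]


def build_demo():
    """Constructed landscape: one Firefighter ID, one valid and one expired assignment."""
    t0 = datetime(2024, 6, 1, 9, 0)
    ff = FirefighterID("FF_FIN_01", owner="FIN_OWNER", controller="FIN_CTRL",
                       assignments={"ALICE": t0 + timedelta(days=30),
                                    "BOB": t0 - timedelta(days=1)})
    return FirefighterService([ff]), t0


if __name__ == "__main__":
    svc, t0 = build_demo()
    svc.checkout("FF_FIN_01", "ALICE", "incident 42: blocked payment run", t0)
    svc.record("FF_FIN_01", "FK02", {"bank_account": ("111", "222")}, t0 + timedelta(minutes=5))
    svc.checkin("FF_FIN_01", t0 + timedelta(minutes=30))
    print(svc.review_queue("FIN_CTRL"))
```

The design point is that the log is append-only and keyed to the controller, so the review step cannot be skipped by the person who used the ID, and that a forgotten session is closed by policy rather than staying open indefinitely.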


6.6 Harmonization between all GRC products:

6.7 GRC - Management Oversight and Internal Audit

Management Oversight - At periodic intervals, managers need to exercise effective and comprehensive management oversight, review, and reaffirmation of user access. SAP GRC Access Control enables management to take responsibility by running periodic access reviews. At a high level, management oversight should include a review of the following key areas:

- All user provisioning and all emergency superuser access
- Potential risks (i.e. find users having authorized access to conflicting business functions who have not necessarily executed these transactions)
- Actual risks (i.e. determine through transaction monitoring whether users have actually run transactions that constitute an access violation)
- Access policy (i.e. review and fine-tune the rules library)

Internal Audit - Likewise, auditors periodically need effective and comprehensive audit information to verify that management follows policy. Typically, auditors will validate that all access has been properly approved and that mitigations are effective.

SAP GRC Access Control supports both target audiences with an unprecedented level of ease, effectiveness, and comprehensiveness.
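The distinction between potential and actual risk above is the part of a periodic access review that needs transaction usage data, not just role assignments. The Python example below is added to show that classification on constructed data; it is not SAP's report logic and not part of the original document. The risk definitions, users, authorized transactions and the execution log (shaped like a workload-statistics extract of user, transaction, date) are all made up, and the "unused access" list is an added reaffirmation aid that goes slightly beyond the text.

```python
from datetime import date

# Constructed: risk id -> (transactions of function A, transactions of function B)
RISKS = {
    "P001": ({"FK01", "FK02", "XK01"}, {"FB60", "MIRO"}),   # maintain vendor vs post invoice
    "P002": ({"ME21N"}, {"MIGO"}),                           # create PO vs goods receipt
}

# Constructed: transactions each user is authorized for (as derived from roles)
USER_TCODES = {
    "ALICE": {"FK01", "FB60", "MIRO", "FB03"},
    "BOB":   {"ME21N", "MIGO", "ME23N"},
    "DAVE":  {"ME21N", "ME23N"},
}

# Constructed execution log: (user, transaction, date executed)
EXEC_LOG = [
    ("ALICE", "FB60", date(2024, 5, 3)),
    ("ALICE", "FK01", date(2024, 5, 20)),
    ("BOB",   "ME21N", date(2024, 5, 7)),
    ("BOB",   "MIGO",  date(2024, 3, 2)),    # outside a May review period
    ("DAVE",  "ME23N", date(2024, 5, 9)),
]


def executed_in(user, start, end):
    """Transactions the user actually ran inside the review period."""
    return {t for u, t, d in EXEC_LOG if u == user and start <= d <= end}


def sod_review(start, end):
    """Classify every assigned SoD conflict as POTENTIAL (access exists) or
    ACTUAL (both sides of the conflict were executed in the period)."""
    findings = []
    for user, tcodes in sorted(USER_TCODES.items()):
        ran = executed_in(user, start, end)
        for rid, (side_a, side_b) in RISKS.items():
            if not (tcodes & side_a and tcodes & side_b):
                continue   # no conflicting access, nothing to review
            status = "ACTUAL" if (ran & side_a and ran & side_b) else "POTENTIAL"
            findings.append((user, rid, status))
    return findings


def unused_access(start, end):
    """Transactions assigned but never executed in the period: the first
    candidates for removal when a manager reaffirms a user's access."""
    return {u: sorted(t - executed_in(u, start, end)) for u, t in USER_TCODES.items()}


if __name__ == "__main__":
    may = (date(2024, 5, 1), date(2024, 5, 31))
    for finding in sod_review(*may):
        print(finding)          # ('ALICE', 'P001', 'ACTUAL'), ('BOB', 'P002', 'POTENTIAL')
    print(unused_access(*may))
```

Widening the review window changes the answer (BOB's P002 becomes ACTUAL once March is included), which is why the period of the underlying usage data must be stated on the review report itself.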

6.8 Implementation Approach

A typical approach to implementing GRC is a phased manner with selected components, focusing on regional implementations and pilots of selected functional modules for risk analysis and remediation. For a centralized GRC tool implementation, the implementation is based out of a central location with core team participation from all business units and locations.

The typical activities spanned in the implementation/roll-outs across the regions are:

- Rollout design, technical implementation, and piloting
- Rule customization and mitigating controls
- Analysis, remediation and end user trainings

As per industry best practice, it is advised to deliver end user training under the train-the-trainer concept. The core team, trained at the implementation stage, can then deliver end user training internally within the organization.

6.9 GRC Integration Aspects

Harmonization between all GRC products:


Access Risk Analysis (RAR):

User Access Management (CUP):


Business Role Governance (ERM):

Centralized Emergency Access (SPM)


7 SAP GRC Access Control Benefits

Risk Analysis and Remediation (Compliance Calibrator)

- Proactive compliance: prevents SoD issues created by role development from ever going live in production.
- Real-time risk reduction: detailed analysis of SoDs and automated monitoring gives data owners, administrators and auditors transparency of risk levels.
- Reduced compliance costs: through automation the analysis is complete and accurate and keeps the environment continuously clean; this saves time tracking down issues retrospectively.

Compliant User Provisioning (Access Enforcer)

- User administration with integrated risk analysis and mitigation keeps the system clean
- Provides simulation against the production system for risk analysis before changes are provisioned
- Provides a comprehensive audit trail
- Flexible configuration of multiple workflow paths and workflow triggers based on request type
- Ensures corporate accountability and compliance with Sarbanes-Oxley
- Automatically provisions users and roles in multiple SAP systems
- Automated email notification to the appropriate parties
- Provides numerous reports in analytical as well as chart views
- Integrated with the enterprise portal, providing authentication from a wide range of sources, including single sign-on, LDAP, SAP and non-SAP systems

Enterprise Role Management (Role Expert)

- Tracking progress during role implementation and monitoring the overall quality of the implementation.
- Performing risk analysis at role design time.
- Supporting workflow for role approval.
- Providing an audit trail for all role modifications.
- Maintaining roles after they are generated to keep role information current.


Super-user Privilege Monitoring (Fire Fighter)

- Efficient and effective super user privilege management, with tracking of all activity
- Allows personnel to take responsibility for tasks outside their normal job function. Firefighter describes the ability to perform tasks in emergency situations.
- Enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.
- Logging of all transactions executed during fire call usage.
- Temporarily redefines the IDs of users assigned to solve a problem, giving them provisionally broad but regulated access. There is complete visibility and transparency of everything done during the period.


8 ASAP Methodology

The ASAP methodology is SAP's proven implementation methodology, spread over 5 phases in the execution model of the GRC implementation. Phase 0, the baselining prior to the Initial Preparation or Project Preparation phase, is for strategizing the GRC roadmap for its effective usage and utilization. In this phase, proactive involvement in the SAP systems is required for role design, SoD analysis and violations, security policies and procedures re-established for the compliance requirements, and controls rationalization for the best assurance of SOX and other compliance requirements.

The internal tool developed to address all kinds of SAP project execution is aligned to the best practices of CMMi level 5, ISO 9001/27001, ITIL and ISO 27001 standards. Projects are managed, monitored and tracked with best-of-breed and industry standards using custom tool capabilities.


9 Deliverables

High-level deliverables of a typical SAP GRC AC implementation are:

Installation
- Installation of SAP GRC Access Control in DEV / QA and PROD server

Training
- Product overview training on SAP GRC Access Control (SAP GRC AC)

Risk Analysis and Remediation (Compliance Calibrator)
- Initial configuration of GRC Access Control
- Developing the company-specific rules in DEV / QA server (pilot with sample rules)
- Risk analysis and remediation for all standard business processes in DEV/QA
- Validation workshop on configured rule sets with BPO / IA team and modifications to them as per the needs of the business

Super User Privilege Management (Fire Fighter)
- Initial configuration of Super User Privilege Management in SAP GRC Access Control
- Define workflows for Super User Privilege Management - user masters and role management

Enterprise Role Management (Role Expert)
- Initial configuration of Enterprise Role Management in SAP GRC Access Control
- Configuration of role creation / modification and backend integration with SAP systems
- Define workflows for Enterprise Role Management
- Upload current company roles into Enterprise Role Management

Compliant User Provisioning (Access Enforcer)
- Initial configuration of Compliant User Provisioning in SAP GRC Access Control
- Define workflows for user provisioning
- Configuration of user creation / change workflow and backend integration with SAP systems
- Upload user masters and role assignments into Compliant User Provisioning

UAT
- User Acceptance Testing of SAP GRC Access Control

Reporting
- Analyzing and reporting current user access status based on standard RAR reports; CUP and ERM reporting features
- Super User Privilege Management reports for all log reviews and fire fighter activities

Training
- Training the trainers on RAR rule building and reporting, remediation, mitigation and alerts
- Performing and demonstrating remediation of identified non-acceptable roles and user violations
- Performing and demonstrating the setting up of mitigation controls and alerts for identified acceptable violations
- Training the trainers on end users upon request and handholding support
- Workflows and administration of Compliant User Provisioning (CUP) and Enterprise Role Management (ERM)
- Administration and monitoring of Super User Privilege Management (SPM) reports for log reviews and fire fighter activity monitoring

Installation (PROD)
- Installation and re-configuration (export and re-connectivity to SAP systems) of SAP GRC Access Control in PROD server

PROD Preparation
- Cutover plan and execution
- Initial configuration in PRD server of SAP GRC Access Control
- Exporting / uploading the configuration, company-specific rules, roles, users into SAP GRC Access Control in PRD server; data migration / cutover and UAT

GO LIVE
- GO LIVE and post go-live support for 5-10 days
