January 2015
[Figure: target-state identity and access architecture. SAP NetWeaver Identity Management receives new hire / change position events, calculates entitlements based on position, and creates users and assigns privileges in SAP systems (BOBJ, SRM) and in non-SAP systems; a web front end is used for access requests. SAP GRC Access Control performs the user/position compliance check and remediation, and the line manager approves the assignments.]

[Figure: the same architecture with SAP GRC 10 Access Control. Approvals are done using workflow; components marked "= Not in Scope" are excluded from the project.]
[Figure: SAP GRC 10 Access Control components for the SAP user. Redesigned Roles & Provisioning Process; Provision & Manage Users (PMU); Analyze & Manage Access Risk (AMR); Design & Manage Role (DMR) *; Centralized Emergency Access (CEA); Process Controls *; Phase II.]
Options considered:
A. > 2,000
B. > 1,000 and < 2,000
C. > 500 and < 1,000
D. < 500
Decision: Bite Size Inherent Conflict Free Task Roles
Task role examples (T-Code - Description):
Task role 1: F-43
Task role 2: MK01 - Create Vendor
Combined role: F-43; MK01 - Create Vendor; ME23 - Display PO
Access request workflow: Request Access -> List of Roles -> Manager Approve -> SOD Check (based on Rule-sets) -> Role Owners: Reject / Approve / Apply Mitigating Controls.
SOD remediation outcomes: 1: Removed User Access; 2: Adjusted Roles; 3: Adjusted SOD Rule-set(s).
SOD example:
Roles: ZE:PR_MAINT_VNDR_MSTER_BU_IT, ZE:PR_MAINT_VNDR_MSTER_HR, ZE:PR_MAINT_VNDR_MSTR_IC_BU_IT, ZE:PR_MAINT_VND_MSTR_BU_IT_RUS (transactions XK01, XK02)
Roles: ZE:PR_MAINT_PURCHASE_ORDER (transactions ME21, ME21N); Function: ZPR02 - Maintain Purchase Order
Risk: ZP008 - Maintain a fictitious vendor and initiate purchase to vendor
Action: Mitigate the users with SOD
Mitigating Control: PRO.PROCR.EBAYI.C01: The Global Vendor Manager reviews monthly vendor adds and change reports.
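As an added example, not from the original deck, a small Python model of the SOD check the slide describes: roles map to transaction codes, functions group transactions, a risk (ZP008) is a pair of functions no single user should hold, and a mitigating control on file turns a violation into a mitigated finding. The function id ZPR01, the roles ZE:DISPLAY_PO and ZE:BAD_COMBINED_ROLE, and the user ids are assumptions; the other identifiers are from the slide.

```python
# Constructed sample data mirroring the slide. Function "ZPR01" and the roles
# "ZE:DISPLAY_PO" / "ZE:BAD_COMBINED_ROLE" are hypothetical; the rest is from the slide.
ROLE_TCODES = {
    "ZE:PR_MAINT_VNDR_MSTER_BU_IT": {"XK01", "XK02"},  # vendor master maintenance
    "ZE:PR_MAINT_PURCHASE_ORDER": {"ME21", "ME21N"},   # purchase order creation
    "ZE:DISPLAY_PO": {"ME23"},                         # display-only, no SOD exposure
    "ZE:BAD_COMBINED_ROLE": {"XK01", "ME21N"},         # conflict inside a single role
}
# A function groups the transactions that perform one business activity.
FUNCTIONS = {
    "ZPR01": {"XK01", "XK02"},   # hypothetical id: Maintain Vendor Master
    "ZPR02": {"ME21", "ME21N"},  # from the slide: Maintain Purchase Order
}
# A risk is a pair of functions that no single user should be able to perform.
RISKS = {
    "ZP008": ("ZPR01", "ZPR02"),  # Maintain a fictitious vendor and initiate purchase
}
# Mitigating controls already assigned per (user, risk).
MITIGATIONS = {
    ("u_ebayi", "ZP008"): "PRO.PROCR.EBAYI.C01",  # monthly vendor add/change review
}


def functions_for_tcodes(tcodes):
    """Ids of every function that at least one of these transactions enables."""
    return {fid for fid, ftcodes in FUNCTIONS.items() if tcodes & ftcodes}


def risks_for_roles(roles):
    """Sorted risk ids triggered by holding all the given roles together."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
    held = functions_for_tcodes(tcodes)
    return sorted(rid for rid, (f1, f2) in RISKS.items() if f1 in held and f2 in held)


def role_is_conflict_free(role):
    """A 'bite size' task role must not trigger a risk on its own."""
    return not risks_for_roles([role])


def check_user(user, roles):
    """Each triggered risk becomes 'mitigated' (control on file) or 'violation'."""
    return {rid: "mitigated" if (user, rid) in MITIGATIONS else "violation"
            for rid in risks_for_roles(roles)}


def evaluate_request(user, current_roles, requested_roles):
    """Pre-approval SOD check: only the risks the requested roles would newly introduce."""
    before = set(risks_for_roles(current_roles))
    after = check_user(user, list(current_roles) + list(requested_roles))
    return {rid: status for rid, status in after.items() if rid not in before}
```

Run `evaluate_request` at the manager-approval step of the workflow and `role_is_conflict_free` during role design, so a conflict is caught before provisioning rather than in the periodic SOD review.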
[Table: risk level matrix with columns Level, Risk Definition, Mitigation Strategy and rows Low, Medium, High, Critical.]
Process Consideration: Automated User Provisioning
Lessons Learned
Principle of Security Redesign
Ensure that SAP Roles are clean and inherently conflict free.
Use transaction history as the basis of the redesign.
Log transactions for 6 months before the start of the project.
Define stakeholders and engage them. Leverage the steering committee to manage changes.
Engage with external auditors early; they are a key stakeholder.
Define business SOD rule-sets early; SOD rule-sets are the basis of your SOD conflicts.
Don't believe everything your consultants promise. Think about sustaining the process and systems when the consultants are gone.
Change management, change management, change management: training is key.
Articulate the governance process.
Governance Model
[Figure: Governance Team / Steering Committee made up of Controllers/Process Owners, Role Owners, Information Technology, and SOX PMO/Internal Audit. Dimensions: People, Process, GRC (System), Controls. Activities: Automated Provisioning; Automated SOD and Access Review; Fire Fighter User reports; GRC Maintenance; Role and Rule-Set Management; Fire Fighter Access; SOD Review. Controls: User Access Review; Critical Access Review; Firefighter Access Review; SOD Rule-set and Reports Review; ITGC Control.]
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies.