Page 1

SAP Security Overview for BT

July 13, 2007 Ravi Koppakula
Applied Materials Confidential/Business Transformation

Page 2

Introduction Security Overview

Agenda

Role development approach Role construction Roles - Single, Composite, Master, Derived (Spin) Role Naming Convention Segregation of Duties SAP GRC (Virsa) Compliance Calibrator Q&A
Applied Materials Confidential/Business Transformation

Page 3

Introduction
Provide access for employees to the information and actions needed to execute their responsibilities. Restrict unauthorized access, protecting corporate information and maintaining the integrity of the SAP system Create a flexible, integrated and simplified security structure that will allow quick response for changes in the future

3
Applied Materials Confidential/Business Transformation

Page 4

Security Overview
SAP security is based on granting access to various authorizations within the different object classes. The groundwork of the design will be based on granting access to select transactions which will limit the employees access. The next step is to control the locations that the employee has access to, either logical or physical, these locations are referred to as Hierarchy Elements or Organizational Values. The final step is controlling access to Key Objects which can be used to further allocate access to specific sub functions of a process. Hierarchy Elements / Organizational Values = Company Codes, Sale Organizations, Plants, Warehouses, Purchasing Groups, Storage Locations, Shipping Points, and Business Areas are all customer defined as needed Key Objects = Order Types, Document Types, Movement Types, Account Types and Authorization Groups

4
Applied Materials Confidential/Business Transformation

Page 5

Role Development Approach

Profile Generator Is a SAP provided tool that suggests authorization objects and values based on the SAP transactions that are included in the specific job role. Role SAP terminology for user system access that was developed utilizing the Profile Generator (PG). The Role contains a User Menu and system generated profiles and authorizations that are unique to the Role. Profiles and authorizations created with the PG are not used in any other Role. Authorizations building blocks of the SAP Security Structure Authorization Concept Combining a number of unique authorization objects to enable the end user access to complete their designated tasks. There are more than 40 SAP provided object classes which group similar authorization objects.Each object may contain multiple combinations of values that can be assigned within the individual object.

5
Applied Materials Confidential/Business Transformation

Page 6

Role Construction
Analysis Security team along with Function and Business team will put together the requirements. Impact analysis will be done. Design Security team will do the design, which included creating new roles, change in SU24, Creating new t-code for reports. Construction The building process of the end user roles will utilize SAPs authorization concept and the Profile Generator. After the initial roles are created a SOD tool will be used to identify conflicts within the Role, so that Organizational Alignment, Internal Audit and Functional Management can review issues before the final design is approved. During this process the roles will be tested and moved to QA. Following guidelines will be followed while creating or modifying roles T-code will be added using User Menu. No object will be manually added to the role. Roles will be generated and re-organized when required. Derived role will only have Org. Element changes
6
Applied Materials Confidential/Business Transformation

Page 7

Master Derived Roles

7
Applied Materials Confidential/Business Transformation

Page 8

Master Derived Roles contd

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before. The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either. Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level. The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles. You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.

8
Applied Materials Confidential/Business Transformation

Page 9

Composite Role

9
Applied Materials Confidential/Business Transformation

Page 10

Composite Role contd

A composite role is a container with several different roles. For reasons of clarity, it does not make sense and is therefore not allowed to add composite roles to composite roles. Composite roles are also called roles. Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role. Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group. The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.

10
Applied Materials Confidential/Business Transformation

Role Naming Convention

Page 11

11
Applied Materials Confidential/Business Transformation

Page 12

Segregation of Duties
Segregation of duties (SOD) is a type of control needed in business processes to insure that fraud or unintended financial transactions do not occur. Functionality versus Confidentiality Broadly speaking, SoD encompasses both the functions available to an employee (i.e., what a person can do) and the information available to an employee (i.e., what a person can see). Our focus is at the technology level; we focus on the functionality component of SoD and this aspect is most relevant to the financial reporting process.

The SoD review focuses on core business processes including: Revenue Procurement Inventory Management Asset Management General Ledger Accounting HR/Payroll etc., SoD conflicts can happen within a manual process and an SAP or other application process.

12
Applied Materials Confidential/Business Transformation

Page 13

SOD contd
Segregation of duties conflicts occur at 2 levels in Enterprise Applications: 1) Security Role/Profile - When conflicting transactions are configured into one security role or profile and are assigned to an end user. Resolution: Security role/profile is redesigned to remove the conflicting transaction codes. 2) End User Assignments -When an end user is assigned multiple security roles or profiles and the transaction codes within and between the roles cause a conflict. Resolution: One or more conflicting roles are removed from the End User or a compensating control is designed, documented, approved and implemented by business.

13
Applied Materials Confidential/Business Transformation

SAP GRC (Virsa) Compliance Calibrator

Automated tool to identify, analyze and resolve all sod issues. To run SOD reports against users and roles Simulate roles and users before providing access Create, change and maintain Rules and Mitigation controls, Owners, Approvers and Monitors. Mitigate roles in case of conflicts upon approvals Mitigate users in case of conflicts upon approvals Document Risk Mitigation users and controls.

Page 14

14
Applied Materials Confidential/Business Transformation

Cross System SOD

Page 15

Q&A

15
Applied Materials Confidential/Business Transformation