SAP Analytics – GRC 10.0 / Access Control 10.0
Strata
Fahri Batur, October 2013

SAP GRC 10.0 Clients – organisation and scope
• GRC Lab – live sandpit and demo system
• Live AC v10 RAR proof of concept
• AC v10 RAR/SPM migration
• Live AC v10 ARA, EAM: scoping, planning, design. Live July 2012
• PC and AC v10 global transformation project
• AC migration from v4 to v10 complete
• AC v10 ARA, EAM
• AC v10: provide consultancy to support partner
• Migrate AC/PC v10 to complete PwC implementation
• Europe’s first v10 proof of concept (pre ramp-up), AC/PC/RM

Agenda – Day 1
• Who are Integrc
• SAP GRC 10.0 – Overview
• ARA Functionality – High Level
• EAM Functionality – High Level
• ARM Functionality – High Level
• BRM Functionality – High Level
• Business Rule Framework (BRF) Plus – Overview
• Questions

Agenda – Day 2
• ARM – Creating a request (High Level)
• ARM – Processing a request (High Level)
• ARA – Rule set maintenance
• Background Synchronisation
• Access Control – configuration overview
• Questions

SAP GRC 10.0 Overview
Governance, Risk and Compliance (GRC) embraces how processes, controls, security and culture integrate to ensure that the organisation has integrity. GRC is thus how an organisation manages risk while meeting its own objectives, yet remaining compliant with external and internal standards.
SAP GRC 10.0 Overview – What’s in a name
The Access Control 5.3 components were renamed in AC 10.0:
• Risk Analysis and Remediation (RAR) → Access Risk Analysis (ARA)
• Superuser Privilege Management (SPM) → Emergency Access Management (EAM)
• Compliant User Provisioning (CUP) → Access Request Management (ARM)
• Enterprise Role Management (ERM) → Business Role Management (BRM)

SAP GRC 10.0 Overview – Technical landscape
• GRC connects to each target system via an RFC destination.
• GRC manages the flow of data to and from the target system internally, so only one RFC connection is needed between GRC and each target system.
• A GRC 10 plug-in must be installed in the target system; it contains the data extraction and integration programs.
• The plug-ins replace the AC 5.3 Real Time Agents (RTAs).
• The RFC destination runs under a technical user in the target system that carries the plug-in’s authorisations. Treat it as a privileged account: user type System or Communication, no dialog logon, authorisations limited to what the plug-in needs, and its password handled as a secret.

SAP GRC 10.0 Overview – What’s new in AC 10
• Transport mechanism
• OSS Notes and Support Packs
• Granular security
• Common ABAP platform

Standard ABAP core platform
• GRC 10 now runs on the standard SAP NetWeaver ABAP platform.
• Standard remote connections (RFCs) to SAP ABAP systems; Greenlight connectors are supported for non-SAP systems.
• A single RFC destination per target system serves all of Access Control.
• Significantly improved system response times compared with AC 5.3.

Transportable core configuration
• Configuration is maintained through SPRO (the IMG) and is transportable.

NetWeaver Business Client (NWBC) HTML front end
• NWBC can be launched from SAP GUI or opened directly via its internal web address (URL).

Integrated common user interface
• One user interface for Risk Management, Process Control and Access Control.

Integrated master data source
• Access Control, Process Control and Risk Management now use the same integrated master data: organisation structures, business processes and business sub-processes.

Centralised Emergency Access Management (firefighter)
• Single point of log-in for all systems
• Single point for assignment maintenance
• Single point of reporting
• New workflows to enhance the firefighter log review process and provide evidence that the log review has been done

Easier and quicker mitigation control assignment
• Mitigations can be assigned directly from the risk analysis report.
• Mitigations can be assigned to multiple users at once.

Enhanced reporting tool
• Access Risk Analysis, Access Request Management, Emergency Access Management and Business Role Management all benefit from improved reporting functionality.
• All reports have multiple criteria for selection and filtering.
• Enhanced drill-down on graphical reports allows more effective investigation of violations.

Enhanced integration with SAP Identity Management.

ARA Functionality – High Level: Access Risk Analysis overview
Access Risk Analysis (ARA): this GRC component allows the organisation to carry out detailed analysis of the access that has been assigned to the user community. ARA uses a segregation of duties (SoD) matrix to create a set of rules against which the analysis is run. The main driver is to reduce the ability for fraud to be committed or to go undetected, or for a misrepresentation of financial statements to occur.

The SoD matrix is a many-to-many relationship. In Access Risk Analysis:
• A rule set is the set of generated rules: rule generation expands each risk into one rule per combination of the actions (and permissions) of its functions.
• A risk is formed of two or more conflicting functions.
• A function contains one or more transactions (actions) and their associated authorization objects (permissions).
• A risk can be cross-system, i.e. an action in system A conflicts with access in system B.
• Risks are classed as Critical, High, Medium or Low. These levels are defined by the client; a high risk at one client may be a low risk at another.
• A critical action (or critical permission) risk is a single transaction (action) or permission that, performed on its own, is deemed a risk warranting either remediation or mitigation.
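As an added illustration of the rule set model described above (example code written for this page, not part of the Integrc deck and not SAP’s own implementation), the block below builds functions and risks from constructed sample data, expands the risks into action-level rules the way rule generation does, and checks one user’s access against them. It covers an SoD risk inside one system, a cross-system SoD risk, and a critical action risk. The function and risk IDs, the connector names ECC and SRM, and the user’s access are all hypothetical sample data; the transaction codes are only illustrative.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Function:
    fid: str
    actions: frozenset   # "CONNECTOR:TCODE" strings; a function may span systems


@dataclass(frozen=True)
class Risk:
    rid: str
    level: str           # Critical / High / Medium / Low, defined by the client
    functions: tuple     # one function -> critical action risk; two or more -> SoD risk


def generate_rules(risks, functions):
    """Expand every risk into action-level rules: one rule per combination of
    one action taken from each of the risk's functions. A risk whose two
    functions hold 2 and 2 actions therefore yields 4 rules."""
    rules = {}
    for risk in risks:
        action_lists = [sorted(functions[fid].actions) for fid in risk.functions]
        rules[risk.rid] = [tuple(combo) for combo in product(*action_lists)]
    return rules


def analyse_user(user_actions, rules, risks):
    """Report every generated rule whose actions are all held by the user.
    Returns a sorted list of (risk id, risk level, matching rule) tuples."""
    level_of = {r.rid: r.level for r in risks}
    hits = [(rid, level_of[rid], rule)
            for rid, rule_list in rules.items()
            for rule in rule_list
            if set(rule) <= user_actions]
    return sorted(hits)


# Constructed sample rule set (hypothetical IDs, not SAP-delivered content)
FUNCTIONS = {
    "AP01": Function("AP01", frozenset({"ECC:XK01", "ECC:FK01"})),  # maintain vendor master
    "AP02": Function("AP02", frozenset({"ECC:FB60", "ECC:MIRO"})),  # post vendor invoices
    "PR01": Function("PR01", frozenset({"SRM:BBP_POC"})),           # process purchase orders in another system
    "BS01": Function("BS01", frozenset({"ECC:SU01"})),              # user administration
}
RISKS = [
    Risk("P001", "High", ("AP01", "AP02")),      # SoD: create a vendor and pay it
    Risk("P002", "Medium", ("AP01", "PR01")),    # cross-system SoD: vendor master in ECC, POs in SRM
    Risk("B001", "Critical", ("BS01",)),         # critical action: user administration on its own
]


def sample_analysis():
    """Constructed user: vendor maintenance and invoice posting in ECC plus
    PO processing in SRM, but no SU01."""
    user = {"ECC:XK01", "ECC:FB60", "ECC:MIRO", "SRM:BBP_POC", "ECC:SE16"}
    return analyse_user(user, generate_rules(RISKS, FUNCTIONS), RISKS)


if __name__ == "__main__":
    for rid, level, rule in sample_analysis():
        print(f"{rid} ({level}): {' + '.join(rule)}")
```

Two things are worth noticing when reading the result: the same risk can be reported several times for one user (once per matching rule), which is why the rule count grows multiplicatively with the number of actions per function, and the cross-system conflict is found only because both connectors sit in the same analysis scope.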
ARA Functionality – High Level: Standard reports
Ad-hoc risk analysis for users or roles:
• Select the Access Management folder
• Choose what you wish to report on
• Select User Level or Role Level
• Several of the fields have alternative logic that can be applied

AC 10 vs AC 5.3 – Executive Summary report
• The same reports are available: Executive Summary, Management Summary, Summary and Detailed level
• Reports can be exported to Excel
• Reports can be filtered and sorted on screen

Ad-hoc reports run in foreground or background
• When you execute the report you choose foreground or background, as in AC 5.3; in AC 10 you can also schedule the same ad-hoc jobs to run periodically.

Reporting – management reports from batch analysis
• Select the Reporting and Analytics tab and the report to run.
• The report can be manipulated on screen, and you can drill down to the underlying report data.

Multiple risk rule sets
• AC 5.3 also supported multiple risk rule sets, but they could only be used in ad-hoc risk analysis.
• In AC 10 a default risk rule set can be set; it is used by Risk Terminator and, by default, by Access Request Management.
• Background (batch) risk analysis can be scheduled with a different risk rule set.
• One or more risk rule sets can be selected in the ad-hoc reports.
• Access Request Management can also select the risk rule set automatically, based on the information in the access request.

EAM Functionality – High Level: Emergency Access Management overview
• Central point for firefighter access
• Central point for firefighter configuration
• Assign criticality to firefighter IDs
• Document unplanned activity
• Consolidated log report
• Centralised emergency access sign-off for log reports

Emergency Access Management (EAM): this GRC component provides exceptional access in addition to the normal access used for day-to-day activities. EAM grants the user regulated, temporary, elevated access through the assignment of a temporary ID (a firefighter ID) or a role (a firefighter role).
• AC 10 EAM has been enhanced to centrally control, monitor and report on all firefighting activity in the connected target system(s).
• AC 5.3 Superuser Privilege Management (SPM) access must be disabled in the target system.
• AC 10 does not read the AC 5.3 SPM firefighter logs held in the target systems.

EAM access can be granted by one of two methods; it is recommended to use only one method per installation at any one time.
• Firefighter ID: the most commonly used method. The firefighter ID exists in the target system as a service user with elevated access rights and is assigned to the firefighter in the central GRC AC 10 system. The firefighter logs on to the GRC AC 10 system and runs transaction GRAC_SPM, which opens the EAM cockpit showing the firefighter IDs assigned to them and the systems in which they are assigned. Because the session is opened through the RFC connection, the firefighter never needs the firefighter ID’s password; keep that password unknown to firefighters, since a direct logon with it would not be tied to a firefighter, a reason code or a controller.
• Firefighter role: the firefighter roles are created in the target system and assigned to the firefighter in the central AC 10 system.
• With the role-based method the firefighter logs on directly to the target system with their own ID and password and is granted the additional access from the firefighter roles assigned in the central system.

Enhanced monitoring
• Emergency Access Management now reads the change document tables CDHDR and CDPOS, the transaction statistics (STAD) and the system logs SM20, SM21 and SM49.
• These sources are referred to as the Transaction Log (STAD), Change Log (CDHDR/CDPOS), System Log (SM21), Audit Log (SM20) and OS Command Log (SM49).
• Not all change data is written as change documents (CDHDR), so table logging should still be activated.
• The Audit Log only contains what the Security Audit Log in the target system is configured to record (SM19 filters); if it is not switched on, that part of the firefighter log stays empty.

Reason codes, firefighter IDs and firefighter usage
• Reason codes are centrally maintained and can be assigned and used in a single system or in multiple systems.
• Firefighter IDs are centrally maintained and can be assigned and used in a single system or in multiple systems.
• Firefighter IDs and firefighter roles are created locally in the target systems.
• Firefighters, firefighter controllers and firefighter owners only need to log on to the one central system.

Centralised consolidated log
• The Consolidated Log gives you all change records and actions in one report; it is found under the Reports and Analytics tab.
• The log is updated by a scheduled background task, generally run hourly; it can also be run manually from the Consolidated Log screen. Until the next run, the most recent firefighter activity is not yet visible to the controller.
• The report selection screen is similar to the ARA report screens; the different logs can be selected from the drop-down.

ARM Functionality – High Level: Access Request Management overview
Access Request Management has changed significantly from 5.3 to 10:
• ARM uses the standard SAP Business Workflow engine.
• ARM uses Multi Stage Multi Path (MSMP) technology; all access requests run through one MSMP process.
• ARM uses Business Rule Framework plus (BRF+) for decision making. BRF+ can route requests based on request content, select which risk rule set to use, and decide who receives the request (the MSMP agent).
• SAP HR changes can also be used to trigger requests.
• ARM uses SAP documents (SE61) for email templates (text only, no pictures).

ARM includes new standard workflows for:
• Firefighter log review: reviewing the firefighter’s activity and confirming that the review has taken place.
• Rule set maintenance: protecting the rule set, risks and functions from unauthorised change and providing an online approval mechanism for these changes.

ARM includes a new configurable request screen: EUPs and templates
• End User Personalization (EUP) configuration allows you to include or remove fields on the request screen, set default field values, and make fields mandatory or optional.
• Request templates allow you to include default values for a template, such as a default system or role.

Under the Access Management tab you can select the access request options: Access Request Creation, Template Based Request, Copy Request and Model User Request.

Out-of-the-box workflows
• AC 10.0 comes with a set of standard workflow processes; each process comes with its own default workflow.
• Workflows are built and modified using the seven-step process shown at the top of the MSMP configuration screen (transaction GRFNMW_CONFIGURE): Process Global Settings, Maintain Rules, Maintain Agents, Variables and Templates, Maintain Paths, Maintain Route Mapping, Generate Versions.

Global process-specific settings
• For key events in the workflow process, specific emails can be generated and sent to specified persons.
• If a request encounters either of the escape conditions shown on the settings screen, it can be routed to a specific path and stage.

Workflow stage settings
• Each stage in a workflow is configured individually to allow the appropriate level of functionality; the order of the stages is determined by the workflow path.

Notifications: out-of-the-box emails
• Every workflow event can trigger an email notification.
• Emails are sent to recipients by means of agent rules.
• The standard emails can be copied and the copies modified to meet your requirements (SE61).

BRM Functionality – High Level: Business Role Management overview
• Roles are built and modified using PFCG
• Composite and CUA roles compatible*
• User-level impact analysis simulation
• Analysis of role usage
• Risk analysis performed against business roles
• Business role hierarchies
• Role content certification
• Fully integrated with ARA and ARM
• Business roles concept adopted: business roles are cross-platform role groupings.
• A business role can include composite roles, single roles and portal roles from all systems (BI, SRM, ECC, etc.).
• Enhanced role methodology: streamlines role definition and management.
• The role owner approvers for assignment and for content can be different people.
• Enforces role naming conventions.
• Supports the build of master and derived roles.
• Integrates with PFCG; it does not replace it.

Role import
• Role import has its own step-by-step process: the role type is set, the initial attributes are configured, and the upload templates are loaded.

Roles in BRM
• Once uploaded, roles can be searched for; additional search criteria can be added and the search results can be exported.

Role certification
• Allows the role owner to periodically review and certify the content of the role.
• The certification period is an attribute of each role (optional functionality).
• Once the certification period has elapsed, an email is sent to the role owner; the email template can be customised (SE61).

Business Rule Framework Plus
• Initiator rules determine the path upon submission of the request.
• Routing rules determine a detour routing based upon an attribute of the request (e.g. an SoD violation).
• Agent rules determine the recipients of a stage and the notification recipients.

Rule implementation options by rule type:

Implementation        Initiator   Routing   Agent
BRF+ rule             X           X         X
BRF+ flat rule        X           X         X
Function module       X           X         X
ABAP class            X           X         X
Direct user mapping                         X
User group mapping                          X
Role assignment                             X

Building a BRF+ rule
• Decision table: this is where you build your logic. If it is not green it will not work, so highlight it and click Activate.
• Function: this is linked to the decision table. If it is not green it will not work, so highlight it and click Activate.
• Activate button: after editing the decision table you must activate both the decision table and the function.
• Table Settings button: this is where you select the fields (columns) that populate the decision table.

ARM Functionality – High Level: Creating requests
Request types
• The requester selects the type of request they wish to create.
• Each request type can be processed by one or more workflows, e.g. several workflows to create new accounts; the attributes of the individual request determine which of these workflow processes the request uses.

Creating a request
• Access can be requested for yourself, for someone else, or for multiple people who need identical access.
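As an added illustration of how a BRF+ decision table behaves when it is used as an MSMP initiator or routing rule (example code written for this page, not SAP’s BRF+ engine and not from the deck), the block below models a small initiator table and a routing table. It shows the two properties a practitioner depends on when building such tables: rows are evaluated top-down and the first match wins, and an empty condition cell matches any value. It also adds a check for rows that can never fire because a wildcard row sits above them, which is the usual cause of a request taking the wrong path. The column names, connector names and path IDs are hypothetical.

```python
ANY = None  # an empty condition cell in the decision table: matches any value

# Constructed initiator decision table, evaluated top-down, first match wins.
# Condition columns: request type, target connector, requester is a Basis user.
# Result column: MSMP path ID. All IDs are hypothetical.
INITIATOR_TABLE = [
    # REQ_TYPE  CONNECTOR   BASIS_USER   RESULT PATH
    ("NEW",     "ECC_PRD",  True,        "PATH_NEW_ECC_BASIS"),
    ("NEW",     "ECC_PRD",  ANY,         "PATH_NEW_ECC"),
    ("NEW",     ANY,        ANY,         "PATH_NEW_DEFAULT"),
    ("CHANGE",  ANY,        ANY,         "PATH_CHANGE"),
    ("DELETE",  ANY,        ANY,         "PATH_DELETE"),
]

# Constructed routing decision table: detour when the request carries an SoD violation.
ROUTING_TABLE = [
    (True,  "PATH_SOD_REVIEW"),   # detour to a risk review path
    (False, None),                # no detour: stay on the current path
]


class RuleEvaluationFailure(Exception):
    """No decision table row matched. In MSMP this surfaces as the rule
    evaluation failure escape condition and needs a configured escape route."""


def evaluate(table, *values):
    """Return the result of the first row whose conditions all match."""
    for *conditions, result in table:
        if all(c is ANY or c == v for c, v in zip(conditions, values)):
            return result
    raise RuleEvaluationFailure(f"no row matches {values}")


def initiator_path(request):
    """Initiator rule: the path a freshly submitted request starts on."""
    return evaluate(INITIATOR_TABLE, request["type"], request["connector"], request["basis_user"])


def routing_detour(has_sod_violation):
    """Routing rule: the path to detour to, or None to continue on the current path."""
    return evaluate(ROUTING_TABLE, has_sod_violation)


def shadowed_rows(table):
    """Indices of rows that can never fire because an earlier row already
    matches every value they would match. Typical cause: a wildcard row
    placed above a more specific one. Run before activating a table."""
    shadowed = []
    for i, (*conds, _) in enumerate(table):
        for *earlier, _ in table[:i]:
            if all(e is ANY or e == c for e, c in zip(earlier, conds)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    req = {"type": "NEW", "connector": "ECC_PRD", "basis_user": True}
    print(initiator_path(req), routing_detour(True), shadowed_rows(INITIATOR_TABLE))
```

Because the rule raises rather than silently returning a default when nothing matches, a request type that nobody thought of cannot quietly land on the first path; the same discipline applies in the real configuration, where every process needs an escape route for rule evaluation failures.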
• Access can be requested to one or to multiple systems.

Role selection
• Roles can be restricted by business process.
• A request can be created based upon another user’s access (model user).
• Multiple attributes can be assigned to roles and used for searching.
• You can review existing role assignments and choose to remove them in the same request as requesting new ones.

ARM – Processing a request (High Level)
Approver’s inbox
• Once submitted, the request is routed to the inbox of the first approver.

Risk analysis during approval
• Risk analysis of a request can be made mandatory or optional for specific approval stages.
• Where it is optional, an approver can approve a request carrying an unmitigated SoD violation without ever having seen it; the usual control is to make it mandatory at least at the security approval stage.

Audit log
• The full audit trail is available to each approver within the request, and it remains available for review once the request has completed.

ARA – Rule set maintenance
Business process and business sub-process
• This is one of the shared master data areas; it is mainly used by AC, but Process Control (PC) also uses it.
• The configuration is done in the IMG and is transportable.

Rule set-up
• Rule set-up and maintenance is done via the front end.
• Only administrators should have access to this area, and the rule set maintenance workflow should be used so that changes to functions and risks are approved before they take effect.

Functions
• Click the Function quick link to display the existing functions.
• Click Create to add a function, or Open to edit an existing one; either opens a new window or tab.

Functions – actions
• Enter the function ID, the business process, the analysis scope and a description.
• Click Add to add a transaction; select the system and the transaction and set the status to Active. Repeat for all transactions, then click Save.

Functions – permissions
• To change the permissions, click the Permission tab.
• The default values are derived from table USOBT_C, in this case from the copy held in the AC 10 system (populated from the target systems by the authorization synchronisation job), not read live from the target system.
• Deactivate or activate them as required by the client.

Risks (access or SoD risks)
• SoD risks require two or more functions (a critical action risk has one).
• Click Create; a second window or tab opens.
• Enter the risk ID, risk type, business process, description, risk level, status, detailed description and control objective.
• Click Add in the Functions tab to add the conflicting functions.

Rule set – rule generation
• Rules can be generated in the back end or in the front end, and in the foreground or in the background.
• Back end: run transaction GRAC_GENERATE_RULES.
• Front end: the function and risk screens have a Generate Rules button.

Rule set – mass maintenance and upload
• The mass maintenance process is identical to AC 5.3: the rule set is downloaded, amended and uploaded.
• Rules are connector (physical system) or logical system dependent.
• All files are required for the upload.
• The upload can either Overwrite (replace) or Append (add to) the existing rules.
• Rules need to be generated after the upload.
• This task is carried out in the back end of the GRC system.
• Rule sets can be transported through the landscape; this requires that the connectors and logical systems are named identically throughout the landscape.

Rule set – mass maintenance and upload: download first
• Always download the current rule set first: run transaction GRAC_DOWNLOAD_RULES.
• Risk rules are allocated against a physical system or against a logical system group. Download all rules for all logical groups and physical systems, and save the files by rule set.

Rule set – mass maintenance and upload: file format
• The files can be edited in Notepad, but it is more common to change them in MS Excel.
• The file format is very important: save as Text (Tab delimited) with a .TXT extension.
• If the files are not in the correct format the data will not load or you will get errors, so:
  • Do not add any extra columns
  • Do not add column headings
  • Do not add filters
• Excel also silently rewrites cells that look like dates or long numbers (for example a value such as 1-10 becomes a date); check such cells after saving.

Rule set – mass maintenance and upload: prerequisites
• Before uploading the new rule set, carry out a few prerequisites to comply with internal audit requirements and change control:
  • Full role risk analysis against the affected logical systems
  • Full user risk analysis against the affected logical systems
  • A specific risk analysis that demonstrates the reason for your change: a new risk, or a change to the action or permission content

Rule set – mass maintenance and upload: upload
• To upload the new rule set, run transaction GRAC_UPLOAD_RULES.
• The rules are allocated against a physical system or a logical system group.
• If you use Append mode you only need to upload against the logical or physical systems that you changed.
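As an added pre-upload check for the file format rules listed above (example code written for this page, not from the deck and not part of SAP’s GRAC_UPLOAD_RULES), the block below validates one rule set file before it is handed to the upload: .TXT extension, tab-delimited, no column heading row, a constant number of columns, no blank lines, and cells that look as if Excel converted them to a date or to scientific notation. The four-column layout of the constructed sample files and the header-word heuristic are assumptions for the example; take the real column count from a fresh GRAC_DOWNLOAD_RULES export of the file in question.

```python
import re

# Cells Excel is likely to have rewritten when the file passed through it:
# "1-Oct" / "1/10" (text read as a date) and "1.2E+15" (a long number).
DATE_LIKE = re.compile(r"^\d{1,2}-[A-Z][a-z]{2}(-\d{2,4})?$|^\d{1,2}/\d{1,2}(/\d{2,4})?$")
SCI_NOTATION = re.compile(r"^\d(\.\d+)?E[+-]\d+$")
# Words that only appear in a file if a column heading row was left in place (heuristic).
HEADER_WORDS = {"FUNCTION", "ACTION", "RISK", "RULESET", "DESCRIPTION", "STATUS", "SYSTEM"}


def validate_rule_file(filename, text, expected_cols):
    """Return a list of (line number, problem) tuples for one rule set file.
    Line 0 denotes a whole-file problem. An empty list means every check
    passed, so the file is at least structurally safe for the upload."""
    problems = []
    if not filename.upper().endswith(".TXT"):
        problems.append((0, "extension is not .TXT"))
    lines = text.splitlines()
    if not lines:
        return problems + [(0, "file is empty")]
    if "\t" not in text:
        problems.append((0, "no tab characters: file is not tab delimited"))
    for n, line in enumerate(lines, 1):
        if line.strip() == "":
            problems.append((n, "blank line"))
            continue
        cells = line.split("\t")
        if n == 1 and any(c.strip().upper() in HEADER_WORDS for c in cells):
            problems.append((n, "looks like a column heading row"))
        if len(cells) != expected_cols:
            problems.append((n, f"{len(cells)} columns, expected {expected_cols}"))
        for c in cells:
            if DATE_LIKE.match(c):
                problems.append((n, f"cell {c!r} looks like an Excel date conversion"))
            elif SCI_NOTATION.match(c):
                problems.append((n, f"cell {c!r} is in scientific notation"))
    return problems


# Constructed sample files. The four-column layout (function, action,
# connector, status) is an assumption made for this example only.
GOOD_FILE = "AP01\tXK01\tECC_PRD\t1\nAP01\tFK01\tECC_PRD\t1\nAP02\tFB60\tECC_PRD\t1\n"
BAD_FILE = (
    "Function\tAction\tSystem\tStatus\tFilter\n"   # heading row plus a fifth column
    "AP01\tXK01\tECC_PRD\t1\t\n"                   # the extra column shows up as a trailing tab
    "AP01\t1-Oct\tECC_PRD\t1\n"                    # action code rewritten by Excel as a date
    "\n"                                           # blank line
)

if __name__ == "__main__":
    print(validate_rule_file("Function_Action.txt", GOOD_FILE, 4))
    for line, problem in validate_rule_file("Function_Action.csv", BAD_FILE, 4):
        print(f"line {line}: {problem}")
```

Run it over every file of the rule set before the upload rather than after: a column count that is off by one on a single line is exactly the kind of error that otherwise only appears as a rejected upload or, worse, as silently missing rules after generation.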
• After the upload, remember to generate the rules: run transaction GRAC_GENERATE_RULES.
• Then repeat your test risk analyses and compare the results with those taken before the change, to make sure you have the desired result.

Rule set – mass delete
• It is best practice to take a full copy of the current rule set before a deletion, to act as a back-out plan.
• Run transaction GRAC_RULE_DELETE, choose the physical system, logical system or cross-system, then tick the check box for the data to delete.

Rule set – transporting
• Downloading and uploading the rule set was the previous way to move it through the landscape; this is still acceptable, but rule sets can now also be transported.
• Run transaction GRAC_RULE_TRANSPORT and select the physical or logical system.
• The logical systems and physical systems must have identical names throughout the landscape.

Background Synchronisation
Authorization sync
• Updates GRC with the USOBT and USOBT_C data from the target systems.
• The job is connector (target system) dependent and must be run for each connector.
• It can be run as an incremental or a full sync.

Repository Object sync – “the king of syncs”
• The sync options are Profile; Profile and Role; Profile, Role and User; Incremental; Full Sync.
• This job is the equivalent of the 5.3 User, Role and Profile sync jobs and should be run nightly (incremental mode) and weekly (full mode). It may be necessary to sync users more frequently.
• If you experience any ARA or EAM problems, try running this job: it often resolves missing or inconsistent data in the system.
• The job is connector (target system) dependent and must be run for each connector.

Action and Role Usage sync
• These two jobs copy the usage data from the target system to GRC and populate the usage reports.
• The job is connector (target system) dependent and must be run for each connector.

Firefighter Log and Workflow sync
• The Firefighter Log sync collects the firefighter ID and firefighter role usage data from the target system and updates the logs. It should be run hourly; more frequent runs may be required if firefighting is used extensively.
• The Firefighter Workflow sync runs after the Log sync; it creates the firefighter log review workflow items and notifies the controller to review them. (The ARM workflow must be in place for this to work.)
• The job is connector (target system) dependent and must be run for each connector.

Access Control – configuration overview
• All Access Control configuration is carried out in the back-end system in the IMG (SPRO).
• The configuration is transportable, but some of it is maintained locally in each system, such as the RFC connections and the number ranges.
• Transportable configuration requires consistent names across the entire landscape: the firefighter role name, logical system names, connector names, the organisational structure, and the connections to all target systems, SAP and non-SAP.
• Not all configuration is required, as some areas are specific to individual use.

Access Control – configuration location
• The Access Control settings sit in the IMG under Governance, Risk and Compliance > Access Control.

Configuration parameters
• The configuration is segregated into parameter groups. For the latest version see the Maintaining Configuration Settings Guide at https://service.sap.com/instguides > Analytics > Governance, Risk, and Compliance > Access Control > Release 10.0.
• To create a new entry, choose the parameter group from the drop-down, enter the parameter ID and enter the parameter value. To update a parameter, scroll down the list, locate the parameter and update its value.

Connector settings
• In the connector settings we maintain the connector type and whether the connector is activated for Password Self Service (PSS).

Maintain Access Risk Levels / Maintain Business Processes and Subprocesses
• Maintain Access Risk Levels is where the risk levels are maintained; the default values are delivered in the BC sets.
• Business processes and sub-processes are now a shared component used across ARA, ARM, BRM and Process Control.
• Every business process must have at least one sub-process.

Maintain Data Sources Configuration
• Here we set up the order of the systems that AC uses to authenticate and to look up user data. These can be an SAP system (SU01 record), an HR system (HR organisation) or LDAP (network directory).

Logical groups
• In AC 10 the use of system groups has changed to logical groups.
• Logical groups are groupings of systems that perform the same function: ERP with ERP, BI with BI; a Basis group spans all NetWeaver systems.
• If you group two systems with different functions, e.g. ERP and BI, then depending on their order within the logical group you may find that the transaction description is missing in the function.
• Logical groups are set in SPRO: Governance, Risk and Compliance > Common Component Settings > Maintain Connectors and Connection Types. The names are your choice, but SAP delivers some standard ones in the BC sets.
© Copyright 2024