SAP Analytics GRC 10.0
Access Control 10.0
Strata
Fahri Batur
October 2013
SAP GRC 10.0 Clients
Organisation
Scope
GRC Lab - live sandpit & demo system
Live AC v10 RAR proof of concept
AC v10 RAR/SPM migration LIVE
AC v10 ARA, EAM : scoping, planning, design. Live July 2012
PC and AC v10 global transformation project
AC migration from v4 to v10 complete
AC v10 ARA, EAM
AC v10: provide consultancy to support partner
Migrate AC/PC v10 to complete PwC implementation
Europe’s first v10 proof of concept (pre ramp-up), AC/PC/RM
Agenda
Day 1
Who are Integrc
SAP GRC 10.0 - Overview
ARA Functionality – High Level
EAM Functionality – High Level
ARM Functionality – High Level
BRM Functionality – High Level
Questions
Agenda
ARM Creating a request High Level
ARM Processing a request High Level
ARA – Rule set maintenance
Background Synchronisation
Access control – configuration overview
Questions
SAP GRC 10.0 Overview
Governance, Risk & Compliance (GRC) embraces how processes, controls, security and culture integrate to ensure the organisation has integrity.
GRC is thus how an organisation manages risk whilst allowing the organisation to meet its own objectives, yet remaining compliant with external and internal standards.
SAP GRC 10.0 Overview
What’s in a name (diagram slide: new component names)
SAP GRC 10.0 Overview
Technical Landscape overview
GRC connects to the target system via an RFC.
Internally GRC manages the flow of data to and from the target system, which means there is only one RFC connection made between GRC and the target system.
You have to install a GRC 10 plug-in into the target system. This contains the data extraction and integration programmes.
These plug-ins replace the AC 5.3 RTAs.
SAP GRC 10.0 Overview
What’s new in AC 10 (diagram slide)
Transport Mechanism
OSS Notes & Support Packs
Granular Security
Common ABAP Platform
SAP GRC 10.0 Overview
What’s new in AC 10
Standard ABAP core platform
GRC 10 now uses the standard SAP ABAP platform
Standard remote connections (RFCs) to SAP ABAP systems
Use of Greenlight connectors is supported for non-SAP systems
Single-use RFCs for Access Control
Significantly improved system response times compared with AC 5.3
Transportable core configuration
Configuration is maintained through SPRO
Configuration is transportable
NetWeaver Business Client HTML frontend
NWBC is accessible from SAPGUI or directly via an internal web address (URI)
SAP GRC 10.0 Overview
What’s new in AC 10
Integrated common user interface for Risk Management, Process Control and Access Control
Integrated master data source
Access Control, Process Control and Risk Management now use the same integrated master data: organisation structures, business processes and business sub-processes
Centralised Emergency Access Management (firefighter)
Single point of log-in for all systems
Single point for assignment maintenance
Single point of reporting
New workflows to enhance the firefighter log review process and provide evidence that the log review has been done
SAP GRC 10.0 Overview
What’s new in AC 10
Easier and quicker mitigation control assignment
Mitigation can be assigned directly from the risk analysis report
Mitigations can be assigned to multiple users at once
Enhanced reporting tool
Access Risk Analysis, Access Request Management, Emergency Access Management and Business Role Management all benefit from improved reporting functionality
All reports have multiple criteria for selection and filtering
Enhanced drill-down capability on graphical reporting for more effective investigation of violations
Enhanced integration with SAP Identity Management
ARA Functionality – High Level
Access Risk Analysis - Overview
Access Risk Analysis [ARA]: This GRC component allows the organisation to carry out detailed analysis of the access which the user community has been assigned.
ARA uses a Segregation of Duties (SoD) matrix to create a set of rules against which the analysis can be run. The main driver is to reduce the ability for fraud to be committed or to go undetected, or for a misrepresentation of financial statements to occur.
ARA Functionality – High Level
Access Risk Analysis - Overview
The SoD matrix is a many-to-many relationship.
In Access Risk Analysis:
A ruleset contains a combination of each variation of the risks.
A risk is formed of two or more conflicting functions.
A function contains one or more transactions (or actions) and their associated authorization objects.
A risk can be cross-system, i.e. an action in system A is in conflict with access in system B.
Risks are classed as Critical, High, Medium or Low. These are defined by the client, and a high risk in one client may be a low risk at another.
A critical access risk is a transaction (or action) that, when performed by itself, is deemed to be a risk warranting either remediation or mitigation.
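To make the function / risk / ruleset hierarchy above concrete, here is an added example (not part of the original deck and not SAP code) that models a tiny action-level ruleset and runs a user-level risk analysis over it, covering a cross-system risk, a critical-action risk and a mitigation flag. The function IDs, risk IDs, transactions and users are constructed sample data; authorization-object permissions are deliberately left out.

```python
from itertools import product

# Constructed sample master data (illustrative only, not a delivered SAP ruleset).
# A function holds one or more actions, keyed as (system, transaction) so that
# a risk can span systems. Authorization-object permissions are left out here.
FUNCTIONS = {
    "PR01": {("ECC", "ME21N"), ("ECC", "ME22N")},   # maintain purchase orders
    "AP02": {("ECC", "F-53"), ("ECC", "F110")},     # post vendor payments
    "BW01": {("BW", "RSA1")},                       # BW administrator workbench
    "UM01": {("ECC", "SU01")},                      # user maintenance
}

# A risk is two or more conflicting functions plus a client-defined level;
# a critical-action risk has exactly one function.
RISKS = {
    "P001": {"functions": ["PR01", "AP02"], "level": "High"},
    "X001": {"functions": ["PR01", "BW01"], "level": "Medium"},  # cross-system
    "C001": {"functions": ["UM01"], "level": "Critical"},        # critical action
}
LEVEL_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def generate_rules(risk_id):
    """Expand one risk into every combination of its functions' actions.
    This is what 'a ruleset contains each variation of the risks' means at
    action level; in the product, GRAC_GENERATE_RULES does the expansion."""
    action_lists = [sorted(FUNCTIONS[f]) for f in RISKS[risk_id]["functions"]]
    return list(product(*action_lists))


def risk_systems(risk_id):
    """All systems touched by the functions of a risk."""
    return {sys for f in RISKS[risk_id]["functions"] for sys, _ in FUNCTIONS[f]}


def user_risk_analysis(user_id, user_access, mitigations=frozenset()):
    """User-level action risk analysis.

    user_access: set of (system, transaction) the user can execute.
    mitigations: set of (user_id, risk_id) pairs that have a mitigating control
    assigned; such risks are still reported but flagged as mitigated.
    Returns findings ordered by risk level, most severe first.
    """
    findings = []
    for risk_id, risk in RISKS.items():
        # A risk fires only if the user holds at least one action of EVERY function.
        if all(FUNCTIONS[f] & user_access for f in risk["functions"]):
            findings.append({
                "risk": risk_id,
                "level": risk["level"],
                "cross_system": len(risk_systems(risk_id)) > 1,
                "mitigated": (user_id, risk_id) in mitigations,
            })
    return sorted(findings, key=lambda x: (LEVEL_ORDER[x["level"]], x["risk"]))


if __name__ == "__main__":
    # Constructed sample users: ALICE has a classic PO/payment conflict,
    # BOB has a cross-system conflict plus a mitigated critical action.
    alice = {("ECC", "ME21N"), ("ECC", "F110")}
    bob = {("ECC", "ME22N"), ("BW", "RSA1"), ("ECC", "SU01")}
    for user, access in (("ALICE", alice), ("BOB", bob)):
        for finding in user_risk_analysis(user, access, {("BOB", "C001")}):
            print(user, finding)
```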
ARA Functionality – High Level
Standard reports: ad-hoc risk analysis for users or roles
Select the Access Management folder
Choose what you wish to report on
Select User Level or Role Level
Several of the fields have alternative logic that can be applied
ARA Functionality – High Level
AC 10 vs AC 5.3 – Executive Summary report
The same reports are available
Executive Summary
Management summary
Summary
Detailed level
Reports can be exported to Excel
Reports can be filtered on screen
Reports can be sorted on screen
ARA Functionality – High Level
Ad-hoc reports run in foreground or background
When you execute the report you have a choice to run it in the foreground or background, the same as in AC 5.3, but in AC 10 you can also schedule the same ad-hoc jobs to run periodically.
ARA Functionality – High Level
Reporting – Management reports from Batch analysis
Select the Reporting and Analytics tab
Select the report to run
The report can be manipulated on screen
You can drill down to get the report data
ARA Functionality – High Level
Multiple Risk rule set
AC 5.3 also supported multiple risk rulesets, but they could only be used in ad-hoc risk analysis.
In AC 10 we are able to set a default risk ruleset which can be used by Risk Terminator or by default in Access Request Management.
We can schedule background (batch) risk analysis to use a different risk ruleset.
We can select one or more risk rulesets in the ad-hoc reports.
Also in Access Request Management we now have the functionality to automatically select the risk ruleset to be used, based on the information in the access request.
EAM Functionality – High Level
Emergency Access Management overview (diagram slide)
Central point for firefighter access
Central point for firefighter configuration
Assign criticality to firefighter IDs
Document unplanned activity
Consolidated log report
Centralised Emergency Access
Sign-off for log reports
EAM Functionality – High Level
Emergency Access Management overview
Emergency Access Management [EAM]: This GRC component provides exceptional access in addition to the normal access for day-to-day activities. EAM grants the user regulated, temporary elevated access through the assignment of a temporary ID called a firefighter ID, or a role called a firefighter role.
AC 10 EAM has been enhanced to centrally control, monitor and report on all firefighting activities in the connected target system(s).
AC 5.3 Super User Management [SPM] access needs to be disabled in the target system.
AC 10 does not read the AC 5.3 SPM firefighter logs in the target systems.
EAM Functionality – High Level
Emergency Access Management overview
EAM access can be granted by one of two methods; it is recommended to use only one method per installation at any one time.
Firefighter ID: This is the most commonly used method. The firefighter ID exists in the target system as a service user with superior access rights and is assigned to the firefighter in the central GRC AC 10 system. The firefighter accesses the GRC AC 10 system and executes transaction GRAC_SPM, where they will see the EAM cockpit and the firefighter IDs that are assigned to them and the systems in which they are assigned.
Firefighter role: The firefighter roles, which are created in the target system, are assigned to the firefighter in the AC 10 central system. The firefighter logs on directly to the target system using their own ID and password, and is granted the additional access from the firefighter roles assigned in the central system.
EAM Functionality – High Level
Enhanced monitoring
Emergency Access Management has enhanced monitoring: it now looks at the CDPOS and CDHDR tables and also retrieves data from STAD and the system logs SM20, SM21 and SM49.
These are also referred to as the Transaction Log, Change Log, System Log, Audit Log and OS Command Log.
Not all change data is logged in CDHDR, so table logging should still be activated.
EAM Functionality – High Level
Reason codes and firefighter IDs
Firefighter usage reason codes are centrally maintained
Reason codes can be assigned and used in multiple systems
Reason codes can be assigned and used in single systems
Firefighter IDs are centrally maintained
Firefighter IDs can be assigned and used in multiple systems
Firefighter IDs can be assigned and used in single systems
Firefighter IDs and firefighter roles are locally created in the target systems
Firefighters only need to log on to the one central system
Firefighter controllers and owners only need to log on to one central system
EAM Functionality – High Level
Centralised Consolidated Log
The Consolidated Log gives you all the change records and actions in one report.
The Consolidated Log is under the Reports and Analytics tab.
The log is updated by a scheduled background task which is generally scheduled to run hourly, but it can also be run manually directly from the Consolidated Log screen.
The report selection screen is similar to the ARA report screens.
You can select different logs from the drop-down.
ARM Functionality – High Level
Access Request Management - Overview
Access Request Management has changed significantly from 5.3 to 10.
ARM uses the standard SAP workflow engine.
ARM uses Multi Stage, Multi Path (MSMP) technology.
All requests for access use one stream of the MSMP.
ARM uses Business Rule Framework (BRF+) technology for decision making.
BRF+ allows you to route requests based on request content, select which of the risk rulesets to use, and decide who to send the request to (MSMP agent). It can also use SAP HR changes to trigger requests.
ARM uses SAP documents for email templates (text only, no pictures).
ARM Functionality – High Level
Access Request Management – Overview
ARM includes new standard workflows for:
Firefighter log review workflow for reviewing and confirming the review of the firefighter’s activity
Ruleset maintenance workflow to protect the ruleset, risks and functions from unauthorised changes and provide an online approval mechanism for these changes
ARM includes new configurable request screen EUPs and templates
End User Provisioning (EUP) configuration allows you to include or remove fields from the request screen, default field values and set mandatory and non-mandatory fields
The request templates allow you to include default values for a template, like a default system or role
ARM Functionality – High Level
Under the Access Management tab, you can select the access request options:
Access Request Creation, Template based Request, Copy Request, Model User Request
ARM Functionality – High Level
Out of the Box Workflows
AC 10.0 comes with the following workflow processes:
Each process comes with its own default workflow.
Workflows are built and modified using the 7-step process at the top of the screen.
ARM Functionality – High Level
Global process specific settings
For key events in the workflow process, specific emails can be generated and sent to specified persons.
In the event of a request encountering either of these conditions, the request can be routed to a specific path & stage.
ARM Functionality – High Level
Workflow stage settings
Each stage in a workflow is individually configured to allow for the appropriate level of functionality.
The order of the stages is determined in the workflow path.
ARM Functionality – High Level
Notification: Out of the box emails
Every workflow event can trigger an email notification.
Emails can be sent to recipients by means of ‘Agent Rules’.
The standard emails can be copied and the copies modified to meet your requirements (SE61).
BRM Functionality High level
Business Role Management Overview (diagram slide)
Roles built & modified using PFCG
Composite CUA roles compatible*
User level impact analysis simulation
Analysis of role usage
RA performed against Business Roles
Business Role hierarchies
Role content certification
BRM Functionality High level
Business Role Management Overview
Fully integrated with ARA and ARM
Business roles concept adopted:
Business roles are cross-platform role groupings. A business role can include composite roles, single roles and portal roles from all systems (BI, SRM, ECC etc.)
Enhanced role methodology:
Streamlines role definition and management
Role owner approvers for assignment and for content can be different people
Enforces role naming conventions
Supports the build of master and derived roles
Integrates with PFCG; it does not replace it
BRM Functionality High level
Business Roles
BRM Functionality High level
Role Import
Role Import has its own step-by-step process
Role type is set here
Initial attributes are configured here
Upload templates
BRM Functionality High level
Roles in BRM
Once uploaded, roles can be searched for.
The search results can be exported.
Additional search criteria can be added.
Role Search
BRM Functionality High level
Role Certification
Allows the role owner to periodically review and certify the content of the role
Certification period is an attribute of each role (optional functionality)
Once the certification period has elapsed, an email is sent to the role owner
It is possible to customise the email template (SE61)
Business Rule Framework Plus
Initiator Rules
• Determines the path upon submission of the request
Routing Rules
• Determines a detour routing based upon an attribute of a request (e.g. SoD violation)
Agent Rules
• Determines the recipients of a stage and notification recipients
Business Rule Framework Plus
Rule implementation options per rule type (X = available):

Implementation        | Initiator Rules | Routing Rules | Agent Rules
BRF Rules             | X               | X             | X
BRF Flat Rules        | X               | X             | X
Functional Modules    | X               | X             | X
ABAP Class            | X               | X             | X
Direct User Mapping   |                 |               | X
User Group Mapping    |                 |               | X
Role Assignment       |                 |               | X
Business Rule Framework Plus
Decision Table – this is where you build your logic
If it’s not green, it won’t work (so highlight it and click on ‘Activate’)
Function – this is linked to the Decision Table
If it’s not green, it won’t work (so highlight it and click on ‘Activate’)
‘Activate’ button – after editing the Decision Table, you must ‘Activate’ both the Decision Table and the Function
‘Table Settings’ button – this is where you select the fields to populate the Decision Table
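As an added example (not part of the deck and not SAP’s BRF+ code), here is a toy decision-table evaluator that plays the three rule types above, initiator, routing and agent, together with the risk-ruleset selection described under ARM, and shows the "not activated" failure mode: an inactive table returns nothing, so the request cannot be routed. Path names, stage names, request attributes and first-match semantics are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed request attributes that the rules decide on."""
    request_type: str            # e.g. "NEW_ACCOUNT", "CHANGE_ACCOUNT" (assumed names)
    systems: tuple               # connectors requested
    requester_dept: str = ""
    sod_violations: int = 0      # filled in by risk analysis at an approval stage


@dataclass
class DecisionTable:
    """Ordered rows of ({column: predicate}, result); first matching row wins
    (assumed match mode). An inactive table yields nothing, which models the
    page's 'if it's not green, it won't work' behaviour."""
    rows: list
    active: bool = True

    def evaluate(self, req):
        if not self.active:
            return None
        for conditions, result in self.rows:
            if all(pred(getattr(req, col)) for col, pred in conditions.items()):
                return result
        return None


# Initiator rule: which path a request takes on submission.
INITIATOR = DecisionTable([
    ({"request_type": lambda v: v == "NEW_ACCOUNT"}, "PATH_NEW_ACCOUNT"),
    ({"request_type": lambda v: v == "CHANGE_ACCOUNT"}, "PATH_CHANGE"),
    ({}, "PATH_DEFAULT"),                       # catch-all row
])
# Ruleset selection: which risk ruleset the request's risk analysis uses.
RULESET = DecisionTable([
    ({"systems": lambda v: "BW" in v}, "BI_RULESET"),
    ({}, "GLOBAL_RULESET"),
])
# Routing rule: detour when a request attribute (here an SoD violation) is set.
ROUTING = DecisionTable([
    ({"sod_violations": lambda v: v > 0}, "PATH_SOD_REVIEW"),
])
# Agent rules: who receives each stage.
AGENTS = {
    "MANAGER_STAGE": DecisionTable([
        ({"requester_dept": lambda v: v == "FIN"}, ["fin.manager"]),
        ({}, ["line.manager"]),
    ]),
    "ROLE_OWNER_STAGE": DecisionTable([({}, ["role.owner"])]),
    "SECURITY_STAGE": DecisionTable([({}, ["security.admin"])]),
    "SOD_STAGE": DecisionTable([({}, ["risk.owner", "security.admin"])]),
}
# Stage order per path (assumed; in MSMP this is the workflow path definition).
PATH_STAGES = {
    "PATH_NEW_ACCOUNT": ["MANAGER_STAGE", "ROLE_OWNER_STAGE"],
    "PATH_CHANGE": ["MANAGER_STAGE"],
    "PATH_DEFAULT": ["SECURITY_STAGE"],
    "PATH_SOD_REVIEW": ["SOD_STAGE", "ROLE_OWNER_STAGE"],
}


def route_request(req, sod_violations):
    """Resolve path, ruleset, stages and stage agents for one request.
    sod_violations stands in for the outcome of the risk analysis stage."""
    path = INITIATOR.evaluate(req)
    if path is None:
        raise ValueError("initiator rule inactive or no matching row")
    ruleset = RULESET.evaluate(req)
    req.sod_violations = sod_violations
    detour = ROUTING.evaluate(req)
    if detour is not None:
        path = detour                           # SoD violation forces the detour path
    stages = PATH_STAGES[path]
    agents = {stage: AGENTS[stage].evaluate(req) for stage in stages}
    return {"path": path, "ruleset": ruleset, "stages": stages, "agents": agents}
```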
ARM Functionality – High Level
Creating Requests: Request Types
Requester selects the type of request they wish to create.
Each request type can be processed by one or more workflows, e.g. several workflows to create new accounts; the attributes of the individual request will determine which of these workflow processes the request uses.
ARM Functionality – High Level
Creating a Request:
It is possible to request access for yourself, for someone else, or for multiple people who need identical access.
ARM Functionality – High Level
Creating a Request:
It is possible to request access to one or multiple systems
ARM Functionality – High Level
Creating a Request: Role Selection
Roles can also be restricted by Business Process
Create a request based upon another user’s access
Multiple attributes can be assigned to roles and used for searching
ARM Functionality – High Level
Creating a Request: Role Selection
You can review existing role assignments, and you can choose to remove them in the same request as requesting new ones.
ARM Processing a request High Level
Approvers Inbox
Once submitted, the request is routed to the inbox of the first approver.
Processing a Request: Risk Analysis
Risk analysis is performed during the approval of the request. Risk analysis of a request can be made mandatory or optional for specific approval stages.
Audit log
The full audit trail is available to each approver within the request. It is also available for review once the request has completed.
ARA – Rule set maintenance
Business Process and Business Sub - Process
This is one of the shared master data areas; it is mainly used by AC, but Process Control (PC) also uses it.
The configuration is done in the IMG and is transportable.
ARA – Rule set maintenance
Rule set-up
Rule set-up and Maintenance is done via the Frontend
Only administrators should have access to this area
ARA – Rule set maintenance
Functions
Click on the “Function” quick link to display the existing Functions
Click the Create button, a new window / tab will open
Click the Open button, a new window / tab will open
ARA – Rule set maintenance
Functions - Action
Enter the Function ID, the Business Process, Analysis Scope and a Description.
Click the Add button to add a transaction.
Select the system and the transaction and set the status to active (repeat for all transactions), then click Save.
ARA – Rule set maintenance
Functions - Permissions
To change the permissions click on the Permission tab.
The default values are derived from table USOBT_C, in this case the values from the AC 10 system, not the target system.
Deactivate or activate them as required by the client.
ARA – Rule set maintenance
Risk
Access (or SoD) risks require two or more functions.
Click ‘Create’; a second window or tab will open.
Enter the Risk ID, Risk Type, Business Process, Description, Risk Level, Status, Description and Control Objective.
Click ‘Add’ in the Functions tab.
ARA – Rule set maintenance
Ruleset – rule generation
Rules can be generated in the backend or in the frontend. They can also be generated in the foreground or the background.
Backend: run transaction “GRAC_GENERATE_RULES”.
Frontend: in the function and risk screens you will find the “Generate rules” button.
ARA – Rule set maintenance
Ruleset – Mass maintenance and upload
The mass maintenance process is identical to AC 5.3: the ruleset is downloaded, amended and uploaded.
Rules are connector, or logical system, dependent.
All files are required for the upload.
File upload can be either Overwrite (replace) or Append (add to).
Rules need to be generated after upload.
This task is carried out in the backend of the GRC system.
Rulesets can be transported through the landscape.
This requires that the connectors and logical systems are identical throughout the landscape.
ARA – Rule set maintenance
Ruleset – Mass maintenance and upload
Always do a download of the ruleset first: run transaction GRAC_DOWNLOAD_RULES.
Risk rules are allocated against a physical system or against a logical system group. Download all rules for all logical groups and physical systems.
Save the files by ruleset.
ARA – Rule set maintenance
Ruleset – Mass maintenance and upload
The files can be manipulated in Notepad, but it’s more common to change them in MS Excel.
The format for saving the file is very important: they should be Text (Tab delimited) and saved with a *.TXT extension.
If the files are not in the correct format, then the data will not load or you will get errors, so:
Do not add any extra columns
Do not add column headings
Do not add filters
ARA – Rule set maintenance
Ruleset – Mass maintenance and upload
Before you upload the new ruleset you need to carry out a few prerequisites to comply with internal audit requirements and change control:
Full role risk analysis against the affected “Logical systems”
Full user risk analysis against the affected “Logical systems”
Specific risk analysis to identify the reason for your change (new risk, change to the action or permission content)
ARA – Rule set maintenance
Ruleset – Mass maintenance and upload
To upload the new ruleset run transaction “GRAC_UPLOAD_RULES”.
The rules are allocated against a physical system or against a logical system group.
If you use append mode you only need to upload against the logical / physical systems that you changed.
ARA – Rule set maintenance
Ruleset – Mass maintenance and upload
After the upload remember to generate the rulesets: run transaction “GRAC_GENERATE_RULES”.
Then repeat your test risk analysis and compare the results to make sure you have the desired results.
ARA – Rule set maintenance
Ruleset – Mass delete the rulesets
It is best practice to take a full copy of the ruleset you currently have before you do a deletion; this acts as a back-out plan.
Run transaction “GRAC_RULE_DELETE”.
Choose the physical system, logical system or cross-system, then select the check box for the data to delete.
ARA – Rule set maintenance
Ruleset – Transporting
Downloading and uploading the ruleset was the previous way to move the ruleset through the landscape, and this is still acceptable, but we can now transport them as well.
Run transaction “GRAC_RULE_TRANSPORT” and select the physical or logical system. Remember the logical systems and the physical systems have to have identical names throughout the landscape.
Background Synchronisation
Authorization Sync
The Authorization Sync is used to update GRC with the USOBT and USOBT_C data from the target systems.
The job is connector (target system) dependent and must be run for each connector.
Background Synchronisation
Repository Object Sync – “The King of Syncs”
The sync options are:
• Profile
• Profile & role
• Profile, Role & user
• Incremental
• Full Sync
This job is the equivalent of the 5.3 User, Role and Profile sync jobs and should be run on a nightly basis (incremental mode) and weekly (full mode).
It may be required to sync the users more frequently.
If you experience any ARA or EAM problems, try running this job, as sometimes it helps to resolve missing or inconsistent data in the system.
The job is connector (target system) dependent and must be run for each connector.
Background Synchronisation
Action & Role Usage Sync
These two jobs are used to copy the usage data from the target system to GRC.
These are used to populate the usage reports.
The job is connector (target system) dependent and must be run for each connector.
Background Synchronisation
Firefighter Log & Workflow Sync
The Firefighter Log sync collects the firefighter ID / role usage data from the target system and updates the logs.
This should be run hourly; more frequent running may be required if Firefighter is used extensively.
The Firefighter Workflow sync is run after the Log sync; this populates the FF log review workflow items and notifies the controller to review them. (Workflow must be ARM for this to work.)
The job is connector (target system) dependent and must be run for each connector.
Access control – configuration overview
All the Access Control configuration is carried out in the back-end system in the IMG (SPRO).
The configuration is transportable, but some configuration is also done locally, like the RFC connections and the number ranges.
Transportable configuration requires you to have consistent names across the entire landscape.
These include firefighter role names, logical system names, connector names, the organisational structure and the connections to all target systems, SAP and non-SAP.
Not all configuration is required, as some areas are specific to individual use.
Access control – configuration overview
Access Control – configuration location
Access control – configuration overview
Configuration parameters
The configuration is segregated into the following parameter groups:
For the latest version see the Maintaining Configuration Settings Guide on https://service.sap.com/instguides > Analytics > Governance, Risk, and Compliance > Access Control > Release 10.0.
Access control – configuration overview
Configuration parameters
To create a new entry choose the parameter group from the drop-down, enter the parameter ID and enter the parameter value.
To update a parameter scroll down the list, locate your parameter and update the parameter value.
Access control – configuration overview
Connector settings
In the connector settings we maintain what type the connector is and whether it’s activated for Password Self Service (PSS).
Access control – configuration overview
Maintain Access Risk Levels – Maintain Business Processes and Subprocesses
Maintain Access Risk Levels: this is where we maintain the risk levels.
The default values are contained in the BC sets.
Maintain Business Processes and Subprocesses: these are a shared component now and are used across ARA, ARM, BRM and Process Control.
Every business process must have a sub-process.
Access control – configuration overview
Maintain Data Sources Configuration
Here we set up the order and the systems that AC uses to authenticate and look up user data. This can be:
SAP system (SU01 record)
HR system (HR organisation)
LDAP (network directory)
Access control – configuration overview
Logical groups
In AC 10 the use of system groups has changed to logical groups.
Logical groups are groupings of systems that perform the same task:
ERP & ERP
BI & BI
Basis – all NetWeaver systems
If you link two systems with different functions (ERP & BI), then depending on the order in the logical grouping you may find that the transaction description is missing in the function.
Access control – configuration overview
Logical groups
We set these in SPRO: Governance, Risk and Compliance > Common Component Settings > Maintain Connectors and Connection Types.
The name is your choice, but SAP deliver some standard ones (in the BC sets).