SAP GRC Access Control
8 May 2008 Carl Clicteur
[Figure: risk plotted against time. Periodic audits only detect risk at discrete points, whereas continuous monitoring keeps it visible at all times.]
Maturity model: from manual controls to continuous compliance

Non-awareness (spreadsheets)
- Lack of visibility
- Lack of control
- Manually-intensive Business & IT processes
- Reactive and non-integrated approach
- Overwhelming sample sizes (audit)

Confusion
- Lack of visibility
- Lack of control
- Manually-intensive Business & IT processes
- Reactive and non-integrated approach
- Approach not driven by risk
- Large sample sizes for audit

Automation of controls
- Embedded risk & control library
- Automated user access process
- Real-time risk analysis
- Integrated, but reactive approach
- Reduced sample sizes for audit

True Vision
- Approach driven by risk
- Embedded risk management
- Proactive approach by simulation of changes
- True Business transparency

Continuous Compliance (monitoring)
- Alerts & monitoring of the effectiveness of controls
- Audit trail of all changes and approvals
- Business value

Benefit
- Increased stakeholder confidence
- Improved Business performance and sustainability
SAP GRC Access Control 5.2: three stages and the component that supports each

Stage 1: Get clean
- Risk Identification & Remediation: SAP GRC Risk Analysis and Remediation (Compliance Calibrator)

Stage 2: Stay clean by continuous Access Management
- Emergency Access Control: SAP GRC Superuser Privilege Management (Firefighter)
- Role Change Management: SAP GRC Enterprise Role Management (Role Expert)
- User Access Management: SAP GRC Compliant User Provisioning (Access Enforcer)

Stage 3: Stay in control
- Periodic Review & Audit
SAP GRC Risk Analysis and Remediation (Compliance Calibrator)

The rule set is layered from business language down to technical talk: Business process -> Risk -> Functions -> Actions -> Permissions -> Org. rules. A risk is only real when a user can execute every function it is built from.

Business process: P001: Procure to Pay Process
Risk: PR07: Maintain a Vendor's Bank Account Number and Release Invoice for Payment, might lead to monetary loss.
Function 1: PR01: Maintain Vendor Master Data
Function 2: AP03: Release Blocked Invoices
Actions (SAP transaction codes): FK01, FK02, XK01, XK02, XK99 (vendor master maintenance, function PR01) & MRBR (release blocked invoices, function AP03)
Permissions (SAP authorization objects and values, shown for PR01):
- F_LFA1_APP: ACTVT = 01 or 02, APPKZ = F
- F_LFA1_BUK: ACTVT = 01 or 02, BUKRS = $BUKRS
- F_LFA1_GRP: ACTVT = 01 or 02, KTOKK = VEN1
Org. rules: Belgium => $BUKRS = BE00
SAP GRC Compliant User Provisioning (Access Enforcer)

Request workflow (automated provisioning):
1. Initiator (SAP end users or Line Managers) submits an access Request.
2. User Data Source supplies user data & authentication.
3. Risk Analysis is performed by SAP GRC Risk Analysis & Remediation before anyone approves.
4. Approvals by Line Managers, Role Owners and Risk Owners.
5. Notifications & Reminders are sent through the Email Server.
6. Automated Provisioning into the SAP System through the Workflow Connectors.
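The rule hierarchy on the Compliance Calibrator slide and the request workflow above can be exercised end to end in a short script. The following Python is an added example and not SAP's code: it encodes the PR07 rule exactly as shown (functions, actions, authorization objects and the Belgium org. rule), decides whether a set of roles makes both conflicting functions executable, and then simulates an access request before approval, routing it to a Risk Owner only when the request introduces a risk the user does not already carry. The roles Z_VENDOR_MAINT_BE, Z_VENDOR_MAINT_DE, Z_AP_INVOICE_RELEASE and Z_VENDOR_DISPLAY, the DE00 company code and the approver routing are constructed assumptions.

```python
"""Added example, not SAP code: a minimal segregation-of-duties (SoD) rule engine
that follows the Compliance Calibrator hierarchy (business process -> risk ->
functions -> actions -> permissions -> org. rules) and is then used the way
Access Enforcer uses it: a request is simulated against the user's current
access before it is routed for approval. Roles, users and the DE00 company
code are constructed; only the PR07 rule data comes from the slide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    fid: str
    actions: frozenset          # SAP transaction codes
    permissions: dict           # auth object -> {field: set of allowed values}


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    functions: tuple            # a conflict exists only if ALL are executable


# Rule data from the slide. "$BUKRS" is a placeholder resolved by an org. rule.
PR01 = Function("PR01", frozenset({"FK01", "FK02", "XK01", "XK02", "XK99"}), {
    "F_LFA1_APP": {"ACTVT": {"01", "02"}, "APPKZ": {"F"}},
    "F_LFA1_BUK": {"ACTVT": {"01", "02"}, "BUKRS": {"$BUKRS"}},
    "F_LFA1_GRP": {"ACTVT": {"01", "02"}, "KTOKK": {"VEN1"}},
})
# The slide shows no authorization values for AP03, so it is checked at action level only.
AP03 = Function("AP03", frozenset({"MRBR"}), {})
PR07 = Risk("PR07", "Maintain a Vendor's Bank Account Number and Release Invoice "
            "for Payment, might lead to monetary loss", (PR01, AP03))
ORG_RULES = {"Belgium": {"$BUKRS": "BE00"}}   # unknown org -> KeyError, not a silent miss

# Constructed roles: (transaction codes, authorization values) each role grants.
ROLES = {
    "Z_VENDOR_MAINT_BE": ({"FK01", "FK02"}, {
        "F_LFA1_APP": {"ACTVT": {"01", "02"}, "APPKZ": {"F"}},
        "F_LFA1_BUK": {"ACTVT": {"01", "02"}, "BUKRS": {"BE00"}},
        "F_LFA1_GRP": {"ACTVT": {"01", "02"}, "KTOKK": {"VEN1"}}}),
    "Z_VENDOR_MAINT_DE": ({"FK01", "FK02"}, {
        "F_LFA1_APP": {"ACTVT": {"01", "02"}, "APPKZ": {"F"}},
        "F_LFA1_BUK": {"ACTVT": {"01", "02"}, "BUKRS": {"DE00"}},
        "F_LFA1_GRP": {"ACTVT": {"01", "02"}, "KTOKK": {"VEN1"}}}),
    "Z_AP_INVOICE_RELEASE": ({"MRBR"}, {}),
    "Z_VENDOR_DISPLAY": ({"FK03"}, {"F_LFA1_APP": {"ACTVT": {"03"}, "APPKZ": {"F"}}}),
}


def effective_access(role_names):
    """Union of transaction codes and authorization values over a user's roles."""
    tcodes, auths = set(), {}
    for name in role_names:
        r_tcodes, r_auths = ROLES[name]
        tcodes |= r_tcodes
        for obj, fields in r_auths.items():
            for fld, vals in fields.items():
                auths.setdefault(obj, {}).setdefault(fld, set()).update(vals)
    return tcodes, auths


def can_execute(func, tcodes, auths, org):
    """Executable if at least one action is granted AND every permission
    object/field has a matching value, with org. placeholders resolved."""
    if not (func.actions & tcodes):
        return False
    for obj, fields in func.permissions.items():
        for fld, required in fields.items():
            required = {ORG_RULES[org].get(v, v) for v in required}
            if not (required & auths.get(obj, {}).get(fld, set())):
                return False
    return True


def analyze(role_names, org, risks=(PR07,)):
    """Risk IDs a set of roles triggers for one organisational unit."""
    tcodes, auths = effective_access(role_names)
    return sorted(r.rid for r in risks
                  if all(can_execute(f, tcodes, auths, org) for f in r.functions))


def simulate_request(current_roles, requested_roles, org):
    """Access Enforcer style pre-approval check: risks the request newly introduces
    add the Risk Owner to the approval chain."""
    before = set(analyze(current_roles, org))
    after = set(analyze(set(current_roles) | set(requested_roles), org))
    new_risks = sorted(after - before)
    approvers = ["Line Manager", "Role Owner"] + (["Risk Owner"] if new_risks else [])
    return {"new_risks": new_risks, "approvers": approvers}


if __name__ == "__main__":
    print(analyze({"Z_VENDOR_MAINT_BE", "Z_AP_INVOICE_RELEASE"}, "Belgium"))
    print(simulate_request({"Z_AP_INVOICE_RELEASE"}, {"Z_VENDOR_MAINT_BE"}, "Belgium"))
```

Two checks are worth noting. A function counts as executable only when both an action and every permission value match, so a display-only role (FK03 with ACTVT 03) never triggers PR07 even though it touches the same authorization object. The org. rule is what turns "$BUKRS" into BE00 when Belgium is analysed, so a vendor-maintenance role restricted to DE00 combined with invoice release is reported as no conflict for Belgium; without the org. rule the same pair would be a false positive.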
SAP GRC Superuser Privilege Management (Firefighter)

Emergency access flow:

Regular mode
- User holds pre-approved access to use Firefighter
- User activates Firefighter mode

Firefighter mode
- User enters a business justification
- User receives elevated privileges
- E-mail notification sent to the Controller
- Log files collected for the user
- User leaves Firefighter mode
- Log report sent to the Controller
- User loses elevated privileges
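The flow above maps directly onto a small break-glass session manager. The following Python is an added example, not the Firefighter product's implementation: it refuses users who are not pre-approved and empty justifications, notifies the controller on activation, records every action taken while elevated, and on exit produces the log report for the controller and drops the elevation. It also adds one safeguard the slide does not state, a validity window (FIREFIGHTER_TTL_SECONDS, an assumption) after which elevation is revoked even if the user never explicitly leaves. The firefighter ID FF_AP01, the users, the controller and the injected clock are constructed.

```python
"""Added example, not SAP's Firefighter code: a break-glass session manager that
enforces the emergency access flow on the slide: pre-approved users only, a
mandatory business justification, a controller notification on activation, an
action log while elevated, and a log report plus revocation on exit. A session
also expires on its own (assumed window, not on the slide) so elevation cannot
linger if the user never leaves Firefighter mode."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

FIREFIGHTER_TTL_SECONDS = 4 * 3600   # assumed validity window, not from the slide


@dataclass
class Session:
    firefighter_id: str
    user: str
    controller: str
    justification: str
    started: float
    actions: list = field(default_factory=list)   # (timestamp, tcode, detail)
    report: Optional[str] = None                  # set once the session is closed


class Firefighter:
    def __init__(self, assignments, now):
        # assignments: firefighter_id -> (controller, set of pre-approved users)
        # now: clock callable returning epoch seconds (injected so the flow is testable)
        self.assignments = assignments
        self.now = now
        self.sessions = {}
        self.outbox = []   # (recipient, subject, body) e-mails to controllers

    def activate(self, ffid, user, justification):
        """Regular mode -> Firefighter mode. Refuses users without pre-approval and
        empty justifications; notifies the controller."""
        controller, approved = self.assignments[ffid]
        if user not in approved:
            raise PermissionError(f"{user} is not pre-approved for {ffid}")
        if not justification.strip():
            raise ValueError("business justification is mandatory")
        if self.is_elevated(ffid):
            raise RuntimeError(f"{ffid} is already checked out")
        s = Session(ffid, user, controller, justification, self.now())
        self.sessions[ffid] = s
        self.outbox.append((controller, f"{ffid} activated by {user}", justification))
        return s

    def is_elevated(self, ffid):
        """Elevation holds until the user leaves or the validity window expires."""
        s = self.sessions.get(ffid)
        if s is None or s.report is not None:
            return False
        if self.now() - s.started > FIREFIGHTER_TTL_SECONDS:
            self.deactivate(ffid, reason="validity window expired")
            return False
        return True

    def record(self, ffid, tcode, detail):
        """Every action under elevation is logged; none is allowed outside it."""
        if not self.is_elevated(ffid):
            raise PermissionError(f"no active Firefighter session for {ffid}")
        self.sessions[ffid].actions.append((self.now(), tcode, detail))

    def deactivate(self, ffid, reason="user left Firefighter mode"):
        """Firefighter mode -> regular mode: build the log report, send it to the
        controller and drop the elevation. Idempotent for a closed session."""
        s = self.sessions[ffid]
        if s.report is not None:
            return s.report
        fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
        lines = [f"Firefighter {ffid} used by {s.user}, controller {s.controller}",
                 f"Justification: {s.justification}",
                 f"Start {fmt(s.started)}  End {fmt(self.now())}  ({reason})",
                 f"{len(s.actions)} action(s) logged:"]
        lines += [f"  {fmt(t)} {tcode}: {detail}" for t, tcode, detail in s.actions]
        s.report = "\n".join(lines)
        self.outbox.append((s.controller, f"{ffid} log report", s.report))
        return s.report


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    ff = Firefighter({"FF_AP01": ("carol.controller", {"alice"})}, lambda: clock[0])
    ff.activate("FF_AP01", "alice", "Release blocked invoices for month-end close")
    clock[0] += 60
    ff.record("FF_AP01", "MRBR", "released invoice 5100001234")
    print(ff.deactivate("FF_AP01"))
```

The point of routing every elevated action through `record` is that the controller's report is complete by construction: an action that is not logged cannot have been taken under the firefighter ID. The expiry check lives inside `is_elevated` so that a stale session is closed and reported the first time anything touches it, rather than waiting for a scheduled clean-up.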
SAP GRC Enterprise Role Management (Role Expert)

Role lifecycle, with risk analysis built in before a role is approved and generated:
1. Role Definition
2. Authorizations
3. Risk Analysis
4. Approval
5. Generation
Thank you for your attention