This action might not be possible to undo. Are you sure you want to continue?
Date : 16-Apr-2011
Welcome SAP Security Overview SOX Overview Access Control Solution Overview
Overview Rules Architect Risk analysis & Informer Mitigation Controls Alerts Compliance Configuration
Firefighter Access Enforcer
Overview Overview Module Breakdown Process Walkthrough
Overview Module Breakdown
Example R/3 Role Design model
Process Role Role Role: performs one or more transactions Composite Role Position: performs one or more roles
Job: General category For jobs Org Unit: Division
Sub-Process Sub-Process Activity Activity Activity Workstep Workstep Workstep
Transaction: SAP worksteps
SAP Security – The major elements of the SAP authorization concept
Users Composite Profiles Simple profiles Authorization Objects Authorizations Fields Values (Activities, Organizational elements) Transactions
User Profile User Profile
Composite Composite Profile Profile
Composite Composite Profile Profile
SAP Security To address this complexity and flexibility, SAP has developed a solution called SAP GRCAccess Controls Suite. We will guide through how CC addresses some of these issues.
Simple Simple Profile Profile
Simple Simple Profile Profile
Object Access and Restrictions
Securing Financial Applications Systems for SOX Compliance SOX…. 2003) Claimed revenues of $111 billion in 2000 Fortune named Enron "America's Most Innovative Company" for six consecutive years At the end of 2001 It was revealed that its reported financial condition was sustained substantially by institutionalized.000 people (McLean & Elkind. systematic. Texas. Enron Corporation was an American energy company based in Houston. Enron figures in late 2001 – Enron employed around 22. and creatively planned accounting fraud Enron filed for bankruptcy protection in the Southern District of New York 5 GRC Basic .. The Sarbanes-Oxley Act of 2002 also called as Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox in response to major corporate scandals like Enron………….
Some interesting facts 6 GRC Basic .
They can’t understand hurdles on business side. contractors. and partners and so on. but they lack the technical depth to manage user access.Present access and authorizations approach IT does not own the responsibility for proper segregation of duties. However with manually maintained spreadsheets listing the access and authorizations of all employees. as they lack the collaboration tools and language to efficiently collaborate with the business owners. Lines of the business managers are responsible for SoD. 7 GRC Basic . they can only perform a very limited audit at a very high cost. so they rely on IT Internal auditors are trying desperately to stay on top of the SoD issue.
Many customized 'Z' transactions or 'Y' transactions built in to suit the business process.SAP access had not been revoked for employees who had been terminated. SU12. the whole SAP environment is put at risk. SM13. 8 GRC Basic .Top 7 Control Deficiencies in SAP 1. Unrestricted Posting Periods . 2.Unauthorized Access to SAP BASIS . Unsecured Customized Programs .segregation of duties as the most important point of control focus or deficiency. Database and OS Hardening .The data in SAP sits on databases like Oracle etc and SAP Portal as such runs on an operating system. KE54 etc to users in production. This can become a severe control deficiency under SOX 6.Allowing unrestricted access to open Posting periods in SAP can result in unauthorized entires in previous open periods. SM59. SAP Access to Terminated Employees .Many companies make the mistake of giving access to sensitive BASIS transactions like SE13.Sarbanes Oxley and SAP . Segregation of Duties . SU10. SC38.Business procedures not matching the actual process is another problem area in many SAP implementations. 5. SE38. Such unrestricted access can lead to a potential control deficiency under Sarbanes Oxley. Inconsistent Business Process Procedures . If databases and operating systems are not hardened. 4. 3. This can potentially lead to control deficiency 7. SM49.
Prohibiting and controlling access to critical basis. 9 GRC Basic . . developer and sensitive business transaction. .Developing solutions for risk management and control.Identifying risks arising through user access privileges. .Stopping risk from being introduced into the production system through change updates. IT / Security Challenges .Prohibiting and controlling access to critical basis.Ensuring that mitigating controls exists for user access risks and are executed. developer and sensitive business transaction. . .Knowing when users have executed transactions that constitute a risk .Stopping risk from being introduced into the production system through change updates.GRC – Governance Risk Compliance SAP Compliance Calibrator Business Challenges .
Modern IT applications ERPs like SAP. Sensitive Access Controls SAT – SATs coupled with SODs can act as the foundation for IT based antifraud controls. J D Edwards. Segregation of duties in applications can act as a major antifraud controls and lead to better SOX compliance.SOD & SAT Segregation of duties in applications SOD – The basic premise of segregation of duties is that users should not be in a position to initiate and authorize their own transactions. This sensitive information can be misused. . Access to specific transactions in the system can be restricted based on user roles and profiles.IT Based Antifraud Controls . profit and loss account etc. From an IT perspective users have access to a lot of information such as payroll data. Oracle Apps. balance sheet. The other important antifraud control is restricting user access to sensitive transaction in the system. It is therefore important to restrict users access to this sensitive information in applications. Peoplesoft can be configured based on roles. 10 GRC Basic .
H 11 . Post Goods Receipt and Post Payments H Post Goods Receipt and Process Outgoing Payments H Post Goods Receipt and Process Inventory H Post Goods Receipt and Process Inventory Documents H Post Goods Receipt and Goods Issue H Post Goods Receipt and Process Materials A user could create or change a fictitious receipt and create/change a material document to hide the deception.MM SoD Conflicts – Sample data SoD Controls (Functions that should be segragated) Risks RISK LEVEL A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check. The vendor would be paid for the excess recorded receipt. A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception. A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception. A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception. A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception.
This is achieved by assuring no single individual has control over separate phases of a business transaction. which could cause error or irregularities within the system. and ensure corrective action is taken. identify problems. which form as part of Actions. you attribute one or more rule sets to that risk. but more often a role comprises multiple functions. Order to Cash. Rule Sets –Ccategorize and aggregate the rules generated from a risk. rules and rule sets by business function e. Action. or decrease the risk of errors or regulatory irregularities. All risks and functions are assigned to business functions. .Identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. SoD – Segregation of Duties.Compliance Calibrator Key Terms Business Process – Used to classify risks. Similar to business process. To perform a function. when you define a risk. Function .g. are primary internal controls intended to prevent. Risks – Identify potential problems your enterprise may encounter. Purchase to Pay. 12 GRC Basic . Permission – Object in SAP. Record to Report are all types of Business Processes. This can be analogous to a role.Known as Transactions in SAP. more than one action may be required to be performed.
Business Process. Permissions 5.Definitions – Function. Business process 3. Function 2. Action. Permissions & Activities 1 2 3 4 1. Action 4. Activities 5 13 GRC Basic .
. 14 GRC Basic . SAP CC is used to execute security controls for period review and approval for SOD conflict and critical transaction risks.. Alert SOD violations Alert CT usage Analyse SOD conflicts …. User Provisioning (preventative) Request Access Identify Risks Business Approval Update user ………….Process Overview SAP Compliance Calibrator Analyse & Approve Role change Approve Change Deploy Change Role Maintenance (preventative) Request Role change Build Change Risk Analysis SAP CC is used to identify SOD conflicts before the change enters production. …. The alert monitoring can also be used to identify business or control leads when a SOD violation occurs or a critical transaction is used. Execute Controls Deeper understanding of risks inherent in the security design allows business approvers to make a proactive choice as to whether they allow a user to have an SOD risk or critical transaction. Note: Rules have to be pre-defined before Risk Analysis is performed. This allows control leads to reject the introduction of risk or assign / implement a mitigating control before risk is apparent. Security Controls (detective) Analyse Critical Transactions …..
and the appropriate response to that condition.Rules Architect – SOD risk SAP Compliance Calibrator Rules are created in compliance calibrator based on the “risks” you define. This is commonly represented as an If-Then statement. IF Employee X can Create a Vendor & Employee X can Authorize Pay vendor Then Employee X has been granted High Risk Conflicting Roles This is an example of a SOD risk. Rules are logical constructions composed of a circumstance or condition. Risks 15 GRC Basic Compliance Calibrator Rules .
For each identified risk the rules need to be configured so that the risk is properly recorded. 4. False positives are identified when at the object level potential risk is not realized e. grouped into functions. 16 GRC Basic . Multiple rule sets can also be set up to act as reporting filters. SAP CC creates rules based on the risks which are used for risk analysis reporting and alert monitoring. Building rule sets 1. 2.g. Business process can also be defined and mapped to risks for ease of reporting e. 5. version control and other uses. This library will contain conflicting transactions. Set up functions (groups of activities that users perform to carry out their role) by mapping transaction activities. the action is to read only. Finance Accounting. in essence this means the removal of false positives.Rules Architect – The Rules Library SAP Compliance Calibrator The core engine of SAP CC contains a rules library that maintains the risks for SOD conflicts. Map two or more functions together to define a risk 3. including the object and activity settings and runs to 1000s of records.g.
Key Drivers SAP Compliance Calibrator Building rule sets can be complex and time consuming. SAP Functional Expert Provides expertise on the business process configuration in SAP . knowledge on objects and activity values. SAP CC Expert Provides knowledge on rules setting in SAP CC performing mass upload changes and risk analysis. Typically three distinct roles and skills are involved.Rules Architect. Internal Controls Expert Provides information on SOD risks. Helps to set the configuration data for the rule set library. Internal Control Expert Rules Generation SAP Functional Expert SAP CC Expert 17 GRC Basic . Helps identify false positives. criticality and represents business (process) owners in decisions to mitigate or remove risks.
18 GRC Basic . 2.Risk Analysis SAP Compliance Calibrator Once the rule set has been defined and implemented risk analysis can be performed to identify the SOD conflict and critical transaction risks in the staging and production system. Risk Analysis and remediation is most efficient when a structured authorizations concept is implemented that maps roles to job and people. In these circumstance remedial efforts correct risks for large groups of users. During the project lifecycle before users are allowed in the production system. Risk analysis can be performed at the user or role level. To execute periodic security controls. 3. Risk Analysis can be performed: 1. Before provisioning exceptional roles to individual users 4. Before each change request for role maintenance is deployed to production.
by their nature. Critical Permission risk Just as some individual actions can be critical. Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned an action that includes a potentially risky permission. create a vulnerability. a critical risk is according to your company policies. for example. The severity of a risk can be categorized as either: •Low •Medium •High •Critical You use the Risk Level to categorize risks—and the rules they generate—by severity. That is to say. What determines. Any employee who has permission to perform one of these actions automatically poses a risk. when assigned to a single employee. inherently risky.Risk Analysis – Types of risks Segregation of Duties (SoD) risk A combination of two or more actions or permissions that. but not both. Defining a critical action risk ensures that any employee assigned this permission is identified by the risk analysis process. 19 GRC Basic . Critical Action risk Certain actions are. the same is true for some permissions. in the case of two conflicting actions an employee may have permission to perform one of these actions.
HR Objects or Organizations. “Role Analysis”. Background Job .Informer Informer allows a appropriate user to access specific reports. there are specific user-selected focus areas available on many of the reports. Informer tab report types include: Management View. HR Object or Organization has access to two or more conflicting actions. 20 GRC Basic . Roles. Role. In addition to the default report formats. Audit Reports. Each Audit report menu item contains links to reports that may be user modified to fit needs requested. “Controls Library” Risk Analysis.Allows SoD conflicts to be analyzed for a large number of Users. “Alerts”.Performed to see if any User.Can view reports in the following types: “Risk Violations”.Provides report headings covering different aspects of the enterprise. “Comparisons”. Security Reports .Provides an access point for reports on every aspect of product and enterprise security compliance issue. “Rules Library”. “Users Analysis”.
Pie Charts and Line Charts By clicking upon a certain chart area.Informer Compliance Calibrator provides Interactive visual analysis in the form of Bar charts. detailed statistics are accessed 21 GRC Basic .
HR Objects and Organizational Levels 22 GRC Basic .Informer SAP Compliance Calibrator You can generate reports for Users. User Groups. Profiles. Roles.
An example is a supervisory review and sign off. or profiles. The Controls Library displays the Controls by Risk level and are sorted by: Risk Risk Level (Low.The ID of the User who is assigned as a Monitor. or HR Object 23 GRC Basic . A choice also exists on who to give responsibility for maintaining data in the SAP CC tool. Role. Risk is removed from risk reporting. Controls Library option lists all the existing Mitigation Controls (active/inactive). Medium. roles. Monitor ID . who is assigned the specific Controls. Many clients will have separate cross-enterprise process controls software and we suggest three options for implementation: 1) Simplest option.g.Rather than remove the cause of the risk. High) Business Unit Monitor User. process control software. This can be centralized in IT or Controls or fully distributed to the business. Once documented and assigned to a Monitor the tool can be used to track execution of the control or non compliance. a mitigating control should be implemented and executed. you may want to control certain risk violations that you want available to specific users.Mitigation Control Mitigation Controls. SAP CC gives you the functionality to document the mitigating controls for each risk. Profiles. 2) Associate the risk with a mitigating control in an alternate repository e. identify risk as controlled. 3) Fully document the mitigating control within the SAP Compliance Calibrator. Where risks are accepted in the system.
When an alert message has been delivered and cleared. Mitigation monitoring – If a Monitor does not execute a control to a specified frequency then an alert will be generated which is sent to the Monitor and visible to the control leads.Alerts Monitor Compliance Calibrator includes functionality which can alert business and controls leads by email when a critical or conflicting action is executed. Alerts are available within the following risk areas: Conflicting and Critical Actions – When a user performs both transactions in an SOD rule or uses a critical transaction. Cleared alerts. 24 GRC Basic . Alerts remain as an archived record and can still be tracked and monitored.
critical transaction codes.SAP Compliance Configuration The configuration Tab is the main starting point for post installation setup. NOTE: Only an User with Administrative authority can access and use this aspect of Compliance calibrator. These characteristics are the foundations of the SoD rules. Risk Violations. critical objects etcetera. Background Job Scheduling is used for activating Monitoring e. The Rule set upload function is used to load the standard rules or customized rule set – e. 25 GRC Basic . frequency of SoD analysis.g. The Java Connector (JCO) acts as the integration point between the Java application and the SAP system to be monitored / analyzed.. The Workflow component is used to trigger email alerts to named Process Owners within the User Provisioning. It is an integrated part of the Access Enforcer solution.g. The User Management Engine provides for out-of the box J2EE Administrator profiles to be defined or activated .
SAP Compliance Configuration STANDARD GRC RULESET SCHEDULING RISK ANALYSIS 26 GRC Basic .
Assembly Test.g. Test functionality Define risks and configure risk rule set Run Risk analysis Remedial actions SAP Compliance Calibrator Technical installation Core ECC. Re-run risk analysis. Export reports and update Risk Logs. Agree SODs conflicts and critical transactions. Establish design concepts and principles for mapping roles to jobs and users e. Monitors and Control Approvers. Plan authorization changes. Risk Descriptions. Update procedures to introduce SAP CC as a preventative control and reflect governance for business ownership. Deploy new procedures. Stabilization support Mitigate Accepted Risks Update procedures and security controls. Test risks. Agree whether to accept or reject risks. business approvers. RFC connections to Modules. Identify and remove false positives. Business Approvers. Transition to live 27 GRC Basic . Run risk analysis in staging environment. Business Process. Update risks rule set. Role Maintenance and UP processes.Major Activities Walkthrough Activity Install and set up SAP CC Agree security design principles and dependencies with SAP CC Confirm Project governance and high level processes Master data and functional set up. Update mitigating controls in tool. Define Security controls. Agree mitigating controls for each risk. Agree control owners and business approvers (execution). Categorise risk (H/M/L). Agree master data definitions. control owners. 1 Composite role to each user Agree business owners. Train and enable operations staff. Control Approvers. update security design templates and raise change request to security maintenance. Organization. Run Risk Analysis in production environment.
28 GRC Basic .
providing the capability to review activities used during an emergency situation. Role 1 Role 2 Role 3 Firefighter ID 1 User 1 Before users can access Firefighter.fighter The Firefighter application allows a user to take responsibility for tasks outside their normal job function. For each Firefighter ID you define the following roles. Owner Owners can assign Firefighter IDs to Firefighters Controllers Receives email notification and reviews the Firefighter Log report. 29 GRC Basic . Provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage. Enables users to perform duties not included in the roles or profiles assigned to their user IDs. in a emergency situation.Fire. they must be assigned a Firefighter ID. In addition the Administrator perform the creation of Firefighter ID and assign authorization roles.
another employee who usually verifies invoices may be assigned a Firefighter ID to perform this task temporarily. monitors. Assign Firefighter account Update Production Review Control Log Firefighter enables users to perform duties not included in the roles or profiles assigned to their userIDs. Benefits of Firefighter are: Avoid business obstructions with faster emergency response Reduce audit time Reduce time to perform critical tasks GRC Basic 30 . and logs all emergency access activities Example If the employee who normally works with vendor accounting. Firefighter tracks. Through automated emergency access administration. but is on vacation or sick leave.Process Overview SAP Firefighter Request access to production Approve Request Request access to Production. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.
fighter Firefighter dashboard Firefighter Log Report 31 GRC Basic .Fire.
32 GRC Basic .
Roles and permissions are automatically applied to the enterprise directories when the access request are approved. This workflow is customized to reflect your company policy. Access Enforcer automatically forwards the access request to designated managers and approvers within a pre-defined workflow. Access Enforcer automates the role provisioning process within the identity management environment. When a user requests access to resources for which they do not have permission. 33 GRC Basic . It is connected to multiple data sources such as an LDAP and SAP backend system. Access Enforcer automates the end-to-end access provisioning approval process by combining roles and permissions with workflow. It ensures corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.Access .Enforcer Access Enforcer is a web-based application within J2EE and NetWeaver environments.
Configuration The Configuration module is for Access Enforcer Administrators who define defaults. Approvers can also request access for other end-users.Access Enforcer Access Enforcer has four task modules for specific usage. Approvers include line managers and IT security. They include: Requestors The Requestors module is for end-users who are requesting access to SAP and non-SAP backend systems. workflow. 34 GRC Basic . Informer The Informer module is a reporting tool that provides graphical and analytical reports for managers. Approvers The Approvers module is for approvers who approve access requests. and other attributes that are based on their corporate business processes and policies.
An Approver can only approve or reject requests that they own and cannot approve requests for other approvers unless they are assigned as a alternate approver. you use the Requestor module to create various access requests for an SAP backend system. Reports are divided into two categories: Analytical lets you drill down to individual role change and access permission requests. or other application (server). Requestor As a Requestor. Security Approver is usually the last approver in a typical workflow. The standard Approver types are: Manager Approver is usually the requestor’s manager. 35 GRC Basic .Access Enforcer Module Breakdown Approver Access Enforcer provides three standard Approver types. there may be other Approver types that can be added to Access Enforcer. if necessary. Chart generates a graphical view of the request approval information. There are three types of Requestors: Department Member Creates requests for access permissions or roles. Role Owner Approver has the authority to approve or reject a request. Manager can review and approve their workflow stage during the approval process. which can be used to analyze various activities. for themselves or for their team members Managers Creates requests for roles for their subordinates Approvers Other managers can also create requests Informer Access Enforcer provides the ability to generate various reports for the purpose of viewing and analyzing request approval activities. non-SAP system. The Approver can put a request on hold and add additional roles to the request. The Security Approver can provision access to the target system that has been requested. Depending on your organizational hierarchy and process.
36 GRC Basic . Request Approver Page for a request submitted.displays pending requests assigned to you.Access Enforcer Screenshots Request for Approval List.
When conflict arises. Upon approval. which could involve the IT security team for entry to the SAP backend system or application server. This triggers a Workflow process. which can be set to specific or multiple data sources (e. for which they do not have the necessary roles 2. Receives email notification of access request at each approval stage. access request is routed to next stage. Provides Access Request page. SAP HR system or non-SAP systems) to complete the request process Requestor 3. Submits completed Access request page. approver can mitigate the problem or reject the Request. Automatic provisioning to the target system could take place.Access Enforcer Walkthrough 1 Makes access Request for specific application. Approver 37 GRC Basic SAP .g. which is made up of several pre-defined approval stages and is customized to reflect the business and security policies and procedures. Access Enforcer 4. Performs Risk analysis and SOD assessments. 5.
Benefits 38 GRC Basic .Access Enforcer .
39 GRC Basic .
and facilitates approval workflow. and manage roles across multiple enterprise applications ad enforces best practices. allowing role owners to define. Role Expert provides a complete audit trail. tracks changes. eliminating the inefficient back-and-forth exchanges between business managers and IT. and control test results and allows SAP security administrators and Role Owners to document important role information that can be of great value for better role management such as: Tracking progress during role implementation Monitoring the overall quality of the implementation Performing risk analysis at role design time Setting up a workflow for role approval Providing an audit trail for all role modifications Maintaining roles after they are generated to keep role information current 40 GRC Basic . covering role definition. resulting in lower ongoing maintenance and effortless knowledge transfer Automatically analyzes roles for potential security risks (audit and SoD issues). document. detailed change history.Role Expert Role Expert is a solution for compliant enterprise role management.
Value Mapping Approval Criteria Org Level. Displays an interactive graphical interface of the roles broken down by system landscape. 41 GRC Basic . It also shows the number of roles with violations and roles belonging to different role types.Maps the hierarchical structuring of organization. Role Designer allows you to define: Role Building Methodology Naming Conventions Role Attributes Org. enabling to manage roles effectively. or business process. Role designer. role owner.Dashboard of all the roles in Role Expert.Allows you to synchronize the SAP Back-end systems with Role Expert by importing roles that already exist in the SAP system. Change history provides you with an audit trail for all the changes made to roles within Role Expert or your SAP system Mass Maintenance.Provides you with a step-by-step guide for designing roles across your enterprise.Role Expert Role Library.
Please let me know if any concerns. Thanks Biju 42 GRC Basic .
This action might not be possible to undo. Are you sure you want to continue?