AC 10.0 Enhanced Access Risk Analysis
Customer Solution Adoption, June 2011
Version 2.0

Purpose of this document
This document describes the major enhancements to the access risk analysis capability of GRC, including end user customization and personalization. It covers how to navigate through the different reports and describes new functionality such as bulk maintenance, automation, audit trail, and mitigation options.

Agenda

• Introduction
• Rule Set Maintenance
• New Risk Analysis Framework
• System Specific Mitigation
• Mass Mitigation
• Approval Process for Functions
• Additional Audit Trail Tracking

© 2011 SAP AG. All rights reserved.


Introduction
• Enhanced Access Risk Analysis Overview

Enhanced Access Risk Analysis Overview
Enhances the leading access analysis engine with an intuitive interface that supports end user customization and personalization. New bulk maintenance, automation, audit trail, and mitigation options enable a faster and more efficient path to compliance.

Solution Enhancements
• New interface allows targeted risk analysis as well as importing, editing, and reusing analysis criteria
• New ability to customize and personalize access risk results
• Enables Business Role and CUA composite role risk analysis
• New ability to mitigate by system and by access rule ID
• New support for mass mitigation, including assignment and maintenance with bulk updates
• New function maintenance workflow by utilizing the standardized workflow engine
• Enhanced Audit Trail

Key Benefits
• More efficient, flexible access risk analysis options and improved ability to analyze results
• Faster deployments and easier data maintenance over time
• Reduce broad application of controls
• Ability to repurpose workflows including routing and escalation logic

Rule Set Maintenance
• Overview
• Maintaining Rules
• User Interface Elements

Rule Set Maintenance
Overview
Rule Set Maintenance:
• Consistent user experience throughout the application
• Ability to filter and sort reports listing rule sets, functions and risks
• Ability to hide and rearrange columns listing rule sets, functions and risks

Maintaining Rules
Rule Setup
• Navigate to Access Rule Maintenance for creation and maintenance of rules

Maintaining Rules
Function
• Select Function to create or maintain the function with actions and permissions
• Change History tab available

Maintaining Rules
Function Mass Maintenance
• Streamlined user interface with step by step process

Maintaining Rules
Risk
• Select Access Risk to create or maintain the risk
• Change History available

Maintaining Rules
Generate Rules
• The Generate Rules button in the Function and Risk menu bar is available to update the rules in either Foreground or Background

User Interface Elements
Filtering
• The query result set can be filtered

User Interface Elements
Sorting
• A column can be sorted in ascending or descending order by clicking the column name

User Interface Elements
Hide and Rearrange Columns
• Columns can be hidden and their sequence can be changed

User Interface Elements
Rearrange Columns
• The Sorting, Filter, Display, Calculation, and Print Settings can be maintained and saved as a user specific view

User Interface Elements
User Query and Personalization

• Streamlined user interface with step by step process to define a new query
• User Personalization available to define the default view


User Interface Elements
User Help
• A quick user help or field help can be displayed with the right mouse button


New Risk Analysis Framework
• Overview and Benefits
• Conditions
• Multiple Risk Analysis Types
• Multiple Selections and File Upload
• Report Options

Risk Analysis Framework
Overview and Benefits
The new risk analysis framework includes:
• Different conditions can be configured and combined
• Multiple risk analysis reports can be run at the same time
• Multiple selections can be imported from a file
• Drill-downs available across the reports
• Columns in the report can be hidden and rearranged
• Reports provide transaction execution data
• Crystal and PDF reports available
• The reports can be sorted by any column

The new risk analysis framework provides the following benefits:
• Provides a consistent interface with other GRC modules
• Faster report processing by including only the information required by the users
• Saves users time by allowing them to import report variables from files

Risk Analysis Framework
Conditions
• Conditions can be added and removed as required. Multiple operators are provided depending on the condition.

Risk Analysis Framework
Multiple Risk Analysis Types
• When executing a risk analysis it is now possible to perform multiple risk analysis types at the same time

Risk Analysis Framework
Multiple Selections and File Upload
• When a condition is switched to multiple selections, a new window can be launched. This not only allows multiple selections but also uploading values from a text file.

Risk Analysis Framework
Large Reports: Result Sets
• When the reports are too large they are split into different “Result Sets”. This allows exporting them in multiple files, preventing file size restrictions and providing better memory management.

Risk Analysis Framework
Report Settings
• Filter and Settings to customize and search the Result Set. Customize the columns the user wants to see; sorting controls are also available.

Risk Analysis Framework
New Columns: Last Executed On and Execution Count
• You can now see in the risk analysis results how many times and when the transaction was last executed

Risk Analysis Framework
Drill-down on Reports
• In the access risk analysis reports it is now possible to drill down on the User IDs and Access Risk IDs.

Risk Analysis Framework
Drill-down on Risk Definitions
• It is possible to drill down on functions and on the user ID who modified a risk

Risk Analysis Framework
Crystal Reports
• Reports can now be shown as Crystal Reports. No additional software is required on the server, but the clients are required to install the Crystal Report Adapter.

Risk Analysis Framework
Export to PDF
• Users can create a PDF version of the reports by clicking on the Print Version button. This functionality requires an Adobe Document Services instance in the GRC landscape.

System Specific Mitigation
• Overview and Benefits
• Assigning a Mitigating Control
• Listing Mitigating Controls

System Specific Mitigation
Overview and Benefits
System Specific Mitigation:
• Allows assigning a mitigating control to specific systems
• Multiple systems can be chosen while assigning a mitigating control

Benefits of this feature include:
• Less complexity while defining risks and assigning mitigating controls, due to an easy interface for assigning controls to multiple systems
• More flexibility as to which risks are mitigated on specific systems

Assigning a Mitigating Control
User
• When assigning a mitigating control to a user it is possible to select multiple systems

Assigning a Mitigating Control
Role
• This also applies for all other types of mitigations, as shown here on the Mitigated Roles screen.

Listing Mitigating Controls
Reporting
• The System column shows on which systems the respective mitigating control has been assigned.

Mass Mitigation
• Overview and Benefits
• Assigning a Mitigating Control to Multiple Risks

Mass Mitigation
Overview and Benefits
Mass Mitigation:
• While viewing an access risk analysis report, multiple risks can now be mitigated at once

Benefits of this feature include:
• Speed up the mitigation process by assigning multiple mitigations in a single step
• Improve mitigating control quality: fewer steps to mitigate multiple risks means fewer potential errors introduced by the user

Assigning Mitigating Controls
Multiple Risk Selection
• Every access risk analysis report provides a button for mitigating risks; simply select multiple entries and click the Mitigate Risk button
• A single mitigating control can be assigned to all selected risks

Assigning Mitigating Controls
Control Parameters
• After clicking Mitigate Risk, any control already assigned to the risk ID is auto-populated. The control can be replaced by clicking in the Control ID field and searching the available controls, or by creating a new control with the Create Control button

Assigning Mitigating Controls
Validity Periods
• You can update the status and validity periods for multiple control assignments by selecting one or many rows and clicking the Status or Validity Period buttons (mass update to validity period shown)

Assigning Mitigating Controls
System and Rule ID Selection
• Mitigation can be done at the access rule ID level or at the system level. Enter * to mitigate across all systems and all rule IDs.
• Select a row and click View Details to see additional details about the assigned control (long and short description, monitor, assigned risks, and so on)
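As an added illustration, not code from the SAP slides or the product, the following Python model shows how the mass mitigation, validity period and system / rule ID scoping described on these slides interact when deciding whether a report row counts as mitigated: an assignment narrowed to one system or rule ID covers only matching rows, `*` covers all, and an expired or inactive assignment covers nothing. Class names, field names and the matching logic are assumptions chosen for the example.

```python
"""Added example (not from the SAP slides): a simplified model of mitigating
control assignments scoped by system and access rule ID, with "*" as the
wildcard, bounded by a validity period. All names are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One row of an access risk analysis report (constructed sample data)."""
    user: str
    system: str
    risk_id: str
    rule_id: str


@dataclass(frozen=True)
class ControlAssignment:
    """A mitigating control assigned to a user for one risk, optionally
    narrowed to one system and/or one access rule ID ("*" means all)."""
    control_id: str
    user: str
    risk_id: str
    system: str = "*"
    rule_id: str = "*"
    valid_from: date = date.min
    valid_to: date = date.max
    status: str = "ACTIVE"

    def covers(self, finding: Finding, on: date) -> bool:
        """True when this assignment mitigates `finding` on date `on`."""
        return (self.status == "ACTIVE"
                and self.user == finding.user
                and self.risk_id == finding.risk_id
                and self.system in ("*", finding.system)
                and self.rule_id in ("*", finding.rule_id)
                and self.valid_from <= on <= self.valid_to)


def mass_mitigate(findings, control_id, systems, valid_from, valid_to):
    """Model the Mitigate Risk button: one control assigned to every selected
    finding, for each chosen system ("*" for all), at rule ID granularity."""
    return [ControlAssignment(control_id, f.user, f.risk_id, s, f.rule_id,
                              valid_from, valid_to)
            for f in findings for s in systems]


def mitigation_status(findings, assignments, on):
    """Map each finding to the control ID that mitigates it on date `on`,
    or None when the risk remains open (unmitigated) on that date."""
    return {f: next((a.control_id for a in assignments if a.covers(f, on)), None)
            for f in findings}
```

Findings left at None after a status run are exactly the rows an auditor would still expect to see as open risks in the report.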

Approval Process for Functions
• Overview
• Configuration Setup
• Workflow

Approval Process for Functions
Overview
• New feature in Access Control 10.0
• Functions are the building blocks of risks in manage and analyze access risk
• Any changes in functions will have a direct effect on the access rule set
• Changes in functions need to be tracked and audited

Configuration Setup
Launching IMG Task
• Addition of new functions or changes to existing functions by the Rule Architect can have their own approval process. Workflow for Function Maintenance is enabled as part of the Access Control Configuration parameters.
• Execute transaction SPRO → SAP Reference IMG → Governance Risk and Compliance → Access Control → Maintain Configuration Settings

Configuration Setup
Adding Configuration Parameters
• Click New Entries
• Enter the configuration:
  – Parameter Group: 5 Workflow
  – Parameter ID: 1064 Function Maintenance
  – Parameter Value: YES
• Click Save

Workflow
Submitting Changes
• When the workflow configuration is active, the button to complete the maintenance is labelled SUBMIT instead of SAVE
• To access Functions: From NWBC or Portal → Rule Setup Workbox → Access Rule Maintenance → Functions

Workflow
Workflow Inbox
• Upon submission a work item is delivered to the workflow approver for approval or rejection
• If configured, the approver receives an email notifying them that a new work item has arrived in their workbox.

Workflow
Approval / Rejection Decision
• The workflow approver can then approve or reject each item in the Workflow Inbox.

Workflow
Configuration
• Workflow is configured in the SAP Reference IMG: Transaction SPRO → SAP Reference IMG → Governance Risk and Compliance → Access Control → Workflow for Access Control → Maintain MSMP Workflows
• Terminology: MSMP is the abbreviation for Multi-Stage, Multi-Path Workflow

Workflow
Process ID
• The Function Maintenance workflow is delivered in the Business Configuration (BC) Set
• The first step is Process Global Settings

Additional Audit Trail Tracking
• Overview
• Benefits
• Configuration
• Viewing the Audit Trail

Audit Trail
Overview
• All changes related to access rules can be tracked. The following components can have an audit trail:
  – Function
  – Risk
  – Org Rule
  – Supplementary Rule
  – Critical Role
  – Critical Profile
  – Rule Set
• A new configuration parameter has been included for maintaining the components to be tracked

Audit Trail
Benefits
• Quick access to the history of changes of the access rules, including changes to functions, rule sets, critical access rules and additional access rules. Administrators and power users can easily track who changed the different components of an access rule.
• Higher visibility of changes, as the application is able to log information about every type of change to the rules. This is useful when finding problems related to inconsistent rules.
• Comprehensive information about the changes to access rules, including not only who made the change and when it was made, but also the old and new values. Auditors can have a detailed view of all changes in a single location.

Configuration
Launching IMG Task
• Components to be tracked are configured in the IMG under Maintain Configuration Settings

Configuration
Adding Configuration Parameters
• A new parameter is available: Change Log
• A list of all available components is shown. This parameter can be configured for each required component.

Viewing the Audit Trail
Change History
• Each access rule component (please refer to the Overview) has a Change History tab; if the respective configuration entry was set in the IMG, a complete audit trail is shown.
• The report shows the old and new values, who applied the changes, and the time of the operation.
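As an added illustration, not code from the SAP slides or the product, the following Python model ties together the Change Log parameter and the Change History described in this section: only components enabled by the parameter are logged, each logged change is stored field by field with old and new values, who made it and when, and the history can be read per object or per changing user (the drill-down on the modifying user ID mentioned earlier). The component names are the ones the slides list; the record layout and function names are assumptions.

```python
"""Added example (not from the SAP slides): a simplified model of the Change
Log configuration parameter and the Change History it feeds. Component names
come from the slides; record layout and function names are assumptions."""
from datetime import datetime

# The components the slides list as able to carry an audit trail.
TRACKABLE_COMPONENTS = frozenset({
    "Function", "Risk", "Org Rule", "Supplementary Rule",
    "Critical Role", "Critical Profile", "Rule Set",
})


class ChangeLog:
    """Records field-level old/new values, who changed them and when, but only
    for components enabled via the (modelled) Change Log parameter."""

    def __init__(self, enabled_components):
        unknown = set(enabled_components) - TRACKABLE_COMPONENTS
        if unknown:
            raise ValueError(f"not a trackable component: {sorted(unknown)}")
        self.enabled = frozenset(enabled_components)
        self.entries = []

    def record(self, component, object_id, old, new, changed_by, changed_at: datetime):
        """Diff two versions of one rule object field by field. Returns the rows
        written: empty when the component is not tracked or nothing changed."""
        if component not in self.enabled:
            return []
        rows = []
        for field in sorted(set(old) | set(new)):
            if old.get(field) != new.get(field):
                rows.append({"component": component, "object_id": object_id,
                             "field": field, "old": old.get(field),
                             "new": new.get(field), "changed_by": changed_by,
                             "changed_at": changed_at})
        self.entries.extend(rows)
        return rows

    def history(self, component, object_id):
        """The Change History tab for one object, oldest change first."""
        return sorted((e for e in self.entries
                       if e["component"] == component and e["object_id"] == object_id),
                      key=lambda e: e["changed_at"])

    def changed_by(self, user):
        """Drill-down on the user ID who modified rule components."""
        return [e for e in self.entries if e["changed_by"] == user]
```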

Viewing the Audit Trail
Exporting the Change History
• The report can be exported to Excel for further processing. A printer-friendly version can also be shown by clicking the respective button

Viewing the Audit Trail
Change Log Report
• A change log report is available in the Reports & Analytics work center that provides reporting on all audit trail enabled AC objects.

Thank You!
Contact information:
Luis Bustamante
Customer Solution Adoption (GRC)
luis.bustamante@sap.com
