
Segregation of Duties Review (SOD Review) Description and Workflow Configuration
Added by Shaily Kulshreshtha, last edited by Shaily Kulshreshtha on Nov 28, 2014

Segregation of Duties Review (SOD Review)
Segregation of Duties Review is a process where the system checks periodically for any risks and violations associated with a user or functions. This functionality can be used during the initial cleanup of risk violations as well as a long-term strategy to review and affirm previous Mitigation assignments.
When SOD review is performed, it generates requests automatically, based on the organization's internal policy. SOD review provides a workflow-based review and approval process.

Purpose
This document will explain the complete functionality of SOD review.

SOD Review Overview
Key features of SOD Review:
Decentralized review of Segregation of Duties violations.
Workflow request for Access Review and approval
Reaffirmation of Mitigation Control assignment
Audit trail and Report for Audits

SOD Review Process
There is a background job which generates SOD Review requests.
The system sends SOD review notifications to reviewers.
The reviewer reviews the request and performs one of the following options:
Reject Request Items
Mitigate Risk by assigning a Mitigation Control.
Remove Access for items that are creating violations.
There is one more optional step where we can involve an Admin for Admin Review before sending the request to reviewers.

SOD Review Process Explanation
Admin Review
There is an option for Admin Review which allows the administrator to validate request data after requests are generated (by the SOD review job) but before the Workflow task is generated (that is, prior to the SOD Review Update Workflow job). If any reviewer information is missing or needs to be modified, the Admin can do so before generating the workflow, or can also delete requests if required.
Review Stage
We can specify whether the Reviewer stage is addressed by the user's Manager or the Role Owner.
Security Stage: We can also include a Security stage if required.

Workflow Stage Configurations
After deciding which stages to include in the SOD review workflow, we need to determine the specific behavior of each stage to reflect the review process, such as:
Email Notification
First of all we need to determine the content of the email notification to be sent to the approver of each stage. The recipient also needs to be determined.
Reminder
We can also set an Email reminder in this case. We can specify the interval of the reminder notification.
Escalation
You can specify Escalation on each stage based on the time spent in a particular stage. If a Reviewer does not complete his review within the time specified in the date parameter defined in configuration, then the request will be escalated. The Audit log will show this escalation. We can also specify whether escalation automatically removes the access that is not approved by a certain date.

Roles in SOD Review
The following roles can appear in an SOD Review Request:

Administrator
Administrators perform SoD Review specific administrative tasks, such as performing an Admin Review before generating a workflow for the request.
Reviewer
Reviewers are approvers at the Reviewer stage. A Reviewer can be a User's Manager or the Risk Owner.
User's Manager
The User's Manager is the direct manager of a particular user, as defined in the User Details Data Source.
Risk Owner
The Risk Owner is the owner specified in your Risk Analysis and Remediation (RAR) master data.
Coordinator
Coordinators are users assigned to one or more Reviewers. Coordinators monitor the SoD Review process and coordinate activities to ensure that the process is completed in a timely manner.

Prerequisites

The following jobs should be executed in the below sequence before running SOD review jobs.

Repository Sync for User, Role, Profile (SPRO > GRC > Access Control > Synchronization Jobs > Repository Sync)
Batch Risk Analysis Job (SPRO > GRC > Access Control > Access Risk Analysis > Batch Risk Analysis > Execute Batch Risk Analysis)
Action Usage Report (SPRO > GRC > Access Control > Synchronization Jobs > Action Usage Sync)
Role Usage Sync (SPRO > GRC > Access Control > Synchronization Jobs > Role Usage Sync)
Also make sure that Risk Owners are maintained.

Configuration Settings
This section explains the SOD Review configuration settings.

IMG Configuration
Before running the SOD review job there are some IMG settings that need to be done.
Go to IMG > GRC > Access Control > Maintain Configuration Settings >
1. For PARAM Risk Analysis: Set Parameter 1027 Enable Offline Risk Analysis to YES
2. For PARAM SOD Review: Set the below Parameters

a. 2016 Request Type for SOD: Choose the Default Request type for SOD
b. 2017 Default Priority for SOD: Choose the Default Priority for SOD
c. 2018 Who Are Reviewers: Choose Role Owner / Managers
d. 2019 Admin Review required before sending task to Reviewer: Choose YES / No
e. 2020 Number of unique line items per SOD request: The maximum value of this parameter can be 9999. Beyond 9999, the request will get split and all items will be moved to a new request. This parameter was introduced in GRC 10.0 SP17 (SAP Note #1994429)
f. 2021 Is actual removal of role allowed: Choose Yes / No
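The way parameters 2018, 2020 and 2021 shape the generated requests, and the review process described under SOD Review Process (violations found per user, grouped into requests for a reviewer who then mitigates or removes access), can be seen in the following simplified model. It is an added example, not code from SAP GRC or from this page: the role, function, risk and user master data are constructed, the conflict check is a stand-in for the offline/batch risk analysis, and find_violations, build_requests and remove_role are hypothetical names that mirror the page's description rather than any GRC API. The RISK_OWNER option takes the owner from the constructed risk master data, as described under Roles in SOD Review.

```python
"""Simplified model of SOD review request generation.

Added example, not SAP GRC code: the master data, the risk check and the
function names are constructed stand-ins that mirror what the page describes
for parameters 2018 (who are reviewers), 2020 (line items per request) and
2021 (actual removal of role allowed).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed master data: role -> functions the role grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_AP_VENDOR_MAINT": {"AP01"},  # maintain vendor master data
    "Z_AP_PAYMENT_RUN": {"AP02"},   # execute payment run
    "Z_FI_DISPLAY": {"FI90"},       # display only, conflicts with nothing
}
# Constructed risks: risk id -> (function A, function B, risk owner).
RISKS: Dict[str, Tuple[str, str, str]] = {
    "P001": ("AP01", "AP02", "RISKOWNER1"),
}
# Constructed user data: user -> (manager, assigned roles).
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "JSMITH": ("MGR_A", {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"}),
    "AKHAN": ("MGR_B", {"Z_AP_VENDOR_MAINT", "Z_FI_DISPLAY"}),
    "PLEE": ("MGR_A", {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"}),
}


@dataclass(frozen=True)
class LineItem:
    user: str
    risk_id: str
    roles: Tuple[str, ...]  # roles whose functions together form the conflict


@dataclass
class ReviewRequest:
    reviewer: str
    items: List[LineItem] = field(default_factory=list)


def find_violations(users: Dict[str, Tuple[str, Set[str]]] = USERS) -> List[LineItem]:
    """Stand-in for the batch risk analysis: one line item per (user, risk) conflict."""
    items: List[LineItem] = []
    for user, (_manager, roles) in sorted(users.items()):
        granted: Dict[str, List[str]] = {}  # function -> roles granting it
        for role in sorted(roles):
            for function in ROLE_FUNCTIONS[role]:
                granted.setdefault(function, []).append(role)
        for risk_id, (fn_a, fn_b, _owner) in sorted(RISKS.items()):
            if fn_a in granted and fn_b in granted:
                conflicting = tuple(sorted(set(granted[fn_a] + granted[fn_b])))
                items.append(LineItem(user, risk_id, conflicting))
    return items


def build_requests(items: List[LineItem], reviewer_param: str = "MANAGER",
                   max_items: int = 9999,
                   users: Dict[str, Tuple[str, Set[str]]] = USERS) -> List[ReviewRequest]:
    """Group line items per reviewer (parameter 2018) and split requests (parameter 2020)."""
    if not 1 <= max_items <= 9999:
        raise ValueError("parameter 2020 accepts at most 9999 line items per request")
    by_reviewer: Dict[str, List[LineItem]] = {}
    for item in items:
        if reviewer_param == "MANAGER":
            reviewer = users[item.user][0]
        elif reviewer_param == "RISK_OWNER":
            reviewer = RISKS[item.risk_id][2]
        else:
            raise ValueError(f"unknown reviewer parameter {reviewer_param!r}")
        by_reviewer.setdefault(reviewer, []).append(item)
    requests: List[ReviewRequest] = []
    for reviewer, reviewer_items in sorted(by_reviewer.items()):
        # Beyond max_items the remaining items move to a new request.
        for start in range(0, len(reviewer_items), max_items):
            requests.append(ReviewRequest(reviewer, reviewer_items[start:start + max_items]))
    return requests


def remove_role(item: LineItem, role: str, users: Dict[str, Tuple[str, Set[str]]],
                actual_removal_allowed: bool) -> str:
    """Reviewer chooses removal: ACTUAL REMOVAL (parameter 2021 = Yes) or a proposal only (No)."""
    if role not in item.roles:
        raise ValueError(f"{role} is not part of risk {item.risk_id} for {item.user}")
    if not actual_removal_allowed:
        return "PROPOSE REMOVAL"  # nothing changes on the user's assignments
    manager, roles = users[item.user]
    users[item.user] = (manager, roles - {role})
    return "ACTUAL REMOVAL"


if __name__ == "__main__":
    found = find_violations()
    for request in build_requests(found, "MANAGER", max_items=1):
        print(request.reviewer, [(i.user, i.risk_id, i.roles) for i in request.items])
```

Running the block with max_items=1 shows the split described for parameter 2020: the two line items for manager MGR_A become two requests instead of one. remove_role returns PROPOSE REMOVAL when parameter 2021 is No and only changes the user's assignments when it is Yes, after which a re-run of find_violations no longer reports that user.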

Managing Coordinators
Go to NWBC > Access Management > Compliance Certification Review > Manage Coordinators

The screen will open. Now select any line item to change, or create a new one.

Specifying Escalations
Go to SPRO > GRC > Access Control > User Provisioning > Maintain Service Level Agreement

Here you can create an SLA for the SOD review process. You can specify this via the types Fixed by Date, Fixed by Number of Days, and Formula.

Generating Data for Requests

For generating data for SOD review you need to schedule a job from NWBC > Access Management > Scheduling > Background Scheduler

You can give a Job Name, select Generate data for Access Request SOD Review and click on Next.
After clicking on Next, on the next screen you can give the parameters for which you want to run this job.

Now, on clicking Next and then Finish, the job will be scheduled.

You can check this job under NWBC > Access Management > Scheduling > Background Jobs

Request Review
This step is only required if you have enabled the Admin Review option.
The administrator reviews the requests to ensure completeness and accuracy of the request information prior to sending them to Reviewers.
Go to Access Management > Compliance Certification Review > Request Review

On the Request Review screen, search for the SoD Review requests by selecting the SoD Risk Review Workflow and then review the data to confirm that the Reviewer and Coordinator information is accurate.

On this screen you can add information about the reviewer to the requests if it is not available.
An Administrator can also cancel the request if SoD Reviews are not required or if there is incorrect data.

Update Workflow Job
This step is only required if you have enabled Admin Review and the Admin Review has been completed.
Execute the SoD Review Update Workflow Job to push the workflow tasks to the Reviewers.
Go to Access Management > Scheduling > Background Scheduler.
Click Background Scheduler.
The Schedule Access Management screen will appear.
Choose Create to create a new request for Update Workflow.
The Create Schedule screen will appear.
Enter a Schedule Name.
Select a Schedule Activity from the dropdown list. For SoD Requests, select Update Workflow for SoD Request.

Choose Finish.
Go to Request Review, and check the status of the request to see whether it has been completed.
After completing all of the above-mentioned steps, the requests will now come to the Reviewer's Work Inbox to be worked on.
Now you can view that request in the Work Inbox. On opening the request it will look as below.

Since YES was selected for Actual removal of Roles during the configuration process, the ACTUAL REMOVAL pushbutton appears on the screen. If NO was selected, then the PROPOSE REMOVAL pushbutton appears instead.
By selecting a Risk and then choosing the Actual Removal pushbutton, you can remove the actual role associated with this Risk. By choosing the Propose Removal pushbutton you can only propose the removal; no actual removal is done on any roles. Choose Submit to complete the Review process.

Workflow Configuration
To process SOD review, you need to set the workflow settings in MSMP.
Process ID: SAP_GRAC_SOD_RISK_REVIEW

You can maintain Rules at the 2nd step. You can configure Function Module rules, BRFplus rules, ABAP class based rules, and BRFplus flat rules.

The rules can be one of the following types:
Initiator Rule: To check which path your request will take
Routing Rule: To direct your request to take a detour
Agent Rule: To check for agents (Reviewers) for the request in a particular stage
Notification Rule: Used for notification purposes only
At the 3rd step you can define Agents.
The possible agent types are:
Directly Mapped Users: A group of users created within the workflow configuration
PFCG Roles: All users who have the specified PFCG role assignments
PFCG User Group: All users who are part of the specified PFCG group
GRC API Rules: All users returned by the configured rule for agents

Once the agents are maintained, choose the NEXT pushbutton to maintain the VARIABLES AND TEMPLATES.
In this screen, you can maintain custom notification templates as well as their variables and reminders.

The next step is to maintain paths.

Select a path and choose the ADD or MODIFY pushbuttons to define the path stages.
In the Maintain Stages table, choose the MODIFY TASK SETTINGS button to change the stage settings.
In the Approval Type column, select All Approvers or Any One Approver from the dropdown list. This determines whether all approvers or any one approver is required to approve the stage.
If you choose Yes for Escalation, specify the escalation setting by entering the idle time in minutes. Idle time is the amount of time after which, if the stage is not approved or rejected, the task is either sent to the specified agent or the workflow moves to the next stage.
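As an added illustration of the two task settings just described (Approval Type and Escalation with an idle time in minutes), the following Python model evaluates one stage from constructed decisions and timestamps. It is not SAP's MSMP code: StageConfig, StageTask, record_decision and evaluate_stage are hypothetical names, the agents and times are made up, and treating a REJECT decision as closing the stage is the model's own simplification, since the page only describes the approval side of the setting.

```python
"""Simplified model of one MSMP stage's task settings.

Added example, not SAP MSMP code: it follows the page's description of
Approval Type (All Approvers / Any One Approver) and Escalation (idle time
in minutes, after which the task goes to a specified agent or the workflow
moves to the next stage). Class and function names, timestamps and agents
are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class StageConfig:
    name: str
    agents: List[str]                       # approvers resolved for this stage
    approval_type: str                      # "ALL" or "ANY"
    escalation: bool = False                # Escalation = Yes/No
    idle_minutes: int = 0                   # idle time in minutes
    escalation_agent: Optional[str] = None  # None: move to the next stage instead


@dataclass
class StageTask:
    config: StageConfig
    opened_at: datetime
    decisions: Dict[str, str] = field(default_factory=dict)  # agent -> APPROVE/REJECT
    audit_log: List[str] = field(default_factory=list)


def record_decision(task: StageTask, agent: str, decision: str, at: datetime) -> None:
    """Store an approver's decision; only agents of the stage may decide."""
    if agent not in task.config.agents:
        raise PermissionError(f"{agent} is not an agent of stage {task.config.name}")
    if decision not in ("APPROVE", "REJECT"):
        raise ValueError(f"unsupported decision {decision!r}")
    task.decisions[agent] = decision
    task.audit_log.append(f"{at.isoformat()} {agent} {decision}")


def evaluate_stage(task: StageTask, now: datetime) -> str:
    """Outcome of the stage at time `now`.

    Returns APPROVED, REJECTED, ESCALATED:<agent>, NEXT_STAGE or PENDING.
    Treating any REJECT as closing the stage is this model's simplification;
    the page only describes the approval side of the setting.
    """
    cfg = task.config
    if "REJECT" in task.decisions.values():
        return "REJECTED"
    approvers = {agent for agent, d in task.decisions.items() if d == "APPROVE"}
    if cfg.approval_type == "ALL" and cfg.agents and approvers == set(cfg.agents):
        return "APPROVED"
    if cfg.approval_type == "ANY" and approvers:
        return "APPROVED"
    # Undecided: apply the escalation setting based on time spent in the stage.
    if cfg.escalation and now - task.opened_at >= timedelta(minutes=cfg.idle_minutes):
        if cfg.escalation_agent:
            task.audit_log.append(f"{now.isoformat()} ESCALATED to {cfg.escalation_agent}")
            return f"ESCALATED:{cfg.escalation_agent}"
        task.audit_log.append(f"{now.isoformat()} ESCALATED, moved to next stage")
        return "NEXT_STAGE"
    return "PENDING"


if __name__ == "__main__":
    opened = datetime(2014, 11, 28, 9, 0)  # constructed timestamp
    reviewer_stage = StageConfig("REVIEWER", ["MGR_A", "MGR_B"], "ALL",
                                 escalation=True, idle_minutes=120,
                                 escalation_agent="SECURITY_ADMIN")
    task = StageTask(reviewer_stage, opened)
    record_decision(task, "MGR_A", "APPROVE", opened + timedelta(minutes=40))
    print(evaluate_stage(task, opened + timedelta(minutes=60)))   # MGR_B still open
    print(evaluate_stage(task, opened + timedelta(minutes=120)))  # idle time reached
    print("\n".join(task.audit_log))
```

With Approval Type ALL, one of two approvals leaves the stage pending until the idle time is reached, at which point the task is escalated to the configured agent (or, with no agent configured, the workflow moves on to the next stage); with ANY, the first approval closes the stage. The audit_log list plays the role of the audit trail the page says records such escalations.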

Choose the NEXT pushbutton to go to the Maintain Route Mapping screen. In this step you can maintain route mappings between the initiator rule's result and the actual path for that result.

Now Generate the MSMP version.

Checking SOD Review Requests
After a request is generated, it is sent to the reviewer's Work Inbox and can be accessed by performing the following steps:

You can also search for this request under Search Request > Select Process ID as SOD Risk Review Workflow

Managing Rejections
The line items that are rejected by an approver can be accessed and reworked from the Manage Rejections screen.
Go to Access Management > Compliance Certification Reviews > Manage Rejections.

Select the Process Type and click on Search.

You can find the rejections on this screen.

Related Documents
There are many major SOD review fixes after SP14 of GRC 10.0.
Below are the important SAP Notes regarding this.

1994429 UAM: Running Batch Risk Analysis is mandatory for SOD Review Request creation
2057848 UAM: Incorrect value is displayed for the Variable REQUESTER_NAME in the SOD Notifications
2058766 Removal of reviewer not possible from request reviewer
1888260 UAM: Issues with SOD Review request
1973155 Providing table sorting option in SOD Review request and mitigations not saved on saving SOD request
