
SAP GRC & S/4 at Vitens

Tinette Beuving/ Virgil Verloop


26-09-2019

Vitens uses SAP GRC 12.0 to its full extent in a SAP and non-SAP landscape, and uses GRC as its Identity & Access Management system, including an S/4 Fiori role concept.
Introduction

15:00h - 16:00h SAP GRC & S/4 at Vitens

• Introduction Vitens
• Framework and architecture
• EAM (Firefighter)
• ARA (SoD Scanning, SoD Review)
• ARM (Position Based Access Control, User Access Review)
• BRM (Role management)
• S/4 FIORI Role Concept
• GRC Integration to S/4
• FIORI Access Request app
• Provisioning to Active Directory/Legacy
• Roadmap IAM & GRC

Introduction Vitens

• Vitens is the largest drinking water company in the Netherlands
• Serves 5 provinces
• 5.6 million customers
• 49,000 km of water mains
• Centrally controlled water distribution
• Drinking water laboratory in Leeuwarden

Introduction Projects

• In 2016 the project 'Implementation Authorization Policies' was completed. It delivered a full redesign of the authorization roles and the procedures. In this project we used the CSI tool as the risk analysis tool.
• Vitens decided to automate its authorization processes with SAP GRC: not only the access risk analysis module, but a full integration of the GRC modules (Nov 2017 - Dec 2018).
• In 2019 the S/4HANA Redesign project and the IAM project started:
‒ IAM: connect SAP GRC to Active Directory/legacy systems, update procedures, decommission the current MS IAM system, and redesign and clean up roles
‒ S/4HANA redesign: complete redesign of the Vitens SAP landscape; transfer current systems to S/4HANA, SuccessFactors and C4C

Project Approach

Steering group (GRC Access Control), meets monthly
• Executive / Senior User (OG/SU): Erwin Westerveld
• Senior Supplier (SS): Geuje van Dijk

Project manager: Tinette Beuving

Project team
• Functional administration: Roeland Siemons
• Network administration: not yet assigned
• Architect: Marion Eijkelkamp
• Information analyst: Virgil Verloop
• Technical administration: not yet assigned
• System administration: not yet assigned
• Contract & service manager: Martin Schoonderbeek / Simon Gjaltema
• OSEs (Operational Security Experts): Klaas Luth, Patrick van der Kraats

Scrum team, Scrum Master: Tinette Beuving

Security Organisation

Systems: SAP ECC, SAP IS-U, SAP CRM, SAP BW, BPMS
Departments: ICT, K&F, F&C, HR, N&L, W&Z, O&A, Lab

Roles per department and per system:
• Department manager / process owner acts as system owner
• OSE (of the department / process) acts as delegated system owner

Framework and Architecture

Framework

The framework has three pillars, each resting on a foundation layer:

Identity Lifecycle Management (foundation: Authentication)
• Authoritative sources: SAP HR for employees; partners, customers and consumers
• Joiners / movers / leavers
• User repository, digital identities, sign-on
• Level 1: primary SSO
• Level 2: policy based (application level)
• Level 3: policy based (transaction level)

Authorization Management (foundation: Privileged Access Management)
• Business role management, e.g. BR:CONTROLEUR_DRINKWATERINSTALLATIES (Controleur Drinkwaterinstallaties)
• Context; desired state versus current state
• Provisioning to target applications; access
• Manual access
• Emergency Access Management (Firefighter), (de)central log review, FFID review

Business Alignment (foundation: Review)
• Responsibility; SoD
• Attestations: risk analysis, SoD review (SODREV), User Access Review (UAR), role recertification, control monitoring

Documentation Structure

Vitens Information Security Policy
• SAP Authorization Policy
‒ Standards: SAP Authorization Naming convention, SAP Authorization Concept, SAP System parameters (incl. GRC), SoD Ruleset (VITENS_H), SoD Baseline
‒ Procedures: SAP User management, SAP Role management, SAP Firefighter, SAP SoD Review, SAP User Access Review, SAP Control Monitoring, SAP SoD Rule set management, SAP Mitigated Role Administration, SAP SOLL Matrix management
‒ Registrations: SAP Operational Security Experts, SAP SOLL Matrix, SAP System Owners

Documentation Mapping to Framework

• Identity Lifecycle Management: SAP User management (on boarding, joiners/movers/leavers, provisioning); SAP System parameters (authentication layer)
• Authorization Management: SAP Role management, SAP Mitigated Role Administration, SAP Firefighter (privileged access management layer)
• Business Alignment: SAP SoD Rule set management, SAP SoD Rule set, SAP SoD Baseline, SAP SoD Review, SAP User Access Review, SAP Control Monitoring (review layer)

Framework Solution Overlay

• Identity Lifecycle Management: SAP HR is the authoritative source; authentication (primary SSO) via SAML 2.0 with Azure AD
• Authorization Management and Business Alignment: SAP GRC Access Control covers business role management, provisioning, manual access, Emergency Access Management (Firefighter), (de)central log review, FFID review, risk analysis, SoD review, UAR, role recertification and control monitoring

Architecture GRC 12.0
• No portal integration; we are using NWBC and later Fiori
• SAP Portal will be provisioned via web service, later integrated with SuccessFactors
• Integration to BW is not necessary because we can use GRC Analytics Foundation together with BO front-end tools
• GRC search is only necessary for PC and RM, to search in documents
• Integration with IDM is not applicable (we are using GRC as the IDM tool)
• Integration with non-SAP software is not applicable. We only use the LDAP/AD connector in component "Other Business Applications" and do not need to buy a GL adaptor
• Any DB with SLT is not necessary because we run natively on HANA (HANA integration)
• Integration with S/4 is done via RFC with the NW plug-in, the same as for other SAP systems
• Identity & Access Governance is not being used yet, but will be used to provision C4C and Azure AD
• AC HANA plug-in only for GRC HANA; S/4 is not (yet) using analytical / smart business / factsheet FIORI apps

Emergency Access Management

Emergency Access Management (Firefighter)

1. Firefighter (central and decentral)
2. Firefight log review

The four GRC Access Control modules:
• Access Risk Analysis: accurately identify and remediate SoD and critical access violations with embedded risk analysis
• Business Role Management: define and maintain compliant roles in business-friendly terms and language
• Emergency Access Management: temporarily grant super-user status with "firefighter" login IDs in a controlled, auditable environment
• Access Request Management: automate user access assignments across SAP and non-SAP systems

Central and Decentral

A firefighter is able to firefight:
• Central (GRx) and
• Decentral (S/4HANA/ECC/ISU/CRM/BI)

For each session the firefighter needs to fill in a form with:
• Reason code
• Ticket number
• Description of the transaction codes to be used

Firefight Dashboard

Access Risk Analysis

Access Risk Analysis (SoD management)

1. SoD Ruleset
2. SoD Review
3. Ad hoc scan

SoD Ruleset

• Translation from the CSI ruleset, 97% match
• Ruleset divided (Critical/High vs Medium/Low)
‒ Performance reasons
‒ SODREV reasons
• Change management on the ruleset is active (the ruleset is treated as master data)
• The following approval steps have been followed:
‒ Risk → Risk Owners
‒ Function → Security Team (4-eyes principle)

SoD Review (Safety Net)

Includes the following functionality:
• Plan periodic jobs
• 5 reaction types
• Submit by OSE
• Submit (formal close by DSO)

SoD Dashboard

Access Request Management

Access Request Management (user management)

1. Position Based Access Control (90%)
2. Requests by user (10%)
3. Password Self Service
4. User Access Review

Position Based Access Control

Flow from HR to the target systems:

1. HR (ECC): Employee Self Service, Manager Self Service, HR Specialist
‒ Joiners, movers, leavers, master data updates
2. GRC BRF+: HR logic converted to GRC attributes
3. GRC standard roles: assign roles based on function and system; risk analysis with the VITENS_H ruleset
4. Target systems (manual or automated): update identity with HR actions; identity (de)provisioned in the target system

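The two mechanisms above, a BRF+-style decision table that turns HR attributes into business roles and an ARA-style risk analysis of the result against a ruleset split into Critical/High (VITENS_H) and Medium/Low, can be modelled in a few dozen lines. The code below is an added example and is not Vitens' or SAP's code; the function codes, the role contents, the function and risk definitions and the name VITENS_ML for the Medium/Low ruleset are constructed for illustration, and only the role naming scheme (BR:/TR:) and the ruleset name VITENS_H come from the slides. It also covers the mover case: the derived roles are scanned together with the roles the user already holds, which is where most real SoD hits come from.

```python
"""Position-based role derivation with an ARA-style SoD check.

Added example, not Vitens' or SAP's code. Function codes, role contents,
functions, risks and the ruleset name VITENS_ML are constructed.
"""

# BRF+-style decision table: conditions -> business roles. A None value
# is a wildcard; the first matching row wins (single-hit semantics).
DECISION_TABLE = [
    ({"function_code": "F0120", "location": "LAB"},
     ["BR:CONTROLEUR_DRINKWATERINSTALLATIES"]),
    ({"function_code": "F0301", "location": None},
     ["BR:F&C_FINANCIEEL_CONTROLLER"]),
    ({"function_code": "F0302", "location": None},
     ["BR:F&C_CREDITEUREN"]),                      # constructed role
]

# Generic task roles assigned per target system, independent of function.
SYSTEM_ROLES = {"ECC": ["TR:E_M_ALG_BASIS"], "S4H": ["TR:S_M_ALG_BASIS"]}

# Actions (transaction codes) each role ultimately grants. Constructed.
ROLE_ACTIONS = {
    "BR:CONTROLEUR_DRINKWATERINSTALLATIES": {"IW31", "IW32", "IW38"},
    "BR:F&C_FINANCIEEL_CONTROLLER": {"FB01", "FBL1N", "F110"},
    "BR:F&C_CREDITEUREN": {"FK01", "FB60"},
    "TR:E_M_ALG_BASIS": {"SU53", "SU3"},
    "TR:S_M_ALG_BASIS": {"SU53"},
}

# Ruleset: a function is a set of actions; a risk is a set of functions
# that must not be combined in one user. A function is "hit" as soon as
# the user holds any one of its actions (GRC action-level analysis).
FUNCTIONS = {
    "AP01": {"FK01", "FK02", "XK01"},   # maintain vendor master
    "AP02": {"FB60", "MIRO"},           # post vendor invoices
    "AP03": {"F110"},                   # execute payment run
    "PM01": {"IW31", "IW32"},           # maintain maintenance orders
}
RISKS = {
    "P001": {"level": "High",     "functions": ("AP01", "AP02")},
    "P002": {"level": "Critical", "functions": ("AP02", "AP03")},
    "P003": {"level": "Medium",   "functions": ("AP01", "AP03")},
}


def rulesets():
    """Split the risks into the two rulesets the slides describe."""
    high = {r: d for r, d in RISKS.items() if d["level"] in ("Critical", "High")}
    rest = {r: d for r, d in RISKS.items() if r not in high}
    return {"VITENS_H": high, "VITENS_ML": rest}


def derive_roles(hr, systems):
    """Decision table lookup plus the generic role of every target system."""
    roles = []
    for conditions, out in DECISION_TABLE:
        if all(v is None or hr.get(k) == v for k, v in conditions.items()):
            roles.extend(out)
            break
    for system in systems:
        roles.extend(SYSTEM_ROLES.get(system, []))
    return roles


def risk_analysis(roles, ruleset):
    """Return the sorted risk IDs violated by the combined role set."""
    actions = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
    return sorted(
        rid for rid, risk in ruleset.items()
        if all(FUNCTIONS[f] & actions for f in risk["functions"])
    )


def provision(hr, systems=("ECC",), existing_roles=()):
    """Joiner/mover decision: derived roles are scanned together with the
    roles the user already holds; any Critical/High hit blocks the request
    so it goes to a risk owner instead of being provisioned."""
    roles = list(dict.fromkeys(list(existing_roles) + derive_roles(hr, systems)))
    hits = risk_analysis(roles, rulesets()["VITENS_H"])
    return {"roles": roles, "risks": hits,
            "status": "BLOCKED" if hits else "PROVISION"}
```

A joiner with function code F0301 gets the controller role and is provisioned; the same person as a mover who still holds BR:F&C_CREDITEUREN is blocked on P001 and P002, while P003 would only surface in the Medium/Low scan that runs in the periodic SoD review rather than in the request.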
Onboarding Form (PDF)

Joiner (GRC actions)

Subject
Welcome to Vitens!

Body
Dear Virgil Verloop,

Based on your function within Vitens an SAP account has been created for you.

Your SAP user name is: VERLOOPV.

From now on you can log in to the SAP GRC Portal.

On the SAP GRC portal you can:
* reset your password on any SAP system
* submit an SAP access request (if you do not yet have the right authorizations)
* view your current access rights in SAP

You have been assigned the following role(s):

BR:F&C_FINANCIEEL_CONTROLLER

Kind regards,

Functional Administration Authorizations

(for more help see the GRC Quick Reference Guides)

Position Based Access Control via Standard role

Business role assignment based on function code (via location)

Generic role assignment based on system

Manual activities:
• PPOME provisioning (org model in e.g. CRM)
• License code in UMR > role-based classification in USMM

Movers, Leavers and Master data Updates

We have similar processes for movers, leavers and master data updates.

Password Self Service

1. Login to GRC (with SSO)
2. Request reset (select system)
3. E-mail notification
4. Login to the target system and execute the reset

Password Reset Menu

• Password reset is possible on production and non-production systems
• Reset is not possible when the user has an admin lock
• A valid @vitens.nl e-mail address is mandatory in UMR

User Access Review

Periodic control (twice a year) of user role assignments

The OSE (Operational Security Expert) has two weeks to finish the UAR
• After that the UAR work item escalates to the DSO (Delegated System Owner)

The following actions are allowed for every line item:
• Approve
• Delete (the role is immediately deleted!)
• Forward to another OSE

User Management Dashboard

Business Role Management

Business Role Management (Role management)

1. Business role hierarchy
2. Role management process

GRC Business Role Hierarchy

1) Business role (can be requested in GRC) - owner
BR:CONTROLEUR_DRINKWATERINSTALLATIES (Controleur Drinkwaterinstallaties)

2) Function role per system (can be requested in GRC) - owner
• BO-BI: enterprise group BI, reporting domain Aansluitingen
• BW: FR:B_LAB_CONTROLEUR_DWI
• ECC: FR:E_LAB_CONTROLEUR_DWI
• ISU: FR:I_LAB_CONTROLEUR_DWI
• CRM: FR:C_LAB_CONTROLEUR_DWI
• MOBILE: FR:M_LAB_CONTROLEUR_DWI
• HR Portal: portal role nl.vitens.F_medewerker - User

3) Task role (can be requested in GRC) - owner
• BO-BI: Query (object: Applications (InfoProvider)); object: Folders
• BW: TR:B_W_LAB_AANNEMERI; TR:B_ANA_VITENS (analysis authorizations)
• ECC: TR:E_M_ALG_BASIS; TR:E_B_LAB_DWI_ORDER
• ISU: TR:I_M_ALG_BASIS; TR:I_W_LAB_OVERIGEN
• CRM: TR:C_M_ALG_BASIS; TR:C_M_LAB_SERV_ORDE
• MOBILE: TR:I_M_ALG_BASIS; TR:I_W_ALG_DOESYNC

Technical implementation: BO-BI application / folder / query, ABAP function roles for BW, ECC, ISU, CRM and MOBILE, a portal menu for the HR Portal.

Role Management Simplified

1. Role request (end user)
2. Approval by manager (manager)
3. Define role (security)
4. Maintain authorizations (security)
5. Risk analysis & mitigation (security)
6. Approval by OSE (OSE)
7. Unit test and UAT (security, business)
8. Approval by CCB (change control)
9. Transport to production (transport team)

Composite Role Methodology (Example)

Business Role Management Dashboard

S/4 FIORI Role Concept

S/4 HANA Authorization Model

S4H ABAP side
• Function role FR:S_LAB_CONTROLEUR_DWI
• Basis task role TR:S_M_ALG_BASIS
• Task roles TR:S_B_LAB_DWI_ORDER and TR:S_ALG_LEVERANCIERS, each with TADIR + authorizations

S4H FIORI side
• Catalog 1 (apps A, B, C, D) and catalog 2 (apps E, F, G, H)
• Group 1 (D, A), group 2 (H, E), group 3
• FIORI app

Principles of the model
• Function role / task role model
• A task role is connected to a catalog
• Groups are linked to task roles
• Authorizations (TADIR) in task roles are generated based on the catalog

Principles

Sub process related catalogs

Sub process related task roles

Sub process related groups

Catalog role is the classical task role

Catalog has to be SoD free

Task role has to be SoD free

FIORI Startup Screen

Role Design/Build Approach
1. Organize workshops with OSEs and consultants to design the authorization roles
2. Analyze current roles and compare them to design 0.1
3. Build new roles
• Copy current task roles
• Build catalog
• Build group
• Add group and catalog to the task role
4. Define the Risk Control Matrix
5. Analyze the outcomes of the RCM and add to the ruleset if necessary
6. SoD scan the roles
7. Discuss outcomes with OSEs and consultants
8. Unit test
9. UAT

Responsibilities

Fiori – Tiles

A tile consists of the following data:

Common
• Title
• Subtitle
• Keywords
• Symbol

Navigation
• Semantic object
• Action
• Parameters
• Target URL

Fiori – Target Mapping

In the target mapping the combination of semantic object and action (= intent) is linked to the app (= target), transaction or Web Dynpro which has to be executed.
In the target you define the app, transaction or Web Dynpro which has to be started.

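The security-relevant consequence of the role model and of intent-based navigation is that a tile in a group is only a shortcut: what a user can launch is decided by the target mappings in the catalogs of their task roles, and the generated S_SERVICE authorizations in those task roles must cover the OData services those catalogs reference. The code below is an added example (not SAP's or Vitens' code) that models this resolution: it parses an intent, walks function role to task role to catalog, and returns the target or None. The catalog names, app IDs, OData service names and the Shell-startGUI parameter name sap-ui2-tcode are assumptions for illustration; the role names FR:S_LAB_CONTROLEUR_DWI, TR:S_M_ALG_BASIS, TR:S_B_LAB_DWI_ORDER and TR:S_ALG_LEVERANCIERS are taken from the slides.

```python
"""Resolving a Fiori intent against the catalogs a user holds.

Added example, not SAP's or Vitens' code. Catalog names, app IDs and
OData service names are constructed.
"""
from urllib.parse import parse_qs

# Target mappings per catalog: (semantic object, action) -> target.
CATALOGS = {
    "Z_LAB_DWI_ORDER": {
        ("MaintenanceOrder", "create"):  {"type": "app", "id": "F1111", "service": "ZPM_ORDER_SRV"},
        ("MaintenanceOrder", "display"): {"type": "app", "id": "F1112", "service": "ZPM_ORDER_SRV"},
    },
    "Z_ALG_BASIS": {
        ("Shell", "startGUI"):       {"type": "transaction"},   # tcode comes from the intent
        ("UserSettings", "display"): {"type": "app", "id": "F1113", "service": "ZUSER_SETTINGS_SRV"},
    },
    "Z_ALG_LEVERANCIERS": {
        ("Supplier", "manage"): {"type": "app", "id": "F1114", "service": "ZSUPPLIER_SRV"},
    },
}
# Task role -> catalog it carries; function role -> task roles it bundles.
TASK_ROLES = {
    "TR:S_B_LAB_DWI_ORDER": "Z_LAB_DWI_ORDER",
    "TR:S_M_ALG_BASIS": "Z_ALG_BASIS",
    "TR:S_ALG_LEVERANCIERS": "Z_ALG_LEVERANCIERS",
}
FUNCTION_ROLES = {
    "FR:S_LAB_CONTROLEUR_DWI": ["TR:S_B_LAB_DWI_ORDER", "TR:S_M_ALG_BASIS"],
}


def parse_intent(fragment):
    """'#MaintenanceOrder-create?orderType=PM01' -> (object, action, params)."""
    body = fragment.lstrip("#")
    intent, _, query = body.partition("?")
    semantic_object, sep, action = intent.partition("-")
    if not sep or not semantic_object or not action:
        raise ValueError(f"not a Fiori intent: {fragment!r}")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return semantic_object, action, params


def user_catalogs(function_roles):
    """Catalogs reachable through the user's function roles."""
    return {
        TASK_ROLES[tr]
        for fr in function_roles
        for tr in FUNCTION_ROLES.get(fr, [])
        if tr in TASK_ROLES
    }


def resolve(function_roles, fragment):
    """Return the target the launchpad would start, or None when no catalog
    of the user holds a matching target mapping. Whether a tile for the
    intent sits in one of the user's groups plays no part in this."""
    semantic_object, action, params = parse_intent(fragment)
    for catalog in sorted(user_catalogs(function_roles)):
        target = CATALOGS[catalog].get((semantic_object, action))
        if target is not None:
            resolved = dict(target, catalog=catalog, params=params)
            if target["type"] == "transaction":
                resolved["tcode"] = params.get("sap-ui2-tcode")
            return resolved
    return None


def required_services(function_roles):
    """OData services referenced by the user's catalogs: what the generated
    S_SERVICE authorizations in the task roles have to cover, which is why a
    catalog and its task role are checked for SoD as one unit."""
    return sorted({
        target["service"]
        for catalog in user_catalogs(function_roles)
        for target in CATALOGS[catalog].values()
        if "service" in target
    })
```

With only FR:S_LAB_CONTROLEUR_DWI the intent #MaintenanceOrder-create resolves through Z_LAB_DWI_ORDER, #Supplier-manage resolves to nothing even if a tile for it were visible, and the GUI transaction started via #Shell-startGUI still faces the S_TCODE check in the ABAP back end.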
GRC Integration to S/4

GRC Ruleset Upgrade Approach for S/4HANA
• Download the ruleset from GRC PRD in spreadsheet format
• Benchmark and analyse the ruleset (Protiviti)
‒ Disable obsolete tcodes
‒ Modified authorization objects
‒ New S/4 tcodes (S/4HANA 1809)
‒ Generated FIORI OData services from table USOBHASH
‒ Mapping of FIORI apps to tcodes for placement in a GRC function
‒ FIORI apps without a tcode mapping: manual placement in a GRC function
• Download the active ruleset from GRC PRD (SPRO)
• Upload the active ruleset to GRC DEV (SPRO)
• Append the ruleset (VITENS_H) in GRC DEV on connector SAP_S4_LG (new adjustments from the Protiviti analysis)
• Role level scan on ECC PRD (validate that the new ruleset still works on the old system)
• Role level scan on S/4 DEV (validate that the new ruleset works for the new FIORI roles)
• Final acceptance by Vitens

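The mapping steps above (disable obsolete tcodes, place each Fiori app and its OData service in the function that already holds the tcode it replaces, list apps without a tcode equivalent for manual placement) are mechanical enough to script, and scripting them also gives the two validation scans something to check: an ECC role that carries only tcodes and an S/4 role that carries only apps and services must hit the same function. The code below is an added example, not Protiviti's, SAP's or Vitens' code. The function contents, app IDs, service names and the USOBHASH-style hash values are constructed; the action types TCD, FAPP and SVC follow the slides' naming.

```python
"""Extending GRC ruleset functions with Fiori apps and OData services.

Added example, not Protiviti's, SAP's or Vitens' code. Function contents,
app IDs, service names and hash values are constructed.
"""

# Actions of two existing functions, as exported from GRC (constructed).
FUNCTIONS = {
    "AP02": {"FB60", "MIRO"},          # post vendor invoices
    "AP03": {"F110", "F111"},          # execute payment run
}
OBSOLETE_TCODES = {"F111"}             # constructed: assumed dropped in S/4HANA 1809

# Fiori app -> tcodes it replaces; an empty set means no tcode equivalent.
APP_TCODES = {
    "F0859": {"FB60"},                 # constructed mapping
    "F0770": {"F110"},
    "F1234": set(),
}
# Rows in the shape of USOBHASH: service name and its hash (constructed).
# The hash is what an S_SERVICE check (SRV_TYPE HS) compares against.
USOBHASH_ROWS = [
    {"app": "F0859", "service": "ZSUPPLIERINVOICE_SRV", "hash": "0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D"},
    {"app": "F0770", "service": "ZPAYMENTPROPOSAL_SRV", "hash": "1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E"},
    {"app": "F1234", "service": "ZORPHAN_SRV",          "hash": "2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F"},
]


def extend_functions(functions, obsolete, app_tcodes, usobhash_rows):
    """Return (extended functions, apps that need manual placement).

    Each extended function holds typed actions: ("TCD", tcode),
    ("FAPP", app id) and ("SVC", service hash), so a scan of an old ECC
    role (tcodes only) and of a new Fiori role (apps and services only)
    both hit the same function."""
    row_by_app = {row["app"]: row for row in usobhash_rows}
    extended = {}
    placed = set()
    for fid, tcodes in functions.items():
        actions = {("TCD", t) for t in tcodes - obsolete}
        for app, replaced in app_tcodes.items():
            if replaced & tcodes:
                actions.add(("FAPP", app))
                placed.add(app)
                row = row_by_app.get(app)
                if row is not None:
                    actions.add(("SVC", row["hash"]))
        extended[fid] = actions
    unplaced = sorted(set(app_tcodes) - placed)
    return extended, unplaced


def hits(extended, user_actions):
    """Functions hit by a user's actions, given as the same typed tuples.
    Any single action of a function is enough for a hit."""
    return sorted(fid for fid, acts in extended.items() if acts & user_actions)
```

Running it over the constructed input drops F111 from AP03, adds F0859 and its service to AP02 and F0770 to AP03, and reports F1234 as the one app that has to be placed by hand; a user holding only the tcode FB60 and a user holding only the app F0859 both hit AP02.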
GRC Connection to S/4

Activities to connect the S/4 system
• Install the GRC plug-in on the S/4 system
• Extend the sync jobs on GRC
• Configure the GRC parameters on S/4
• Import the S/4 function/task roles with attributes into GRC
• Extend the business roles in GRC with S/4 composite roles (joiners/movers/leavers get S/4 authorizations)
• SPRO extensions for the S/4 system (leaver process, connections, user parameters etc.)
• Create firefight roles in S/4
• Testing (unit test, UAT and production validation)

Issues
• Firefighters need to use the FIORI launchpad instead of tcodes. We created composite roles per module with broad catalogues. Firefighters can log in to S/4 and need to start tcode /UI2/FLP for the FIORI launchpad
• The link between OData services [SVC] and FIORI apps [FAPP] is not transparent
• The link with the FIORI app ID is also not available in the system
• Limited hits (false negatives) due to incorrect usage of the action tab; see SAP Note 2655122 for the correct usage

FIORI Access Request App

FIORI Access Request App

• Currently 90% of our access requests come via the PBAC trigger; manual access requests are rare
• When expanding to Active Directory the expectation is that manual access requests become more common (e.g. access to MS Visio), so the Access Request app becomes an important part of the IAM solution
• The current NWBC request app takes about 10 clicks to select a role
• GRC 12.0 delivers a standard FIORI request app, but it is not that user friendly
• Custom app development was necessary to meet the expectations of the business

FIORI App Development Process (supported by build.me)

• Discover, design and develop
• Feedback from participants
• Heatmap to view hotspots

FIORI High-Fidelity Design

• Based on web shops: Bol.com, Coolblue.nl
• Search bar on top
• Navigate per category
• Use real data with the Excel upload feature
• Collect feedback and iterate
• Transfer to SAP Cloud Platform and connect the OData services (role search / order submission)
• Publish on GRC development
• Transport to GRC production

Provisioning to Active Directory/Legacy

Provisioning to Active Directory

Provision on-premise AD using SAP GRC AC

Extend business roles with AD "groups"

AD processes can make use of the existing processes for:
• Joiners/Movers/Leavers/Updates
• Business Role model
• User Access Review
• SoD Review (AD critical access risks)
• Access Request process
• Reporting

Azure cloud can be provisioned via the Identity Access Governance cloud

Manual Provisioning

• Legacy system connector
• File based provisioning

GRC Business Role Hierarchy (extended to HANA, FIORI and AD)

1) Business role (can be requested in GRC) - owner
BR:CONTROLEUR_DRINKWATERINSTALLATIES (Controleur Drinkwaterinstallaties)

2) Function role per system (can be requested in GRC) - owner GRC
• GRC: FR:G_ALG_MANAGER (ABAP function role)
• GRC FIORI: group (FIORI function role)
• GRC HDB: FR:H_ALG_MANAGER (HANA privilege)
• S4H ABAP: FR:S_LAB_CONTROLEUR_DWI (ABAP function role)
• S4H FIORI: group (FIORI function role)
• PA: OU=Resources (manual)
• AD: OU=Resources (AD group)

3) Task role (can be requested in GRC) - owner
• GRC: TR:G_M_ALG_BASIS; business content TR:G_M_ALG_AC_APPROVA; services TR:G_M_ALG_AC_FAPAPPR
• GRC FIORI: catalog, tile
• GRC HDB (privileges): TR:H_M_ALG_BASIS; TR:H_VIEW_MANAGER
• S4H ABAP: TR:S_M_ALG_BASIS; business content TR:S_B_LAB_DWI_ORDER; services TR:S_B_LAB_DWI_ORDER
• S4H FIORI: catalog, tile
• PA and AD: AppData, Applications, File, Web Application, OU=Mail, Shared Mailboxes

IAM Chain - User Creation (part 1)

1. Create on boarding (HR portal)
2. Processing in the HR backend system
3. GRC detects the new employee and generates User ID / mail on GRC
4. GRC writes User ID / mail back to the HR backend system
5. GRC triggers the joiner process based on IT0105-0001 and creates an access request
6. User creation with all relevant attributes in the GRC system
7. LDAP SYNC creates the user in Active Directory with all relevant attributes
8. Active Directory script enables the account, creates the home drive, moves it to the correct OU and syncs the account to Azure AD (cloud)
9. Azure AD generates the mailbox and Office 365

IAM Chain - Authorizations Assignment (part 2)

1. Pre Employment Screening (PES) needs to be completed by HR
2. HR sets the PES indicator to OK in the HR system
3. GRC generates a second trigger and assigns authorizations based on PBAC
4. GRC generates the initial password
5. Initial Windows password is sent to the manager via e-mail
6. Provisioning to target systems (SAP and non-SAP)
7. Welcome e-mail is sent to the new employee

Attribute Mapping HR → GRC → UMR → LDAP (AD)

Roadmap IAM & GRC

Roadmap GRC & IAM
2018-2019 / 2020 / 2021 / 2022

Goal
• Compliant Access Control SAP
• Compliant Access Control non-SAP
• Optimized Control Cycle

Projects / Processes
• Authorization set-up S/4HANA streams 2 to 4
• Automation of AC processes; Backlog GRC Pro
• Provisioning KA, PA and LAB
• Cloud provisioning IAG
• M/A Control Performance; Disclosure Surveys
• Key controls IT; ToD/ToE assessments
• Key controls S1 to S4; other controls
• Internal control statement via PC
• Regular audits (internal & external)

Organisation
• Set up the IAM team
• Professionalise the 1st/2nd line of defence
• Embed PC administration in the IAM team
• Establish the Vitens control culture

Systems
• MS FIM
• SAP GRC AC - LDAP; MS Excel / SharePoint
• NWBC end users; SAP GRC Process Control
• FIORI
• SAP GRC AC - Manual Provisioning
• SAP IAG bridge SuccessFactors EC to GRC
• Jira integration; SAP IAG full suite
• Connect PO/Portal

Feedback and Questions