Vitens maximizes SAP GRC 12.0 in a SAP & non-SAP landscape and is using GRC as an Identity & Access Management system, including a S/4 Fiori role concept
Introduction
Introduction Vitens
Introduction Projects
• In 2016 the project 'Implementation Authorization Policies' was completed. With it a full redesign of the authorization roles and procedures was delivered. In this project we used the CSI tool as a risk analysis tool.
• Vitens decided to automate its authorization processes with SAP GRC: not only the access risk analysis module, but a full integration of the GRC modules (Nov 2017 – Dec 2018).
• In 2019 the S/4HANA Redesign project and the IAM project started:
‒ IAM: connect SAP GRC to Active Directory/legacy systems, update procedures, deprovision the current MS IAM system, and redesign and clean up roles
‒ S/4HANA redesign: complete redesign of the Vitens SAP landscape; transfer the current systems to S/4HANA, SuccessFactors and C4C
Project Approach
Steering group (Stuurgroep) GRC Access Control, meeting once a month (1x maand):
• Client / Senior User (OG/SU): Erwin Westerveld
• SS: Geuje van Dijk
Project manager: Tinette Beuving
Project team:
• Functional administration (Functioneel beheer): Roeland Siemons
• Network administration (Netwerkbeheer): not yet known (nnb)
• Architect: Marion Eijkelkamp
• Information analyst (Informatie analist): Virgil Verloop
• Technical administration (Technisch beheer): not yet known (nnb)
• System administration (Systeembeheer): not yet known (nnb)
• Contract & Service manager: Martin Schoonderbeek / Simon Gjaltema
• OSEs: Klaas Luth, Patrick van der Kraats
Scrum team: Scrum Master Tinette Beuving
Security Organisation
Organisation chart on the slide with the departments ICT, K&F, F&C, HR, N&L, W&Z, O&A and Lab
Framework and Architecture
Framework
IAM framework diagram (slide graphic); recoverable elements:
• Identity lifecycle (Joiners/Movers/Leavers) fed by authoritative sources (SAP HR) for employees, partners, customers and consumers into a user repository of digital identities
• Business Role Management with a context of Responsibility and SoD; example business role BR:CONTROLEUR_DRINKWATERINSTALLATIES (Controleur Drinkwaterinstallaties)
• Desired state versus current state of access, with provisioning to the target applications and sign-on (primary SSO)
• Attestations, Level 1: Manual Access, Risk Analysis, Emergency Access Management (Firefighter), SoD Review (SODREV), User Access Review (UAR), FFID Review
• Attestations, Level 2: policy based (application level)
Documentation Structure
Documentation Mapping to Framework
The framework diagram with the Vitens documents mapped onto it (slide graphic), in the columns Identity Lifecycle Management, Authorization Management and Business Alignment. Documents visible on the slide:
• Identity lifecycle (Joiners/Movers/Leavers): On Boarding management, SAP HR Administration, SAP User management
• Authorization management: SAP Role management, SAP SoD Rule set, SAP Mitigated Role, SAP SoD Baseline
• Attestations, Level 1 (Manual Access, Risk Analysis, Emergency Access Management): SAP SoD Review (SODREV), SAP User Access Review (UAR), SAP Firefighter (FFID Review)
• Attestations, Level 2, policy based (application level): De(central) Log Review, Role Recertification, Control Monitoring
• Attestations, Level 3, policy based (transaction level): SAP System parameters, Authentication, Privileged Access Management Review
Framework Solution Overlay
The framework diagram with the solutions overlaid (slide graphic). SAP GRC Access Control covers the digital identities, Business Role Management, provisioning and the attestations (Manual Access, Risk Analysis, Emergency Access Management (Firefighter), SODREV, UAR, FFID Review, De(central) Log Review, Role Recertification, Control Monitoring at Level 1, Level 2 policy based (application level) and Level 3 policy based (transaction level)); sign-on to the target applications uses SAML 2.0 via Azure AD.
Architecture GRC 12.0
• No portal integration; we are using NWBC and later Fiori
• SAP Portal will be provisioned via Web Service, later with integration to SuccessFactors
• Integration to BW is not necessary because we can use GRC Analytics Foundation together with BO front-end tools
• GRC search is only necessary for PC and RM, to search in documents
• Integration with IDM is not applicable (we are using GRC as the IDM tool)
• Integration with non-SAP software is not applicable. We are only using the LDAP/AD connector in component “Other Business Applications” and do not need to buy a GL adaptor
• Any DB with SLT is not necessary because we run natively on HANA (HANA integration)
• Integration with S/4 is done via RFC with the NW plugin, the same for the other SAP systems
• Identity & Access Governance is not being used yet, but will be used to provision C4C and Azure AD
• AC HANA plugin only for GRC HANA; S/4 is not (yet) using analytical/smart business/factsheet FIORI apps
Emergency Access Management
Emergency Access Management (Firefighter)
Central and Decentral
Firefight Dashboard
Access Risk Analysis
Access Risk Analysis (SoD management)
SoD Ruleset
SoD Review (Safety Net)
SoD Dashboard
Access Request Management
Access Request Management (user management)
Position Based Access Control
Flow on the slide: Movers and Leavers are detected by updating the identity with HR; the HR logic is converted to GRC attributes and actions
Onboarding Form (PDF)
Joiner (GRC actions)
E-mail shown on the slide: subject (Onderwerp) “Welkom bij Vitens!” (Welcome to Vitens!), body (Body) starting with “Beste Virgil Verloop” (Dear Virgil Verloop)
Position Based Access Control via Standard role
Manual activities:
• PPOME provisioning (org model in e.g. CRM)
• License code in UMR > role-based classification in USMM
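Position based access control means the desired role set of a user is derived from the HR position and then compared with what is currently assigned, so that a mover loses the roles of the old position and a leaver ends with nothing. The following is an added illustration of that reconciliation, not Vitens' GRC configuration: the position-to-role table, the baseline role, the `POS_*` position codes and the `BR:EXAMPLE_*` role names are constructed; only BR:CONTROLEUR_DRINKWATERINSTALLATIES is taken from the deck.

```python
"""Position based access control: derive the desired role set of a user from
the HR position and reconcile it with the roles currently assigned.
Added illustration, not Vitens' GRC configuration; the position-to-role table,
the baseline role and the HR records are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Constructed: HR position -> GRC business role(s), the "standard role" of the position
POSITION_ROLES = {
    "POS_LAB_CONTROLEUR_DWI": {"BR:CONTROLEUR_DRINKWATERINSTALLATIES"},  # role name from the deck
    "POS_EXAMPLE_AP_CLERK": {"BR:EXAMPLE_AP_CLERK"},                      # constructed
}
# Constructed: every active employee gets this baseline role regardless of position
BASELINE_ROLES = {"BR:EXAMPLE_EMPLOYEE"}


@dataclass(frozen=True)
class HRRecord:
    user_id: str
    position: Optional[str]   # None when HR has ended the position (leaver)
    active: bool              # False once the employment is terminated


def desired_roles(rec: HRRecord) -> set:
    """Desired state: nothing for a leaver, baseline plus position roles otherwise."""
    if not rec.active:
        return set()
    return BASELINE_ROLES | POSITION_ROLES.get(rec.position or "", set())


def classify(rec: HRRecord, current: set) -> str:
    """Joiner, mover, leaver or unchanged, judged from HR state and current assignments."""
    if not rec.active:
        return "leaver"
    if not current:
        return "joiner"
    return "mover" if desired_roles(rec) != current else "unchanged"


def reconcile(rec: HRRecord, current: set) -> list:
    """Return the GRC actions that move the current state to the desired state.

    Removals are emitted as well as assignments, so a mover does not keep the
    roles of the old position and a leaver ends up with no roles and a locked user.
    """
    want = desired_roles(rec)
    actions = [("assign", r) for r in sorted(want - current)]
    actions += [("remove", r) for r in sorted(current - want)]
    if not rec.active:
        actions.append(("lock", rec.user_id))
    return actions


if __name__ == "__main__":
    joiner = HRRecord("U1", "POS_LAB_CONTROLEUR_DWI", True)
    print(classify(joiner, set()), reconcile(joiner, set()))
    mover = HRRecord("U1", "POS_EXAMPLE_AP_CLERK", True)
    print(classify(mover, desired_roles(joiner)), reconcile(mover, desired_roles(joiner)))
    leaver = HRRecord("U1", None, False)
    print(classify(leaver, desired_roles(mover)), reconcile(leaver, desired_roles(mover)))
```

The point of computing the full difference rather than only the additions is that access accumulation on movers is what the later SoD review and UAR otherwise have to catch after the fact; removals and the lock of a leaver are the deprovisioning half of the trigger.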
Movers, Leavers and Masterdata Updates
Password Self Service
Password Reset Menu
User Access Review
The OSE (Operational Security Expert) has two weeks to finish the UAR
• After that the UAR work item escalates to the DSO (Delegated System Owner)
User Management Dashboard
Business Role Management
Business Role Management (Rolbeheer, role management)
GRC Business Role Hierarchy
Three-level hierarchy in GRC (slide graphic); contents readable on the slide:
• Level 1, business role: BR:CONTROLEUR_DRINKWATERINSTALLATIES (Controleur Drinkwaterinstallaties)
• Level 2, function roles (Functierol): FR:B_LAB_CONTROLEUR_DWI (BI; enterprise group BI, reporting domain (Rapportagedomein) Aansluitingen), FR:E_LAB_CONTROLEUR_DWI, FR:I_LAB_CONTROLEUR_DWI, FR:C_LAB_CONTROLEUR_DWI and FR:M_LAB_CONTROLEUR_DWI (ABAP FR roles), and the portal role (Portalrol) nl.vitens.F_medewerker - User (menu)
• Level 3, task roles (Taakrol): under the BI function role a Query task role (TR:B_W_LAB_AANNEMERI), the objects Applications (InfoProvider) and Folders, and analysis authorizations (TR:B_ANA_VITENS); under the ABAP function roles TR:E_M_ALG_BASIS, TR:I_M_ALG_BASIS, TR:C_M_ALG_BASIS, TR:I_M_ALG_BASIS, TR:E_B_LAB_DWI_ORDER, TR:I_W_LAB_OVERIGEN, TR:C_M_LAB_SERV_ORDE and TR:I_W_ALG_DOESYNC
• Bottom row of the diagram (what each column resolves to): Application | Folder, Query, ABAP FR rol (four times), Menu
Role Management Simplified
Composite Role Methodology (Example)
Business Role Management Dashboard
S/4 FIORI Role Concept
S/4 HANA Authorization Model
• Function – task role model; function role FR:S_LAB_CONTROLEUR_DWI
• A task role is connected to a catalog: on the slide, Catalog 1 (Catalogus 1) holds the FIORI apps A, B, C and D and Catalog 2 (Catalogus 2) holds E, F, G and H, with Group 3 (Groep 3) shown alongside
Principles
FIORI Startup Screen
Role Design/Build Approach
• Organize workshops with OSEs and consultants to design the authorization roles
• Unit test
• UAT
Responsibilities
Fiori – Tiles
Common
• Title
• Subtitle
• Keywords
• Symbol
Navigation
• Semantic object
• Action
• Parameters
• Target-URL
Fiori – Target Mapping
In the target mapping the combination of semantic object and action (= intent) is linked to the app (= target), transaction or Web Dynpro which has to be executed.
In the target you define the app, transaction or Web Dynpro which has to be started.
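To make the intent-to-target resolution concrete, here is an added example (not SAP's launchpad code and not Vitens' configuration) of how an intent such as `#LabOrder-display?OrderId=4711` is split into semantic object, action and parameters and then looked up in the target mappings of the catalogs a user holds. The catalog names (`CAT_EXAMPLE_*`), the semantic objects and the app names are constructed; `MM03` and `MRBR` are used as stand-in transaction targets.

```python
"""Resolve a Fiori intent (semantic object + action) through the target mappings
of the catalogs a user holds. Added illustration, not SAP's launchpad code or
Vitens' configuration; the catalogs, mappings and app names are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class TargetMapping:
    semantic_object: str
    action: str
    target_type: str        # "app", "transaction" or "webdynpro"
    target: str             # app id, tcode or Web Dynpro application
    parameters: tuple = ()  # parameter names the target accepts


# Constructed catalogs; a user only navigates through mappings of catalogs in their roles
CATALOGS = {
    "CAT_EXAMPLE_LAB": [
        TargetMapping("LabOrder", "display", "app", "example.laborder.display", ("OrderId",)),
        TargetMapping("LabOrder", "create", "app", "example.laborder.create"),
        TargetMapping("Material", "display", "transaction", "MM03", ("MaterialNo",)),
    ],
    "CAT_EXAMPLE_FIN": [
        TargetMapping("Invoice", "release", "transaction", "MRBR"),
    ],
}


def parse_intent(hash_fragment: str):
    """Split '#LabOrder-display?OrderId=4711' into (object, action, parameters)."""
    nav, _, query = hash_fragment.lstrip("#").partition("?")
    obj, sep, action = nav.partition("-")
    if not (sep and obj and action):
        raise ValueError(f"not a valid intent: {hash_fragment!r}")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return obj, action, params


def resolve(hash_fragment: str, user_catalogs) -> Optional[dict]:
    """Return the target for the intent, or None if no assigned catalog maps it.

    An intent that is not mapped in any of the user's catalogs cannot be started
    through the launchpad, which is what makes the catalog the unit of
    navigation authorization. URL parameters the mapping does not declare are
    dropped rather than forwarded to the target.
    """
    obj, action, params = parse_intent(hash_fragment)
    for cat in user_catalogs:
        for tm in CATALOGS.get(cat, []):
            if tm.semantic_object == obj and tm.action == action:
                return {
                    "type": tm.target_type,
                    "target": tm.target,
                    "params": {k: v for k, v in params.items() if k in tm.parameters},
                }
    return None


if __name__ == "__main__":
    print(resolve("#LabOrder-display?OrderId=4711", ["CAT_EXAMPLE_LAB"]))
    print(resolve("#Invoice-release", ["CAT_EXAMPLE_LAB"]))
```

A target mapping only decides where navigation lands; the started app or transaction still checks the backend authorizations carried by the task role, which is why the SoD ruleset needs the OData services and tcodes behind the apps and not just the catalog.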
GRC Integration to S/4
GRC Ruleset Upgrade Approach for S/4HANA
• Download the ruleset from GRC PRD in spreadsheet format
• Benchmark and analyse the ruleset (Protiviti):
‒ Disable obsolete tcodes
‒ Modified authorization objects
‒ New S/4 tcodes (S/4HANA 1809)
‒ Generated FIORI oData services from table USOBHASH
‒ Map FIORI apps to tcodes for placement in the GRC function
‒ FIORI apps without a tcode mapping: manual placement in a GRC function
• Download the active ruleset from GRC PRD (SPRO)
• Upload the active ruleset to GRC DEV (SPRO)
• Append the ruleset (VITENS_H) in GRC DEV on connector SAP_S4_LG (new adjustments from the Protiviti analysis)
• Role-level scan on ECC PRD (validate that the new ruleset still works on the old system)
• Role-level scan on S/4 DEV (validate that the new ruleset works for the new FIORI roles)
• Final acceptance by Vitens
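The analysis steps above (disable obsolete tcodes, add new S/4 tcodes, place the generated oData services in the GRC function of the tcode they map to, and set aside the apps without a mapping for manual placement) can be scripted against the spreadsheet download. The following is an added example of that transformation, not the Vitens/Protiviti procedure itself and not SAP GRC's upload format; the ruleset rows, the function IDs, the obsolete and new tcode lists and the `FAPP_EXAMPLE_*` app-to-service-to-tcode mapping are all constructed.

```python
"""Prepare the GRC function actions for an S/4HANA ruleset upgrade: disable
obsolete tcodes, add new S/4 tcodes, place Fiori OData services next to the
tcode they map to, and list the apps that need manual placement.
Added illustration, not the Vitens/Protiviti procedure or SAP GRC's upload
format; the ruleset rows, tcode lists and app-to-tcode mapping are constructed."""
import csv
from io import StringIO

# Constructed ruleset export in the shape of a GRC spreadsheet download:
# one row per action in a function (type TR = transaction, SVC = OData service)
OLD_RULESET_CSV = """function,type,action,status
PR01,TR,ME21N,active
PR01,TR,ME21,active
PR02,TR,MIGO,active
AP01,TR,F-53,active
"""

OBSOLETE_TCODES = {"ME21"}              # constructed list of tcodes dropped in S/4
NEW_S4_TCODES = {"PR01": ["ME29N"]}     # constructed: new S/4 tcodes per function
# Constructed Fiori app -> OData service -> classic tcode, as a USOBHASH based
# mapping would supply it; None means no tcode equivalent exists
FIORI_APPS = {
    "FAPP_EXAMPLE_PO_CREATE": {"service": "EXAMPLE_PO_SRV", "tcode": "ME21N"},
    "FAPP_EXAMPLE_GOODS_RECEIPT": {"service": "EXAMPLE_GR_SRV", "tcode": "MIGO"},
    "FAPP_EXAMPLE_PAY_PROPOSAL": {"service": "EXAMPLE_PAY_SRV", "tcode": None},
}


def load_ruleset(text: str) -> list:
    """Read the spreadsheet-style export into a list of row dicts."""
    return [dict(row) for row in csv.DictReader(StringIO(text))]


def upgrade_ruleset(rows, obsolete, new_tcodes, fiori_apps):
    """Return (upgraded rows, apps needing manual placement)."""
    upgraded = []
    functions_by_tcode = {}
    for row in rows:
        row = dict(row)
        if row["type"] == "TR" and row["action"] in obsolete:
            row["status"] = "inactive"      # keep the row, switched off, for traceability
        upgraded.append(row)
        if row["type"] == "TR" and row["status"] == "active":
            functions_by_tcode.setdefault(row["action"], set()).add(row["function"])
    for function, tcodes in new_tcodes.items():
        for tcode in tcodes:
            upgraded.append({"function": function, "type": "TR", "action": tcode, "status": "active"})
            functions_by_tcode.setdefault(tcode, set()).add(function)
    manual = []
    for app, mapping in sorted(fiori_apps.items()):
        functions = functions_by_tcode.get(mapping["tcode"], set()) if mapping["tcode"] else set()
        if not functions:
            manual.append(app)              # no tcode, or tcode not in any active function
            continue
        for function in sorted(functions):  # the service inherits the placement of its tcode
            upgraded.append({"function": function, "type": "SVC",
                             "action": mapping["service"], "status": "active"})
    return upgraded, manual


def actions_of(rows, function: str) -> list:
    """Active (type, action) pairs of one function, for checking the result."""
    return sorted((r["type"], r["action"]) for r in rows
                  if r["function"] == function and r["status"] == "active")


if __name__ == "__main__":
    rows, manual = upgrade_ruleset(load_ruleset(OLD_RULESET_CSV), OBSOLETE_TCODES,
                                   NEW_S4_TCODES, FIORI_APPS)
    print(actions_of(rows, "PR01"), manual)
```

Placing the service in the same function as its tcode is what lets the risk analysis see the Fiori route to a function; an app whose service is missing from every function is exactly the kind of false negative the deck reports, so the manual-placement list is the residual work the script cannot do.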
GRC Connection to S/4
Issues
• Firefighters need to use the FIORI launchpad instead of tcodes. We created composite roles per module with broad catalogues. Firefighters can log in to S/4 and need to start tcode /UI/FLP for the FIORI launchpad
• The link between oData services [SVC] and FIORI apps [FAPP] is not transparent
• A link to the FIORI app ID is also not available in the system
• Limited hits (false negatives) due to incorrect usage of the action tab; see note 2655122 for the correct usage
FIORI Access Request App
• Currently 90% of our access requests come via the PBAC trigger, and manual access requests are rare
• When expanding to Active Directory the expectation is that manual access requests become more common (e.g. access to MS Visio), so the Access Request app becomes an important part of the IAM solution
• The current NWBC request app takes about 10 clicks to select a role
• GRC 12.0 delivers a standard FIORI request app, but it is not that user friendly
• Custom app development was necessary to meet the expectations of the business
FIORI App Development Process (supported by build.me)
FIORI High-Fidelity Design
‒ Bol.com
‒ Coolblue.nl
Provisioning to Active Directory/Legacy
Provisioning to Active Directory
Manual Provisioning
GRC Business Role Hierarchy
Business role BR:CONTROLEUR_DRINKWATERINSTALLATIES (Controleur Drinkwaterinstallaties) broken down across systems (slide graphic); columns readable on the slide:
• ABAP FR role, task role (Taakrol) Business Content: TR:G_M_ALG_AC_APPROVA
• FIORI FR role, task role Services (tile): TR:G_M_ALG_AC_FAPAPPR
• HANA privilege, task role (privilege): TR:H_VIEW_MANAGER
• ABAP FR role, task role Business Content: TR:S_B_LAB_DWI_ORDER
• FIORI FR role, task role Services (tile): TR:S_B_LAB_DWI_ORDER
• Manual AD group (Manueel AD Groep): AppData, Web Application, OU=Mail, Shared Mailboxes
IAM Chain - User Creation (part 1)
Numbered flow on the slide; the steps with readable text:
• 3: GRC detects the new employee and generates the User ID/Mail on GRC
• 4: GRC writes the User ID/Mail back to the HR backend system
• 8: an Active Directory script enables the account, creates the home drive, moves it to the correct OU and syncs the account to Azure AD (cloud)
• 9: Azure AD generates the mailbox and Office 365
IAM Chain - Authorizations Assignment (part 2)
Attribute Mapping HR GRC UMR LDAP (AD)
Roadmap IAM & GRC
Roadmap GRC & IAM
Timeline on the slide: 2018-2019, 2020, 2021, 2022
Goal (Doel): Compliant Access Control SAP; Compliant Access Control non SAP; other controls (Overige controls); IC statement via PC (IC verklaring via PC)
Systems (Systemen): SAP GRC AC - LDAP; MS FIM; MS Excel/SharePoint; FIORI; connect PO/Portal (PO/Portal aansluiten)
Feedback and Questions