
SAP Governance, Risk, Compliance and Security Solutions

SAP Cloud Identity Access Governance and GRC Access Control
Senthildev Ramachandran, SAP

CONFIDENTIAL
SAP GRC and Security solutions
Solution mapping to key themes

Enterprise Risk & Compliance
• Manage risks, controls, and regulatory requirements in business operations
• Screen third parties and detect anomalies and fraud
• Provide independent assurance of risk and compliance standards

Identity & Access Governance
• Manage access for enterprise applications – cloud or on-premise
• Manage identities, authorized information access, data use, and sharing conditions
• Eliminate excessive logins with single sign-on
• Mitigate access risk violations and monitor financial impact

Cybersecurity, Data Protection & Privacy
• Manage cyber risk with greater alignment to information security standards
• Identify potential cyber threats and vulnerabilities in applications
• Secure files and data using transportable policies and encryption
• Enable greater control with sensitive data masking and logging

International Trade Management
• Manage import and export compliance as well as free trade agreements in global supply chains
• Optimize trade utilizing special customs procedures such as bonded warehouses, processing trade in China, and free trade zones in NA
• Screen third parties for improved compliance

INTERNAL – SAP and Customers Only 3


SAP GRC and Security solutions
Solution mapping to key themes

Enterprise Risk & Compliance
• SAP Process Control
• SAP Risk Management
• SAP Audit Management
• SAP Business Integrity Screening

Identity & Access Governance
• SAP Access Control
• SAP Cloud Identity Access Governance
• SAP Single Sign-On
• SAP Cloud Identity Services – Identity Authentication
• SAP Identity Management
• SAP Cloud Identity Services – Identity Provisioning

Cybersecurity, Data Protection & Privacy
• SAP Enterprise Threat Detection
• SAP Privacy Governance
• SAP Customer Data Cloud
• SAP Data Custodian
• SAP Data Custodian, Key Management Service (KMS)
• UI masking for SAP
• UI logging for SAP
• SAP Code Vulnerability Analyzer

International Trade Management
• SAP Global Trade Services
• SAP S/4HANA for international trade
• SAP Watch List Screening


SAP Cloud Identity Access Governance
Access Governance is delivered as five services:

• Access Analysis: Analyze access, refine user assignments, manage controls
• Role Design: Optimize role definition and streamline governance
• Access Request: Optimize access, workflow-based assignment, and processes
• Access Certification: Review access, role, risk, and mitigation control
• Privileged Access Management: Achieve super-user access, log consolidation, and review with automated log assessment
SAP Cloud Identity Access Governance, access analysis
Analyze access, refine user assignments, manage controls

Access Analysis

§ Delivers insight into segregation of duties (SoD) and critical access for on-premise and cloud solutions with built-in risk scoring
§ Built-in access refinement workbench to optimize compliance and risk
§ Allows management of controls including integrated control monitoring and testing
§ Integrated audit reporting for access refinement and remediation
§ Mature risk definitions based on industry best practices
§ Visualization-driven UI with integrated risk-scoring prioritization, reporting and dashboards
§ Supports business applications such as SAP S/4HANA Cloud, SAP Ariba, SAP Fieldglass, etc.


Delivers insight into SoD and critical access risk
Analyze access, refine user assignments, manage controls

Assess SoD and critical access risks. Risk definitions are structured as a hierarchy:
• Business Function Group
• Business Process (for example Order to cash, Finance, ... Business process n; unlimited number)
• Risk (Risk A, Risk B, ... Risk n; unlimited number)
• Function (Function 1, Function 2, ... Function n)
• Actions/Permissions in the business application

Key benefits
• Reduces risks associated with SoD conflicts and sensitive access for on-premise and cloud solutions
• Optimizes time and efficiency in determining correct role assignments
• Supports key audit reporting requirements

§ Mature risk definitions based on industry best practices
§ Visualization-driven UI with integrated risk-scoring prioritization, reporting and dashboards
§ Supports business applications such as SAP S/4HANA Cloud, SAP Ariba, SAP Fieldglass, etc.


SAP Cloud Identity Access Governance offering
Analyze access, refine user assignments, manage controls – access analysis service

Process flow: Dashboard analytics → Select users to analyze → Refine user assignments → Optimize based on business requirement → Mitigate risks → Audit report → Monitor controls


Access Analysis - Overview

Delivers built-in risk scoring and trending

Key benefits
• Greater visibility into potential issues
• Streamline and prioritize mitigation activities
• More easily remediate high-impact issues and improve security

§ Customizable risk scoring and trending based on potential impact and sensitivity
§ Focus on issues with the greatest potential risk
§ Visualization with link to user analysis and remediation dashboard
Access Analysis - Risk Score Policy
A Risk Score is a quantifiable number based on the user's access, usage, risks, and mitigation.
The default formula is: (Total Roles + Used Roles + Risks) - Mitigated Risks = Risk Score of an Individual
For example: 10 roles assigned + 7 roles used + 4 risks - 2 mitigated risks = Risk Score 19

Fields of a Risk Score Policy:
• Risk Score Policy: The name of the Risk Score Policy
• Description: Details about how your company uses this policy
• Long Description (optional): More details about how your business uses this policy
• Weighting Factor for Risk: Each risk is multiplied by the weighting factor entered here. The default is 0.
• Weighting Factor for Mitigated Risk: Each mitigated risk is multiplied by the weighting factor entered here. The total is subtracted from the total of the other factors (Risks, Roles, Used Roles). The default is 0.
• Weighting Factor for Role: Each role is multiplied by the weighting factor entered here. The default is 0.
• Weighting Factor for Used Role: Each used role is multiplied by the weighting factor entered here. The default is 0.
• Status: Active or Inactive. Only one Risk Score Policy is active at any time.

For weighting factors, negative numbers are allowed, but fractions (decimal points) are not allowed.
Access Analysis - Access Effectiveness

The Access Effectiveness score in the header is derived from the percentage of access that is being used. For example, if 2 out of 7 roles are being used, the Access Effectiveness score is 29%.


Access Analysis - Access Compliance

The Access Compliance score is obtained by dividing the number of mitigated risks by the total number of risks.


Access Analysis - Remediation

Guided user-refinement process to identify and remove unnecessary role assignments based on usage and SoD risk.

Remediate from the User Access Analysis results to reduce or eliminate the user's access risks and remove unused access.

Built-in simulation to check proposed new assignments.


Access Analysis - Remediation

Simple Refinement
The app proposes actions to refine the user's access, such as removing access to a system. All roles for the user are shown.

The Simple Refinement functionality looks for roles that have no usage and/or contain Critical Risks.

If you accept the recommendation for the removal of a role, the access to the system is removed for the user after you Save and Confirm.


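The scoring rules above (risk score policy, access effectiveness, access compliance) and the Simple Refinement proposal with its simulation, worked through in Python as an added example. This is illustrative code, not SAP's implementation. Weights of 1 reproduce the page's default formula; the role names, risk IDs and the treatment of a user with zero risks as 100% compliant are assumptions.

```python
"""Added example (not SAP code): risk score policy, access effectiveness,
access compliance, and a simple-refinement simulation for one user."""
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    used: bool                          # usage recorded for this role
    risks: frozenset = frozenset()      # IDs of SoD/critical risks the role contributes to
    critical: bool = False              # role contains a Critical Risk


@dataclass
class RiskScorePolicy:
    """Weighting factors are whole numbers; negatives are allowed, fractions are not.
    Weights of 1 reproduce the page's default formula (assumption)."""
    name: str
    role_weight: int = 1
    used_role_weight: int = 1
    risk_weight: int = 1
    mitigated_risk_weight: int = 1

    def __post_init__(self):
        for w in (self.role_weight, self.used_role_weight,
                  self.risk_weight, self.mitigated_risk_weight):
            if isinstance(w, bool) or not isinstance(w, int):
                raise ValueError("weighting factors must be integers (no fractions)")


@dataclass
class UserAccess:
    roles: list
    mitigated: frozenset = frozenset()  # risk IDs covered by an assigned mitigation control

    def risks(self) -> frozenset:
        return frozenset().union(*(r.risks for r in self.roles))

    def used_roles(self) -> int:
        return sum(1 for r in self.roles if r.used)


def risk_score(user: UserAccess, policy: RiskScorePolicy) -> int:
    """(Total Roles + Used Roles + Risks) - Mitigated Risks, each term weighted."""
    risks = user.risks()
    mitigated = risks & user.mitigated          # only count mitigations for risks the user has
    return (policy.role_weight * len(user.roles)
            + policy.used_role_weight * user.used_roles()
            + policy.risk_weight * len(risks)
            - policy.mitigated_risk_weight * len(mitigated))


def access_effectiveness(user: UserAccess) -> int:
    """Percentage of assigned roles that are used (2 of 7 -> 29)."""
    if not user.roles:
        return 0
    return round(100 * user.used_roles() / len(user.roles))


def access_compliance(user: UserAccess) -> int:
    """Percentage of the user's risks that are mitigated. A user with no risks
    is reported as 100% (assumption: the page does not define this case)."""
    risks = user.risks()
    if not risks:
        return 100
    return round(100 * len(risks & user.mitigated) / len(risks))


def simple_refinement(user: UserAccess) -> list:
    """Simple Refinement proposal: roles with no usage and/or Critical Risks."""
    return [r.name for r in user.roles if not r.used or r.critical]


def simulate(user: UserAccess, remove: list, policy: RiskScorePolicy) -> dict:
    """Built-in simulation: score the user as they would look after the removal."""
    keep = [r for r in user.roles if r.name not in set(remove)]
    after = UserAccess(keep, user.mitigated)
    return {"risk_score": risk_score(after, policy),
            "effectiveness": access_effectiveness(after),
            "compliance": access_compliance(after)}


def page_example_user() -> UserAccess:
    """Constructed user matching the page's numbers: 10 roles, 7 used,
    4 risks, 2 mitigated -> risk score 19 under the default policy."""
    roles = [Role(f"R{i}", used=i < 7) for i in range(10)]
    roles[0].risks = frozenset({"SOD1", "SOD2"})
    roles[1].risks = frozenset({"SOD3"})
    roles[9].risks = frozenset({"CRIT1"})
    roles[9].critical = True
    return UserAccess(roles, mitigated=frozenset({"SOD1", "SOD3"}))


if __name__ == "__main__":
    user, policy = page_example_user(), RiskScorePolicy("default")
    print("risk score:", risk_score(user, policy))              # 19
    print("effectiveness:", access_effectiveness(user), "%")   # 70
    print("compliance:", access_compliance(user), "%")         # 50
    proposal = simple_refinement(user)
    print("propose removal of:", proposal)                     # ['R7', 'R8', 'R9']
    print("after removal:", simulate(user, proposal, policy))  # score 15, 100 %, 67 %
```

Mitigations are intersected with the user's actual risks so that a mitigation control assigned for a risk the user no longer has cannot drive the score negative; the integer check rejects the fractional weights the page says are not allowed.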

Access Analysis - Remediation
Advanced Refinement
§ Refinement is done at the
functions level.
§ You can carry out refinement
based on usage-based access,
risk-free access, or your own
specific needs.



Access Analysis - Remediation

Remediation Audit Log Report
You use the Remediation Audit Log Report to research actions taken during Access Analysis. On this report, you can see all refinement and remediation that has been taken on identified risks.


Access Analysis - Mitigation
Mitigation Control
§ Create a test plan
§ Create a mitigation control and assign owner, risk, test plan, and frequency
§ Assign and monitor mitigating controls


Access Analysis - Mitigation
Periodically monitor mitigation controls.

The Monitoring Process:

Job Scheduler: You use the Job Scheduler app to schedule the Control Monitoring Job. This job generates a list of the mitigation controls that are eligible to be monitored. The Mitigation Control Monitoring app uses this list to select the mitigation controls that are ready to be monitored.

Mitigation Control Monitoring: This app supports you in performing reviews of mitigation controls. Using the app, you perform the test, determine whether the mitigation control has passed the test, update the test results document, and upload it to SAP Cloud Identity Access Governance.

Mitigation Control Monitoring Report: The Mitigation Control Monitoring Report app shows the latest test results for each mitigation control, including the user ID of the person who performed the test and the testing date. You use the report to keep track of the testing status of each mitigation control.


SAP Cloud Identity Access Governance, access request
Optimize access, workflow, policy-based assignment, and processes

Access Request

• Automated user access request for user on-boarding to enterprise applications
• Intuitive self-service access request
• Auditable access request workflow
• Complete integrated identity access governance platform
• Review and approval of access requests
• Remediation of Segregation of Duties (SoD) and critical access risks
• Auto provisioning of user access


Access Request - Optimize processes and streamline governance

1. Request: select the access needed for the job
2. Submit
3. Analyze: simulate, remediate risks
4. Approve: adjust as needed, check status
5. Provision: audit the workflow; cancel or resubmit and adjust as needed
This is the current state of planning and may be changed by SAP at any time.
Access Request - Integrated provisioning for hybrid landscapes

For the latest listing please see help.sap.com/viewer/product/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/

Integrated Provisioning (cloud and on-premise connectors):
• SAP SuccessFactors
• SAP ABAP (on-premise)
• SAP Ariba
• SAP Fieldglass
• SAP S/4HANA Cloud
• SAP S/4HANA (on-premise)
• Microsoft Azure Platform
• SAP Marketing Cloud
• SAP Integrated Business Planning
• SAP Analytics Cloud
• SAP Cloud Foundry
• LDAP System
• SAP Identity Authentication
• SAP Cloud Platform
• ….

SoD rule content now available for:
• SAP Ariba
• SAP SuccessFactors
• SAP S/4HANA Cloud
• SAP S/4HANA
• SAP ECC

Key benefits
• Increased scope for provisioning across hybrid landscapes
• Simplified architecture leveraging common components
• Enable and govern users for processes that span multiple applications

§ Seamless access governance across hybrid landscapes
§ Automated access request approval and provisioning based on HR events
§ Expanded system connectors for key business applications on-premise and cloud
§ S/4HANA native integration including rule content and support for the new authorization model
Access Request - HR Driven Identity Lifecycle Management

There are three overall steps to enable HR trigger integration between SAP SuccessFactors and the SAP Cloud Identity Access Governance solution and its services:

• In the SAP Business Technology Platform, set up one destination to connect to the SAP SuccessFactors tenant.
• Use the SAP Cloud Platform Business Rules service to define the rules for converting user changes from SAP SuccessFactors to access requests.
• Run the Job Scheduler for the HR Trigger job to sync user data from SAP SuccessFactors.


Access Request - Upload Template

The Template Upload app consists of the workflow and notification templates. You require these templates to create access requests, including those for Privileged Access Management and Privileged Access Monitoring.

Open the Template Upload app. Navigate to Workflow and choose Upload to transmit the relevant workflow template to the server.

For Notification, choose Download. The template is downloaded as a ZIP file. Save the ZIP file to your system. If required, make the relevant changes to the template you downloaded and choose Upload to transfer the modified file. The file is uploaded in ZIP format.


Access Request - Workflow

§ The access request service includes non-modifiable out-of-the-box workflow templates, as listed below.
§ Custom Workflow Template: with a custom workflow you have the option of customizing your workflow templates, including the stage sequences.
§ You can now configure parameters for each stage sequence, including Risk Analysis Mandatory and Remediation Mandatory, and change path stage descriptions.
§ Once all stages are approved, the system initiates provisioning.

Workflow Template (path name): Behavior
• Manager - Role Owner - Security Owner: The access request goes to the following roles for approval before it is provisioned: manager, role owner, security owner.
• Manager - Role Owner - Risk Owner - Security Owner: The access request goes to the following roles for approval before it is provisioned: manager, role owner, risk owner, security owner. Note: the Risk Owner stage is skipped if there are no risks for the access requested.
• Manager - Security Owner: The access request goes to the following roles for approval before it is provisioned: manager, security owner.
• Manager Only: The access request goes only to the manager for approval before it is provisioned.
• Auto Path: The access request goes to an automated approval process and proceeds directly to provisioning without any additional manual approval steps.
• Security Only: The access request goes only to the security owner for approval before it is provisioned.
• Role Owner - Security: The access request goes to the following roles for approval before it is provisioned: role owner, security owner.
• Role Owner - Manager: The access request goes to the following roles for approval before it is provisioned: role owner, manager.
• Role Owner Only: The access request goes only to the role owner for approval before it is provisioned.


Access Request- Workflow

§ Auto Approval Stage for Auto Provisioning
§ Access requests for which auto approval paths are selected do not require additional approvals from approvers and are automatically sent for provisioning.
§ In the Workflow Template app, the pre-delivered auto approval path is listed on the Workflow Templates screen.

§ Workflow Configuration for Initiator
§ Different workflow paths can be applied to various types of requests based on the attributes of the request and the requesting user.
§ This capability enables customized routing and processing of requests according to specific criteria and attributes, providing a more tailored and efficient workflow.
§ Even if a new business rule, AttributesRule, is defined and conditions are maintained within it, the RequestTypeRule serves as a fallback option. If no conditions in the AttributesRule are met, the RequestTypeRule is used as the default rule to determine the appropriate path for the request.

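The workflow template table and the AttributesRule/RequestTypeRule fallback described above, as an added Python example; this is illustrative code, not SAP's rule engine or workflow service. The template names and their stage orders come from the table; the request attributes, the condition format and the request-type names are hypothetical.

```python
"""Added example (not SAP code): pick the workflow path for an access request
(AttributesRule first, RequestTypeRule as fallback) and build the approval stage
sequence, skipping the Risk Owner stage when the request carries no risks."""
from dataclasses import dataclass, field

# Out-of-the-box templates from the page's table: path name -> ordered approver stages
TEMPLATES = {
    "Manager - Role Owner - Security Owner": ["manager", "role owner", "security owner"],
    "Manager - Role Owner - Risk Owner - Security Owner":
        ["manager", "role owner", "risk owner", "security owner"],
    "Manager - Security Owner": ["manager", "security owner"],
    "Manager Only": ["manager"],
    "Auto Path": [],                      # no manual stages: straight to provisioning
    "Security Only": ["security owner"],
    "Role Owner - Security": ["role owner", "security owner"],
    "Role Owner - Manager": ["role owner", "manager"],
    "Role Owner Only": ["role owner"],
}


@dataclass
class AccessRequest:
    request_type: str            # e.g. "new", "extension" (hypothetical type names)
    attributes: dict             # request and requester attributes, e.g. system, user_type
    risk_count: int = 0          # SoD/critical risks found by risk analysis


@dataclass
class Condition:
    """One AttributesRule condition: every key/value must match the request."""
    match: dict
    path: str


@dataclass
class AttributesRule:
    conditions: list = field(default_factory=list)

    def evaluate(self, req: AccessRequest):
        for cond in self.conditions:
            if all(req.attributes.get(k) == v for k, v in cond.match.items()):
                return cond.path
        return None                           # no condition met: caller falls back


@dataclass
class RequestTypeRule:
    by_type: dict
    default_path: str

    def evaluate(self, req: AccessRequest) -> str:
        return self.by_type.get(req.request_type, self.default_path)


def select_path(req, attributes_rule, request_type_rule) -> str:
    """AttributesRule wins when one of its conditions matches; otherwise the
    RequestTypeRule is the default rule for the request."""
    path = attributes_rule.evaluate(req) if attributes_rule else None
    if path is None:
        path = request_type_rule.evaluate(req)
    if path not in TEMPLATES:
        raise KeyError(f"unknown workflow template: {path}")
    return path


def stage_sequence(path: str, req: AccessRequest) -> list:
    """Stages the request must pass; the Risk Owner stage is skipped
    if there are no risks for the access requested."""
    stages = list(TEMPLATES[path])
    if req.risk_count == 0:
        stages = [s for s in stages if s != "risk owner"]
    return stages


def route(req, attributes_rule, request_type_rule) -> dict:
    path = select_path(req, attributes_rule, request_type_rule)
    stages = stage_sequence(path, req)
    return {"path": path, "stages": stages, "auto_provision": not stages}


# Constructed rule set (hypothetical attribute names and values)
ATTRIBUTES_RULE = AttributesRule([
    Condition({"user_type": "contractor"}, "Manager - Role Owner - Risk Owner - Security Owner"),
    Condition({"system": "SANDBOX"}, "Auto Path"),
])
REQUEST_TYPE_RULE = RequestTypeRule({"extension": "Manager Only"},
                                    default_path="Manager - Role Owner - Security Owner")


if __name__ == "__main__":
    for r in [
        AccessRequest("new", {"user_type": "contractor", "system": "S4H"}, risk_count=2),
        AccessRequest("new", {"user_type": "contractor", "system": "S4H"}, risk_count=0),
        AccessRequest("extension", {"user_type": "employee", "system": "S4H"}),
        AccessRequest("new", {"user_type": "employee", "system": "SANDBOX"}),
    ]:
        print(route(r, ATTRIBUTES_RULE, REQUEST_TYPE_RULE))
```

The fallback order matters for review: an Auto Path condition that matches on a broad attribute bypasses every manual approver, so the AttributesRule conditions deserve the same scrutiny as the templates themselves.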


Access Request - Request Administration

§ Request Administrators can cancel requests and/or forward them to other approvers if an approver is not available.
§ If a manager is on vacation or sick leave, you can forward a request to another colleague or colleagues as approver or approvers.


Access Request - Create Access Request

§ Select Existing Assignments to search for and display the access.
§ By default, the access listed is the access that expires within 30 days.


Access Request - Create Access Request

• The Manager field can be populated automatically if the data source is maintained as IAS (SAP Cloud Identity Services – Identity Authentication) in the configuration app.
• Attachments: the following file types are allowed: text files (TXT), image files (JPG, PNG), PowerPoint files (PPT), documents (DOC, DOCX, PDF), and spreadsheets (XLS, XLSX). The maximum file size is 100 MB.


Access Request - Access Request Status

• You use the Access Request Status app to check on the progress of access requests that you have submitted for approval or extension.
• The app displays the status of each access that you requested. It also displays any attachment that you added to the request.


Access Request - Access Request Approval

§ The approver can approve or reject the request.
§ Approvers can use Remediate Risks to assign Mitigation Controls to mitigate the user's Segregation of Duties (SoD) risks and Critical Access risks.


Access Request - Access Request Remediation
§ The Access Compliance score is the percentage of the user's risks that have been mitigated.
§ When your remediation, approval and rejection actions are complete, select Simulate to see the effect on the user's SoD and Critical Access risks and the Access Compliance score.


Access Request - Second Stage or Final Stage

§ An item rejected in the first stage is not editable in the second stage.


Access Request - Provisioning Report
§ Use this report to check the provisioning status of the request.


SAP Cloud Identity Access Governance, role design
Optimize role definition and streamline governance

Role Design

§ SAP Cloud Identity Access Governance, role design service is a cloud solution for creating, optimizing, and maintaining business roles for on-premise and cloud source systems.
§ Provides integrated processes for designing and managing business roles and reduces complexity in managing access for business applications.
§ It helps you to optimize business roles by using real-time analytics and rule-driven algorithms to propose candidate business roles.
§ Access risk simulation ensures SoD-free business roles.


SAP Cloud Identity Access Governance offering
Optimize role definition and streamline governance – role design service

Enhanced user experience and productivity with optimized access definition. The role design process runs in five steps:

1. Mine roles
§ Roles, privileges, and authorizations
§ User access authorizations
§ Usage activity
2. Optimize access
§ Analyze mined access information
§ Discover optimal granularity of authorizations
3. Refine access
§ Propose optimal user access
§ Orchestrate access for an end-to-end business process
4. Analyze impact
§ Adjust role content to remediate risks
§ Mitigate risks as applicable
5. Provision users
§ Assign access to users
§ Notify users


Business Roles

Business roles are groups of technical application authorizations by job function, user type, or organization.

The purpose of a business role is to make managing access more efficient by consolidating different access types into one object that you can assign to a user.


Candidate Business Roles

• A candidate business role is an optimal business role proposed by the SAP Cloud Identity Access Governance, role design service.
• The service suggests business roles that should be created based on existing user-to-technical role associations. This service supports you in simplifying your business applications by using business roles more efficiently.
• The service generates a list of proposed candidates for business roles that you can adjust as needed. Once you activate the candidate business role, it becomes a standard business role.

Process steps: Create candidate business roles → Select candidate business roles → My Inbox → Refine candidate business roles → Activate candidate business roles → Reconcile candidate business roles



Candidate Business Roles

Create candidate business roles: enter the criteria for generating candidate business roles.

Select candidate business roles: select the candidate business role to process and submit.


Candidate Business Roles

Refine: choose Edit to modify the candidate business role. From here, you can:
§ Change the Role Name, Description, Business Process, and Long Description
§ Add and delete associated Access
§ Assign a Content Approver (Other Attributes section)
§ Assign an Assignment Approver (Other Attributes section)
§ Add any comments in the Notes section

Choose Simulate to see how your changes have impacted the SoD or Critical Access risks. Continue making adjustments until you are satisfied with the results.

Save changes and Submit to route the request for the candidate business role to the next stage, Activate.
Candidate Business Roles

Activate the candidate business roles: click Submit in the reconciliation step to begin the provisioning process.


Candidate Business Roles

Use the Role Design Audit Log Report to research actions taken during the candidate business role design process.


Candidate Business Roles

The Role Designer Overview provides information about how effectively your company is using business roles as well as links to business role functionality.

Unassociated Technical Roles: shows the number of technical roles that are not associated with a business role, and the trend over the past four months. The goal is to have zero unassociated technical roles.

Users: shows the percentage of users that are assigned to a business role, and the trend over the past four months. The goal is to have 100% of users assigned to business roles.

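The candidate business role flow (mine, refine, activate) and the two Role Designer Overview figures, as an added Python example; this is illustrative code, not the role design service's own algorithm. The sample users, the technical role names, the grouping criterion (identical technical-role sets shared by at least two users), the CBR_ naming and the rule for counting a user as assigned to a business role are all assumptions.

```python
"""Added example (not SAP code): mine candidate business roles from existing
user-to-technical-role associations, refine one, activate, and compute the Role
Designer Overview figures (unassociated technical roles, % of users assigned)."""
from collections import defaultdict

# Constructed sample data: user ID -> technical roles currently assigned
USER_TECH_ROLES = {
    "u1": {"Z_AP_CLERK", "Z_DISPLAY_FI"},
    "u2": {"Z_AP_CLERK", "Z_DISPLAY_FI"},
    "u3": {"Z_AP_CLERK", "Z_DISPLAY_FI"},
    "u4": {"Z_AR_CLERK", "Z_DISPLAY_FI"},
    "u5": {"Z_AR_CLERK", "Z_DISPLAY_FI"},
    "u6": {"Z_BASIS_ADMIN"},
}


def mine_candidates(user_roles: dict, min_users: int = 2) -> list:
    """Group users sharing an identical technical-role set; every set shared by at
    least min_users becomes a candidate business role, most-used first.
    (Illustrative grouping criterion, not the service's own algorithm.)"""
    groups = defaultdict(list)
    for user, roles in user_roles.items():
        groups[frozenset(roles)].append(user)
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    candidates = []
    for roles, users in ordered:
        if len(users) >= min_users:
            candidates.append({
                "name": f"CBR_{len(candidates) + 1:03d}",   # hypothetical naming
                "technical_roles": sorted(roles),
                "users": sorted(users),
                "status": "candidate",
            })
    return candidates


def refine(candidate: dict, add=(), remove=()) -> dict:
    """Refine step: add or delete associated access before activation."""
    roles = (set(candidate["technical_roles"]) | set(add)) - set(remove)
    return {**candidate, "technical_roles": sorted(roles)}


def activate(candidate: dict) -> dict:
    """Activate step: the candidate becomes a standard business role."""
    return {**candidate, "status": "active"}


def overview(user_roles: dict, business_roles: list) -> dict:
    """Role Designer Overview: technical roles not covered by any active business
    role, and the percentage of users holding at least one business role (a user
    counts when their assignment contains the role's full technical-role set)."""
    active = [br for br in business_roles if br["status"] == "active"]
    all_tech = set().union(*user_roles.values())
    covered = set().union(*(set(br["technical_roles"]) for br in active))
    assigned = sum(
        1 for roles in user_roles.values()
        if any(set(br["technical_roles"]) <= set(roles) for br in active)
    )
    return {
        "unassociated_technical_roles": len(all_tech - covered),
        "users_assigned_pct": round(100 * assigned / len(user_roles)) if user_roles else 0,
    }


if __name__ == "__main__":
    cands = mine_candidates(USER_TECH_ROLES)
    for c in cands:
        print(c["name"], c["technical_roles"], "users:", c["users"])
    live = [activate(c) for c in cands]
    print(overview(USER_TECH_ROLES, live))   # 1 unassociated role, 83 % of users
```

The min_users threshold is the knob to watch: the lone Z_BASIS_ADMIN assignment never becomes a candidate at the default of 2 and therefore stays visible as an unassociated technical role, which is exactly the kind of one-off privileged assignment an overview dashboard should keep surfacing rather than fold into a business role.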


SAP Cloud Identity Access Governance, privileged access
Account-based access, log consolidation, and review with automated log assessment

Privileged Access Management

§ Track and approve requests for emergency access through a formal, documented process.
§ Review the intended and actual usage of emergency access in a formal, documented process. Investigate any differences between intended and actual usage.
§ Implement a periodic audit of PAM ID usage and logs. Verify that PAM activities are documented and reviewed, and that exceptions are investigated according to policy.


SAP Cloud Identity Access Governance
Privileged Access Management

Privileged access management (PAM) allows granting of elevated access to perform critical tasks, with activity tracking and embedded machine learning capabilities to easily identify anomalies.

Grant Privileged Access
• Approval Workflow
• Risk assessment
• Granting Access

Elevated Privilege sessions
• Ease of initiating elevated privilege sessions
• Governance on session access

Review Log process
• Capturing the privileged access
• Automated Review process
• Machine learning opportunity


PAM – Process

§ The Privileged Access User ID (PAM ID) is created in the Maintain PAM app.
§ Use the Create Access Request app to request or extend privileged access that you need for performing critical actions.
§ Open the Privileged Access Inbox app to view and approve the Privileged Access Request.
§ The assigned Privileged Access user (PAM User) must log on to the designated system with their own credentials and call the transaction SIAG_PAM_LAUNCH_PAD (RFC access must be assigned).
§ The Privileged Access Monitoring app logs all critical actions that users perform once privileged access has been granted to them.


PAM – Process

§ Business roles associated with a Privileged Access Management (PAM) ID should have access or a role that has authorization to launch a remote session.
§ In your ABAP system, create a role (for example: ZSIAG_PAMID_RFC_ACCESS).
§ Sync this role to the IAG application using the Repository Sync job. This role should be part of all the business roles that will be associated with the PAM ID.


PAM ID creation – Process
§ The Privileged Access User ID (PAM ID) is created in the Maintain PAM app. A business role is a prerequisite for creating a PAM ID.
§ Once a Privileged Access ID is activated, it has the status In Progress.
§ Once the PAM ID is provisioned it can be used for assignment. Check the Provisioning report to see whether the PAM ID has been provisioned.


PAM ID to PAM user – Process
§ Use the Create Access Request app to request or extend privileged access that you need for performing critical actions.
§ A new access type called Privileged Access has been added. Selecting it displays a list of all privileged access that a user may request.
§ Once you have filled in the required information, choose Submit Request. The app assigns your request a number and routes it to the Privileged Access Inbox.
§ Approvers/reviewers use the Privileged Access Inbox app to approve and review access requests.
§ Sequence of approval stages:
1. Manager Approval
2. Role Owner Approval
3. Security Approval




PAM ID to PAM user – Process

1. Run the Privileged Access Log Sync Job to see results in the Privileged Access Log Report.
2. Run the job for the Privileged Access Review Request.


SAP Cloud Identity Access Governance, access certification
Review access, role, risk, and mitigation control

Access Certification

§ Access certification service is a cloud solution for periodically reviewing and certifying access to business applications in the cloud and on-premise. Enable reviews specific to organizational needs.
§ It reduces complexity in processing periodic certifications and supports large-scale reviews.
§ Ensures users have optimized access assignments. Manage the review process.


SAP Cloud Identity Access Governance
Access certification service
Streamlined access certification process automates the periodic/ad-hoc access review process and reduces access maintenance activity when there are organizational changes that impact user access.

1. Create Campaign
• Select campaign duration
• Assign Coordinator
• Select users and access for review
• Select workflow template
2. Start Campaign
• Send notifications
3. Review Access
• Check review items in inbox
• Approve or reject access
• Submit for the next process step
4. Manage Campaign
• Review processing status
• Send reminders or reassign items
5. Update Access
• Remove rejected access from users in business applications
• Audit reporting


Access certification service – Process

§ Define campaign details, select campaign data, select the workflow template, and save, review, and submit the campaign.
§ Review the campaign. The default view is View by User; if you prefer to evaluate the campaigns by access, select View by Access.
§ The campaign automatically closes after all review items are processed. Rejected access is removed.
§ Verify the campaign using the Access Certification Audit Log app, which shows the audit-relevant actions taken on Access Certification campaigns.
§ Review your certification campaigns with the Manage Active Campaigns app and act as needed. If authorized, you can close an existing campaign, reassign tasks to a different reviewer, or remind a current reviewer of items to evaluate.


Access certification service

Select users by group, system, or org.

Choose Workflow Selection. Three workflow modules are available:
§ 1-step approval by manager
§ 1-step approval by role owner
§ 3-step approval by manager, role owner, and security expert


Access certification service – Monitor

The Coordinator uses the Manage Campaigns app to see the overall status of campaigns assigned to them.


Access certification service – Monitor
§ Select an individual Ongoing Campaign to see the details.
§ This section includes the options to:
§ Reassign to another reviewer
§ Release the claimed task
§ Escalate, which sends an e-mail notification to the manager
§ Remind, which sends an e-mail notification to the Reviewer


Access certification service – Review

Two views are possible:
§ View by User
§ View by Access

Removal is executed after you submit the review items. In a multi-step workflow, the removal is triggered based on the result of the last workflow step. The deprovisioning of user access from the systems starts after the last stage.


Access certification service – Report

The status of the deprovisioning can be checked in the Provisioning report with process Access Certification.


Access certification Audit Log

§ You use the Access Certification Audit Log to view the audit-relevant actions taken on Access Certification campaigns.
§ The audit log lists all the campaigns.


Access certification Campaign Log
You use the Access Certification Campaign Log app
to view details about the creation of review requests
after the campaign has been started.



Authorization Policy
§ The authorization concept is based on the
assignment of authorizations to users
via policy sets.
§ A policy set is a grouping of policies.
§ Within policies are contained the tasks and
authorization objects.
§ You enable data level security by selecting the
authorization object attributes to which
the policy applies
§ You maintain authorization policies via
the Authorization Policy app
§ Refer to the help page for Default Authorization
Policy



IAG API

§ The Create Access Request API supports an event-based interface for creating access requests and provides a Lookup interface for the specific entities that are required to create requests.
§ https://api.sap.com/package/SAPCloudIdentityAccessGovernanceAccessRequestService/rest

Entities and descriptions:
§ Access Search: Searches the accesses that can be requested
§ Application Users: Retrieves the list of Application Users for SAP Cloud Identity Access Governance
§ Creates Access Request: Creates a request for assignment creation or update
§ Custom Field*: Configures the list of custom fields in SAP Cloud Identity Access Governance. To configure field mapping for custom fields so they can be used in the Access Request API, refer to Field Mapping
§ Request Priorities: Retrieves the list of priorities
§ Request Reason Code: Retrieves the list of reason codes
§ Request Status: Retrieves the list of status details for requests that have already been submitted
§ Check User has Risk: Assesses potential risks for a user



IAG Roadmap




SAP Cloud Identity Access Governance offering
Benefits and capabilities

Benefits
§ No installation requirements other than a Web browser; complement and extension of the existing SAP Access Control application around access risk analysis
§ Better user experience with personalized information and graphical views
§ Improved application security and compliance
§ Central management of access risk across hybrid landscapes

Capabilities
§ Access governance solution based on SAP Business Technology Platform
§ Intuitive user interface design on SAP Fiori user experience
§ Instant visibility into access issues including access analysis, role design, access request, access certification, and privilege access management
§ Support for cloud applications



SAP GRC Access Control
Technical System Landscape - Governance, Risk and Compliance solution

The Governance, Risk and Compliance solution includes the following products:
§ Access Control
§ Process Control
§ Risk Management



Architecture Overview – Access Control 12



SAP Access Control

Components of SAP Access Control:
§ Access Risk Analysis (ARA): find and remediate segregation of duties and critical access violations
§ Emergency Access Management (EAM): monitor emergency access and transaction usage
§ Access Request Management (ARM): automate access administration for enterprise applications
§ User Access Review (UAR): certify that access assignments are still warranted
§ Business Role Management (BRM): define and maintain roles in business terms



Access Risk Analysis (ARA)
Defining SoD and Critical Permissions

Find and remediate SoD and critical access violations; analyze at the lowest authorization level.

Rule set hierarchy (top to bottom):
§ Rule set
§ Business process: order to cash, finance, ... business process n (unlimited number)
§ Risk: Risk A, Risk B, ... Risk n (unlimited number)
§ Function: Function 1, Function 2, Function 3, Function 4, ... Function n
§ Actions and permissions of each function, per target system (SAP ERP, Oracle, PeopleSoft)



Access Risk Analysis (ARA)
The standard SAP Rulesets

SAP pre-delivers standard Rulesets that can be reused in implementations.

§ The Rulesets comprise the most commonly observed scenarios of SoD and Critical Access and general best practices;
§ We recommend that customers use their own custom Ruleset, but the standard often proves to be a good place to start;
§ SAP recently delivered new Rulesets for:
  – HANA DB (Note 2524840)
  – S/4HANA and Fiori (Note 2539742)



Access Risk Analysis (ARA)
Risk Analysis report



Take action to mitigate access risk violations

Remove, delimit, or mitigate role assignments to reduce risk exposure


Key benefits
§ Document and assign mitigation controls to users, roles, profiles, and HR objects
§ Integrate with SAP Process Control for enhanced mitigation options
§ Exclude mitigated objects from reporting to focus on unmitigated risks



Access Risk Analysis (ARA)
Decreasing Risk exposure

Remediation options

Once a Risk is identified, there are two main remediation options:

1. Remove and/or reassign access: one of the conflicting functions is removed from the user with the Risk and may be assigned to another user;
2. The Risk is accepted and a Control is placed to reduce risk exposure. Activities documented in the Control might include monitoring or formal documentation (agreements, Risk waivers).
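An added example, not SAP's delivered rule set or Access Control code, that carries the rule-set hierarchy (business process, risk, function, actions per system) and both remediation options into Python: the analysis works at the action level, mitigated risks can be excluded from the report as the slides describe, and removing one conflicting function clears the SoD risk. Function ids, transaction codes, risk ids and the control id are constructed for this example.

```python
from dataclasses import dataclass

# Constructed rule set mirroring the hierarchy on the slides:
# business process -> risk -> functions -> actions/permissions per system.
# Function ids, transaction codes, risks and control ids are illustrative.


@dataclass(frozen=True)
class Function:
    id: str
    actions: frozenset    # (system, action) pairs; an action is a transaction or permission


@dataclass(frozen=True)
class Risk:
    id: str
    business_process: str
    functions: tuple      # a user who can execute ALL listed functions has the risk
    description: str


FUNCTIONS = {
    "VENDOR_MAINT": Function("VENDOR_MAINT", frozenset({("SAP ERP", "XK01"), ("SAP ERP", "XK02")})),
    "VENDOR_INVOICE": Function("VENDOR_INVOICE", frozenset({("SAP ERP", "FB60")})),
    "PAYMENT_RUN": Function("PAYMENT_RUN", frozenset({("Oracle", "AP_PAYMENT_RUN")})),
    "USER_ADMIN": Function("USER_ADMIN", frozenset({("SAP ERP", "SU01")})),
}

RULESET = [
    # SoD risks: two functions that must not sit with one person
    Risk("P001", "Procure to pay", ("VENDOR_MAINT", "VENDOR_INVOICE"),
         "Create a fictitious vendor and post invoices to it"),
    Risk("P002", "Procure to pay", ("VENDOR_INVOICE", "PAYMENT_RUN"),
         "Post an invoice and pay it (cross-system: SAP ERP + Oracle)"),
    # Critical-access risk: a single function is the risk on its own
    Risk("B001", "Basis", ("USER_ADMIN",), "User administration"),
]


def executable_functions(user_actions):
    """Functions the user can fully execute. Analysis is at the action level,
    so holding only part of a function's actions does not count."""
    return {fid for fid, f in FUNCTIONS.items() if f.actions <= user_actions}


def analyze(user, user_actions, mitigations, include_mitigated=False):
    """Return [(risk_id, control_or_None)] for the user's violations.
    `mitigations` maps (user, risk_id) -> control id. Mitigated risks are left
    out of the report unless include_mitigated is set, mirroring the option to
    exclude mitigated objects from reporting."""
    held = executable_functions(user_actions)
    report = []
    for risk in RULESET:
        if set(risk.functions) <= held:
            control = mitigations.get((user, risk.id))
            if control is None or include_mitigated:
                report.append((risk.id, control))
    return report


def remediate_by_removal(user_actions, function_id):
    """Remediation option 1: strip one conflicting function's actions from the user."""
    return user_actions - FUNCTIONS[function_id].actions
```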



Access Request Management (ARM)

Access Control component: Access Request Management (ARM) - automate access administration for enterprise applications



SAP Access Control - Access Governance
Automate access administration for enterprise applications

Manage Access

§ Self-service, automated access requests

§ Workflow-driven approval process

§ Embedded risk analysis simulations to “stay clean”

§ Automated provisioning to enterprise applications



Self-service, automated access request

Workflow-driven request management

Sources that feed an access request (request submitted):
§ Self-service through SAP Fiori apps
§ Identity management systems
§ HR systems
§ Other: help desk, training, education, and more

Key benefits
§ Enable users to request the roles they need more quickly and easily
§ Reduce manual tasks and streamline access request processing
§ Make access decisions from anywhere with SAP Fiori apps for access request and approval
§ Flexible access request and approver views
§ Automated provisioning and removal of access
§ Password self-service capabilities



HR events for movers, joiners, and leavers

Integration with SAP SuccessFactors solutions

Employee event in SAP SuccessFactors solutions triggers fully auditable workflow in SAP Access Control.

Key benefits
§ Elimination of manual activities in user-provisioning requests, increasing process speed, efficiency, and accuracy
§ Training support with workflows routed based on role-level training verification requirements



Workflow-driven approval process

Workflow-driven request management

Request flow: Access request through SAP Fiori apps → Request submitted → Risk analysis (with mitigation exception workflow where needed) → Approval(s) → Access approval through SAP Fiori apps

Key benefits
§ Enable users to request the roles they need more quickly and easily
§ Reduce manual tasks and streamline access request processing
§ Make access decisions from anywhere with SAP Fiori apps for access request and approval
§ Flexible access request and approver views
§ Automated provisioning and removal of access
§ Password self-service capabilities
Access Request Management (ARM)
Workflows

Multi-stage, Multi-path (MSMP)

§ The technology powering the workflows in Access Control allows multiple paths and multiple stages in each workflow process;
§ Workflows can be routed or even split to parallel paths, assuming different statuses in each;
§ Different workflows can exist for each purpose in GRC;
§ Rules and advanced workflow logic can be implemented in the BRF+ API, with no coding effort required.

Example flow from the slide: the Requestor submits the request (GRC Access Control) → Risk Analysis → Role Owner Approval (Role Owners) → Provisioning (GRC Access Control). If SoD conflicts exist, the request is routed to Remediation → Remediation Approval (Risk Owners / Internal Controls) → Provisioning.
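An added example (not Access Control's MSMP configuration) of the multi-stage, multi-path pattern: a routing rule, standing in for the BRF+ rule, picks the path from the risk-analysis result; role-owner decisions are taken per line item so each requested role carries its own status through a stage; and, as with the certification removal rule earlier in the deck, provisioning is derived only from what survives the last stage. Stage names, approver groups and the decision callback are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed model of an MSMP-style workflow: one process, several paths, each
# path an ordered tuple of stages. The path is chosen by a rule evaluated on the
# risk-analysis result (the role BRF+ plays on the slide). Stage names, approver
# groups and the decision callback are illustrative, not Access Control's own.


@dataclass(frozen=True)
class Stage:
    name: str
    approver_group: str
    per_line_item: bool = False   # True: each requested role is decided on its own


PATHS = {
    "no_conflict": (Stage("Role Owner approval", "role_owners", True),),
    "sod_conflict": (Stage("Remediation approval", "risk_owners"),
                     Stage("Role Owner approval", "role_owners", True)),
}


@dataclass
class Request:
    id: str
    user: str
    roles: list
    sod_conflicts: list                        # risk ids found by a prior risk analysis
    log: list = field(default_factory=list)    # (stage, role, approved): the audit trail


def select_path(req):
    """Routing rule: split to the remediation path when the risk analysis found
    SoD conflicts, otherwise go straight to the role owners."""
    return "sod_conflict" if req.sod_conflicts else "no_conflict"


def _record(req, stage, role, approved):
    req.log.append((stage.name, role, approved))
    return approved


def run_workflow(req, decide):
    """Drive the request through every stage of its path.
    decide(stage, req, role_or_None) -> bool is the approver's answer.
    Returns (status, roles_to_provision); provisioning is derived only from what
    survives the LAST stage, never from an intermediate approval."""
    pending = list(req.roles)
    for stage in PATHS[select_path(req)]:
        if stage.per_line_item:
            # parallel line items: each role carries its own status through the stage
            pending = [r for r in pending
                       if _record(req, stage, r, decide(stage, req, r))]
        elif not _record(req, stage, None, decide(stage, req, None)):
            pending = []
        if not pending:
            return "rejected", []      # nothing left to approve: nothing is provisioned
    return "approved", pending
```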



Access Request Management (ARM)
Integration HCM / SuccessFactors

HCM
§ RFC Connection between GRC AC and HCM systems;
§ BRF+ construction to trigger HR events;
§ SPRO settings for HR trigger
§ 1591291 - GRC 10.0 - HR Trigger configuration.
§ HR Trigger configuration

SuccessFactors
§ Connection via SAP Cloud Platform Integration Service between GRC AC and SuccessFactors systems;
§ BRF+ construction to trigger HR events;
§ SPRO settings for HR trigger
§ 2644298 - FAQs: GRC Access Control Integration with SuccessFactors.
§ 2180164 - Integrate SuccessFactors Employee Central with SAP Access Control



Business Role Management (BRM)

Access Control component: Business Role Management (BRM) - define and maintain roles in business terms



SAP Access Control - Access Governance
Define and maintain roles in business terms

Maintain Roles

§ Rely on a configurable methodology for role definition and maintenance
§ Define roles in business terms and align with business processes
§ Analyze and optimize business roles



Configurable methodology for role definition and maintenance

Role lifecycle (shared between role owner, role approver, and security): Define role → Maintain authorizations → Analyze access risk → Derive role → Request approval → Generate roles

Key benefits
§ Close loop between business and technical owners with a collaborative role governance process
§ Streamline role definition and management
§ Optimize role definition and reduce role redundancy
§ Support both technical and business users; centrally manage the lifecycle of various role types:
  – Business roles and composite roles
  – Single/technical roles
  – Derived roles



Define roles in business terms and align with business processes

Consistent and repeatable process for role maintenance

Key benefits
§ Improved efficiency in role maintenance
§ Greater collaboration to close the loop between business and technical owners
§ Role definitions used to simplify the user access request process



Create compliant business roles by business function across a
heterogeneous landscape

Analyze and optimize business roles

Key benefits
§ Comprehensive business-role definition covers end-to-end authorizations.
§ Access consolidation reduces the number of roles that the end user needs to request.
§ Harmonized, business process-oriented role management reduces maintenance costs for an improved end-user experience.



Role definition
Owners / approvers

§ There are 2 types of Role Owners: Role Content Approver and Assignment Approver;
§ To be assigned on this page, the user must be listed as a Role Owner in Access Control Owners.



Role definition
Role mapping



Role configuration settings
Role type settings

Role Type Settings: disable unused Role Types

Maintain Labels for Role Type: set custom Labels for role types



User Access Review (UAR)

Access Control component: User Access Review (UAR) - certify that access assignments are still warranted



Automated periodic certification reviews

User access review
§ Automated review distribution based on real-time assignments
§ Workflow distribution by manager
§ Integrated remediation
§ Easy-to-use forms

Firefighter review
§ Firefighter review – a review of firefighter assignment

Access risk reviews
§ SoD and critical access risk review
§ Distribution by risk owner
§ Complete certification for access risks
§ Based on real-time assignments

Key benefits
§ Certify access assignments periodically for continued compliance
§ Lower costs and optimize efficiency for user and role lifecycles
§ Minimize audit time and audit-related costs



User Access Review (UAR)
Typical UAR process

The review runs as a cycle: Prepare data → Generate requests → Admin review → Send requests → Reviewers take action → Generate reports.

Prepare data
§ Jobs are run to populate the UAR tables
§ Data is checked for accuracy and completeness



Generate Requests
§ Job is run to take verified data and create UAR requests.



Admin review
§ Last sanity check for data accuracy;
§ Provides admins time to correct any invalid requests.



Send Requests
§ Job is run to send validated UAR requests to appropriate reviewers via email and GRC work inbox.



Reviewers take action
§ Reviewers approve, remove, or reject access
§ Admins process removals and rejections daily during review.



Generate reports
§ UAR is finalized and audit reports are generated to document activities.



Emergency Access Management (EAM)

Access Control component: Emergency Access Management (EAM) - monitor emergency access and transaction usage



Emergency Access Management (EAM)
Emergency User concept

Without emergency access, the regular user has no authorization for tasks such as:
§ Clear database tables
§ Free filesystem space
§ Restart server



Emergency Access Management (EAM)
Emergency User concept

Firefighter ID

Using a Firefighter ID, the “Firefighter” can perform the tasks:
✓ Clear database tables
✓ Free filesystem space
✓ Restart server

The fix is applied, and the Firefighter Reviewer receives the Log Report.



Emergency Access Management (EAM)
Centralized Firefighting

Centralized Firefighting

Setup: the user logs on to GRC Access Control, and Firefighter RFC logons are made from there to the target systems (SAP ECC, SAP BW, SAP CRM).

§ Firefighters access a centralized dashboard that resides in the GRC Access Control host;
§ In this model, users can see all of the Firefighter IDs assigned to all systems in a single dashboard;
§ Might require high availability for the Access Control instance.



Emergency Access Management (EAM)
Decentralized Firefighting

Decentralized Firefighting

Setup: the user logs on directly to each target system (SAP ECC, SAP BW, SAP CRM).

§ The Firefighter IDs are accessed directly in the target systems;
§ Does not require RFCs, as users log in directly to the target system of choice;
§ User is not required to access GRC Access Control, but must have his own logon for each of the target systems that require Firefighting.



Emergency Access Management (EAM)
Starting a Firefighter session: Centralized



Emergency Access Management (EAM)
Starting a Firefighter session: Decentralized



Emergency Access Management (EAM)
Starting a Firefighter session: Centralized

User logs in as the Firefighter ID



Emergency Access Management (EAM)
Firefighter Login notification



Emergency Access Management (EAM)
Documenting additional activities

Started your Firefighter session, but need to run an additional transaction? Go to the Firefighter dashboard and document it under “Additional Activity”.



Emergency Access Management (EAM)
Firefighter Log Report: Notification and Work item



Emergency Access Management (EAM)
Firefighter Log Report: content



Real-time reporting for enterprise systems

Analyze single or cross-system user and role assignments
Gain insights using interactive overview pages and reports

Key benefits
§ Gain visibility into user access across heterogeneous applications
§ Drive business ownership of access risk with user-friendly reports in business terms
§ Reduce audit costs with predefined reports



Access Control Integration:
SuccessFactors Employee Central
Integration: SAP SuccessFactors solutions

Event-driven employee lifecycle management
§ New hire
§ Change in job or position
§ Retirement and termination

Flow: HR event → Request generated → Risk analysis (mitigation exception workflow as needed) → Approval(s) → Automated provisioning → Enterprise applications



Integration: SAP SuccessFactors solutions (continued)

Event-driven employee lifecycle management

Public cloud - SAP SuccessFactors Employee Central (role: HR specialist):
§ Hire an employee
§ Rehire an employee
§ Transfer or change position
§ Terminate an employee

Middleware - SAP Cloud Platform Integration service:
§ Data converted to format for SAP Access Control

On premise - SAP governance, risk, and compliance solutions:
§ Entitlements calculated based on position
§ Identity updated with other systems’ attributes
§ Risk analysis and remediation for other systems

Other systems (SAP CRM, SAP ERP, SAP Enterprise Portal, third-party products):
§ Employee provisioned in appropriate target systems

Legend: process step (mainly manual) / process step (mainly automated)
© 2016 SAP SE or an SAP affiliate company. All rights reserved.
GRC Webservices

§ GRAC_ROLE_DETAILS - to see all the roles
§ GRAC_USER_ACCESS_WS - to submit request
§ GRAC_REQ_DETAIL_WS - to check details in the request
§ GRAC_REQ_STATUS_WS - to check request status



SAP GRC IAG Bridge
IAG Bridge - Hybrid landscape, on-prem driven

CLOUD
§ SAP Cloud Identity Access Governance: Access Analysis, Business Role Design, Access Request
§ SAP Cloud Identity Service (Identity Authentication & Identity Provisioning): Users, Groups, Connectors; Users Provisioning* to cloud applications such as SAP Analytics Cloud

ON-PREMISE
§ SAP Access Control: Access Analysis, Role Design, Access Request, Self-Services, Workflows, Emergency Access Management
§ End User works in SAP Access Control
§ Target systems: SAP NetWeaver, SAP S/4

IAG Bridge: Role & Request Synchronization between SAP Access Control and SAP Cloud Identity Access Governance; User- & Account-Provisioning through SAP Cloud Identity Service

* For a detailed list of applications currently supported by Identity Provisioning, please refer to the online documentation
IAG Bridge

§ Enable SAP Access Control 12.0 (on-premise) to use SAP Cloud Identity Access Governance as a bridge to facilitate creation of access requests, and performing risk analysis, for cloud applications.
§ Use the Access Control on-premise application to create access requests for your cloud application.
§ The risk analysis, assignment of mitigation controls (if needed), and provisioning are handled by SAP Cloud Identity Access Governance.



IAG Bridge
§ Create request for SAP cloud application from Access Request
§ Perform risk analysis from Access Request
§ Use existing approval workflow in Access Request



IAG Bridge Process

§ Complete the integration between IAG and the cloud application
§ In IAG run repository sync
§ Complete the integration between GRC and IAG (Cloud Connector)
§ Create three connectors (Auth, SOD and connector)
§ Enable configuration in SPRO
§ In GRC run repository sync for the connector with the IAG import checkbox checked
§ Create Access Request in GRC
§ Run Provisioning job in IAG



Security and Compliance Support
GRC and IAG Proof of Concept (PoC)
Focus Area: IAM
IAM Proof of Concept (PoC) is designed to safeguard your IAM strategy and help your security, technical, and management teams assess work effort for implementation while allowing business users to validate a planned solution. It also helps address potential technical issues and workflow queries early in the project lifecycle. This Security Focus Topic supports customers implementing an IAM strategy in a highly heterogeneous environment. This service should be preceded by an IAM Planning workshop.

Objectives
§ Deliver a working PoC for IAM strategy validation covering IAG and GRC AC, subject to a scope agreement to be identified.
§ Hands-on implementation experience and support for your team. Alternatively, SAP can act as implementation partner where you provide us with sufficient permissions to perform the PoC. We track all changes performed in the system for audit trail.
§ Provide documented knowledge-transfer for your team from the PoC implementation.

Deliverables
– Preparation: Scoping call with the customer to define precise scope and agenda for the service
– Target GRC and IAG architecture review for chosen PoC solution scenario and Scope definition (what’s in and out of scope
in PoC).
– We support your team or work directly on the chosen environment in collaboration with your team or partner.
– Testing and validation with sample business users, not just technical administrators.
– Comprehensive service report with visual and written record of target architecture per PoC scenario, configuration screens
captured from your Sandbox or Development systems per step and Issues & Recommendations with status on issue and
action plan provided by SAP for issue closure.
– Delivery follow-up.



Thank you.
Contact information:

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.
