GRC Access Control IAG Presentation
CONFIDENTIAL
SAP GRC and Security Solutions
Solution mapping to key themes

§ Manage risks, controls, and regulatory requirements in business operations
§ Screen third parties and detect anomalies and fraud
§ Provide independent assurance of risk and compliance standards
Solutions: SAP Process Control, SAP Risk Management, SAP Audit Management, SAP Business Integrity Screening

§ Manage access for enterprise applications – cloud or on-premise
§ Manage identities, authorized information access, data use, and sharing conditions
§ Eliminate excessive logins with single sign-on
§ Mitigate access risk violations and monitor financial impact
Solutions: SAP Access Control, SAP Cloud Identity Access Governance, SAP Customer Data Cloud, SAP Single Sign-On, SAP Cloud Identity Services – Identity Authentication, SAP Identity Management, SAP Cloud Identity Services – Identity Provisioning

§ Manage cyber risk with greater alignment to information security standards
§ Identify potential cyber threats and vulnerabilities in applications
§ Secure files and data using transportable policies and encryption
§ Enable greater control with sensitive data masking and logging
Solutions: SAP Enterprise Threat Detection, SAP Privacy Governance, SAP Data Custodian, SAP Data Custodian Key Management Service (KMS), UI masking for SAP, UI logging for SAP, SAP Code Vulnerability Analyzer

§ Manage import and export compliance as well as free trade agreements in global supply chains
§ Optimize trade utilizing special customs procedures such as bonded warehouses, processing trade in China, and free trade zones in NA
§ Screen third parties for improved compliance
Solutions: SAP Global Trade Services, SAP S/4HANA for international trade, SAP Watch List Screening
SAP Cloud Identity Access Governance – Access Governance capabilities (figure)
§ Access Analysis: analyze access, refine user assignments, manage controls
§ Access Request: optimize access, workflow-based assignment, and processes
§ Privileged Access Management: achieve super-user access, log consolidation, and review with automated log assessment
INTERNAL – SAP and Customers Only

Access Analysis
Analyze access, refine user assignments, manage controls.
Process (figure): Dashboard analytics → Select users to analyze → Refine user assignments → Optimize based on business requirement → Mitigate risks → Audit report → Monitor controls
Risk Score Policy fields (Field: Comment)
Weighting Factor for Risk: Each risk is multiplied by the weighting factor entered here. The default is 0.
Weighting Factor for Mitigated Risk: Each mitigated risk is multiplied by the weighting factor entered here. The total is subtracted from the total of the other factors (Risks, Roles, Used Roles). The default is 0.
Weighting Factor for Role: Each role is multiplied by the weighting factor entered here. The default is 0.
Weighting Factor for Used Role: Each used role is multiplied by the weighting factor entered here. The default is 0.
Status: Active or Inactive. Only one Risk Score Policy is active at any time.
For weighting factors, negative numbers are allowed, but fractions (decimal points) are not allowed.
Access Analysis – Access Effectiveness
The Access Effectiveness score in the header is derived from the percentage of access that is being used. For example, if 2 out of 7 roles are being used, the Access Effectiveness score is 29%.

Simple Refinement
The app proposes actions to refine the user's access, such as removing access to a system. All roles for the user are shown.
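The Risk Score Policy weighting rules and the Access Effectiveness percentage described above, as an added example (not SAP code): the field names follow the page, while the class, function names and the integer-only validation are assumptions about how the stated rules would be enforced.

```python
"""Risk Score Policy arithmetic and Access Effectiveness from this page.
Added example; field names follow the page, other names are assumptions."""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class RiskScorePolicy:
    """Weighting factors of one policy. Defaults are 0 as on the page;
    negative whole numbers are allowed, fractions are rejected."""
    name: str
    risk_weight: int = 0
    mitigated_risk_weight: int = 0
    role_weight: int = 0
    used_role_weight: int = 0
    active: bool = False

    def __post_init__(self) -> None:
        for f in fields(self):
            if not f.name.endswith("_weight"):
                continue
            value = getattr(self, f.name)
            # bool is an int subclass, so exclude it explicitly
            if isinstance(value, bool) or not isinstance(value, int):
                raise ValueError(f"{f.name} must be a whole number, got {value!r}")


def risk_score(policy: RiskScorePolicy, risks: int, mitigated_risks: int,
               roles: int, used_roles: int) -> int:
    """Risks, roles and used roles add their weighted counts; the weighted
    mitigated-risk total is subtracted, as the field comments state."""
    added = (risks * policy.risk_weight
             + roles * policy.role_weight
             + used_roles * policy.used_role_weight)
    return added - mitigated_risks * policy.mitigated_risk_weight


def active_policy(policies: list) -> RiskScorePolicy:
    """Exactly one policy may be Active at any time."""
    active = [p for p in policies if p.active]
    if len(active) != 1:
        raise ValueError(f"expected one active policy, found {len(active)}")
    return active[0]


def access_effectiveness(used_roles: int, total_roles: int) -> int:
    """Rounded percentage of assigned roles that are actually used."""
    if total_roles <= 0:
        raise ValueError("user has no roles to score")
    return round(100 * used_roles / total_roles)
```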
Access Request
Process (figure): Submit request, Analyze, Remediate risks, Approve, Adjust as needed, Provision, Audit, Simulate workflow
§ The access request service includes non-modifiable out-of-the-box workflow templates, as shown in the table.
§ Custom Workflow Template: with custom workflow you have the option of customizing your workflow templates, including the stage sequences.
§ You can now configure parameters for each stage sequence, including Risk Analysis Mandatory and Remediation Mandatory, and change path stage descriptions.
§ Once stages are approved, the system initiates provisioning.

Out-of-the-box workflow templates (Template: Description)
Manager - Role Owner - Security Owner: The access request goes to the following roles for approval before it is provisioned: manager, role owner, security owner.
Manager - Role Owner - Risk Owner - Security Owner: The access request goes to the following roles for approval before it is provisioned: manager, role owner, risk owner, security owner. Note: the Risk Owner stage is to be skipped if there are no risks for the access requested.
Manager - Security Owner: The access request goes to the following roles for approval before it is provisioned: manager, security owner.
Manager Only: The access request goes only to the manager for approval before it is provisioned.
Auto Path: The access request goes to an automated approval process and proceeds directly to provisioning without any additional manual approval steps.
Security Only: The access request goes only to the security owner for approval before it is provisioned.
Role Owner - Security: The access request goes to the following roles for approval before it is provisioned: role owner, security owner.
Role Owner - Manager: The access request goes to the following roles for approval before it is provisioned: role owner, manager.
Role Owner Only: The access request goes only to the role owner for approval before it is provisioned.
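The template table above, modelled as an added example (not SAP code) so the conditional Risk Owner skip can be checked: the template names are taken from the page, while the Stage enum, the function names and the use of a risk count as the skip condition are assumptions.

```python
"""Approval path for the out-of-the-box access request workflow templates
listed above. Added example, not SAP code; names other than the template
names are assumptions."""
from enum import Enum


class Stage(str, Enum):
    MANAGER = "manager"
    ROLE_OWNER = "role owner"
    RISK_OWNER = "risk owner"
    SECURITY_OWNER = "security owner"


M, RO, RK, SO = Stage.MANAGER, Stage.ROLE_OWNER, Stage.RISK_OWNER, Stage.SECURITY_OWNER

# Stage sequence of each non-modifiable template; Auto Path has no manual stage.
TEMPLATES = {
    "Manager - Role Owner - Security Owner": [M, RO, SO],
    "Manager - Role Owner - Risk Owner - Security Owner": [M, RO, RK, SO],
    "Manager - Security Owner": [M, SO],
    "Manager Only": [M],
    "Auto Path": [],
    "Security Only": [SO],
    "Role Owner - Security": [RO, SO],
    "Role Owner - Manager": [RO, M],
    "Role Owner Only": [RO],
}


def approval_path(template: str, risk_count: int) -> list:
    """Stages the request visits before provisioning. Per the page's note,
    the Risk Owner stage is skipped when risk analysis found no risks."""
    if template not in TEMPLATES:
        raise KeyError(f"unknown workflow template: {template}")
    return [s for s in TEMPLATES[template] if s is not RK or risk_count > 0]


def is_auto_provisioned(template: str, risk_count: int) -> bool:
    """True when no manual approval stage stands before provisioning."""
    return not approval_path(template, risk_count)
```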
Role Design
Process (figure): Reconcile candidate business roles; Refine
Privileged Access Management
Privileged access management (PAM) allows granting of elevated access to perform critical tasks, with activity tracking and embedded machine learning capabilities to easily identify anomalies.
§ Create the Privileged Access User ID (PAM ID) in the Maintain PAM app.
§ Use the Create Access Request app to request or extend the privileged access you need for performing critical actions.
§ Open the Privileged Access Inbox app to view and approve the Privileged Access Request.
§ The assigned Privileged Access user (PAM User) must log on to the designated system with their own credentials and call the transaction SIAG_PAM_LAUNCH_PAD (RFC access needs to be assigned).
§ The Privileged Access Monitoring app logs all critical actions that users perform once privileged access has been granted to them.
§ Sync this role to the IAG application using the Repository Sync job. This role should be part of all the business roles that will be associated with the PAM ID.
Access Certification
Campaign lifecycle (figure): Create campaign → Start campaign → Review access → Manage campaign → Update access review
§ Define campaign details, select campaign data, select a workflow template, and save, review, and submit the campaign.
§ Review the campaign. The default view is View by User; if you prefer to evaluate the campaigns by access, select View by Access.
§ The campaign automatically closes after all review items are processed. Rejected access is removed.
§ Verify the campaign using the Access Certification Audit Log app, which shows the audit-relevant actions taken on Access Certification campaigns.
§ Review your certification campaigns with the Manage Active Campaign app and act as needed. If authorized, you can close an existing campaign, reassign tasks to a different reviewer, or remind a current reviewer of items to evaluate.
Views: View by User, View by Access
Access Request API
§ The Create Access Request API supports an event-based interface for creating access requests and provides a lookup interface for the specific entities that are required to create requests.
§ https://api.sap.com/package/SAPCloudIdentityAccessGovernanceAccessRequestService/rest

Entities (Entity: Description)
Access Search: Searches the accesses that can be requested.
Application Users: Retrieves the list of Application Users for SAP Cloud Identity Access Governance.
Creates Access Request: Creates a request for assignment creation or update.
Custom Field*: Configures the list of custom fields in SAP Cloud Identity Access Governance. To configure field mapping for custom fields so they can be used in the Access Request API, refer to Field Mapping.
IAG Roadmap
Benefits
§ No installation requirements other than a Web browser; complement and extension of the existing SAP Access Control application around access risk analysis
§ Better user experience with personalized information and graphical views
§ Improved application security and compliance
Capabilities
§ Access governance solution based on SAP Business Technology Platform
§ Intuitive user interface design on SAP Fiori user experience
§ Instant visibility into access issues including access analysis, role design, access request, access certification, and privilege access management
Access Control
Access Risk Analysis (ARA): Find and remediate segregation of duties and critical access violations
Emergency Access Management (EAM): Monitor emergency access and transaction usage

Access Risk Analysis
Find and remediate SoD and critical access violations, analyze at the lowest authorization level.
Rule set (figure): a rule set holds an unlimited number of risks (Risk A, Risk B, …, Risk n); each risk is defined by actions and permissions, across systems such as SAP ERP, Oracle, and PeopleSoft.
Remediation options
Remediation options
Manage Access
Access request
Self-service through SAP Fiori Enable users to request the roles
apps they need more quickly and easily
Multi-stage, Multi-path
(MSMP)
Requestor GRC Access Control Role Owners GRC Access Control
§ The technology powering the
Role Owner workflows in Access Control allows
Submit Request Risk Analysis Provisioning
Approval multiple paths and multiple stages in
each workflow process;
If SoD conflicts exist § Workflows can be routed or even split
to parallel paths, assuming different
Remediation statuses in each;
Remediation Provisioning
Approval § Different workflows can exist for each
purpose in GRC;
§ Rules and advanced workflow logic
can be implemented in the BRF+ API,
with no coding effort required.
Risk Owners Internal Controls GRC Access Control
Access Control – Maintain Roles
Key benefits
§ Close loop between business and technical owners with a collaborative role governance process
§ Comprehensive business-role definition covers end-to-end authorizations.
Role lifecycle (figure): Define role → Maintain authorizations → Analyze access risk → Derive role → Request approval → Generate roles, involving the role owner, role approver, and security.
§ There are 2 types of Role Owners: Role Content Approver and Assignment Approver;
§ To be assigned on this page, the user must be listed as a Role Owner in Access Control Owners.
Access Control – User Access Review (UAR)
Certify that access assignments are still warranted.
Key benefits
§ Certify access assignments periodically for continued compliance
§ Lower costs and optimize efficiency for user and role lifecycles
§ Minimize audit time and audit-related costs

UAR process (figure): Prepare data → Generate requests → Admin review → Send requests → Reviewers take action (User Access Review) → Generate reports
Prepare data
§ Jobs are run to populate the UAR tables
§ Data is checked for accuracy and completeness
Generate Requests
§ Job is run to take verified data and create UAR requests.
Admin review
§ Last sanity check for data accuracy;
§ Provides admins time to correct any invalid requests.
Send Requests
§ Job is run to send validated UAR requests to appropriate reviewers via email and GRC work inbox.
Generate reports
§ UAR is finalized and audit reports are generated to document activities.
Access Control – Emergency Access Management (EAM)
Monitor emergency access and transaction usage.
Firefighter ID scenario (figure): a user with no authorization for a task (for example, restart server) uses a Firefighter ID; centralized firefighting and decentralized firefighting are both shown for SAP ECC and SAP CRM.
Process (figure): Request generated → Approval(s) → Automated provisioning, with risk analysis and mitigation exception workflow as needed.
Identity lifecycle integration (figure)
Enterprise applications (public cloud): SAP SuccessFactors Employee Central. Role: HR specialist. Events: hire an employee, rehire an employee, transfer or change position, terminate an employee. Entitlements are calculated based on position.
Middleware: SAP Cloud Platform Integration service. The identity is updated with other systems' attributes, and data is converted to the format for SAP Access Control.
On premise SAP governance, risk, and compliance solutions: risk analysis and remediation for other systems.
Other systems (SAP CRM, SAP ERP, SAP Enterprise Portal, third-party products): the employee is provisioned in the appropriate target systems.
On-premise scope (figure): SAP S/4 with Access Analysis, Role Design, Access Request, Self-Services, Workflows, and Emergency Access Management
* For a detailed list of applications currently supported by Identity Provisioning, please refer to the online documentation.
IAG Bridge
§ Enable SAP Access Control 12.0 (on-premise) to use SAP Cloud Identity Access Governance as a bridge to facilitate creating access requests and performing risk analysis for cloud applications.
§ Use the Access Control on-premise application to create access requests for your cloud application.
§ Risk analysis, assignment of mitigation controls (if needed), and provisioning are handled by SAP Cloud Identity Access Governance.
Objectives
§ Deliver a working PoC for IAM strategy validation covering IAG and GRC AC, subject to the scope agreement to be identified.
§ Hands-on implementation experience and support for your team. Alternatively, SAP can act as implementation partner where you provide us with sufficient permissions to perform the PoC. We track all changes performed in the system for an audit trail.
§ Provide documented knowledge transfer for your team from the PoC implementation.
Deliverables
– Preparation: scoping call with the customer to define the precise scope and agenda for the service.
– Target GRC and IAG architecture review for the chosen PoC solution scenario, and scope definition (what's in and out of scope in the PoC).
– We support your team or work directly on the chosen environment in collaboration with your team or partner.
– Testing and validation with sample business users, not just technical administrators.
– Comprehensive service report with a visual and written record of the target architecture per PoC scenario, configuration screens captured from your Sandbox or Development systems per step, and Issues & Recommendations with status on each issue and an action plan provided by SAP for issue closure.
– Delivery follow-up.
© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.