SAP GRC Access Control

Instructor: Sodiq Odunbaku

www.conclaseacademy.com
SAP GRC ACCESS CONTROL
BUSINESS CASE
ABC Group, a Fortune 500 company, sends a confidential and high-priority email to Infotech Risks Security (IRSL Consulting), which is an IT consulting firm. Apparently, they have been facing several challenges in the last two years, ranging from fraud and lack of visibility on risks to inability to comply with regulations and lack of proper internal controls, but they have been managing it internally in order to protect the company.
ABC Group is one of the largest corporations in the US in terms of total revenue.
SAP GRC ACCESS CONTROL
COURSE OVERVIEW
• What is SAP GRC Access Control?
• Understanding the Scope of SAP GRC Access Control
• Why SAP GRC Access Control?
• Components of SAP GRC Access Control
• Overview of Access Risk Analysis
• Benefits of SAP Access Risk Analysis
• Understanding Rulesets, Access Risks, and Functions
• Identifying SoD violations and critical actions/permissions
• Understanding Risk Mitigation and Remediation
• Access Request Management
• Business Role Management
• Emergency Access Management
SAP GRC ACCESS CONTROL
WHAT IS GRC?
GRC as an acronym denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.

“Every organizational business function and process is governed in some way to meet objectives. Each of these objectives has risks, as well as controls that increase the likelihood of success (or minimize the impact of failure). These are the fundamental concepts of GRC.” - Forrester

GRC is the integrated collection of capabilities that enable an organization to achieve Principled Performance.

Principled Performance is an approach to business that helps organizations reliably achieve objectives, address uncertainty and act with integrity.

• Organizations have managed GRC for a long time — in this way, GRC is nothing new.
• Forward-thinking organizations view GRC as an integrated collection of all capabilities necessary to support Principled Performance.
• Organizations that understand and apply the principles of integrated GRC, in both processes and technology, have a real competitive advantage. They improve their ability to make well-informed strategic decisions and are better able to respond with agility and speed to threats and opportunities that arise.
SAP GRC ACCESS CONTROL
RECENT BUSINESS TRENDS
SAP GRC ACCESS CONTROL
WHY GRC MATTERS TO THE C-LEVEL
[Figure: C-level concerns around GRC. Fraud Prevention: “Am I aware?”; Brand Protection: “Will we be the next headline?”; Avoid fines/penalties; Continuous Improvement; Avoid Surprises; Reduce Compliance Cost; Improve Performance; Governance: “Identify my objectives and the risks that will keep me from meeting them”; Data Quality/Accuracy; Visibility.]
SAP GRC ACCESS CONTROL
WHERE IS “GRC” IN PRINCIPLED PERFORMANCE?
Governance is the act of externally directing, controlling and evaluating an entity, process or resource.
• Reliably achieve objectives

Risk Management is the act of managing processes and resources to address risk while pursuing reward.
• Addressing uncertainty

Compliance is the state of being able to prove fulfillment of a requirement.
• Acting with integrity

SAP GRC ACCESS CONTROL
TRANSFORMATIONAL OPPORTUNITY: ABC GROUP
[Figure: OLD vs. NEW approach]
• Proactive Actions & Controls - proactively incentivize desirable and prevent undesirable conditions or events.
• Detective Actions & Controls - detect the actual or potential occurrence of desirable and undesirable conditions and events.
• Responsive Actions & Controls - provide recognition for desirable conduct and correct undesirable conditions or events.
SAP solutions for Governance, Risk and Compliance
Simplify, gain insight, and strengthen

Security & Access:
• SAP Access Control
• SAP Identity Management
• SAP Single Sign-On
• SAP Dynamic Authorization Management by NextLabs
• SAP Enterprise Threat Detection

Continuous Monitoring:
• SAP Access Violation Management by Greenlight
• SAP Process Control
• SAP Risk Management
• SAP Regulation Management by Greenlight
• SAP Business Integrity Screening
• SAP Audit Management

Global Trade:
• SAP Global Trade Services
• SAP Technical Data Export Compliance by NextLabs
• SAP Electronic Invoicing for Brazil

Also shown: SAP BPC; HANA Apps
Platform: Any Device, Any Application, Cloud, Big Data

QUESTIONS
?
You have the floor…
SAP GRC ACCESS CONTROL
WHAT IS SAP GRC ACCESS CONTROL?
GRC-AC is an enterprise-wide software application that helps to manage and control user access in the system and prevent fraud across the enterprise while minimizing the time and cost of compliance.

GRC-AC is a perfect solution that enables you to make better business decisions by predicting and visualizing how certain risks might impact performance.

GRC-AC helps organizations to automatically detect, manage and prevent access risk violations and reduce unauthorized access to company data and information.

GRC-AC handles key challenges by allowing the business to manage access risk. It helps organizations to prevent unauthorized access by defining segregation of duties (SoD) and critical access, and by minimizing the time and cost of access risk management.
SAP Access Control: Access Governance
Manage access risk
• Analyze Risk: find and remediate segregation of duties and critical access violations
• Monitor Privileges: monitor emergency access and transaction usage
• Provision Users
• Certify Authorizations: certify that access assignments are still warranted
• Maintain Roles: define and maintain roles in business terms

SAP Access Control: Access Governance
Find and remediate segregation of duty (SoD) and critical access violations
• Analyze Risk
 - Use a comprehensive, predefined rule set
 - Perform cross-system analysis for enterprise applications in real time or offline mode
 - Take action to remediate and mitigate access risks
 - Simulate changes to identify and prevent new risks

SAP Access Control: Access Governance
Automate access administration for enterprise applications
• Manage Access
 - Self-service, automated access requests
 - Workflow-driven approval process
 - Embedded risk analysis simulations to “stay clean”
 - Automated provisioning to enterprise applications

SAP Access Control: Access Governance
Define and maintain roles in business terms
• Maintain Roles
 - Rely on a configurable methodology for role definition and maintenance
 - Define roles in business terms and align with business processes
 - Analyze and optimize business roles

SAP Access Control: Access Governance
Certify access assignments are still warranted
• Certify Authorizations
 - Automate periodic user-access reviews
 - Certify role content and assignment to users
 - Automate review of mitigating control assignments

SAP Access Control: Access Governance
Monitor emergency privileges and transaction usage
• Monitor Privileges
 - Manage emergency access
 - Review user and role transaction usage details
 - Get proactive notification of conflicting or sensitive action usage
 - Customize dashboards and reports

SAP GRC ACCESS CONTROL
WHY SAP ACCESS CONTROL?
Understand the scope of SAP GRC Access Control
- Understand the Business Challenge
- Understand the solution to the Business Challenge
SAP GRC ACCESS CONTROL
BUSINESS CHALLENGE
Access and Authorization Risks:
- Lack of proper controls
- Accidental and intentional activities due to excessive access privileges can impact performance and reputation.
- Addressing regulatory mandates with manual activities and fragmented processes increases cost and complexity.
• Caused by an Ineffective, Fragmented Approach:
- Complexity impacts access and authorization management, making it inefficient.
- Risks are not identified and managed in time, and no proper remediation or mitigation is possible.
- Managers cannot own the responsibility for Segregation of Duties in this fragmented model.
SAP GRC ACCESS CONTROL
SOLUTION TO BUSINESS CHALLENGE
Access and Authorization Management:
- Overcome fragmented authorization management processes
- Effective and efficient cleanup of SoD conflicts and excessive authorizations
- Prevent future violations via a risk-based approval process for new authorizations within the organization
- Business assumes ownership
• Implementation of comprehensive risk-based access and authorization management
SAP GRC ACCESS CONTROL
COMPONENTS OF SAP GRC ACCESS CONTROL
Access Control consists of four components:
• Access Risk Analysis: risk identification, risk analysis, rule creation, control creation and monitoring
• Business Role Management: role definition and role management
• Emergency Access Management: user access control
• Access Request Management: end-to-end compliant provisioning
QUESTIONS
?
You have the floor…
SAP GRC ACCESS CONTROL
OVERVIEW OF ACCESS RISK ANALYSIS
• A fully automated security audit and Segregation of Duties (SoD) analysis tool.
• Designed to identify, analyze, and resolve all SoD and audit issues related to regulatory compliance.
• Includes an expandable starter set of rules.
• Provides comprehensive risk management functionality:
 - Risks can be identified and created in a system that can be correlated with functions
 - Each function can be associated with a business process
 - Documentation of risk mitigation controls
• The SoD rule set is used as the basis for all SoD analysis for the SAP Access Control components.

Enables end-to-end automation: Identify and select risks to manage → Build and maintain rules → Detect authorization risk → Remediate and mitigate → Test and report → Prevent

ARA helps organizations to get clean by detecting authorization risks and by identifying, analyzing and controlling SoD issues relating to regulatory compliance, in order to optimize their business performance.

Value Drivers
• Analyze, manage, and minimize risk by establishing and using a rule set.
• Correct and mitigate conflicts for users and roles.
• Lower the cost of compliance and audit activities.
• Prevent possible fraud or errors.
• Provide detailed reports of access risks and controls to improve communication with senior management.
SAP GRC ACCESS CONTROL
BUSINESS CASE CONT’D
Upon analyzing ABC Group’s landscape, we identified that authorizations are not properly controlled and duties are not segregated. Users exploit this vulnerability to realize financial gains and manipulate data. For instance:
In Finance, a user should not have the authorizations to both Enter Incoming Invoices (FB60) and Post Outgoing Payment (F-53). This is a SoD violation and gives room for fraud, where the user can create a fictitious vendor and initiate payment for the vendor.
Most organizations face these challenges due to lack of proper SoD. This may lead to brand damage, loss of income and not being able to reliably achieve business objectives.
SCENARIO 1: IDENTIFYING AUTHORIZATION RISKS – PURCHASE TO PAY PROCESS
Purchase to Pay Transactions

ARA Identified Risks:
● Authorization risks in the purchase-to-pay process
● Risks involved in unauthorized adjustments and approvals of payroll

Authorization Risks in Purchase-to-Pay Identification:
A single user should not have all of the below authorizations in the purchase-to-pay process, that is:
● ME21N for creating a purchase order
● MIGO for posting goods receipt
● MIRO for posting an invoice

Let’s say we have uncontrolled assignment of authorizations in purchase-to-pay processes at ABC Group. The purchasing officer (user) might be able to perform the following steps and initiate a fraud:
1. Create a fraudulent vendor with a private bank account (XK01)
2. Create a purchase order (ME21N) and enter an invoice for the purchase order (MIRO)
3. Hide the missing goods receipt by maintaining a GR/IR clearing account (MR11) and setting the Delivery Complete flag (ME22N)
4. Release the invoice, which has been blocked because of quantity differences (MRBR)
5. Execute the payment run (F110)
SCENARIO 2: IDENTIFYING AUTHORIZATION RISKS – PAYROLL PROCESS
The payroll process includes all activities that are used to create a payroll run. The payroll process considers all changes within the personnel administration process, like salary changes or the assignment of another tax class.
As a result, the process will initiate the following:
● Creation of salary statements
● Payments of salaries to the members of personnel
● Posting of all relevant information to financial accounting and controlling

The following payroll process steps need to be separated from each other:
● Run payroll simulation (HR)
● Run productive payroll (HR)
● Release payroll (HR)
● Prepare bank transfers using the preliminary program for data medium exchange (FI)
● Use the Payment Media Workbench to create a payment file for final bank transfer (FI)

If authorizations are not properly controlled and duties are not segregated, a user could exploit this vulnerability to realize a financial gain by performing one of the following conflicting activities:

Payroll User – Authorization Risks:
● Modify payroll master data, such as salary information (PA30), and then process the payroll (PA03, PAUX)
● Change employee HR benefits (HRBEN0083), then process payroll (PA03, PAUX) to improve their own financial situation
● Modify time data (PA63) and process payroll (PA03, PAUX), resulting in fraudulent payments
● Enter false time data (PA71) and perform payroll maintenance (PA03, PAUX)
● Print salary statements to printers to which unauthorized persons have access
SAP GRC ACCESS CONTROL
SEGREGATION OF DUTIES AND CRITICAL ACTIONS
SAP has developed a three-phase approach to risk management. By applying this method, it is possible to implement a process for segregation of duties (SoD) risk management. The three phases are Recognize, Analyze and Prevent.
SAP GRC ACCESS CONTROL
SOD RISK MANAGEMENT PROCESS
RECOGNIZE → ANALYZE → PREVENT
SAP GRC ACCESS CONTROL
RULE BUILDING TERMS
SAP GRC ACCESS CONTROL
RULE BUILDING PROCESS
Rules include risks, functions, and business processes. SAP Access Control automatically generates the rules as permutations of the different actions and permissions derived from the combined functions.

To build a Rule:
• Functions include specific actions commonly used for a task, for example, Maintain General Ledger Master Record or Post Journal Entry.
• Authorization to perform certain combinations of functions results in a SoD risk.
SAP GRC ACCESS CONTROL
RULE STRUCTURE
Actions and permissions combine to form functions. Functions in certain combinations result in a risk. Risks are associated with business processes, and all the components come together to form rules. Rules are collected in a rule set.
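As an added example (not SAP's code), the following Python models the rule structure above and the preventive simulation that ARM runs before approval: functions group actions, an access risk combines functions, the rule set is the permutation of one action from each function, and a rule "hits" a user who holds all of its actions. The function and risk IDs, the grouping of transaction codes into functions, and the user data are constructed for illustration.

```python
"""Rule generation and access risk analysis modelled on the ARA rule structure.

Added example, not SAP's code. Function and risk IDs, transaction codes grouped
into functions, and the user/role data are constructed for illustration.
"""
from itertools import product

# Functions: a named group of actions (transaction codes) used for one task.
FUNCTIONS = {
    "PR01": {"desc": "Create purchase order", "actions": {"ME21N", "ME22N"}},
    "PR02": {"desc": "Post goods receipt", "actions": {"MIGO"}},
    "PR03": {"desc": "Post vendor invoice", "actions": {"MIRO"}},
    "AP01": {"desc": "Enter incoming invoice", "actions": {"FB60"}},
    "AP02": {"desc": "Post outgoing payment", "actions": {"F-53", "F110"}},
}

# Access risks: a combination of functions that one user must not hold,
# tied to a business process and a risk level.
RISKS = {
    "P001": {"process": "Purchase to Pay", "level": "High",
             "functions": ["PR01", "PR02", "PR03"]},
    "F001": {"process": "Finance", "level": "High",
             "functions": ["AP01", "AP02"]},
}


def build_rules(risks=RISKS, functions=FUNCTIONS):
    """Generate the rule set: one rule per permutation of one action from each function."""
    rules = {}
    for risk_id, risk in risks.items():
        action_lists = [sorted(functions[f]["actions"]) for f in risk["functions"]]
        for n, combo in enumerate(product(*action_lists), start=1):
            rules[f"{risk_id}{n:03d}"] = {"risk": risk_id, "actions": frozenset(combo)}
    return rules


def analyze_user(user_actions, rules, mitigated=()):
    """Risk IDs the user violates: a rule hits when the user holds all of its actions.

    Risks listed in `mitigated` (a mitigating control is assigned) are reported
    separately rather than suppressed, so they still show up for the control monitor.
    """
    held = set(user_actions)
    hits = {r["risk"] for r in rules.values() if r["actions"] <= held}
    return {"open": sorted(hits - set(mitigated)),
            "mitigated": sorted(hits & set(mitigated))}


def simulate_request(user_actions, requested_actions, rules):
    """Preventive simulation (ARM 'stay clean'): new risks a request would introduce."""
    before = set(analyze_user(user_actions, rules)["open"])
    after = set(analyze_user(set(user_actions) | set(requested_actions), rules)["open"])
    return sorted(after - before)


if __name__ == "__main__":
    rule_set = build_rules()
    print(len(rule_set), "rules generated")
    print(analyze_user({"ME21N", "MIGO", "MIRO"}, rule_set))
    print(simulate_request({"FB60"}, {"F-53"}, rule_set))
```

A real rule set also carries permission-level objects (authorization objects and field values) under each action; this example stops at the action level.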
SAP GRC ACCESS CONTROL
ROLES & RESPONSIBILITIES OF THE SAP ACCESS CONTROL TEAM
Business Process Owners:
• Identify risks and approve risks for monitoring. Approve remediation involving user access.
• Design controls for mitigating conflicts. Communicate access assignments or role changes.
• Perform proactive continuous compliance.

Senior Officers:
• Approve or reject risks between business areas.
• Approve mitigating controls for selected risk conditions.
• Maintain focus on the identified risks and how those risks affect the company financially.

Security Administrators and Technical Consultants:
• Own the SAP GRC technology foundation tools and security process.
• Design and maintain rules to identify risk.
• Customize the SAP GRC technology foundation roles to enforce roles and responsibilities. Analyze and remediate SoD conflicts at the role level.

Auditors and Regulators:
• Perform risk assessment on a regular basis.
• Provide specific requirements for audit purposes.
• Perform periodic testing of rules and mitigating controls. Act as liaison with external auditors.
SAP GRC ACCESS CONTROL
SETTING UP ACCESS RISK ANALYSIS
Rule hierarchy: Rule Set → Access Risk → Functions → Permissions and Actions
Some users need to be created and assigned the necessary SAP-delivered roles so as to automate and monitor the risk analysis process:
• Risk Owner: creates and approves risks, receives alerts in case of any violations by users, and can also carry out risk analysis.
• Control Monitor: this user is assigned to a mitigating control so as to monitor the risk ID assigned to the control and ensure compliance.
• Control Approver: this user is assigned to a control so as to approve it when created, and receives an alert if the control monitor does not carry out his function of monitoring controls.
• Control Owner: this user creates a mitigating control and assigns it to an approver or monitor; once approved, he can then assign it to a risk ID.
QUESTIONS
?
You have the floor…
SAP GRC ACCESS CONTROL
OVERVIEW OF ACCESS REQUEST MANAGEMENT
Access Request Management automates the access provisioning and approval process by linking the request with workflows.
When a user (Requester) raises an access request, Access Request Management automatically forwards the access request to designated managers and approvers within a pre-defined workflow.

This workflow is customized to reflect your company’s policies. Roles and permissions are automatically logged to the enterprise directories when the access requests are approved, for future reference and audit purposes. Access Request Management ensures corporate accountability and compliance with Sarbanes-Oxley (SOX) along with other laws and regulations.

With Access Request Management (ARM), a user can request access via a workflow-based module. The access request follows a predefined path when it is sent and allows for multiple approvals and security checks.

Since the ARM module is connected to the ARA module, the approver may conduct compliance checks in the context of an access risk analysis to detect potential risks before they even occur.

The workflow can be tailored to reflect the policies of a company. When access requests are approved, the granted functions and authorizations are automatically logged for future reference and audit purposes. ARM guarantees organizational transparency and compliance with SOX along with other laws and regulations.

Access request workflow:
1. A Requester initiates a request using the access request page, which is pre-configured by the Administrator.
2. Upon submission of the Access Request, a workflow gets triggered based on the selection(s) in the request.
3. These selections are linked with conditions that are pre-defined by the admin.
4. At each approval point (stage), an approver receives the request, which he/she can analyze, run risk analysis on and mitigate, and based on the findings can choose to approve, reject or hold the request.
5. Upon approval at all stages, the request is automatically provisioned using Auto Provisioning.
6. The request and its outcome are logged and can serve as an audit trail for security/monitoring/legal purposes.

Key roles:
• Requester: a user who makes a request for themselves or for someone else (SAP_GRAC_ACCESS_REQUESTER)
• Approver: someone who has the authority to approve or deny that request (SAP_GRAC_ACCESS_APPROVER)
• Administrator: someone who sets everything up, including Access Request pages, workflows, conditions etc. (SAP_GRAC_ACCESS_REQUEST_ADMIN)

[Figure: end-to-end flow. Employee / Existing User → New Request (Requester) → Risk Analysis (one-click preventive simulation) → Approval (100% automated, e.g. via email) → Automated Provisioning (100% automated) → access generated]
QUESTIONS
?
You have the floor…
SAP GRC ACCESS CONTROL
OVERVIEW OF BUSINESS ROLE MANAGEMENT
This is a central repository for roles of all connected systems. Most companies lack collaboration between managers and IT security, lack the ability to model compliant business roles, and lack a process for role lifecycle management in their business.

With the Access Control Business Role Management tool, companies can manage the entire role creation process with embedded compliance and business insights, and map technical roles to business roles according to their functions.
• BRM automates role definition and management of roles.
• Tracks the status of the role during maintenance.
• Performs risk analysis at the role design phase.
• Enables Firefighter roles for Firefighting.
• Flexible role building workflows, which include preventative simulations.
• Maintains roles after they are generated to keep role information current.
• Enforces Segregation of Duties from the ground up by starting with clean role definitions.
• Role Comparison to detect backend changes, which provides role consistency, synchronization, and compliance.
• There is an integration point between Business Role Management, Access Risk Analysis, and Access Request Management.
• BRM serves as a central repository for roles from all connected backend systems.
• BRM enforces naming conventions for roles.
• Identifies duplicate or nearly duplicate roles.
• Identifies roles that may no longer be needed.
• It provides SAP Security Administrators, Role Designers, and Role Owners with a simplified means of documenting and maintaining important role information.
QUESTIONS
?
You have the floor…
SAP GRC ACCESS CONTROL
OVERVIEW OF EMERGENCY ACCESS MANAGEMENT
Most organizations face challenges in managing and monitoring super users due to their excessive authorizations and their ability to cover up their trail.

A super user can be someone with excessive privilege outside his/her own job function, probably due to the absence of another user.

Emergency Access Management, available in the SAP GRC Access Control V10.1 and 12.0 solutions, allows users to complete tasks outside their normal day-to-day responsibilities.

The EAM component allows temporary access for users who are assigned to solve a problem, by giving broad but regulated access which can be audited.
SAP GRC ACCESS CONTROL
KEY USERS & TERMINOLOGIES IN EMERGENCY ACCESS MANAGEMENT
The following concepts are important to understand emergency access management:
• Firefighter: the user who requires emergency access
• Firefighter ID: the user ID with elevated privileges
• Firefighting: the act of using a Firefighter ID to perform tasks in an emergency
• Owner: the user responsible for a Firefighter ID and the assignment of controllers and Firefighters
• Controller: the user who reviews and approves (if required) the log files generated from firefighting activities

The Firefighter administrator prepares the system for firefighting. He or she does the following on the system:
• Maintains the firefighter owner and controller as access control owners
• Assigns the firefighter IDs to the firefighter owners
• Assigns the firefighter IDs to the firefighter controllers
• Creates the reason codes

Emergency access management includes these processes:
Request emergency access
Requests for emergency access must be tracked and approved through a formal, documented process. The request should include the activities intended to be performed, for audit purposes.
Perform activities
Once access is granted, the user can log in to perform the activities documented during the request process.
Review emergency access activities
You should review the intended and actual usage of emergency access in a formal, documented process. Exceptions between intended and actual usage should be further investigated.
Perform periodic audit of usage and sign-off logs
A periodic audit of Firefighter ID usage and corresponding review logs should be implemented. The intent of the audit is to verify that Firefighter activities are documented and reviewed, and that exceptions are investigated according to policy.
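The review and periodic-audit steps above, as an added example that is not SAP Access Control code: each emergency request records the activities the Firefighter intended to perform, the session log records what was actually executed under the Firefighter ID, and the review flags the difference plus any log the controller has not signed off. The request fields, reason codes, Firefighter IDs and log entries are constructed for illustration.

```python
"""Firefighter log review: compare intended vs actual usage of a Firefighter ID.

Added example, not SAP Access Control code. Request fields, reason codes,
Firefighter IDs and the session log below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class EmergencyRequest:
    firefighter: str          # the user who requested emergency access
    ff_id: str                # the Firefighter ID that was checked out
    reason_code: str          # reason code created by the Firefighter administrator
    intended_actions: set     # transactions documented in the request
    controller: str           # user responsible for reviewing the session log
    reviewed: bool = False    # set once the controller signs off the log


# Constructed firefighter session log: (Firefighter ID, transaction, timestamp)
SESSION_LOG = [
    ("FF_FI_01", "FB02", "2024-03-01T09:12"),
    ("FF_FI_01", "F110", "2024-03-01T09:40"),
    ("FF_HR_02", "PA30", "2024-03-02T14:05"),
]


def review_session(req, log=SESSION_LOG):
    """Compare the request's intended activities with what the log shows was run.

    Returns the exceptions (actions executed but never documented) that the
    controller must investigate before signing off.
    """
    actual = {tcode for ff_id, tcode, _ in log if ff_id == req.ff_id}
    return {"intended": sorted(req.intended_actions),
            "actual": sorted(actual),
            "exceptions": sorted(actual - req.intended_actions)}


def periodic_audit(requests, log=SESSION_LOG):
    """Audit finding per request: undocumented activity or a log with no controller sign-off."""
    findings = []
    for req in requests:
        result = review_session(req, log)
        if result["exceptions"]:
            findings.append((req.ff_id, "undocumented activity", result["exceptions"]))
        if not req.reviewed:
            findings.append((req.ff_id, "log not reviewed by controller", req.controller))
    return findings


if __name__ == "__main__":
    reqs = [
        EmergencyRequest("jdoe", "FF_FI_01", "R01", {"FB02"}, "ctl1", reviewed=True),
        EmergencyRequest("asmith", "FF_HR_02", "R02", {"PA30"}, "ctl2"),
    ]
    for finding in periodic_audit(reqs):
        print(finding)
```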
QUESTIONS
?
You have the floor…
THANK YOU!

www.conclaseacademy.com
