Sap GRC Ac
www.conclaseacademy.com
SAP GRC ACCESS CONTROL
BUSINESS CASE
ABC Group, a Fortune 500 company, sends a confidential, high-priority email to Infotech Risks Security (IRSL Consulting), an IT consulting firm. Apparently, they have been facing several challenges over the last two years, ranging from fraud and a lack of visibility into risks to an inability to comply with regulatory requirements and a lack of proper internal controls. Until now they have been managing these internally in order to protect the company.
ABC Group is one of the largest corporations in the US in terms of total revenue.
COURSE OVERVIEW
What is SAP GRC Access Control?
Understanding the Scope of SAP GRC Access Control
Why SAP GRC Access Control?
Components of SAP GRC Access Control
Overview of Access Risk Analysis
Benefits of SAP Access Risk Analysis
Understanding Rulesets, Access risks, and Functions
Identifying SOD violation and critical actions/permissions
Understanding Risk Mitigation and Remediation
Access Request Management
Business Role Management
Emergency Access Management
WHAT IS GRC?
GRC as an acronym denotes governance, risk, and compliance — but the full story of GRC is so much more than those three words.

GRC is the integrated collection of capabilities that enable an organization to achieve Principled Performance.

“Every organizational business function and process is governed in some way to meet objectives. Each of these objectives has risks, as well as controls that increase the likelihood of success (or minimize the impact of failure). These are the fundamental concepts of GRC.” - Forrester

Principled Performance is an approach to business that helps organizations reliably achieve objectives, address uncertainty and act with integrity.

• Organizations have managed GRC for a long time — in this way, GRC is nothing new.
• Organizations that understand and apply the principles of integrated GRC, in both processes and technology, have a real competitive advantage. They improve their ability to make well-informed strategic decisions and are better able to respond with agility and speed to threats and opportunities that arise.
RECENT BUSINESS TRENDS
WHY GRC MATTERS TO THE C-LEVEL
(Figure: C-level drivers for GRC. Drivers: Fraud Prevention, Brand Protection, Continuous Improvement, Improve Performance, Reduce Compliance Cost, Avoid Fines/Penalties, Avoid Surprises, Governance, Accurate, Data Quality, Visibility. Questions: “Am I aware?”, “Will we be the next headline?”, “Identify risks that will keep me from meeting my objectives.”)
WHERE IS “GRC” IN PRINCIPLED PERFORMANCE?
Governance is the act of externally directing, controlling and evaluating an entity, process or resource.
• Addressing uncertainty
• Proactive Actions & Controls - proactively incentivize desirable and prevent undesirable conditions or events.
(Figure: OLD vs NEW approach; HANA Apps)
GRC-AC is a solution that enables you to make better business decisions by predicting and visualizing how certain risks might impact performance.
GRC-AC helps organizations automatically detect, manage and prevent access risk violations and reduce unauthorized access to company data and information.
GRC-AC addresses key challenges by allowing the business to manage access risk. It helps organizations prevent unauthorized access by defining segregation of duties (SoD) and critical access, and by minimizing the time and cost of access risk management.
SAP Access Control
Manage access risk:
• Analyze Risk
• Monitor Privileges
• Find and remediate segregation of duties and critical access violations
• Monitor emergency access and transaction usage
Access Governance:
• Maintain Roles
• Define and maintain roles in business terms
SAP Access Control Governance - Find and remediate segregation of duty (SoD) and critical access violations:
• Analyze Risk
• Manage Access
• Maintain Roles
• Certify Authorizations
• Monitor Privileges
Authorization Risks - can impact performance and reputation.
• Caused by an Ineffective Fragmented Approach
- Addressing regulatory mandates with manual activities and fragmented processes increases cost and complexity.
- Complexity impacts access and authorization management, making it inefficient.
- Risks are not identified and managed in time and no proper remediation or mitigation is possible.
- Managers cannot own the responsibility for Segregation of Duties in this fragmented model.
SOLUTION TO BUSINESS CHALLENGE
Access Control - Overcome fragmented authorization management and processes
Business Role Management • Role definition and role management
Emergency Access Management • User access control
Access Request Management • End to end compliant provisioning
QUESTIONS? You have the floor…
OVERVIEW OF ACCESS RISK ANALYSIS
• A fully automated security audit and Segregation of Duties (SoD) analysis tool.
• Designed to identify, analyze, and resolve all SoD and audit issues related to regulatory compliance.
• The SoD rule set is used as the basis for all SoD analysis for the SAP Access Control components.
• Enables end-to-end automation.
Value Drivers
Authorization Risks - example SoD conflict: Execute the payment run (F110) vs. Create a purchase order (ME21N) and enter an invoice for the purchase order (MIRO).
(Figure: Authorization Risks - Recognize, Analyze, Prevent)
SOD RISK MANAGEMENT PROCESS
RECOGNIZE → ANALYZE → PREVENT
RULE BUILDING TERMS
RULE BUILDING PROCESS
Rules include risks, functions, and business processes. SAP Access Control automatically generates the rules as permutations of the different actions and permissions derived from the combined functions.

To build a Rule: Functions include specific actions commonly used for a task, for example, Maintain General Ledger Master Record or Post Journal Entry.

Responsibilities in the rule building process:
- Design controls for mitigating conflicts. Communicate access assignments or role changes. Perform proactive continuous compliance.
- Approve mitigating controls for selected risks. Maintain focus on the identified risks and how those risks affect the company financially.
- Design and maintain rules to identify risk conditions. Customize the SAP GRC technology foundation roles to enforce roles and responsibilities. Analyze and remediate SoD conflicts at the role level.
- Provide specific requirements for audit purposes. Perform periodic testing of rules and mitigating controls. Act as liaison with external auditors.
SETTING UP ACCESS RISK ANALYSIS
(Figure: rule building hierarchy - Rule Set → Access Risk → Functions → Actions / Permissions)
Some users need to be created and assigned the necessary SAP-delivered roles so as to automate and monitor the risk analysis process:
Risk Owner: creates and approves risks, receives alerts in case of any violations by users, and can also carry out risk analysis.
Control Monitor: this user is assigned to a mitigating control so as to monitor the risk ID assigned to the control and ensure compliance.
Control Approver: this user is assigned to a control so as to approve it when it is created; he receives an alert if the control monitor does not carry out his function of monitoring controls.
Control Owner: this user creates a mitigating control and assigns it to an approver or monitor; once approved, he can then assign it to a risk ID.
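The two slides above (rule building, and the rule set / access risk / function / action hierarchy) are illustrated by the following added example, which is not part of the course material or of SAP's software. It models functions as sets of actions, expands an access risk into rules as the product of its functions' actions, runs an action-level analysis over users' role assignments, honours mitigating controls, and performs a preventive simulation of a proposed role. All function, risk, role, user and control IDs (AP01, P001, Z_AP_PAYMENTS, JDOE, MC-AP-01, …) are constructed for the example; only F110, ME21N and MIRO come from the slides.

```python
import itertools

# Constructed sample data (not from SAP): a function groups the actions
# (transaction codes) used for one task; an access risk names the functions
# whose combination constitutes a conflict. AP01/PR01 mirror the slide's
# payment-run vs. purchase-order/invoice example.
FUNCTIONS = {
    "AP01": {"name": "Execute payment run", "actions": {"F110"}},
    "PR01": {"name": "Create PO and enter invoice", "actions": {"ME21N", "MIRO"}},
    "GL01": {"name": "Maintain GL master record", "actions": {"FS00"}},
}
RISKS = {
    "P001": {"level": "High", "functions": ("AP01", "PR01"),
             "description": "Create purchase order/invoice and release payment"},
}
# Technical roles and their actions, and the roles assigned to each user.
ROLES = {
    "Z_AP_PAYMENTS": {"F110"},
    "Z_PUR_BUYER": {"ME21N", "MIRO"},
    "Z_GL_MASTER": {"FS00"},
}
USERS = {
    "JDOE": {"Z_AP_PAYMENTS", "Z_PUR_BUYER"},
    "ASMITH": {"Z_AP_PAYMENTS"},
    "BLEE": {"Z_PUR_BUYER", "Z_GL_MASTER"},
}
# Mitigating controls assigned to (user, risk) by a control owner, with the
# control monitor responsible for checking them.
MITIGATIONS = {
    ("JDOE", "P001"): {"control": "MC-AP-01", "monitor": "CTRL_MON_AP"},
}


def generate_rules(risk_id):
    """Expand a risk into rules: one rule per combination of one action from
    each function in the risk (the 'permutations of the combined functions'
    the slide describes). A user violates the risk if any rule matches."""
    action_lists = [sorted(FUNCTIONS[f]["actions"])
                    for f in RISKS[risk_id]["functions"]]
    return [tuple(combo) for combo in itertools.product(*action_lists)]


def build_ruleset():
    """Rule set = all rules of all risks, keyed by a generated rule ID."""
    ruleset = {}
    for risk_id in RISKS:
        for n, rule in enumerate(generate_rules(risk_id), start=1):
            ruleset[f"{risk_id}{n:02d}"] = (risk_id, rule)
    return ruleset


def actions_for(roles):
    """All actions a set of roles grants."""
    return set().union(*(ROLES[r] for r in roles))


def analyze(user_id, roles=None):
    """Action-level risk analysis for a user. Passing `roles` simulates an
    alternative assignment (preventive simulation); default is current roles."""
    held = actions_for(USERS[user_id] if roles is None else roles)
    findings = []
    for rule_id, (risk_id, rule) in build_ruleset().items():
        if set(rule) <= held:  # the user holds every action of the rule
            mitigation = MITIGATIONS.get((user_id, risk_id))
            findings.append({
                "user": user_id, "risk": risk_id, "rule": rule_id,
                "actions": rule, "level": RISKS[risk_id]["level"],
                "mitigated": mitigation is not None,
                "control": mitigation["control"] if mitigation else None,
            })
    return findings


def open_violations(user_id, roles=None):
    """Unmitigated findings: what the risk owner would be alerted about."""
    return [f for f in analyze(user_id, roles) if not f["mitigated"]]


if __name__ == "__main__":
    for user in USERS:
        print(user, "open:", len(open_violations(user)), "total:", len(analyze(user)))
    # Simulate adding the buyer role to ASMITH before a request is approved.
    print("ASMITH + Z_PUR_BUYER:",
          open_violations("ASMITH", USERS["ASMITH"] | {"Z_PUR_BUYER"}))
```

JDOE holds both F110 and the buyer actions, so both generated rules of P001 fire, but the assigned control MC-AP-01 marks them as mitigated rather than open; the simulation for ASMITH shows the same two rules as open violations, which is the check an approver would want to see before provisioning.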
QUESTIONS? You have the floor…
OVERVIEW OF ACCESS REQUEST MANAGEMENT
Access Request Management automates the access provisioning and approval process by linking the request with workflows.
When a user (Requester) raises an access request, Access Request Management automatically forwards the access request to designated managers and approvers within a pre-defined workflow. This workflow is customized to reflect your company’s policies. Roles and permissions are automatically logged to the enterprise directories when the access requests are approved, for future reference and audit purposes. Access Request Management ensures corporate accountability and compliance with Sarbanes-Oxley (SOX) along with other laws and regulations.
With Access Request Management (ARM), a workflow-based module, a user can request access. A submitted access request follows a predefined path, which allows for multiple approvals and security checks. Since the ARM module is connected to the ARA module, the approver can run an access risk analysis to detect potential risks before they occur.
The workflow can be tailored to reflect the policies of a company. When access requests are approved, functions and authorizations are automatically logged for future reference and audit purposes. Along with other laws and regulations, ARM guarantees organizational transparency and compliance with SOX.
(Figure: access request workflow)
Step 1: A Requester (employee or existing user) initiates a new request using the access request page, which is pre-configured by the Administrator.
Stages shown between: New request → Approval → Automated risk analysis (one-click preventive simulation) → Provisioning (100% automated) → Generated.
Step 6: The request and its outcome are logged and can serve as an Audit Trail for security/monitoring/legal purposes.
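The workflow on this slide, as an added example that is not part of the course material or of SAP's software: a request is submitted, run through a preventive risk simulation, routed to the designated approver, and provisioned only when every detected risk carries a mitigating control, with every step written to an audit trail. The role, user, approver and control IDs and the small conflict table standing in for the ARA rule set are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (not an SAP configuration). A handful of conflicting
# action pairs stands in for the ARA rule set the workflow consults.
ROLE_ACTIONS = {
    "Z_AP_PAYMENTS": {"F110"},
    "Z_PUR_BUYER": {"ME21N", "MIRO"},
    "Z_GL_DISPLAY": {"FS03"},
}
CONFLICTS = {("F110", "ME21N"): "P001", ("F110", "MIRO"): "P001"}
CURRENT_ROLES = {"JDOE": {"Z_AP_PAYMENTS"}, "ASMITH": set()}
MANAGER_OF = {"JDOE": "MGR_FIN", "ASMITH": "MGR_GL"}   # pre-defined approval path


@dataclass
class AccessRequest:
    req_id: str
    user: str
    roles: set
    stage: str = "NEW"
    risks: set = field(default_factory=set)
    mitigations: dict = field(default_factory=dict)   # risk ID -> control ID
    trail: list = field(default_factory=list)          # audit trail entries


def _log(req, actor, event):
    req.trail.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "request": req.req_id, "stage": req.stage,
                      "actor": actor, "event": event})


def risk_analysis(user, requested_roles):
    """Preventive simulation: risks the user would have AFTER provisioning."""
    held = set().union(*(ROLE_ACTIONS[r]
                         for r in CURRENT_ROLES[user] | requested_roles))
    return {risk for (a, b), risk in CONFLICTS.items() if a in held and b in held}


def submit(req, requester):
    """Requester creates the request; the system simulates and routes it."""
    _log(req, requester, f"requested roles {sorted(req.roles)} for {req.user}")
    req.stage = "RISK_ANALYSIS"
    req.risks = risk_analysis(req.user, req.roles)
    _log(req, "SYSTEM", f"simulation found risks {sorted(req.risks)}")
    req.stage = "APPROVAL"
    _log(req, "SYSTEM", f"routed to approver {MANAGER_OF[req.user]}")
    return req


def approve(req, approver, mitigations=None):
    """Only the designated approver may approve, and only if every detected
    risk carries a mitigating control; otherwise the request stays at
    APPROVAL and the reason is logged."""
    if req.stage != "APPROVAL":
        raise ValueError(f"request {req.req_id} is at stage {req.stage}")
    if approver != MANAGER_OF[req.user]:
        _log(req, approver, "approval attempt by non-designated approver refused")
        return False
    mitigations = dict(mitigations or {})
    open_risks = req.risks - set(mitigations)
    if open_risks:
        _log(req, approver, f"approval blocked: unmitigated risks {sorted(open_risks)}")
        return False
    req.mitigations = mitigations
    _log(req, approver, f"approved with mitigations {mitigations}")
    req.stage = "PROVISIONING"
    CURRENT_ROLES[req.user] |= req.roles          # automated provisioning
    _log(req, "SYSTEM", f"provisioned {sorted(req.roles)}")
    req.stage = "CLOSED"
    return True


def reject(req, approver, reason):
    if approver != MANAGER_OF[req.user]:
        return False
    req.stage = "REJECTED"
    _log(req, approver, f"rejected: {reason}")
    return True


if __name__ == "__main__":
    r = submit(AccessRequest("REQ-1001", "JDOE", {"Z_PUR_BUYER"}), "JDOE")
    print(approve(r, "MGR_FIN"))                           # False: P001 is open
    print(approve(r, "MGR_FIN", {"P001": "MC-AP-01"}))     # True
    for entry in r.trail:
        print(entry["stage"], entry["actor"], entry["event"])
```

The trail records the refused approval and the blocked approval as well as the final provisioning, which is what makes the log usable as the audit trail the slide's step 6 refers to.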
QUESTIONS? You have the floor…
OVERVIEW OF BUSINESS ROLE MANAGEMENT
This is a central repository for roles of all connected systems. Most companies lack collaboration between managers and IT security, lack the ability to model compliant business roles and lack a process for role lifecycle management in their business.
With the Access Control Business Role Management tool, companies can manage the entire role creation process with embedded compliance and business insights, and map technical roles to business roles according to their functions.
BRM automates role definition and management of roles. There is an integration point between Business Role Management, Access Risk Analysis, and Access Request Management.

• Tracks the status of the role during maintenance.
• Performs risk analysis at the role design phase.
• Enables Firefighter roles for Firefighting.
• Flexible role building workflows, which include preventative simulations.
• Maintains roles after they are generated to keep role information current.
• Enforces Segregation of Duties from the ground up by starting with clean role definitions.
• BRM serves as a central repository for roles from all connected backend systems.
• BRM enforces naming conventions for roles.
• Identifies duplicate or nearly duplicate roles.
• Identifies roles that may no longer be needed.
• It provides SAP Security Administrators, Role Designers, and Role Owners with a simplified means of documenting and maintaining important role information.
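Several of the BRM capabilities listed above (naming-convention enforcement, duplicate and near-duplicate detection, stale-role identification, and role status tracking) are shown in the following added example, which is not part of the course material or of SAP's BRM. The role repository, the naming convention Z_<AREA>_<NAME>, the usage figures and the four-step lifecycle are all assumptions constructed for the example.

```python
import re
from itertools import combinations

# Constructed role repository (not real SAP data). A hypothetical naming
# convention Z_<AREA>_<NAME> is assumed, with AREA one of FI, MM, SD, HR.
NAME_PATTERN = re.compile(r"^Z_(FI|MM|SD|HR)_[A-Z0-9]+$")
ROLE_REPOSITORY = {
    "Z_FI_APCLERK":  {"system": "ERP_PROD", "status": "GENERATED", "last_used_days": 12,
                      "actions": {"FB60", "FB65", "MIRO"}},
    "Z_FI_APCLERK2": {"system": "ERP_PROD", "status": "GENERATED", "last_used_days": 400,
                      "actions": {"FB60", "FB65", "MIRO", "FB03"}},
    "Z_MM_BUYER":    {"system": "ERP_PROD", "status": "DRAFT", "last_used_days": None,
                      "actions": {"ME21N", "ME22N", "ME23N"}},
    "AP_CLERK_OLD":  {"system": "ERP_QA", "status": "GENERATED", "last_used_days": 520,
                      "actions": {"FB60", "FB65", "MIRO"}},
}
# Role lifecycle assumed for the example: a role may only move one step forward.
LIFECYCLE = ["DRAFT", "RISK_ANALYZED", "APPROVED", "GENERATED"]


def naming_violations(repo=ROLE_REPOSITORY):
    """Roles whose technical name does not follow the convention."""
    return sorted(name for name in repo if not NAME_PATTERN.match(name))


def jaccard(a, b):
    """Overlap of two action sets: 1.0 means identical, 0.0 means disjoint."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def similar_roles(repo=ROLE_REPOSITORY, threshold=0.75):
    """Pairs of roles whose action sets overlap at least `threshold`;
    a score of 1.0 is an exact duplicate, below that a near-duplicate."""
    pairs = []
    for r1, r2 in combinations(sorted(repo), 2):
        score = jaccard(repo[r1]["actions"], repo[r2]["actions"])
        if score >= threshold:
            pairs.append((r1, r2, round(score, 2)))
    return pairs


def stale_roles(repo=ROLE_REPOSITORY, max_idle_days=365):
    """Generated roles not used within the window: candidates for retirement."""
    return sorted(name for name, r in repo.items()
                  if r["status"] == "GENERATED"
                  and r["last_used_days"] is not None
                  and r["last_used_days"] > max_idle_days)


def advance_status(repo, name, new_status):
    """Track role status during maintenance: move exactly one step forward
    in the lifecycle. Returns True on success, False (no change) otherwise."""
    current = repo[name]["status"]
    if new_status not in LIFECYCLE:
        return False
    if LIFECYCLE.index(new_status) != LIFECYCLE.index(current) + 1:
        return False
    repo[name]["status"] = new_status
    return True


if __name__ == "__main__":
    print("naming violations:", naming_violations())
    print("similar roles:", similar_roles())
    print("stale roles:", stale_roles())
    print("DRAFT -> RISK_ANALYZED:", advance_status(ROLE_REPOSITORY, "Z_MM_BUYER", "RISK_ANALYZED"))
    print("RISK_ANALYZED -> GENERATED (skip):", advance_status(ROLE_REPOSITORY, "Z_MM_BUYER", "GENERATED"))
```

AP_CLERK_OLD fails the naming check and is an exact duplicate of Z_FI_APCLERK, while Z_FI_APCLERK2 differs only by one display transaction and has not been used in over a year, so it shows up both as a near-duplicate and as a retirement candidate.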
A super user can be someone with excessive privileges outside his/her own job function, possibly due to the absence of another user.
The Emergency Access Management available in the SAP GRC Access Control V10.1, 12.0 solution allows users to complete tasks outside their normal day-to-day responsibility.
The EAM component allows temporary access for users when they are assigned to solve a problem, by giving broad but regulated access which can be audited.
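The temporary, regulated and auditable access described above, as an added example that is not part of the course material or of SAP's EAM: a firefighter ID may only be checked out by an assigned user, within the assignment's validity window, with a reason and ticket reference; every transaction run in the session is logged and the session is cut off after a maximum duration, and a controller report lists who used the ID, why, and what they ran. The firefighter ID, users, controller, validity window and transaction codes are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed firefighter ID configuration (not SAP data): who may check the
# ID out, who owns and controls it, and the validity window of the assignment.
T0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
FIREFIGHTER_IDS = {
    "FF_FI_01": {
        "owner": "OWN_FI", "controller": "CTRL_FI",
        "assigned_to": {"JDOE"},
        "valid_from": T0, "valid_to": T0 + timedelta(days=7),
        "max_session_hours": 4,
    },
}
SESSION_LOG = []   # every session is retained for the controller's review


@dataclass
class FirefighterSession:
    ffid: str
    user: str
    reason: str
    ticket: str
    started: datetime
    ended: datetime = None
    actions: list = field(default_factory=list)


def eligibility(ffid, user, now):
    """Return None if `user` may check out `ffid` at `now`, else the reason."""
    cfg = FIREFIGHTER_IDS.get(ffid)
    if cfg is None:
        return f"unknown firefighter ID {ffid}"
    if user not in cfg["assigned_to"]:
        return f"{user} is not assigned to {ffid}"
    if not cfg["valid_from"] <= now <= cfg["valid_to"]:
        return f"{ffid} assignment not valid at {now.isoformat()}"
    return None


def check_out(ffid, user, reason, ticket, now):
    """Open a session; a reason and ticket reference are mandatory so the
    controller can later tie the activity to a real incident."""
    problem = eligibility(ffid, user, now)
    if problem:
        raise PermissionError(problem)
    if not reason.strip() or not ticket.strip():
        raise ValueError("reason and ticket reference are mandatory")
    session = FirefighterSession(ffid, user, reason, ticket, now)
    SESSION_LOG.append(session)
    return session


def record_action(session, tcode, now):
    """Log a transaction run under the firefighter ID. Returns False (and
    closes the session) once it is checked in or past its maximum duration."""
    limit = timedelta(hours=FIREFIGHTER_IDS[session.ffid]["max_session_hours"])
    if session.ended is not None or now - session.started > limit:
        session.ended = session.ended or now
        return False
    session.actions.append({"ts": now.isoformat(), "tcode": tcode})
    return True


def check_in(session, now):
    session.ended = now
    return session


def controller_report(ffid):
    """What the controller reviews: who used the ID, why, and what they ran."""
    return [{"user": s.user, "ticket": s.ticket, "reason": s.reason,
             "started": s.started.isoformat(),
             "ended": s.ended.isoformat() if s.ended else None,
             "tcodes": [a["tcode"] for a in s.actions]}
            for s in SESSION_LOG if s.ffid == ffid]


if __name__ == "__main__":
    s = check_out("FF_FI_01", "JDOE", "Month-end posting stuck", "INC-4711",
                  T0 + timedelta(hours=1))
    record_action(s, "FB01", T0 + timedelta(hours=1, minutes=5))
    check_in(s, T0 + timedelta(hours=2))
    print(controller_report("FF_FI_01"))
```

The point of the log is that the broad access is not hidden: the controller sees the ticket, the reason and the exact transaction codes, and an attempt to keep using the ID after the window or the session limit is refused rather than silently permitted.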
KEY USERS & TERMINOLOGIES IN EMERGENCY ACCESS MANAGEMENT
The following concepts are important to understand emergency access management: