grc components
TRANSCRIPT
GRC Components– Work module of GRCGRC
Compliant User Provisioning
Compliant User Provisioning (CUP) is a capability of SAP GRC Access Control. It provides compliant user
provisioning across enterprise systems. Included are access request self-service, approvals, compliance checks,
proactive resolution of access controls, and provisioning.
CUP also provides standard reports.
Both CUP and RAR capabilities introduce a configurable reporting data mart that enables customized reporting by
integrating your reporting tool of choice.
The data mart extracts the relevant data from the RAR and CUP and converts the data for reporting purposes
The data mart is nonhistorical
Data mart schema are published, which enables customers to integrate with any reporting tools.
CUP combines predefined roles and permissions with configurable workflow capabilities, thus automating and
expediting user provisioning throughout an employee’s lifecycle with the company.
CUP prevents violations of separations of duty (SoD) and helps to ensure corporate accountability and compliance
with Sarbanes-Oxley, and other laws and regulations.
Users can request system access using a context-based selection of role descriptions that are defined using the
Enterprise Role Management (ERM) functionality, another capability in the SAP BusinessObjects Access Control
application.
When a user requests access to a system, CUP automatically forwards the access requests to designated managers
and approvers within a predefined workflow that is customized for the enterprise. The CUP workflow engine
considers the functional responsibility of the requestor and the type of access request being made, and automatically
determines the appropriate routing for access approval.
CUP prevents access-approval delays by routing requests to back up approvers when primary approvers are
unavailable or have not responded.
CUP automates the following user provisioning activities:
Creating users
Changing users
Deleting users
Locking/Unlocking users
Resetting user passwords
Assigning roles to users
Removing and changing role validity for users
User access review
=======================================
Risk Analysis and Remediation
The Risk Analysis and Remediation (RAR) capability is a fully automated rules-based security audit and segregation
of duties (SoD) analysis tool used to identify, analyze, and resolve risk and audit issues that relate to regulatory
compliance.
Features
The Risk Analysis and Remediation capability:
Enables all key stakeholders to work in a collaborative manner to build ongoing SoD risk and audit compliance
at all levels. This compliance includes User, Role, Profile, and HR Object levels.
Empowers security administrators, business process owners and internal auditors to prepare their SAP
systems, and all other systems, for an audit.
Provides user friendly summary and drill-down reports, making the identification and resolution of Risks and
audit issues a painless process.
o RAR produces Risk Analytical Reports for selected users, user groups, roles, and profiles, allowing user
administrators to identify potential risk issues before assigning a new role to a user, group or profile.
o RAR produces reports on critical actions, critical permissions, critical roles, and profiles.
Introduces a configuable reporting data mart that enables customized reporting by integrating your reporting
tool of choice (for both RAR and CUP):
o The data mart extracts the relevant data from the RAR and CUP and converts the data for reporting
purposes
o The data mart is nonhistorical
o Data mart schema is published, which enables customers to integrate with any reporting tools.
Includes an expandable starter set of rules, and enables risks to be identified and created in the system so that
an administrator can correlate them with functions and associate each function to a business process. And
then, the Risk Analysis and Remediation capability generates the rules to offset your identified risks, thus
building on your rule set.
Provides comprehensive risk management functionality and powerful, easy to use, functionality to document
Risk Mitigation Controls.
o RAR enables you to perform a risk analysis to identify risks associated with a user, role, profile, or HR
object. If you cannot eliminate a risk, you can use the capability to define mitigation controls. You also
define monitors and approvers, assign them to specific controls, and create business units to help
categorize mitigating controls.
Uses custom tables to store SoD data. It also ensures there is no interference with existing security processes
and procedures.
=============================
Enterprise Role Management
Enterprise Role Management (ERM) is a capability of the GRC Access Control application. The other Access Control
capabilities interact with ERM.
Enterprise Role Management automates the definition and management of roles, allowing you to manage enterprise
roles with a single unified role repository. The roles can be documented, designed, analyzed for control violations,
approved, and then automatically generated.
This capability enables preferred practices to ensure that role definitions, development, testing, and maintenance are
consistent across the entire enterprise.
ERM provides SAP security administrators, role designers, and role owners with a simplified means of documenting
and maintaining important role information for better role management.
The features include:
Tracking progress during role implementation.
Monitoring the overall quality of the implementation.
Performing risk analysis at role design time.
Setting up a workflow for role approval.
Providing an audit trail for all role modifications.
Maintaining roles after they are generated to keep role information current.
=========================
Superuser Privilege Management
In emergencies or extraordinary situations, Superuser Privilege Management, a capability of SAP GRC Access
Control, enables users to perform activities outside their roles under Superuser-like privileges in a controlled,
auditable environment.
A temporary ID is assigned that grants the user privileged, yet regulated, access. This transfer of privileges from one
person or role to another is called firefighting. Such a firefighting event might occur, for example, if an employee is
injured and another employee has to perform the injured employee’s duties.
Superuser Privilege Management is an ABAP and Web-based capability that tracks, monitors, and logs the activities
that are performed by a Superuser with a privileged user ID. Superuser Privilege Management also automates
firefighting tasks such as defining firefighter IDs and assigning owners and controllers.
This capability is a back-end systems activity with limited interfacing to Compliant User Provisioning where related
reports may be generated. For reports and other information, see the Compliant User Provisioning topics in this
application help.