SAP GRC Access Control - Approach Document Draft v04

Upload: barbarian11

Post on 02-Jun-2018


  • 8/10/2019 SAP GRC Access Control - Approach Document Draft v04

    1/32

    SAP GRC ACCESS CONTROL Approach Document

    SAP BusinessObjects GRC Access Control Approach Document

    2012

    Padmanabha, 4/23/2012


    SAP BO GRC Access Control

    Page 2 of 32

    TABLE OF CONTENTS

    1 Introduction ... 3
    1.1 About SAP GRC Access Control ... 4
    1.2 SAP GRC Access Control Modules and Features ... 5
    1.3 Need for SAP GRC Access Control ... 6
    2 SAP GRC Overview ... 8
    3 SAP GRC Architecture ... 9
    3.1 GRC Architecture Framework ... 10
    3.2 Cross Enterprise Solution ... 11
    4 GRC Application Landscape ... 12
    5 SAP GRC Access Control Installation ... 13
    5.1 GRC Landscape ... 13
    5.2 Support Pack Levels and Backend Compatibilities ... 13
    5.3 Hardware Requirements ... 14
    6 Implementation Methodology ... 15
    6.1 Implementation Phases ... 15
    6.2 Risk Analysis & Remediation Overview ... 16
    6.3 Enterprise Role Management ... 18
    6.4 Compliant User Provisioning Workflow Overview ... 20
    6.5 Super User Privilege Management - Overview ... 21
    6.6 Harmonization between all GRC products ... 23
    6.7 GRC - Management Oversight and Internal Audit ... 23
    6.8 Implementation Approach ... 24
    6.9 GRC Integration Aspects ... 24
    7 SAP GRC Access Control Benefits ... 28
    8 ASAP Methodology ... 30
    9 Deliverables ... 31


    1 Introduction

    Corporate governance issues have dominated the agendas of C-level executives at large corporates. With the acquisition and rapid integration of Virsa in the SoD and Access Control space, SAP has an evolved GRC offering that has been proven over many years of real-world experience and industry-specific deployments. In addition, SAP's recent partnership with Cisco attests to the company's dedication to providing comprehensive risk protection from the network layer to the application layer. With the introduction of SAP GRC Repository, SAP GRC Process Control, SAP GRC Risk Management, SAP GRC Global Trade Services (GTS) and SAP Environment, Health & Safety (EH&S), SAP clearly offers the most compelling, comprehensive portfolio of GRC solutions available today. Equally important, these applications are built on the NetWeaver platform, making them among the first service-oriented architecture (SOA)-based GRC solutions.

    The current scope of this document describes in brief the approach note and high-level technical approach of an SAP GRC Access Control (AC5.3) implementation. Based on industry best practices and SAP guidelines, the GRC Access Control implementation shall be rolled out to meet the business needs and compliance requirements.


    1.1 About SAP GRC Access Control

    SAP GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.

    [Figure: GRC Access Control Evolution Path]

    The Access Control application includes the following capabilities:

    - Risk Analysis and Remediation, which supports real-time compliance to detect, remove, and prevent access and authorization risk by preventing security and control violations before they occur.
    - Compliant User Provisioning, which automates provisioning, tests for SoD risks, and streamlines approvals to the appropriate business approvers to unburden IT staff and provide a complete history of user access.


    - Enterprise Role Management, which standardizes and centralizes role creation and maintenance.
    - Superuser Privilege Management, which enables users to perform emergency activities outside their roles as a privileged user in a controlled and auditable environment.

    SAP GRC solutions help companies comply with the Sarbanes-Oxley Act and other regulatory mandates by enabling organizations to rapidly identify and remove authorization risks from IT systems. Access Control allows preventive controls to be embedded into business processes to identify and prevent future SoD violations from being introduced without proper approval and mitigation.

    The SAP GRC Access Control module provides the following functionality:

    - Analyze, detect, and provide means for remediating access and authorization controls in real time and with simulation
    - Monitor and track privileged user access controls
    - Provide compliant user and access provisioning
    - Define and document security access design

    SAP GRC Access Control provides the following key features and benefits:

    - Automated SAP security audit and Segregation of Duties (SoD) analysis product
    - Real-time risk assessment solution
    - Simulation and remediation
    - Mitigation controls
    - Preventive as well as detective controls
    - Security and audit: summary and drill-down reports
    - Cross-enterprise analysis

    1.2 SAP GRC Access Control Modules and Features

    The specific modules of SAP GRC Access Control are:

    - Risk analysis and remediation (formerly Virsa Compliance Calibrator)
    - Compliant user provisioning (formerly Virsa Access Enforcer)
    - Enterprise role management (formerly Virsa Role Expert)
    - Super user privilege management (formerly Virsa FireFighter for SAP)


    High-level features of these individual components are:

    Risk Analysis and Remediation (RAR)

    Based on the rule set, RAR assesses risk, enabling businesses to identify conflicts immediately, drill down into root causes, and achieve resolutions swiftly. It helps in quick, effective and comprehensive identification and elimination of existing access and authorization risks.

    Superuser Privilege Management (SPM)

    Enables users to perform activities outside their role under superuser-like privileges in a controlled, auditable environment for emergency operations. It tracks, monitors, and logs every activity a superuser performs with a privileged user ID. Web-based reporting provides business process owners and auditors with detailed multi-system usage reports across their SAP software landscape. Activity logs track input down to the field value level and enable easy filtering, sorting, and downloading of input information.

    Enterprise Role Management (ERM)

    Enforces SoD at design time and ensures centralized role design across applications. It also ensures standardization in role design, testing and maintenance.

    Compliant User Provisioning (CUP)

    Enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals, and reduce the workload for IT staff.

    1.3 Need for SAP GRC Access Control

    - Compliance issues
    - Negative Sarbanes-Oxley audit results
    - Segregation of Duties (conflicts) / excessive access
    - Security administration process
    - Internal controls repository
    - Maintaining a clean environment
    - Program development / ERP upgrades
    - Escalating help desk costs
    - Change management
    - ITGC and business cycle controls / responsibility
    - Incomplete global risk profile


    Hence, present laws in corporate governance demand a high level of transparency and accountability in the disclosure of a company's financial statements.

    To overcome these issues, the implemented SAP GRC Access Control would provide this GRC transparency:


    2 SAP GRC Overview

    SAP GRC Access Control offers a robust solution for monitoring, testing, and enforcing access and authorization controls that enables enterprises to quickly fulfill compliance and regulatory requirements.

    The following illustration provides an overview of all software components used by SAP GRC Access Control, including Risk Analysis and Remediation, Compliant User Provisioning, Enterprise Role Management, and Superuser Privilege Management.


    3 SAP GRC Architecture

    The GRC technical architecture is as depicted:

    - Provides centralized cross-enterprise compliance visibility
    - Rule Architect analyses access to systems other than SAP
    - Leverages SAP NetWeaver Application Server
    - Does not impact the production server
    - Features a single compliance dashboard
    - Role-dependent views utilizing the SAP User Management Engine (UME)
    - Login to an SAP client is not required to access Risk Analysis and Remediation


    3.1 GRC Architecture Framework

    The central component of SAP GRC Access Control connects to multiple enterprise software systems. The adapter framework provides a common runtime environment for the risk analysis of different ERP systems. The real-time adapter (RTA) is the back-end counterpart that resides on the target


    systems. Together they provide real-time connectivity between SAP solutions for GRC and the backend system, providing real-time compliance around the clock to detect, remove, and prevent control violations before they occur.

    3.2 Cross Enterprise Solution


    4 GRC Application Landscape


    5 SAP GRC Access Control Installation

    5.1 GRC Landscape

    At the minimum, as per industry best practice, SAP GRC Access Control has to be deployed as a two-system landscape with DEV/QA and PROD. SAP GRC AC has to be initially installed in the DEV/QA environment on SAP NetWeaver (Web Application Server 700-SP10 or above with Java/J2EE stack; Java Runtime Environment JRE version 1.4.x is the software requirement) on Windows 2000 / 2000 Advanced Server / 2003 Server (Standard/Enterprise/Web) or Linux/Unix based servers. The other pre-installation checklist items are: an SAP database exists, the User Management Engine (UME) is installed and configured, and the memory settings for the SAP 700 Web Application Server (WAS) are configured.

    GRC AC post-installation configuration includes: creating the Administrator role, assigning the Administrator role to the Administrator user, choosing the language setting, and connecting the stand-alone J2EE system to the remote SAP server.

    This makes SAP GRC Access Control ready for configuration and implementation to begin. The SAP GRC Access Control installation can be done by the in-house Web AS (Basis) team or as part of the GRC implementation.

    SAP GRC Access Control component configurations are deployed on the DEV/QA system. Optionally, a sandbox system can be deployed for the pilot and the implementation baseline across the enterprise-wide GRC functionalities. Based on these configurations, GRC AC configurations are replicated for development, testing and QA in the DEV/QA environment, and these configurations are transported to the PROD system environment in the Final Preparation phase.

    5.2 Support Pack Levels and Backend Compatibilities

    Prerequisites of Access Control 5.3:

    - NW 7.0 with SP 10 and higher; SLD is required for Risk Analysis and Remediation
    - Supported RTA R/3 versions are 4.6c, NW2004 or ECC 5.0, NW 7.0 or ECC 6.0; optional: BI 7.0 and EP 7.0


    This table indicates the minimum SP level required for the backend system (RTA) with the corresponding SAP Note numbers:

    The RTA for the latest Access Control release, AC10, can be installed on any SAP system as long as it meets the support package prerequisites for the SAP ABAP and BASIS stacks (SAP_ABA and SAP_BASIS) as indicated in the table.

    5.3 Hardware Requirements

    - Machine: server based; dual processors, 2.4 to 3.2 GHz or faster
    - RAM: 16 GB; hard disk: 120 GB minimum (240 GB recommended)

    Precise sizing requirements are determined during the implementation based on the volume of data.


    6 Implementation Methodology

    As defined, the project methodology is spread across Analysis, Design, Build, Test and Deliver. Along similar lines, SAP GRC AC has a standard implementation methodology based on the ASAP methodology, spread across Get Clean, Stay Clean and Stay in Control for the various components.

    6.1 Implementation Phases:

    A Risk Analysis and Remediation (Compliance Calibrator) implementation is typically broken down into these six distinct phases:

    Risk Recognition
    - Identify or approve conflicts and exceptions
    - Classify risks as High, Medium, or Low
    - Identify new risks and conditions that should be monitored

    Rule Building and Validation
    - Establish technical rules to monitor risk
    - Verify rules against test cases (users/roles)

    Analysis
    - Run analytical reports
    - Explore alternatives to eliminating risks
    - Size cleanup efforts


    - Modify rules based on analysis

    Remediation
    - Determine alternatives for eliminating risks
    - Present analysis and select corrective actions
    - Document approval of corrective actions
    - Modify / create roles or user assignments

    Mitigation
    - Design alternative controls to mitigate risk
    - Educate management on conflict approval and monitoring
    - Document a process for monitoring mitigation controls
    - Implement controls

    Continuous Compliance / Improvement
    - Communicate changes in roles and user assignments
    - Simulate changes to roles and users
    - Implement alerts to monitor for newly selected risks and mitigating control testing

    6.2 Risk Analysis & Remediation Overview

    Risk Analysis & Remediation Segregation-of-Duties Management Process Overview

    SAP security provides the opportunity to prevent an individual from executing combinations of transactions without the involvement of another person in the process. Proactive SoD management involves identifying the ways to commit fraud or accidentally corrupt processes. This includes monitoring the security privileges granted to individuals so that capabilities are known before they are exploited.

    However, there are circumstances which require the same person to be able to order and receive materials, for example. In these cases, a detective control should be put in place to review that person's access to detect fraud or unusual activities. The management process is designed to help Business Process Owners (BPOs) recognize SoD risks and implement the necessary controls (mitigating controls).

    Security owns the SoD process and acts as a facilitator. The BPOs are responsible for managing the risks and designing alternate controls when Segregation of Duties cannot be achieved. Once the risks are defined, Business Process Analysts (BPAs) provide the technical knowledge to ensure the appropriate transactions, related objects and field values are defined in Risk Analysis and Remediation. Business Process Owners are also responsible for approving actions taken to rectify SoD issues inherent in roles under their responsibility.


    RAR Implementation Approach: GRC Access Control Risk Analysis and Remediation is implemented as defined in the standard SoD management process, carried across the phases from risk definition to remediation and mitigation, leading to an SoD-clean state.

    In GRC Risk Analysis and Remediation, Security owns the SoD process and acts as a facilitator. The Business Process Owners are responsible for managing the risks and designing alternate controls when Segregation of Duties cannot be achieved. Once the risks are defined, Business Process Analysts provide the technical knowledge to ensure the appropriate transactions and related objects and field values are defined. Business Process Owners also own the responsibility for approving actions taken to rectify SoD issues inherent in roles and for mitigating users.

    The audit department takes ownership and responsibility for conducting audits to discover Segregation-of-Duties issues and for testing the mitigating controls implemented by business process owners. The SoD rule keeper is responsible for controlling the rules in security, and the SAP Security administrator is segregated from the SoD duties and owns the security administration activities.

    The following diagram depicts the high-level solution approach of Risk Analysis and Remediation:

    [Figure: Enhanced Access Risk Analysis (RAR v10)]


    6.3 Enterprise Role Management

    Enterprise Role Management is a web-based application that automates the creation and management of role definitions. Role Expert enforces best practices to ensure that role definition, development, testing and maintenance are consistent across the entire implementation, resulting in lower ongoing maintenance and painless knowledge transfer.

    Enterprise Role Management empowers SAP security administrators and role owners to document important role information that is of great value for better role management, such as:

    - Tracking progress during role implementation.
    - Monitoring the overall quality of the implementation.
    - Performing risk analysis at role design time.
    - Setting up a workflow for role approval.
    - Providing an audit trail for all role modifications.
    - Maintaining roles after they are generated to keep role information current.

    Enterprise Role Management has a rich set of reports to facilitate overall role quality management and provide valuable information to achieve precise role definitions and lower ongoing role maintenance. Role Expert provides reports which make the identification of risks surrounding the segregation of duties a painless process, and ensures that you get the most out of the SAP security system.

    Enterprise Role Management Implementation Approach: Enterprise Role Management is implemented to automate the creation and management of roles. Enterprise Role Management is configured to ensure that the


    role definition, development, testing and maintenance are carried out in a consistent manner across the entire system landscape. With the Enterprise Role Management tool, role maintenance is optimized and made compliant with all regulatory requirements. It also makes role re-design and remediation easy. With optimal utilization of the tool, role re-design and cleaning of roles (get clean) is achieved and ongoing roles are provisioned into the backend systems (stay in control).

    The following diagram depicts the high-level role automation in Enterprise Role Management:

    [Figure: Business Role Governance (ERM v10)]


    6.4 Compliant User Provisioning Workflow Overview

    Compliant User Provisioning workflows shall be configured to be triggered automatically by events such as a new user creation or a role change. The dynamic workflow provisions the actions directly into multiple systems. Compliant User Provisioning will be configured to allow business users to perform the provisioning activities without any involvement of IT or application security personnel, while facilitating proactive SoD analysis.

    With end-to-end automation, provisioning sequences can be triggered automatically by events such as a new employee hire or a job change, then processed through dynamic workflow, and finally provisioned directly into multiple systems. These steps can be performed by business users without any involvement of IT or application security personnel.

    The following diagram depicts the high-level workflow of Compliant User Provisioning:


    Streamlined User Access Management (CUP v10):
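    The RAR rule model described in section 6.2 (functions made of actions, a risk as two conflicting functions, a mitigating control approved by the BPO) and the CUP pre-provisioning check described in section 6.4 (simulate the request, report only what it would add) can both be shown with one small piece of code. The following is an added example written for this page; it is not code from the approach document or from SAP's product. Every rule id, function id, role name, transaction code, user and control id in it is constructed sample data, and it analyses at action (transaction) level only; the real rule set also checks authorization objects and field values.

```python
"""Added example: action-level SoD risk analysis (RAR style) plus a CUP-style
pre-provisioning simulation.  All identifiers below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Functions: a business capability and the actions (transaction codes) that grant it.
FUNCTIONS: Dict[str, Set[str]] = {
    "PR01": {"ME21N", "ME22N"},      # create / change purchase order
    "AP02": {"MIRO", "FB60"},        # enter vendor invoice
    "AP03": {"F110"},                # run automatic payment program
    "MM05": {"XK01", "XK02"},        # create / change vendor master
}

# Risks: (risk level, function A, function B, description). Holding both functions is a violation.
RISKS: Dict[str, Tuple[str, str, str, str]] = {
    "P001": ("High", "PR01", "AP02", "Create purchase order and post invoice"),
    "P002": ("High", "MM05", "AP03", "Maintain vendor master and pay vendor"),
    "P003": ("Medium", "AP02", "AP03", "Enter vendor invoice and pay vendor"),
}

# Roles as built in the backend: role -> transaction codes it grants (constructed).
ROLES: Dict[str, Set[str]] = {
    "Z_PURCHASER":     {"ME21N", "ME22N", "ME23N"},
    "Z_AP_CLERK":      {"MIRO", "FB60", "FB03"},
    "Z_AP_PAYMENTS":   {"F110", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_DISPLAY_ONLY":  {"ME23N", "FB03", "XK03"},
}

# Constructed user-to-role assignments.
USERS: Dict[str, List[str]] = {
    "jdoe":   ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "asmith": ["Z_PURCHASER", "Z_DISPLAY_ONLY"],
    "bjones": ["Z_VENDOR_MASTER", "Z_AP_PAYMENTS"],
}

# Mitigating controls approved by the business process owner: (user, risk) -> control.
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("jdoe", "P003"): "MC-0042 monthly payment-run review by AP manager",
}


@dataclass(frozen=True)
class Violation:
    risk_id: str
    level: str
    description: str
    functions: Tuple[str, str]
    actions: Tuple[Tuple[str, ...], Tuple[str, ...]]  # user's actions granting each function
    mitigation: Optional[str]                         # None = unmitigated


def actions_for(user: str, extra_roles: Tuple[str, ...] = ()) -> Set[str]:
    """All transaction codes a user holds via assigned roles plus any simulated roles."""
    actions: Set[str] = set()
    for role in list(USERS.get(user, [])) + list(extra_roles):
        actions |= ROLES[role]
    return actions


def analyze(user: str, extra_roles: Tuple[str, ...] = ()) -> List[Violation]:
    """Action-level risk analysis: a function is held if any of its actions is held."""
    actions = actions_for(user, extra_roles)
    held = {f for f, acts in FUNCTIONS.items() if acts & actions}
    found: List[Violation] = []
    for risk_id, (level, f_a, f_b, desc) in sorted(RISKS.items()):
        if f_a in held and f_b in held:
            found.append(Violation(
                risk_id, level, desc, (f_a, f_b),
                (tuple(sorted(FUNCTIONS[f_a] & actions)), tuple(sorted(FUNCTIONS[f_b] & actions))),
                MITIGATIONS.get((user, risk_id)),
            ))
    return found


def simulate(user: str, requested_roles: List[str]) -> List[Violation]:
    """CUP pre-check: only the violations a role request would ADD; existing ones are not re-reported."""
    existing = {v.risk_id for v in analyze(user)}
    return [v for v in analyze(user, tuple(requested_roles)) if v.risk_id not in existing]


def unmitigated(violations: List[Violation]) -> List[Violation]:
    """Violations with no approved mitigating control: the remediation backlog."""
    return [v for v in violations if v.mitigation is None]


if __name__ == "__main__":
    for user in USERS:
        for v in analyze(user):
            status = "mitigated by " + v.mitigation if v.mitigation else "UNMITIGATED"
            print(f"{user}: {v.risk_id} [{v.level}] {v.description} via {v.actions} -> {status}")
    print("asmith + Z_AP_CLERK would add:", [v.risk_id for v in simulate("asmith", ["Z_AP_CLERK"])])
```

    Two points the code makes concrete: a mitigated violation is still reported (the control id travels with it so the auditor can test the control), and the simulation diffs against the user's current state, so a request that re-adds a role the user already holds produces no new findings.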

    6.5 Super User Privilege Management - Overview

    Super User Privilege Management (Firefighter) will be configured to automate emergency change requests, such as access to SAP_ALL in the production system, so that they are carried out in a consistent, secure and compliant manner. Automation will be enabled to cover all aspects of firefighting, from setting up Firefighter IDs, users, owners and approvers for those Firefighter IDs to automatic logons, owner notifications, activity logging and the related monitoring and administration activities.

    The following diagram depicts the use of an emergency request for Super User Privilege Monitoring:


    [Figure: Centralized Emergency Access (SPM v10)]
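    The owner review that section 6.5 and the SPM description in section 1.2 call for (owner approval and reason for each Firefighter session, activity logged to field-value level, filterable and sortable reports for owners and auditors) is shown below as an added example written for this page, not code from the approach document or from SAP's product. The sessions, activity rows, Firefighter ids, users, owners and field values are constructed sample data, and CRITICAL_TCODES is an assumed review list, not SAP's shipped critical-action list.

```python
"""Added example: offline review of Firefighter (SPM) session logs.
All session, user, owner and activity data below is constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed Firefighter sessions: who used which FF ID, under whose ownership, and when.
SESSIONS: List[Dict[str, Optional[str]]] = [
    {"session": "S1", "ff_id": "FF_FI_01", "user": "jdoe", "owner": "fi.owner",
     "reason": "INC-1001 month-end posting run stuck", "approved_by": "fi.owner",
     "start": "2012-04-23T09:00", "end": "2012-04-23T11:00"},
    {"session": "S2", "ff_id": "FF_BASIS_01", "user": "bjones", "owner": "basis.owner",
     "reason": "", "approved_by": None,
     "start": "2012-04-23T14:00", "end": "2012-04-23T15:00"},
]

# Constructed activity log at field-value level: (session, timestamp, transaction, field, new value).
ACTIVITY: List[Tuple[str, str, str, str, str]] = [
    ("S1", "2012-04-23T09:15", "FB01", "BKPF-BUDAT", "2012-03-31"),
    ("S1", "2012-04-23T09:40", "FB02", "BSEG-WRBTR", "12500.00"),
    ("S1", "2012-04-23T11:30", "FB01", "BKPF-BUDAT", "2012-03-31"),  # after the session ended
    ("S2", "2012-04-23T14:10", "SU01", "USR02-UFLAG", "0"),           # user administration
    ("S2", "2012-04-23T14:20", "SM30", "T001-BUKRS", "1000"),
]

# Assumed list of transactions that always need explicit owner review when run under an FF ID.
CRITICAL_TCODES = {"SU01", "SU10", "PFCG"}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def review_session(sess: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Findings for one session as (finding code, detail)."""
    findings: List[Tuple[str, str]] = []
    if not sess["approved_by"]:
        findings.append(("NO_APPROVAL", f"{sess['ff_id']} used by {sess['user']} without owner approval"))
    if not sess["reason"]:
        findings.append(("NO_REASON", "no reason code / ticket reference supplied"))
    start, end = _ts(sess["start"]), _ts(sess["end"])
    for s_id, ts, tcode, field, value in ACTIVITY:
        if s_id != sess["session"]:
            continue
        if not (start <= _ts(ts) <= end):
            findings.append(("OUT_OF_WINDOW", f"{tcode} at {ts} outside {sess['start']}..{sess['end']}"))
        if tcode in CRITICAL_TCODES:
            findings.append(("CRITICAL_ACTION", f"{tcode} changed {field} to {value!r} at {ts}"))
    return findings


def owner_report() -> Dict[str, Dict[str, int]]:
    """Per-owner summary: sessions, logged activities and findings by code."""
    report: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for sess in SESSIONS:
        owner = sess["owner"]
        report[owner]["sessions"] += 1
        report[owner]["activities"] += sum(1 for a in ACTIVITY if a[0] == sess["session"])
        for code, _ in review_session(sess):
            report[owner][code] += 1
    return {o: dict(c) for o, c in report.items()}


def filter_log(session: Optional[str] = None, tcode: Optional[str] = None,
               field: Optional[str] = None, sort_by: int = 1) -> List[Tuple[str, str, str, str, str]]:
    """Field-level filtering and sorting of the activity log, as an auditor would use it."""
    rows = [a for a in ACTIVITY
            if (session is None or a[0] == session)
            and (tcode is None or a[2] == tcode)
            and (field is None or a[3] == field)]
    return sorted(rows, key=lambda a: a[sort_by])


if __name__ == "__main__":
    for sess in SESSIONS:
        for code, detail in review_session(sess):
            print(f"{sess['session']} {code}: {detail}")
    print(owner_report())
```

    The session window check is the one most often missed in manual log reviews: an activity timestamped after the approved end time means either the session was not closed or the log and the request disagree, and either case is something the owner must explain before signing off.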


    6.6 Harmonization between all GRC products:

    6.7 GRC - Management Oversight and Internal Audit

    Management Oversight - At periodic intervals, managers need to exercise effective and comprehensive management oversight, review, and reaffirmation of user access, etc.

    SAP GRC Access Control enables management to take responsibility by running periodic access


    Access Risk Analysis (RAR):

    User Access Management (CUP):


    Business Role Governance (ERM):

    Centralized Emergency Access (SPM)


    Super-user privilege monitoring (Fire Fighter)

    - Efficient and effective super user privilege management, with tracking of all activity.
    - Allows personnel to take responsibility for tasks outside their normal job function. Firefighter describes the ability to perform tasks in emergency situations.
    - Enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.
    - Logging of all transactions executed during fire call usage.
    - Temporarily redefines the IDs of users assigned to solving a problem, giving them provisionally broad, but regulated, access. There is complete visibility and transparency of everything done during the period.


    8 ASAP Methodology

    The ASAP methodology is SAP's proven implementation methodology, spread over five phases in the execution model of the GRC implementation. Phase 0 base-lining, prior to the Initial Preparation or Project Preparation phase, is for setting the strategy of the GRC roadmap for its effective usage and utilization. This phase requires proactive involvement in the SAP systems for role design, SoD analysis and violations, security policies and procedures re-established for the compliance requirements, and controls rationalization for the best assurance of SOX and other compliance requirements.

    An internal tool has been developed to address all kinds of SAP project execution, aligned to the best practices of CMMi level 5, ISO 9001/27001, ITIL and ISO 27001 standards. Projects are managed, monitored and tracked against best-of-breed and industry standards using custom tool capabilities.


    9 Deliverables

    High-level deliverables of a typical SAP GRC AC implementation are:

    Installation
    - Installation of SAP GRC Access Control in DEV / QA and PROD server

    Training
    - Product overview training on SAP GRC Access Control (SAP GRC AC)

    Risk Analysis and Remediation (Compliance Calibrator)
    - Initial configuration of GRC Access Control
    - Developing the company-specific rules in DEV / QA server (pilot with sample rules)
    - Risk analysis and remediation for all standard business processes in DEV/QA
    - Validation workshop on configured rule sets with BPO / IA team & modifications to them as per the needs of the business

    Super user privilege management (Fire Fighter)
    - Initial configuration of Super user privilege management in SAP GRC Access Control
    - Define workflows for Super user privilege management - user masters and role management

    Enterprise role management (Role Expert)
    - Initial configuration of Enterprise role management in SAP GRC Access Control
    - Configuration of role creation / modification and backend integration with SAP systems
    - Define workflows for Enterprise Role Management
    - Upload current company roles into Enterprise role management

    Compliant user provisioning (Access Enforcer)
    - Initial configuration of Compliant user provisioning in SAP GRC Access Control
    - Define workflows for user provisioning
    - Configuration of user creation / change workflow and backend integration with SAP systems
    - Upload user masters and role assignments into Compliant user provisioning


    UAT
    - User Acceptance Testing of SAP GRC Access Control

    Reporting
    - Analyzing & reporting current user access status based on standard RAR reports; CUP and ERM reporting features
    - Super user privilege management reports for all log reviews and fire fighter activities

    Training
    - Training to the trainers on RAR rule building & reporting, remediation, mitigation & alerts
    - Performing & demonstrating remediation of identified non-acceptable roles and user violations
    - Performing & demonstrating the setting up of mitigation controls & alerts for identified acceptable violations
    - Training to the trainers on end-users upon request, and handholding support
    - Workflows and administration of Compliant user provisioning (CUP) and Enterprise role management (ERM)
    - Administration and monitoring of Super user privilege management (SPM) reports for log reviews and fire fighter activities monitoring

    Installation
    - Installation and re-configuration (export and re-connectivity to SAP systems) of SAP GRC Access Control in PROD server

    PROD Preparation
    - Cutover plan and execution
    - Initial configuration in PRD server of SAP GRC Access Control
    - Exporting / uploading the configuration, company-specific rules, roles and users into SAP GRC Access Control in PRD server; data migration / cutover and UAT

    GO LIVE
    - GO LIVE & post go-live support for 5-10 days