8/10/2019 SAP GRC Access Control - Approach Document Draft v04
1/32
SAP GRC ACCESS CONTROL Approach Document
SAP BusinessObjects GRC Access Control Approach Document
2012
Padmanabha, 4/23/2012
SAP BO GRC Access Control
Page 2 of 32
TABLE OF CONTENTS
1 Introduction   3
1.1 About SAP GRC Access Control   4
1.2 SAP GRC Access Control Modules and Features   5
1.3 Need for SAP GRC Access Control   6
2 SAP GRC Overview   8
3 SAP GRC Architecture   9
3.1 GRC Architecture Framework   10
3.2 Cross Enterprise Solution   11
4 GRC Application Landscape   12
5 SAP GRC Access Control Installation   13
5.1 GRC Landscape   13
5.2 Support Pack Levels and Backend Compatibilities   13
5.3 Hardware Requirements   14
6 Implementation Methodology   15
6.1 Implementation Phases   15
6.2 Risk Analysis & Remediation Overview   16
6.3 Enterprise Role Management   18
6.4 Compliant User Provisioning Workflow Overview   20
6.5 Super User Privilege Management - Overview   21
6.6 Harmonization between all GRC products   23
6.7 GRC - Management Oversight and Internal Audit   23
6.8 Implementation Approach   24
6.9 GRC Integration Aspects   24
7 SAP GRC Access Control Benefits   28
8 ASAP Methodology   30
9 Deliverables   31
1 Introduction
Corporate governance issues have dominated the agendas of C-level executives at large corporates. With the acquisition and rapid integration of Virsa in the SoD and access control space, SAP has an evolved GRC offering that has been proven over many years of real-world experience and industry-specific deployments. In addition, SAP's recent partnership with Cisco attests to the company's dedication to providing comprehensive risk protection from the network layer to the application layer. With the introduction of SAP GRC Repository, SAP GRC Process Control, SAP GRC Risk Management, SAP GRC Global Trade Services (GTS) and SAP Environment, Health & Safety (EH&S), SAP clearly offers the most compelling, comprehensive portfolio of GRC solutions available today. Equally important, these applications are built on the NetWeaver platform, making them among the first service-oriented architecture (SOA)-based GRC solutions.
The current scope of this document describes in brief the approach note and high-level technical approach of the SAP GRC Access Control (AC5.3) implementation. Based on industry best practices and SAP guidelines, the GRC Access Control implementation shall be rolled out to meet the business needs and compliance requirements.
1.1 About SAP GRC Access Control
SAP GRC Access Control is an enterprise application that provides end-to-end automation for
documenting, detecting, remediating, mitigating, and preventing access and authorization risk
enterprise wide, resulting in proper segregation of duties, lower costs, reduced risk, and better
business performance.
GRC Access Control Evolution Path
The Access Control application includes the following capabilities:
Risk Analysis and Remediation, which supports real-time compliance to detect, remove, and prevent access and authorization risk by preventing security and control violations before they occur.
Compliant User Provisioning, which automates provisioning, tests for SoD risks, and streamlines approvals to the appropriate business approvers to unburden IT staff and provide a complete history of user access.
Enterprise Role Management, which standardizes and centralizes role creation and maintenance.
Superuser Privilege Management, which enables users to perform emergency activities outside their roles as a privileged user in a controlled and auditable environment.
SAP GRC solutions help companies comply with the Sarbanes-Oxley Act and other regulatory mandates by enabling organizations to rapidly identify and remove authorization risks from IT systems. Access Control allows preventive controls to be embedded into business processes to identify and prevent future SoD violations from being introduced without proper approval and mitigation.
The SAP GRC Access Control module provides the following functionality:
Analyze, detect, and provide means for remediating access and authorization controls in real time and with simulation
Monitor and track privileged user access controls
Provide compliant user and access provisioning
Define and document security access design
SAP GRC Access Control provides the following key features and benefits:
Automated SAP security audit and Segregation of Duties (SoD) analysis product
Real-time risk assessment solution
Simulation and remediation
Mitigation controls
Preventive as well as detective controls
Security and audit summary and drill-down reports
Cross-enterprise analysis
1.2 SAP GRC Access Control Modules and Features
The specific modules of SAP GRC Access Control are:
Risk analysis and remediation (formerly Virsa Compliance Calibrator)
Compliant user provisioning (formerly Virsa Access Enforcer)
Enterprise role management (formerly Virsa Role Expert)
Super user privilege management (formerly Virsa FireFighter for SAP)
High Level features of these individual components are:
Risk Analysis and Remediation (RAR)
Based on the rule set, RAR assesses risk, enabling businesses to identify conflicts immediately, drill down into root causes, and achieve resolutions swiftly. It helps in the quick, effective and comprehensive identification and elimination of existing access and authorization risks.
Superuser Privilege Management (SPM)
Enables users to perform activities outside their role under superuser-like privileges in a controlled, auditable environment for emergency operations. It tracks, monitors, and logs every activity a superuser performs with a privileged user ID. Web-based reporting provides business process owners and auditors with detailed multi-system usage reports across their SAP software landscape. Activity logs track input down to the field value level and enable easy filtering, sorting, and downloading of input information.
Enterprise Role Management (ERM)
Enforces SoD at the design time. Ensures centralized role design across applications. And also,
ensures standardization in role design, testing and maintenance.
Compliant User Provisioning (CUP)
Enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD
violations. Businesses can automate provisioning, test for SoD issues, streamline approvals, and
reduce the workload for IT staff.
1.3 Need for SAP GRC Access Control
Compliance Issues
Negative Sarbanes-Oxley Audit Results
Segregation of Duties (Conflicts) / Excessive Access
Security Administration Process
Internal Controls Repository
Maintaining a clean environment
Program Development/ERP Upgrades
Escalating help desk costs
Change management
ITGC and business cycle controls/responsibility
Incomplete global risk profile
Hence, present laws on corporate governance demand a high level of transparency and accountability in the disclosure of a company's financial statements.
To overcome these issues, the implemented SAP GRC Access Control would provide this GRC transparency:
2 SAP GRC Overview
SAP GRC Access Control offers a robust solution for monitoring, testing, and enforcing access and
authorization controls that enable enterprises to quickly fulfill compliance and regulatory
requirements.
The following illustration provides an overview of all software components used by SAP GRC
Access Control including Risk Analysis and Remediation, Compliant User Provisioning, Enterprise
Role Management, and Superuser Privilege Management.
3 SAP GRC Architecture
GRC Technical Architecture is as depicted:
Provides centralized cross-enterprise compliance visibility
Rule Architect analyses access to systems other than SAP
Leverages SAP Netweaver Application Server
Does not impact the production server
Features a single compliance dashboard
Role dependent views utilizing SAP User Management Engine (UME)
Login to the SAP client is not required to access Risk Analysis and Remediation
3.1 GRC Architecture Framework
The central component of SAP GRC Access Control connects to multiple enterprise software systems. The adapter framework provides a common runtime environment for the risk analysis of different ERP systems. The real-time adapter (RTA) is the back-end counterpart that resides on the target systems. Together they provide real-time connectivity between SAP solutions for GRC and the backend system, providing real-time compliance around the clock to detect, remove, and prevent control violations before they occur.
3.2 Cross Enterprise Solution
4 GRC Application Landscape
5 SAP GRC Access Control Installation
5.1 GRC Landscape
At a minimum, as per industry best practice, SAP GRC Access Control has to be deployed as a two-system landscape with DEV/QA and PROD. SAP GRC AC has to be installed initially in the DEV/QA environment on SAP NetWeaver (Web Application Server 700 SP10 or above, with Java/J2EE stack); Java Runtime Environment (JRE) version 1.4.x is the software requirement on Windows 2000/2000 Advanced Server/2003 Server (Standard/Enterprise/Web) or Linux/Unix based servers. The other pre-installation checklist items are: the SAP database exists, the User Management Engine (UME) is installed and configured, and the memory settings for the SAP 700 Web Application Server (WAS) are configured.
GRC AC post-installation configuration includes: creating the Administrator role, assigning the Administrator role to the Administrator user, choosing the language setting and connecting the stand-alone J2EE system to the remote SAP server.
This makes SAP GRC Access Control ready for the configuration and implementation to begin.
SAP GRC Access Control installation can be done by the in-house Web AS (Basis) team or as part of the GRC implementation.
SAP GRC Access Control component configurations are deployed on the DEV/QA system. A Sandbox system can also be deployed for the pilot and implementation baseline across the enterprise-wide GRC functionalities. Based on these configurations, GRC AC configurations are replicated for development, testing and QA in the DEV/QA environment, and these configurations are transported to the PROD system environment in the Final Preparation phase.
5.2 Support Pack Levels and Backend Compatibilities
Pre-requisites of Access Control 5.3
NW 7.0 with SP 10 or higher; SLD is required for Risk Analysis and Remediation
Supported RTA
Supported RTA R/3 versions are 4.6c, NW2004 or ECC 5.0, and NW 7.0 or ECC 6.0; optional BI 7.0 and EP 7.0
This table indicates the minimum SP level required for the backend system (RTA) with the corresponding SAP Note numbers:
The RTA for the latest Access Control release (AC10) can be installed on any SAP system as long as it meets the support package prerequisites for the SAP ABAP and BASIS stacks indicated in the table: SAP_ABA and SAP_BASIS.
5.3 Hardware Requirements
Machine: server based; dual processors at 2.4 to 3.2 GHz or faster
RAM: 16 GB; hard disk: 120 GB minimum (240 GB recommended)
Precise sizing requirements are determined during the implementation based on the volume of data.
6 Implementation Methodology
As defined, the project methodology spreads across Analysis, Design, Build, Test and Deliver. Along similar lines, SAP GRC AC has a standard implementation methodology based on the ASAP Methodology, spread across Get Clean, Stay Clean and Stay in Control for the various components.
6.1 Implementation Phases:
Risk Analysis and Remediation (Compliance Calibrator) implementation is typically broken down into these six distinct phases:
Risk Recognition
  Identify or approve conflicts and exceptions
  Classify risks as High, Medium, or Low
  Identify new risks and conditions that should be monitored
Rule Building and Validation
  Establish technical rules to monitor risk
  Verify rules against test cases (Users/Roles)
Analysis
  Run analytical reports
  Explore alternatives for eliminating risks
  Size cleanup efforts
  Modify rules based on analysis
Remediation
  Determine alternatives for eliminating risks
  Present analysis and select corrective actions
  Document approval of corrective actions
  Modify / create roles or user assignments
Mitigation
  Design alternative controls to mitigate risk
  Educate management on conflict approval and monitoring
  Document a process for monitoring mitigation controls
  Implement controls
Continuous Compliance / Improvement
  Communicate changes in roles and user assignments
  Simulate changes to roles and users
  Implement alerts to monitor for new selected risks and mitigating control testing
6.2 Risk Analysis & Remediation Overview
Risk Analysis & Remediation Segregation-of-Duties Management Process Overview
SAP security provides the opportunity to prevent an individual from executing combinations of transactions without the involvement of another person in the process. Proactive SOD management involves identifying the ways to commit fraud or to accidentally corrupt processes. This includes monitoring the security privileges granted to individuals so that capabilities are known before they are exploited.
However, there are circumstances which require the same person to be able to, for example, both order and receive materials. In these cases, a detective control should be put in place to review that person's access in order to detect fraud or unusual activities. The management process is designed to help Business Process Owners (BPOs) recognize SOD risks and implement the necessary controls (mitigating controls).
Security owns the SOD process and acts as a facilitator. The BPOs are responsible for managing the risks and designing alternate controls when Segregation-of-Duties cannot be achieved. Once the risks are defined, Business Process Analysts (BPAs) provide the technical knowledge to ensure the appropriate transactions, related objects and field values are defined in Risk Analysis and Remediation. Business Process Owners are also responsible for approving actions taken to rectify SOD issues inherent in roles under their responsibility.
RAR Implementation Approach: GRC Access Control Risk Analysis and Remediation is implemented as
defined in standard SOD Management process, carried across the phases from Risk Definition to remediation
and mitigation leading to SOD clean state.
In GRC Risk Analysis and Remediation, Security owns the SOD process and acts as a facilitator. The Business Process Owners are responsible for managing the risks and designing alternate controls when Segregation-of-Duties cannot be achieved. Once the risks are defined, Business Process Analysts provide the technical knowledge to ensure the appropriate transactions and related objects and field values are defined. Business Process Owners also own the responsibility for approving actions taken to rectify SOD issues inherent in roles and for mitigating users.
The audit department takes ownership and responsibility for conducting audits to discover Segregation-of-Duties issues and for testing the mitigating controls implemented by business process owners. The SOD rule keeper is responsible for controlling the rules in security, and the SAP Security administrator is segregated from the SOD duties and owns the security administration activities.
The following diagram depicts the high level solution approach of Risk Analysis and Remediation:
Enhanced Access Risk Analysis (RAR v10):
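The SOD management process of sections 6.1 and 6.2, as an added example that is not part of the original document: a minimal Python model of a rule set in which risks are defined as conflicting functions, classified High/Medium/Low as in the Risk Recognition phase, checked against a user's transactions (detective), simulated before a new assignment is granted (preventive), and suppressed only while an approved mitigating control is still valid. Function names, transaction codes, users, risk and control IDs are constructed for illustration and are not the document's or the product's rule set.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Functions: business capabilities expressed as sets of transaction codes.
# The codes are illustrative rule content (assumption), not the document's rule set.
FUNCTIONS: Dict[str, Set[str]] = {
    "PO_CREATE": {"ME21N", "ME22N"},   # order materials
    "GR_POST": {"MIGO"},               # receive materials
    "VENDOR_MAINT": {"XK01", "XK02"},  # maintain vendor master data
    "AP_PAY": {"F110"},                # run vendor payments
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str                  # High / Medium / Low, as classified in Risk Recognition
    functions: Tuple[str, ...]  # conflicting functions; all held by one user = violation
    description: str

# Rule set from the Rule Building phase (constructed sample).
RISKS: List[Risk] = [
    Risk("P001", "High", ("PO_CREATE", "GR_POST"), "Order and receive materials"),
    Risk("P002", "High", ("VENDOR_MAINT", "AP_PAY"), "Maintain vendor and pay vendor"),
]

@dataclass(frozen=True)
class Control:
    control_id: str
    valid_to: date              # mitigation must be re-approved after this date

# Mitigating controls approved by the BPO, keyed by (user, risk_id) (constructed).
MITIGATIONS: Dict[Tuple[str, str], Control] = {
    ("asmith", "P002"): Control("MC-AP-01", date(2025, 12, 31)),
}

# Constructed user-to-transaction assignments and analysis date.
USERS: Dict[str, Set[str]] = {
    "jdoe": {"ME21N", "MIGO", "MM03"},
    "asmith": {"XK01", "F110"},
    "bjones": {"ME21N"},
}
AS_OF = date(2025, 6, 1)

@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    level: str
    mitigated: bool
    control_id: Optional[str]

def held_functions(tcodes: Set[str]) -> Set[str]:
    """A function is held if the user can execute any of its transactions."""
    return {f for f, ts in FUNCTIONS.items() if ts & tcodes}

def analyze_user(user: str, tcodes: Set[str], as_of: date = AS_OF) -> List[Violation]:
    """Detective check: report every risk whose functions the user holds in full.
    A violation counts as mitigated only while its control is still valid."""
    held = held_functions(tcodes)
    found: List[Violation] = []
    for r in RISKS:
        if all(f in held for f in r.functions):
            ctrl = MITIGATIONS.get((user, r.risk_id))
            ok = ctrl is not None and ctrl.valid_to >= as_of
            found.append(Violation(user, r.risk_id, r.level, ok, ctrl.control_id if ok else None))
    return found

def simulate_assignment(user: str, current: Set[str], added: Set[str],
                        as_of: date = AS_OF) -> List[Violation]:
    """Preventive check (CUP/ERM style): violations a proposed grant would introduce."""
    before = {v.risk_id for v in analyze_user(user, current, as_of)}
    return [v for v in analyze_user(user, current | added, as_of) if v.risk_id not in before]

def open_violations_by_level(violations: List[Violation]) -> Dict[str, int]:
    """Summary for the management dashboard: unmitigated violations per risk level."""
    counts: Dict[str, int] = {}
    for v in violations:
        if not v.mitigated:
            counts[v.level] = counts.get(v.level, 0) + 1
    return counts

if __name__ == "__main__":
    for u, t in USERS.items():
        for v in analyze_user(u, t):
            print(v)
    print("new if bjones gets MIGO:", simulate_assignment("bjones", USERS["bjones"], {"MIGO"}))
```

Running the block reports jdoe's unmitigated "order and receive" conflict, asmith's mitigated vendor/payment conflict, and the new conflict that granting MIGO to bjones would introduce.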
6.3 Enterprise Role Management
Enterprise Role Management is a web-based application that automates the creation and management of role definitions. Role Expert enforces best practices to ensure that role definition, development, testing and maintenance are consistent across the entire implementation, resulting in lower ongoing maintenance and painless knowledge transfer.
Enterprise Role Management empowers SAP security administrators and Role Owners to document
important role information that can be of great value for better role management such as:
Tracking progress during role implementation.
Monitoring the overall quality of the implementation.
Performing risk analysis at role design time.
Setting up a workflow for role approval.
Providing an audit trail for all role modifications.
Maintaining roles after they are generated to keep role information current.
Enterprise Role Management has a rich set of reports to facilitate the overall role quality
management and provide valuable information to achieve precise role definitions and lower ongoing
role maintenance. Role Expert provides reports, which make the identification of risks surrounding
the segregation of duties a painless process, and ensures that you get the most out of the SAP
security system.
Enterprise Role Management Implementation Approach: Enterprise Role Management is implemented to automate the creation and management of roles. Enterprise Role Management is configured to ensure that role definition, development, testing and maintenance are carried out in a consistent manner across the entire system landscape. With the Enterprise Role Management tool, role maintenance is optimized and made compliant with all regulatory requirements. It also makes role re-design and remediation easy. With optimal utilization of the tool, role re-design and cleaning of roles (get-clean) is achieved and on-going roles are provisioned into the backend systems (stay-in-control).
The following diagram depicts the high level Role Automation in Enterprise Role Management:
Business Role Governance (ERM v10):
6.4 Compliant User Provisioning Workflow Overview
Compliant User Provisioning workflows shall be configured to be triggered automatically by events such as a new user creation or a role change. The dynamic workflow provisions the actions directly into multiple systems. Compliant User Provisioning will be configured to enable business users to perform the provisioning activities without any involvement of IT or application security personnel, while facilitating proactive SOD analysis.
With end-to-end automation, sequences can be triggered automatically based on events such as a new employee hire or a job change, then processed through the dynamic workflow, and finally provisioned directly into multiple systems. These steps can be performed by business users without any involvement of IT or application security personnel.
The following diagram depicts the high level workflow of Compliant User Provisioning:
Streamlined User Access Management (CUP v10):
6.5 Super User Privilege Management - Overview
Super User Privilege Management (Firefighter) will be configured to automate emergency change requests, such as access to SAP_ALL in the production system, so that they are carried out in a consistent, secure and compliant manner. Automation will be enabled to cover all aspects of firefighting, from the setting up of Firefighter IDs, users, owners and approvers for those Firefighter IDs to automatic logons, owner notifications, activity logging and related monitoring and administration activities.
The following diagram depicts the usage of emergency request for Super User Privilege Monitoring:
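The controlled emergency access described above, as an added example that is not code from the document or the product: a Python model of a Firefighter ID with a separate owner and controller, owner-approved user assignment, a session that must carry a reason, one active session per ID, per-transaction activity logging, and a log report handed to the controller on logoff. All IDs, users, transactions, the ticket reference and the four-hour session cap are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class LogEntry:
    timestamp: datetime
    firefighter_id: str
    user: str
    transaction: str
    detail: str        # the product records input down to field-value level; kept as text here

@dataclass
class FirefighterId:
    ff_id: str
    owner: str                         # approves which users may use the ID
    controller: str                    # reviews the activity log after every session
    assigned_users: List[str] = field(default_factory=list)
    active_user: Optional[str] = None
    session_reason: Optional[str] = None
    session_start: Optional[datetime] = None
    log: List[LogEntry] = field(default_factory=list)

class EmergencyAccess:
    """Registry enforcing the controls the section lists: owner-approved assignment,
    mandatory reason, one session per ID, full logging, owner/controller notification."""

    def __init__(self, max_session: timedelta = timedelta(hours=4)):
        self.ids: Dict[str, FirefighterId] = {}
        self.max_session = max_session          # assumed cap, not a product setting
        self.notifications: List[str] = []      # stand-in for e-mail/workflow messages

    def register(self, ff_id: str, owner: str, controller: str) -> None:
        if owner == controller:
            raise ValueError("owner and controller must be different people")
        self.ids[ff_id] = FirefighterId(ff_id, owner, controller)

    def assign(self, ff_id: str, user: str, approved_by: str) -> None:
        ff = self.ids[ff_id]
        if approved_by != ff.owner:
            raise PermissionError("only the ID owner may assign users")
        if user not in ff.assigned_users:
            ff.assigned_users.append(user)

    def logon(self, ff_id: str, user: str, reason: str, now: datetime) -> None:
        ff = self.ids[ff_id]
        if user not in ff.assigned_users:
            raise PermissionError(f"{user} is not assigned to {ff_id}")
        if ff.active_user is not None:
            raise RuntimeError(f"{ff_id} is already checked out by {ff.active_user}")
        if not reason.strip():
            raise ValueError("a reason is mandatory for emergency access")
        ff.active_user, ff.session_reason, ff.session_start = user, reason, now
        self.notifications.append(f"{ff.owner}: {user} logged on to {ff_id} ({reason})")

    def execute(self, ff_id: str, user: str, transaction: str, detail: str,
                now: datetime) -> None:
        ff = self.ids[ff_id]
        if ff.active_user != user:
            raise PermissionError("transaction attempted outside an open session")
        if now - ff.session_start > self.max_session:
            self.logoff(ff_id, now)           # close and report before refusing
            raise TimeoutError("session exceeded its maximum duration and was closed")
        ff.log.append(LogEntry(now, ff_id, user, transaction, detail))

    def logoff(self, ff_id: str, now: datetime) -> List[LogEntry]:
        """Close the session and hand the complete activity log to the controller."""
        ff = self.ids[ff_id]
        report = list(ff.log)
        self.notifications.append(
            f"{ff.controller}: review {len(report)} log entries for {ff_id} "
            f"(user {ff.active_user}, reason: {ff.session_reason}, closed {now:%Y-%m-%d %H:%M})")
        ff.active_user = ff.session_reason = ff.session_start = None
        ff.log.clear()
        return report

T0 = datetime(2025, 6, 1, 9, 0)   # constructed session start for the demo

if __name__ == "__main__":
    ea = EmergencyAccess()
    ea.register("FF_FIN_01", "owner.a", "ctrl.b")
    ea.assign("FF_FIN_01", "jdoe", approved_by="owner.a")
    ea.logon("FF_FIN_01", "jdoe", "Month-end posting fix, ticket INC-0001", T0)
    ea.execute("FF_FIN_01", "jdoe", "FB01", "posted document 100001", T0.replace(minute=5))
    print(ea.logoff("FF_FIN_01", T0.replace(minute=10)))
    print("\n".join(ea.notifications))
```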
Centralized Emergency Access (SPM v10)
6.6 Harmonization between all GRC products:
6.7 GRC - Management Oversight and Internal Audit
Management Oversight - At periodic intervals, managers need to exercise effective and
comprehensive management oversight, review, and reaffirmation of user access, etc.
SAP GRC Access Control enables management to take responsibility by running periodic access
Access Risk Analysis (RAR):
User Access Management (CUP):
Business Role Governance (ERM):
Centralized Emergency Access (SPM)
7 SAP GRC Access Control Benefits
Super-user privilege monitoring (Fire Fighter)
Efficient and effective super user privilege management, with tracking of all activity
Allows personnel to take responsibility for tasks outside their normal job function. Firefighter describes the ability to perform tasks in emergency situations.
Enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.
Logging of all transactions executed during fire call usage.
Temporarily redefines the IDs of users when they are assigned to solving a problem, giving them provisionally broad, but regulated, access. There is complete visibility and transparency of everything done during the period.
8 ASAP Methodology
ASAP Methodology is SAP's proven implementation methodology, spread over 5 phases in the execution model of the GRC implementation. A Phase 0 base-lining prior to the Initial Preparation or Project Preparation phase is used to strategize the GRC roadmap for its effective usage and utilization. In this phase, proactive involvement in the SAP systems is required for role design, SOD analysis and violations, security policies and procedures re-established for the compliance requirements, and controls rationalization for the best assurance of SOX and other compliances.
An internal tool has been developed to address all kinds of SAP project execution, aligned to the best practices of the CMMi level 5, ISO 9001, ISO 27001 and ITIL standards. Projects are managed, monitored and tracked against best-of-breed industry standards using the custom tool's capabilities.
9 Deliverables
High-level deliverables of a typical SAP GRC AC implementation are:
Installation: Installation of SAP GRC Access Control in the DEV/QA and PROD servers
Training: Product overview training on SAP GRC Access Control (SAP GRC AC)
Risk Analysis and Remediation (Compliance Calibrator):
  Initial configuration of GRC Access Control
  Developing the company-specific rules in the DEV/QA server (pilot with sample rules)
  Risk analysis and remediation for all standard business processes in DEV/QA
  Validation workshop on the configured rule sets with the BPO / IA team and modifications to them as per the needs of the business
Super user privilege management (Fire Fighter):
  Initial configuration of Super user privilege management in SAP GRC Access Control
  Define workflows for Super user privilege management - user masters and role management
Enterprise role management (Role Expert):
  Initial configuration of Enterprise role management in SAP GRC Access Control
  Configuration of role creation / modification and backend integration with SAP systems
  Define workflows for Enterprise Role Management
  Upload current company roles into Enterprise role management
Compliant user provisioning (Access Enforcer):
  Initial configuration of Compliant user provisioning in SAP GRC Access Control
  Define workflows for user provisioning
  Configuration of user creation / change workflows and backend integration with SAP systems
  Upload user masters and role assignments into Compliant user provisioning
UAT: User Acceptance Testing of SAP GRC Access Control
Reporting:
  Analyzing and reporting current user access status based on standard RAR reports; CUP and ERM reporting features
  Super user privilege management reports for all log reviews and fire fighter activities
Training:
  Training the trainers on RAR rule building and reporting, remediation, mitigation and alerts
  Performing and demonstrating remediation of identified non-acceptable role and user violations
  Performing and demonstrating the setting up of mitigation controls and alerts for identified acceptable violations
  Training the trainers on end-user topics upon request, and handholding support
  Workflows and administration of Compliant user provisioning (CUP) and Enterprise role management (ERM)
  Administration and monitoring of Super user privilege management (SPM) reports for log reviews and fire fighter activity monitoring
Installation: Installation and re-configuration (export and re-connectivity to SAP systems) of SAP GRC Access Control in the PROD server
PROD Preparation:
  Cutover plan and execution
  Initial configuration of SAP GRC Access Control in the PRD server
  Exporting / uploading the configuration, company-specific rules, roles and users into SAP GRC Access Control in the PRD server; data migration / cutover and UAT
GO LIVE: Go-live and post-go-live support for 5-10 days