Segregation of Duties Review (SOD Review) Description and Workflow Configuration
Added by Shaily Kulshreshtha, last edited by Shaily Kulshreshtha on Nov 28, 2014

Segregation of Duties Review (SOD Review)
Segregation of Duties Review is a process where the system periodically checks for any risks and violations associated with a user or with functions. This functionality can be used during the initial cleanup of risk violations as well as a long-term strategy to review and reaffirm previous Mitigation assignments.
When an SOD review is performed, it generates requests automatically, based on the organization's internal policy. SOD review provides a workflow-based review and approval process.

Purpose
This document explains the complete functionality of SOD review.

SOD Review Overview
Key features of SOD Review:
Decentralized review of Segregation of Duties violations.
Workflow request for Access Review and approval.
Reaffirmation of Mitigation Control assignments.
Audit trail and Report for Audits.

SOD Review Process
There is a background job which generates SOD Review requests.
The system sends SOD review notifications to the reviewers.
The reviewer reviews the request and performs one of the following options:
Reject Request Items.
Mitigate the Risk by assigning a Mitigation Control.
Remove Access for the items that are creating violations.
There is one more optional step where we can involve an Admin for an Admin Review before sending the request to the reviewers.

SOD Review Process Explanation
Admin Review
There is an option for Admin Review which allows the administrator to validate request data after the requests are generated (by the SOD review job) but before the workflow tasks are generated (that is, prior to the SOD Review Update Workflow job). If any reviewer information is missing or needs to be modified, the Admin can do so before generating the workflow, or can also delete requests if required.
Review Stage
We can specify whether the Reviewer stage is addressed by the user's Manager or by the Role Owner.
Security Stage: We can also include a Security stage if required.

Workflow Stage Configurations
After deciding which stages to include in the SOD review workflow, we need to determine the specific behavior for each stage to reflect the review process, such as:
Email Notification
First of all we need to determine the content of the email notification to be sent to the approver of each stage. The recipient also needs to be determined.
Reminder
We can also set an Email reminder for each stage. We can specify the interval of the reminder notification.
Escalation
You can specify Escalation on each stage based on the time spent in that stage. If a Reviewer does not complete the review within the time specified in the date parameter defined in configuration, the request is escalated. The Audit log shows this escalation. We can also specify whether escalation automatically removes the access that has not been approved by a certain date.

Roles in SOD Review
The following roles can appear in an SOD Review Request:
Administrator
Administrators perform SoD Review specific administrative tasks, such as performing an Admin Review before generating a workflow for the request.
Reviewer
Reviewers are approvers at the Reviewer stage. A Reviewer can be a User's Manager or the Risk Owner.
User's Manager
The User's Manager is the direct manager of a particular user, as defined in the User Details Data Source.
Risk Owner
The Risk Owner is the owner specified in your Risk Analysis and Remediation (RAR) master data.
Coordinator
Coordinators are users assigned to one or more Reviewers. Coordinators monitor the SoD Review process and coordinate activities to ensure that the process is completed in a timely manner.

Prerequisites
The following jobs should be executed in the sequence below before running the SOD review jobs.
Repository sync for User, Role, Profile (SPRO > GRC > Access Control > Synchronization Jobs > Repository Sync)
Batch Risk Analysis Job (SPRO > GRC > Access Control > Access Risk Analysis > Batch Risk Analysis > Execute Batch Risk Analysis)
Action Usage Report (SPRO > GRC > Access Control > Synchronization Jobs > Action Usage Sync)
Role Usage Sync (SPRO > GRC > Access Control > Synchronization Jobs > Role Usage Sync)
Also make sure that Risk Owners are maintained.

Configuration Settings
This section explains the SOD Review configuration settings.
IMG Configuration
Before running the SOD review job there are some IMG settings that need to be maintained.
Go to IMG > GRC > Access Control > Maintain Configuration Settings >
1. For PARAM Risk Analysis: Set Parameter 1027 Enable Offline Risk Analysis to YES
2. For PARAM SOD Review: Set the parameters below
a. 2016 Request Type for SOD: Choose the Default Request type for SOD
b. 2017 Default Priority for SOD: Choose the Default Priority for SOD
c. 2018 Who Are Reviewers: Choose Role Owner / Managers
d. 2019 Admin Review required before sending task to Reviewer: Choose YES / No
e. 2020 Number of unique line items per SOD request: The maximum value of this parameter is 9999. Beyond 9999, the request is split and the remaining items are moved to a new request.
This parameter was introduced in GRC 10.0 SP17 (SAP Note #1994429)
f. 2021 Is actual removal of role allowed: Choose Yes / No
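The following script is an added illustration, not code from this page or from SAP GRC, of how the SOD Review job's behaviour described above can be modelled: parameter 2018 decides whether the reviewer of each violation is resolved from the User Details Data Source (manager) or from the RAR master data (risk owner), parameter 2020 caps the line items per request and splits the rest into a new request, and items whose reviewer cannot be resolved are set aside for the Admin Review step. All data, the `MANAGER`/`RISK_OWNER` mode strings and the function names are constructed assumptions.

```python
"""Model of how SOD Review requests are assembled from risk violations.

Constructed illustration only: the dictionaries, mode strings and function
names below are assumptions for this example, not SAP GRC APIs.
"""
from collections import defaultdict

# Constructed sample of the User Details Data Source (user -> manager).
USER_DETAILS = {
    "JSMITH": {"manager": "MJONES"},
    "AKHAN": {"manager": "MJONES"},
    "BLEE": {"manager": None},          # manager deliberately missing
}

# Constructed sample of RAR master data (risk -> risk owner).
RISK_MASTER = {
    "P001": {"owner": "RISKOWNER1"},
    "F003": {"owner": "RISKOWNER2"},
}

# Constructed sample of batch risk analysis output (one line item each).
VIOLATIONS = [
    {"user": "JSMITH", "risk": "P001", "role": "Z_AP_CLERK"},
    {"user": "JSMITH", "risk": "F003", "role": "Z_GL_POST"},
    {"user": "AKHAN", "risk": "P001", "role": "Z_AP_CLERK"},
    {"user": "BLEE", "risk": "F003", "role": "Z_GL_POST"},
]


def resolve_reviewer(item, who_are_reviewers):
    """Return the reviewer for one line item, or None if it cannot be found.

    who_are_reviewers mirrors parameter 2018: "MANAGER" looks up the user's
    manager in the user details data source; "RISK_OWNER" looks up the owner
    in the risk master data. Both literal values are constructed.
    """
    if who_are_reviewers == "MANAGER":
        return USER_DETAILS.get(item["user"], {}).get("manager")
    if who_are_reviewers == "RISK_OWNER":
        return RISK_MASTER.get(item["risk"], {}).get("owner")
    raise ValueError(f"unsupported reviewer mode: {who_are_reviewers}")


def build_requests(violations, who_are_reviewers, max_items_per_request):
    """Group violations per reviewer and split requests at the line-item cap.

    max_items_per_request mirrors parameter 2020 (upper bound 9999). Items
    with no resolvable reviewer are returned separately so that an Admin
    Review can complete them before the workflow is generated.
    Returns (requests, unassigned_items).
    """
    if not 1 <= max_items_per_request <= 9999:
        raise ValueError("parameter 2020 must be between 1 and 9999")

    per_reviewer = defaultdict(list)
    unassigned = []
    for item in violations:
        reviewer = resolve_reviewer(item, who_are_reviewers)
        if reviewer is None:
            unassigned.append(item)
        else:
            per_reviewer[reviewer].append(item)

    requests = []
    for reviewer, items in sorted(per_reviewer.items()):
        # Split one reviewer's items into chunks no larger than the cap.
        for start in range(0, len(items), max_items_per_request):
            requests.append({
                "reviewer": reviewer,
                "items": items[start:start + max_items_per_request],
            })
    return requests, unassigned


if __name__ == "__main__":
    reqs, missing = build_requests(VIOLATIONS, "MANAGER", 2)
    for r in reqs:
        print(r["reviewer"], [(i["user"], i["risk"]) for i in r["items"]])
    print("needs admin review:", missing)
```

Running the script with a cap of 2 yields two requests for MJONES (two items and one item) and leaves BLEE's violation in the list that an administrator would complete on the Request Review screen.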

Managing Coordinators
Go to NWBC > Access Management > Compliance Certification Review > Manage Coordinators
The screen will open. Now select any line item to change it, or create a new one.

Specifying Escalations
Go to SPRO > GRC > Access Control > User Provisioning > Maintain Service Level Agreement
Here you can create an SLA for the SOD review process. You can specify it via the type Fixed by Date, Fixed by number of days, or Formula.

Generating data for Requests
For generating data for the SOD review you need to schedule a job from NWBC > Access Management > Scheduling > Background Scheduler
You can give a Job Name, select Generate data for Access Request SOD Review, and click on Next.
After clicking on Next, on the next screen you can give the parameters for which you want to run this job.
Now, on clicking Next and then Finish, the job will be scheduled.
You can check this job under NWBC > Access Management > Scheduling > Background Jobs

Request Review
This step is only required if you have enabled the Admin Review option.
The administrator reviews the requests to ensure completeness and accuracy of the request information prior to sending them to the Reviewers.
Go to Access Management > Compliance Certification Review > Request Review
On the Request Review screen, search for the SoD Review requests by selecting the SoD Risk Review Workflow, and then review the data to confirm that the Reviewer and Coordinator information is accurate.
On this screen you can enter information about the reviewer into the requests if it is not available.
An Administrator can also cancel the request if SoD Reviews are not required or if there is incorrect data.

Update Workflow Job
This step is only required if you have enabled Admin Review and the Admin Review has been completed.
Execute the SoD Review Update Workflow Job to push the workflow tasks to the Reviewers.
Go to Access Management > Scheduling > Background Scheduler.
Click Background scheduler.
The Schedule Access Management screen will appear.
Choose Create to create a new request for Update Workflow.
The Create Schedule screen will appear.
Enter a Schedule Name.
Select the Schedule Activity from the dropdown list. For SoD Requests, select Update Workflow for SoD Request.
Choose Finish.
Go to Request Review and check the status of the request to see whether it has been completed.
After completing all of the above mentioned steps, the requests will now arrive in the Reviewers' Work Inbox to be worked on.
Now you can view that request in the Work Inbox. On opening the request it will look as below.
Since YES was selected for Actual removal of Roles during the configuration process, the ACTUAL REMOVAL pushbutton appears on the screen. If NO was selected, then the PROPOSE REMOVAL pushbutton appears instead.
By selecting the Risk and then choosing the Actual Removal pushbutton, you can remove the actual role associated with this Risk. By choosing the Propose Removal pushbutton you can only propose the removal; no actual removal is done on any roles. Choose Submit to complete the Review process.

Workflow Configuration
To process the SOD review, you need to set the workflow settings in MSMP.
Process ID: SAP_GRAC_SOD_RISK_REVIEW
You can maintain Rules at the 2nd step. You can configure Function Module rules, BRFplus rules, ABAP class based rules, and BRFplus flat rules.
The rules can be one of the following types:
Initiator Rule: To check which path your request will take
Routing Rule: To direct your request to take a detour
Agent Rule: To determine the agents (Reviewers) for the request in a particular stage
Notification Rule: Used for notification purposes only
At the 3rd step you can define Agents.
The possible agent types are:
Directly Mapped Users: A group of users created within the workflow configuration
PFCG Roles: All users who have the specified PFCG role assignments
PFCG User Group: All users who are part of the specified PFCG group
GRC API Rules: All users returned by the configured rule for agents
Once the agents are maintained, choose the NEXT pushbutton to maintain the VARIABLES AND TEMPLATES.
In this screen, you can maintain custom notification templates as well as their variables and reminders.
The next step is to maintain paths.
Select a path and choose the ADD or MODIFY pushbuttons to define the path stages.
In the Maintain Stages table, choose the MODIFY TASK SETTINGS button to change the stage settings.
In the Approval Type column, select All Approvers or Any One Approver from the dropdown list. This determines whether all approvers or any one approver is required to approve the stage.
If you choose Yes for Escalation, specify the escalation setting by entering the idle time in minutes. The idle time is the amount of time after which, if the stage has been neither approved nor rejected, the task is either sent to the specified agent or the workflow moves to the next stage.
Choose the NEXT pushbutton to go to the Maintain Route Mapping screen. In this step you can maintain route mappings between the initiator rule's result and the actual path for that result.
Now Generate the MSMP version.
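The following script is an added example, not code from this page or from SAP's MSMP, that models the two stage settings discussed above, Approval Type (All Approvers vs. Any One Approver) and idle-time Escalation, so that the effect of each setting on a pending task can be checked before the MSMP version is generated. The `StageSettings` class, `stage_outcome()` function, status strings and sample agents are constructed assumptions; in particular it assumes that a single rejection closes the stage under either approval type, which the page does not state.

```python
"""Model of MSMP stage settings: approval type and idle-time escalation.

Constructed illustration: StageSettings, stage_outcome() and the status
strings are assumptions for this example, not the MSMP configuration API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class StageSettings:
    approval_type: str                      # "ALL_APPROVERS" or "ANY_ONE_APPROVER"
    escalation: bool = False                # the Escalation = Yes/No setting
    idle_minutes: int = 0                   # idle time entered when escalation is Yes
    escalation_agent: Optional[str] = None  # None means "move to the next stage"


# Constructed reference time used by the demo and the checks.
T0 = datetime(2014, 11, 28, 9, 0)


def minutes_after(start, minutes):
    """Helper so callers can express 'now' relative to the stage entry time."""
    return start + timedelta(minutes=minutes)


def stage_outcome(settings, approvers, decisions, entered_at, now):
    """Decide what a stage does given approver decisions and elapsed time.

    decisions maps approver -> "APPROVE" / "REJECT"; approvers who have not
    acted yet are simply absent. Returns a dict whose "status" is one of
    APPROVED, REJECTED, ESCALATED_TO_AGENT, ESCALATED_NEXT_STAGE or PENDING.
    """
    if settings.approval_type not in ("ALL_APPROVERS", "ANY_ONE_APPROVER"):
        raise ValueError("unknown approval type")
    if not approvers:
        raise ValueError("a stage needs at least one agent")

    acted = {a: decisions[a] for a in approvers if a in decisions}
    approvals = [a for a, d in acted.items() if d == "APPROVE"]
    rejections = [a for a, d in acted.items() if d == "REJECT"]

    # Assumption for this model: one rejection ends the stage in either mode.
    if rejections:
        return {"status": "REJECTED", "by": sorted(rejections)}
    if settings.approval_type == "ANY_ONE_APPROVER" and approvals:
        return {"status": "APPROVED", "by": sorted(approvals)}
    if settings.approval_type == "ALL_APPROVERS" and len(approvals) == len(approvers):
        return {"status": "APPROVED", "by": sorted(approvals)}

    # Still waiting for a decision: apply the idle-time escalation rule.
    if settings.escalation and settings.idle_minutes > 0:
        deadline = entered_at + timedelta(minutes=settings.idle_minutes)
        if now >= deadline:
            if settings.escalation_agent:
                return {"status": "ESCALATED_TO_AGENT",
                        "agent": settings.escalation_agent}
            return {"status": "ESCALATED_NEXT_STAGE"}
        return {"status": "PENDING", "deadline": deadline}
    return {"status": "PENDING", "deadline": None}


if __name__ == "__main__":
    # Two reviewers, only one has approved, escalation after 60 idle minutes.
    cfg = StageSettings("ALL_APPROVERS", escalation=True, idle_minutes=60,
                        escalation_agent="SECADMIN")
    for elapsed in (10, 60):
        print(elapsed, stage_outcome(cfg, ["MJONES", "RISKOWNER1"],
                                     {"MJONES": "APPROVE"}, T0,
                                     minutes_after(T0, elapsed)))
```

With All Approvers the stage stays pending until the second reviewer acts, and once 60 idle minutes have passed the task goes to the escalation agent; switching the same configuration to Any One Approver would have approved the stage on the first decision, which is the difference the Approval Type column controls.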

Checking SOD Review Requests
After a request is generated, it is sent to the reviewer's Work Inbox and can be accessed by performing the following steps:
You can also search for this request under Search Request > Select Process ID as SOD Risk Review Workflow

Managing Rejections
The line items that are rejected by an approver can be accessed and reworked from the Manage Rejections screen.
Go to Access Management > Compliance Certification Reviews > Manage Rejections.
Select the Process Type and click on Search.
You can find the rejections on this screen.

Related Documents
There are many major SOD review fixes after SP14 of GRC 10.0.
Below are the important SAP Notes regarding this.
1994429 UAM: Running Batch Risk Analysis is mandatory for SOD Review Request creation
2057848 UAM: Incorrect value is displayed for the Variable REQUESTER_NAME in the SOD Notifications
2058766 Removal of reviewer not possible from request reviewer
1888260 UAM: Issues with SOD Review request
1973155 Providing table sorting option in SOD Review request and mitigations not saved on saving SOD request