
SAP GRC RISK ANALYSIS AND REMEDIATION

Overview

AGENDA
Introduction
SAP GRC Access Control
RAR Overview
Informer tab
Mitigation tab
Rule Architect tab
Configuration tab

INTRODUCTION
I like teaching and I'm a Microsoft Certified Trainer.

You can view my transcript by going to: http://www.microsoft.com/learning/mcp/transcripts

Transcript ID: 685386, Access Code: 20131370


SAP GRC ACCESS CONTROL


SAP GRC Access Control
SAP GRC Access Control is a suite of capabilities that monitor, test, and enforce access and authorization controls across the enterprise. It helps companies comply with regulatory mandates such as Sarbanes-Oxley. SAP GRC Access Control includes the following capabilities:
Risk Analysis and Remediation (RAR), formerly Virsa Compliance Calibrator
Compliant User Provisioning (CUP), formerly Virsa Access Enforcer
Enterprise Role Management (ERM), formerly Virsa Role Expert
Superuser Privilege Management (SPM), formerly Virsa Firefighter

SAP GRC ACCESS CONTROL


SAP GRC Access Control landscape (diagram; only the labels survive)
DEV GRC system hosting the GRC components RAR, CUP and SPM, configured for ECC, plus a System Test Portal
Connected ECC clients: DEV ECC and SYS TEST ECC (clients 150 and 220)
Connected BI clients: DEV BW and SYS TEST BW (clients 100 and 200)
Other label in the diagram: TEST2 OU


RISK ANALYSIS AND REMEDIATION


Risk Analysis and Remediation (RAR)
RAR is used to manage segregation of duties (SoD) in the organization. RAR allows you to define risks for SoD conflicts, apply controls to mitigate those risks, and raise alerts.

RAR Application Menu


Informer
Contains various reports

Rule Architect
Defines rules for business process SoD

Mitigation
Monitors identified risks for users, roles and profiles

Alert Monitor
Provides an overview of conflicting-action, critical-action and control-monitoring alerts

Configuration
Contains configuration settings


INFORMER
Informer
Includes the following types of reports:
Management View
Risk Analysis
Audit Reports
Security Reports

INFORMER
Management View
Shows SoD information based on the data collected by the Management Report background job, as a graphical overview and in detailed reports

Risk Violations (Informer > Management View > Risk Violations)
Provides an overview of risk violations for all connected SAP applications

INFORMER
Management View User Analysis (Informer > Management View > User Analysis)
Shows SoD violations for a specific user group in a specific system

INFORMER
Management View Comparisons (Informer > Management View > Comparisons)
Shows the number of SoD violations per user or role, per month or quarter, over the selected interval

INFORMER
Management View Rule Library (Informer > Management View > Rule Library)
Shows an overview of the SoD rules for which risks have been identified

INFORMER
Management View Control Library (Informer > Management View > Control Library)
Shows how many mitigating controls have been set up

INFORMER
Risk Analysis
A risk is defined as two or more actions or permissions that, when available to a single user, role, or profile, create the possibility of error or irregularity. Risk Analysis contains the reports that identify risks. When a risk is found in a report, it can be resolved, or remediated, either by removing the conflicting access or by applying a mitigating control. To identify the risks reported in Risk Analysis, you need to know which combinations of actions and permissions represent conflicts in your organization; these combinations are maintained in the Rule Architect tab.

INFORMER
Risk Analysis
Contains reports that show users, roles, or HR objects whose access rights cause an SoD violation. To get a report of all users in NAD with SoD issues, click User Level and search by user group NA00_ALL. Once you have the report, you can mitigate the risks directly from it.

INFORMER
Risk Analysis
To get a report of all users in NAD with SoD issues, click User Level and search by user group NA00_ALL. Once you have the report, you can mitigate the risks directly from it. The following report shows a High-level risk caused by transactions ME22N and MIGO. To view the roles that grant these transactions, click the Display Detail Report button.

INFORMER
Risk Analysis
The summary report shows that ME22N from the PO Processor role and MIGO from the GR Processor role together cause this SoD violation.

INFORMER
Risk Analysis
To mitigate this risk, click the Risk Description. On the Risk Resolution screen, select Mitigate Risk and click Continue. On the Risk Mitigation screen, specify the mitigating control and the mitigation monitor, then click Save to apply the mitigation.


MITIGATION
Mitigation
The Mitigation tab is used to respond to SoD violations. Mitigating controls are required when it is not possible to segregate duties within the business process. The Mitigation tab contains the following key options:
Control Library
Administrators
Business Units
Mitigation Controls
Mitigation Monitors
Mitigated Users

MITIGATION
Control Library
Provides an overview of the controls that have been established. The upper part of the report shows the number of controls set up.

MITIGATION
Administrators
Administrator rights for managing controls must be configured before a mitigation can be applied. An administrator creates mitigating controls and assigns the mitigation monitor and the manager who can approve the mitigation. You cannot delete an administrator who is assigned to a mitigating control, business unit, or other object.

MITIGATION
Business Unit
All the controls in a business unit can be displayed by the business unit manager.

MITIGATION
Mitigation Control
Mitigating controls must be defined before they can be assigned to users, roles, or profiles to mitigate a risk. Defining a mitigating control requires a Mitigating Control ID, a Business Unit, and the Management Approver who approves the control. A control can be associated with several risk IDs; all risk IDs associated with a control can be mitigated with that one control.

MITIGATION
Creating a mitigation control
To create a mitigating control:
1. Navigate to Mitigation > Mitigating Controls > Create. The Create Mitigating Controls screen opens.
2. In the Mitigating Control ID field, enter a unique alphanumeric identifier for the control.
3. In the Short Description field, enter a short description of the control.
4. In the Business Unit dropdown list, select a business unit. The list shows all business units previously created on the Business Units screen.
5. In the Management Approver field, select the appropriate approver. The list shows the approvers associated with the business unit selected in the preceding step.
6. On the Associated Risks tab, choose the plus icon to add a risk ID to the control.
7. On the Monitors tab, choose the plus icon to add monitors to the control. The list shows the monitors associated with the business unit.


RULE ARCHITECT
Overview
Rule Architect provides a comprehensive set of functions and the rules associated with them for SoD. It is used to define the rules by which SAP GRC Access Control identifies SoD risks.

Rules
Rules are established on an if-then principle: if an employee has authorization to create a vendor master record and to initiate payment of the vendor invoice, then this is a high risk.

Risk
A risk identifies functions that should be separated

Function
A function is a combination of activities. In SAP terms, it is a collection of transaction codes.

Activities
SAP transaction codes

RULE ARCHITECT
Example: Risk P059 (diagram; rebuilt from its labels)
Function PR02 Maintain Purchase Order and Function PR04 Approve Purchase Order
Each function is a set of actions, each paired with its authorization object: ME21 + Auth Object, ME21N + Auth Object, ME22 + Auth Object, ME22N + Auth Object, ME28 + Auth Object, ME2N + Auth Object, ..., T-Code n + Auth Object
The rules generated from the risk are numbered after it: Risk Rule P059001, Risk Rule P059002, ..., Risk Rule P05900n

RULE ARCHITECT
Risk Rule

RULE ARCHITECT
Business Processes
In Risk Analysis and Remediation, business processes are attributes used to categorize rules, functions, and risks. When the default rules are installed, the installation process automatically creates a default set of business processes. Business processes differentiate collections of objects: when a new risk is defined, a business process attribute is specified for it, which associates the risk with all other risks sharing the same business process attribute.

RULE ARCHITECT
Risk Management
A risk identifies functions that should be separated.

Risk Type
Segregation of Duties (SoD) risk
A combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability.

Critical Action risk


Certain actions are risky in themselves; any employee who has permission to perform one of them automatically poses a risk. Defining a critical action risk ensures that any employee assigned this action is identified by the risk analysis. You can define a critical action to include both the action and the corresponding permissions that allow the user to perform it. This risk type can have only one function.

Critical Permission risk


Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned a potentially risky permission. Use this type when the permission is enabled but is not tied to any action. This risk type can have only one function.


CONFIGURATION
Configuration Overview
Configuration is required:
after a new installation of Risk Analysis and Remediation
after an upgrade of Risk Analysis and Remediation
to conduct routine administrative tasks
Configuration can be used to:
specify default settings for users who perform risk analysis with the Informer tab
tune the system to your usage and network environment
determine how data is used in Risk Analysis and Remediation reports
The functions of the Configuration tab are accessed through its navigation menu.

CONFIGURATION
Options available under Risk Analysis on the Configuration tab

Default Values:
Default Report Type
Default Risk Level
Default User Type
Default Rule Set
Exclude Locked Users
Exclude Expired Users
Exclude Mitigated Risks

Performance Tuning:
Batch Size for User Synchronization
RFC Time-out for Web Services / Threads
Number of Web Services Worker Threads
Number of Background Job Worker Threads
Consider Organizational Rules
Convert Users, Roles and Profiles to Upper Case

Additional Config Options:
Ignore Critical Roles and Profiles
Enable Offline Risk Analysis
Show Composite Role in User Analysis
Use SoD Supplementary Table for Analysis

Mitigating Controls:
Risk Maintenance
Mitigation Control Maintenance
Mitigation


CONFIGURATION
Default Values
Default Report Type
Default Risk Level
Default User Type
Exclude Locked Users
Exclude Expired Users

Connectors for Risk Analysis and Remediation


Each back-end client requires its own JCo connection to be connected to RAR.

Logical Systems
A logical system is two or more physical systems grouped together to allow you to maintain rules against one system grouping instead of each physical system. Logical systems reduce the time and system resources required to maintain rule sets by avoiding identical rule sets for multiple systems

CONFIGURATION
Background Jobs
Background Jobs can be used to schedule synchronization with back-end systems, batch risk analyses, generation of management reports, and generation of alerts

User/Role/Profile Synchronization
This background job pulls user data (user IDs and user names) and role and profile data (technical role and profile names) from the selected back-end systems and stores them in RAR.

Batch Risk Analysis


This job performs SoD risk analysis on the users, roles and profiles stored in the system. During batch risk analysis for users, the application selects one user from the database, fetches that user's actions and authorizations from the back-end system, and runs the risk analysis against the rules stored in Access Control. The resulting SoD violations are stored. Access Control then selects the next user and repeats the steps. The batch risk analysis jobs for roles and profiles follow similar steps.

Management Report
This job uses the results of the batch risk analysis job to aggregate the high-level data presented graphically in the Informer tab.
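The pieces described on the preceding slides (a risk such as P059 expanded into numbered rules from the actions of its functions, the three risk types, the Exclude Locked Users and Exclude Mitigated Risks settings, mitigating controls that must be associated with a risk ID before they can be assigned, and the one-user-at-a-time loop of the batch risk analysis job) fit together as a small rule engine. The Python below is an added example written for this page; it is not SAP code and not how RAR is implemented internally. Risk P059, functions PR02 and PR04, the ME21/ME21N/ME22/ME22N/ME28 transactions and the ME22N-versus-MIGO conflict between a PO Processor and a GR Processor role come from the slides; the function IDs GR01 and BS01, the risk IDs PX01 and BX01, the user names, the control ID MC-PO-GR and every authorization-object value are constructed for the illustration.

```python
"""Toy model of how RAR expands risks into rules and runs a batch risk analysis. Added
example, not SAP code: risk P059, functions PR02/PR04 and the ME22N-vs-MIGO conflict are
from the slides; GR01/BS01, PX01/BX01, role/user names and all auth-object values are made up."""
from collections import namedtuple
from itertools import product

Risk = namedtuple("Risk", "rid kind level functions")  # kind: "SOD" (2+ functions) or "CRIT_ACTION"/"CRIT_PERM" (1)

def generate_rules(risk, functions):
    """Expand P059 into P059001, P059002, ...: SoD = one action from each function,
    critical action = one action per rule, critical permission = one permission per rule."""
    fns = [functions[f] for f in risk.functions]
    if risk.kind == "SOD":
        if len(fns) < 2:
            raise ValueError("an SoD risk needs two or more functions")
        combos = product(*(sorted(f.get("actions", {})) for f in fns))
    elif len(fns) != 1:
        raise ValueError("a critical risk can have only one function")
    elif risk.kind == "CRIT_ACTION":
        combos = ((a,) for a in sorted(fns[0].get("actions", {})))
    else:
        combos = ((p,) for p in sorted(fns[0].get("perms", ())))
    return [(f"{risk.rid}{i:03d}", risk, c) for i, c in enumerate(combos, 1)]

def effective_access(user, roles):
    """Collapse a user's roles into {t-code: granting roles} and {permission: granting roles}."""
    tcodes, perms = {}, {}
    for name in user["roles"]:
        for t in roles[name].get("tcodes", ()):
            tcodes.setdefault(t, set()).add(name)
        for p in roles[name].get("perms", ()):
            perms.setdefault(p, set()).add(name)
    return tcodes, perms

def check_rule(risk, combo, tcodes, perms, functions):
    """Detail report {element: [roles]} if every element of the rule is available, else None."""
    detail = {}
    for el in combo:
        if risk.kind == "CRIT_PERM":          # permission-only rule: no t-code to match
            if el not in perms:
                return None
            detail["/".join(el)] = sorted(perms[el])
        else:                                  # action plus the permissions the function requires
            need = set().union(*(functions[f].get("actions", {}).get(el, ()) for f in risk.functions))
            if el not in tcodes or not need <= set(perms):
                return None
            detail[el] = sorted(tcodes[el])
    return detail

def mitigate(mitigated, controls, uid, rid, cid):
    """Assign control cid to user uid for risk rid; the control must be associated with the risk."""
    if rid not in controls[cid]["risks"]:
        raise ValueError(f"control {cid} is not associated with risk {rid}")
    mitigated.add((uid, rid))

def batch_risk_analysis(users, roles, functions, rules, mitigated=frozenset(),
                        exclude_locked=True, exclude_mitigated=True):
    """One user at a time: fetch effective access, evaluate every rule, store the violations."""
    violations = []
    for u in users:
        if exclude_locked and u.get("locked"):
            continue
        tcodes, perms = effective_access(u, roles)
        for rule_id, risk, combo in rules:
            if exclude_mitigated and (u["uid"], risk.rid) in mitigated:
                continue
            detail = check_rule(risk, combo, tcodes, perms, functions)
            if detail:
                violations.append({"user": u["uid"], "risk": risk.rid, "level": risk.level,
                                   "rule": rule_id, "detail": detail})
    return violations

# --- constructed data; authorization-object values are illustrative, not the delivered rule set ---
CHG_PO, REL_PO = ("M_BEST_BSA", "ACTVT", "02"), ("M_EINK_FRG", "FRGCO", "01")
GR_POST, DEBUG = ("M_MSEG_BWA", "ACTVT", "01"), ("S_DEVELOP", "ACTVT", "02")
FUNCTIONS = {  # function ID -> {"actions": {t-code: required perms}, "perms": stand-alone perms}
    "PR02": {"actions": {t: {CHG_PO} for t in ("ME21", "ME21N", "ME22", "ME22N")}},  # Maintain PO
    "PR04": {"actions": {"ME28": {REL_PO}}},                                         # Approve PO
    "GR01": {"actions": {"MIGO": {GR_POST}}},                                        # Goods receipt
    "BS01": {"perms": {DEBUG}},                                                      # Debug permission
}
RISKS = [Risk("P059", "SOD", "High", ["PR02", "PR04"]),
         Risk("PX01", "SOD", "High", ["PR02", "GR01"]),          # the ME22N / MIGO conflict
         Risk("BX01", "CRIT_PERM", "Critical", ["BS01"])]
RULES = [r for risk in RISKS for r in generate_rules(risk, FUNCTIONS)]
ROLES = {"PO Processor": {"tcodes": {"ME21N", "ME22N"}, "perms": {CHG_PO}},
         "GR Processor": {"tcodes": {"MIGO"}, "perms": {GR_POST}},
         "PO Approver": {"tcodes": {"ME28"}, "perms": {REL_PO}},
         "Basis Debug": {"perms": {DEBUG}}}
USERS = [{"uid": "BUYER1", "roles": ["PO Processor", "GR Processor"]},
         {"uid": "BASIS1", "roles": ["PO Approver", "Basis Debug"]},
         {"uid": "TEMP1", "roles": ["PO Processor", "PO Approver"], "locked": True}]
CONTROLS = {"MC-PO-GR": {"risks": {"PX01"}, "monitor": "ap.supervisor", "approver": "pur.manager"}}

def run_demo():
    """Violations before and after BUYER1's PX01 is mitigated with control MC-PO-GR."""
    before = batch_risk_analysis(USERS, ROLES, FUNCTIONS, RULES)
    mitigated = set()
    mitigate(mitigated, CONTROLS, "BUYER1", "PX01", "MC-PO-GR")
    return before, batch_risk_analysis(USERS, ROLES, FUNCTIONS, RULES, mitigated)
```

Running `run_demo()` reports BUYER1 twice against PX01 (once per maintain-PO transaction the role actually grants, with the detail dictionary attributing ME22N to PO Processor and MIGO to GR Processor, as in the Display Detail Report on the earlier slide), BASIS1 once against the critical permission risk, and nothing for the locked TEMP1 until exclude_locked is switched off; after the control is assigned, every PX01 rule for BUYER1 is suppressed, which is what Exclude Mitigated Risks does in the real reports. Note that a rule only fires when both the transaction and the permissions its function requires are present, so a role with the t-code but not the authorization object does not produce a violation.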
