Overview
AGENDA
Introduction
SAP GRC Access Control RAR Overview
Informer tab
Mitigation tab
Rule Architect tab
Configuration tab
INTRODUCTION
I like teaching and I'm a Microsoft Certified Trainer
[System landscape diagram; labels recovered from the slide: DEV GRC with GRC Components RAR, CUP and SPM; DEV ECC; SYS TEST ECC; DEV BW; SYS TEST BW; TEST2 OU; Client 100, Client 150, Client 200, Client 220]
RAR OVERVIEW
Informer
Provides the risk analysis reports and management views
Rule Architect
Defines the rules for business-process SoD
Mitigation
Maintains mitigating controls and assigns them to users, roles and profiles with identified risks
Alert Monitor
Provides an overview of conflicting actions, critical actions and control monitoring
Configuration
Contains configuration settings
INFORMER
Informer
Includes the following types of reports:
Management View
Risk Analysis
Audit Reports
Security Reports
Management View
Shows SoD information collected by the Management Report background job, as a graphical overview and as detailed reports
Management View > User Analysis (Informer > Management View > User Analysis)
Shows the SoD violations for a specific user group in a specific system
Management View > Comparisons (Informer > Management View > Comparisons)
Shows the number of SoD violations per user or per role, by month or by quarter, over the selected interval
Management View > Rule Library (Informer > Management View > Rule Library)
Shows an overview of the SoD rules for which risks have been identified
Management View > Control Library (Informer > Management View > Control Library)
Shows how many mitigating controls have been set up
Risk Analysis
A risk is defined as two or more actions or permissions that, when available to a single user, role or profile, create the possibility of error or irregularity. The Risk Analysis reports identify such risks. When a risk is found in a report, it can be resolved (remediated) either by removing the access or by applying a mitigating control. To identify the risks shown in the Risk Analysis reports, the combinations of actions and permissions that represent conflicts in your organization must be known; these combinations are maintained in the Rule Architect tab.
Risk Analysis contains reports that show users, roles or HR objects whose access rights violate SoD. To get a report of all users in NAD with SoD issues, click User Level and search by user group NA00_ALL. Once the report is displayed, the risks can be mitigated directly from it.
The following report shows a high-level risk caused by transactions ME22N and MIGO. To view the roles that contain these transactions, click the Display Detail Report button.
The report shows that ME22N from the PO Processor role and MIGO from the GR Processor role together cause this SoD conflict.
To mitigate this risk, click the risk description. On the Risk Resolution screen, select Mitigate Risk and click Continue. On the Risk Mitigation screen, specify the mitigating control and the mitigation monitor, then click Save to apply the mitigation.
MITIGATION
Mitigation
The Mitigation tab is used to respond to SoD violations. Mitigating controls are required when it is not possible to segregate duties within the business process. The Mitigation tab contains the following key options:
Control Library
Administrators
Business Units
Mitigating Controls
Mitigation Monitors
Mitigated Users
Control Library
Provides an overview of the controls that have been established. The upper part of the report shows the number of controls set up.
Administrators
Administrator rights for managing controls must be configured before a mitigation can be applied. An administrator creates mitigating controls and assigns the mitigation monitor and the manager who can approve the mitigation. An administrator who is assigned to a mitigating control, business unit or other object cannot be deleted.
Business Units
All the controls in a business unit can be displayed by the business unit manager.
Mitigating Controls
Mitigating controls must be defined before they can be assigned to users, roles or profiles to mitigate a risk. Defining a mitigating control requires a Mitigating Control ID, a business unit and the management approver who approves the control. One control can mitigate every risk ID associated with it.
Creating a mitigating control
1. Navigate to Mitigation > Mitigating Controls > Create. The Create Mitigating Controls screen opens.
2. In the Mitigating Control ID field, enter a unique alphanumeric identifier for the control.
3. In the Short Description field, enter a short description of the control.
4. In the Business Unit dropdown list, select a business unit. The list shows all business units previously created on the Business Units screen.
5. In the Management Approver field, select the appropriate approver. The list shows the approvers associated with the business unit selected in the preceding step.
6. On the Associated Risks tab, choose the plus icon to add a risk ID to the control.
7. On the Monitors tab, choose the plus icon to add monitors to the control. The list shows the monitors associated with the business unit.
RULE ARCHITECT
Overview
Rule Architect provides a comprehensive set of functions and the associated rules for SoD. It is used to define the rules by which SAP GRC Access Control identifies SoD risks.
Rules
Rules follow an if-then principle: if an employee has authorization to create a vendor master record and to initiate payment of a vendor invoice, then this is a high risk.
Risk
A risk identifies functions that should be separated.
Function
A function is a combination of activities; in SAP terms, a collection of transaction codes (together with their authorization objects).
Activities
SAP transaction codes
Example: Risk P059
Function PR02 Maintain Purchase Order: ME21 + Auth Object, ME21N + Auth Object, ME22 + Auth Object, ... T-Code n + Auth Object
Function PR04 Approve Purchase Order
Risk Rule
Business Processes
In Risk Analysis and Remediation, business processes are attributes used to categorize rules, functions and risks. When the default rules are installed, the installation process automatically creates a default set of business processes. Business processes can be used to differentiate collections of objects: when a new risk is defined, a business process attribute is specified for it, which associates the risk with all other risks that share the same business process attribute.
Risk Management
A risk identifies functions that should be separated.
Risk Type
Segregation of Duties (SoD) risk: a combination of two or more actions or permissions that, when assigned to a single employee, create a vulnerability
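The Rule Architect definitions above (a function is a set of transaction codes, a risk names the functions to keep apart, and a rule is the if-then combination that the Informer user-level analysis checks against each user's roles, as in the ME22N/MIGO example in the Informer section) can be made concrete with a small Python model. This is an added illustration, not SAP code or the RAR engine: the role names, user IDs, the control MC_PO_GR_01, business unit NA00, function GR01, risk P001 and the transaction codes under PR04 and GR01 are constructed for the example; PR02, PR04, P059, ME21/ME21N/ME22 and the ME22N/MIGO conflict come from the slides. Authorization objects are omitted, so rules match on transaction codes only.

```python
"""Toy model of RAR-style SoD analysis: Rule Architect objects (functions,
risks, generated rules), Informer user-level analysis, and Mitigation
assignment. Added example; IDs marked 'assumed' are constructed."""
from itertools import product

# Rule Architect: a function is a collection of t-codes (auth objects omitted).
FUNCTIONS = {
    "PR02": {"ME21", "ME21N", "ME22", "ME22N"},  # Maintain Purchase Order (slide)
    "PR04": {"ME28", "ME29N"},                   # Approve Purchase Order (t-codes assumed)
    "GR01": {"MIGO", "MB01"},                    # Goods Receipt (function ID and t-codes assumed)
}
# A risk names the functions that must be kept apart.
RISKS = {
    "P059": {"level": "High", "functions": ("PR02", "PR04")},  # slide
    "P001": {"level": "High", "functions": ("PR02", "GR01")},  # assumed ID
}
# Back-end data as pulled by the User/Role/Profile sync job (constructed).
ROLES = {
    "PO_PROCESSOR": {"ME22N", "ME23N"},
    "GR_PROCESSOR": {"MIGO"},
    "PO_APPROVER": {"ME29N"},
}
USERS = {
    "JSMITH": {"PO_PROCESSOR", "GR_PROCESSOR"},   # has ME22N + MIGO
    "AJONES": {"PO_PROCESSOR"},
    "BLEE": {"PO_PROCESSOR", "PO_APPROVER"},      # has ME22N + ME29N
}
# Mitigation tab > Control Library (constructed).
CONTROL_LIBRARY = {
    "MC_PO_GR_01": {"business_unit": "NA00", "approver": "MGR_NA00",
                    "risks": {"P001"}, "monitors": {"MON_NA00"}},
}


def generate_rules(risks, functions):
    """Expand each risk into action-level rules: one rule for every
    combination of one t-code taken from each function of the risk."""
    rules = []
    for risk_id, risk in risks.items():
        action_sets = [sorted(functions[f]) for f in risk["functions"]]
        for combo in product(*action_sets):
            rules.append((risk_id, frozenset(combo)))
    return rules


def user_level_analysis(users, roles, rules, risks, mitigations=None,
                        exclude_mitigated=False):
    """Informer > Risk Analysis > User Level: a rule fires when all of its
    actions are reachable through the user's roles. Each finding records
    which roles supply the conflicting actions (the detail report) and
    any mitigating control already assigned."""
    mitigations = mitigations or {}
    findings = []
    for user, user_roles in sorted(users.items()):
        actions_by_role = {r: roles[r] for r in user_roles}
        available = set().union(*actions_by_role.values())
        for risk_id, combo in rules:
            if not combo <= available:
                continue
            control = mitigations.get((user, risk_id))
            if control and exclude_mitigated:   # Exclude Mitigated Risks setting
                continue
            findings.append({
                "user": user,
                "risk": risk_id,
                "level": risks[risk_id]["level"],
                "actions": sorted(combo),
                "roles": sorted(r for r, acts in actions_by_role.items() if acts & combo),
                "control": control["control"] if control else None,
            })
    return findings


def apply_mitigation(mitigations, library, user, risk_id, control_id, monitor):
    """Risk Mitigation screen: assign a control and monitor to a user/risk pair.
    Enforces the constraints on the slides: the control must already exist,
    the risk must be associated with it, and the monitor must belong to it."""
    ctl = library.get(control_id)
    if ctl is None:
        raise ValueError(f"mitigating control {control_id} is not defined")
    if risk_id not in ctl["risks"]:
        raise ValueError(f"risk {risk_id} is not associated with {control_id}")
    if monitor not in ctl["monitors"]:
        raise ValueError(f"monitor {monitor} is not assigned to {control_id}")
    mitigations[(user, risk_id)] = {"control": control_id, "monitor": monitor}
    return mitigations


if __name__ == "__main__":
    rules = generate_rules(RISKS, FUNCTIONS)
    for f in user_level_analysis(USERS, ROLES, rules, RISKS):
        print(f"{f['user']}: {f['risk']} ({f['level']}) {f['actions']} via {f['roles']}")
    # Mitigate JSMITH's PO/GR conflict, then re-run with mitigated risks excluded.
    mit = apply_mitigation({}, CONTROL_LIBRARY, "JSMITH", "P001", "MC_PO_GR_01", "MON_NA00")
    for f in user_level_analysis(USERS, ROLES, rules, RISKS, mit, exclude_mitigated=True):
        print(f"still open: {f['user']} {f['risk']}")
```

The two-step run mirrors the Informer workflow on the slides: the first analysis reports JSMITH's ME22N/MIGO conflict with both contributing roles, and after the control is assigned the same conflict disappears from a report run with mitigated risks excluded, while BLEE's unmitigated P059 finding remains. Note that the exclusion only filters the report; the access itself is unchanged until it is remediated.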
CONFIGURATION
Configuration Overview
Configuration is required:
After a new installation of Risk Analysis and Remediation
After an upgrade of Risk Analysis and Remediation
To conduct routine administrative tasks
Configuration can be used to:
Specify default settings for users who perform risk analysis with the Informer tab
Tune the system to optimize your usage and network environments
Determine how data is used in Risk Analysis and Remediation reports
The functions of the Configuration tab are reached through its navigation menu.
Options available under Risk Analysis on the Configuration tab:
Default Values: Default Report Type, Default Risk Level, Default User Type, Default Rule Set, Exclude Locked Users, Exclude Expired Users, Exclude Mitigated Risks
Performance Tuning: Batch Size for User Synchronization, RFC Time-out for Web Services / Threads, Number of Web Services Worker Threads, Number of Background Job Worker Threads, Consider Organizational Rules, Convert Users, Roles and Profiles to Upper Case
Mitigating Controls: Risk Maintenance, Mitigation Control Maintenance, Mitigation
Note that the Exclude options only filter what the reports show; locked or expired users and mitigated risks keep their access until it is remediated.
Default Values
Default Report Type, Default Risk Level, Default User Type, Exclude Locked Users, Exclude Expired Users
Logical Systems
A logical system is two or more physical systems grouped together so that rules can be maintained against one system grouping instead of against each physical system. Logical systems reduce the time and system resources required to maintain rule sets by avoiding identical rule sets for multiple systems.
Background Jobs
Background jobs are used to schedule synchronization with back-end systems, batch risk analyses, generation of management reports and generation of alerts.
User/Role/Profile Synchronization
This background job pulls user data (user IDs and user names) and role and profile data (technical role and profile names) from the selected back-end systems and stores it in RAR.
Management Report
This job uses the results of the batch risk analysis job to aggregate the high-level data presented in graphical form on the Informer tab.