2014 10 08 expertum - sapience tech day 2014 - process automation and cost savings with sap grc...

Process Automation and Cost Savings with SAP GRC Access Control: the Tenneco case. Sigrid Conix (Tenneco), Chris Walravens (Expertum). SAPience.be TECHday ‘14

Upload: expertum-consulting-excellence

Post on 24-May-2015


DESCRIPTION

Process Automation and Cost Savings with SAP GRC Access Control: the Tenneco case

TRANSCRIPT

Page 1: 2014 10 08 expertum - sapience tech day 2014 - process automation and cost savings with sap grc access control - the tenneco case

Process Automation and Cost Savings with SAP GRC Access Control: the Tenneco case

Sigrid Conix, Tenneco

Chris Walravens, Expertum

SAPience.be TECHday ‘14

Agenda

The Players

SAP GRC Access Control

HR Triggers

Role Request Process (PMU)

Periodic Review Automation

Benefits

Tenneco

Expertum

History

• Founded in April 2006 by 2 ex-SAP BeLux employees

• Partnerships

Today

• Team of 50+ SAP Experts and Project Managers

Mission

• Exceed client expectations by providing top-quality expertise

• Provide our people a safe environment for personal and professional growth

Strength

• Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains

Knowledge Management - Product & Service Development

SAP GRC Access Control

Already Implemented…

Analyze & Manage Risk functionality (Phase 1)

• Already used to monitor 4 productive backend systems

• Worldwide systems

• Dashboards used on a daily basis

• Merged 4 rulesets into one single ruleset, but still considering the specifics of each system

Emergency Access Management

• Was already set up, but in a limited way

• Extended the implementation to full scope, meaning:

  • Multiple FF-IDs per backend system

  • Specific authorizations per FF-ID

HR Triggers

Automatic creation of user-IDs

• IT 0105 / 0001 is the trigger

• An ABAP program on the backend system automatically creates:

  • The user-ID using the correct naming convention

  • The e-mail address with the correct naming

• Creation of an employee in the HRM system triggers the creation of a user-ID on SAP GRC

• From that moment on, the new user can start requesting access to other backend systems

Automatic termination of user-IDs

• Delimiting IT 0105 / 0001 is the trigger

• The accesses are automatically revoked on all backend systems

Position changes of employees

• Whenever an employee changes positions within HR, a role change request per system is triggered and sent to the user

• The current role assignments are automatically delimited to 30 days in the future

• The current role assignments are sent to the end user to:

  • Keep / remove existing role assignments

  • Add new roles for the new position

• Subsequent flow is identical to the regular PMU flow

Role Request Process (PMU)

Any user (worldwide) can request roles

• The end user is forced to run a risk analysis to create awareness

Supervisor approval

• Of the requester

• The risk analysis at this level is also mandatory

• The request cannot be approved with open risks

• The supervisor needs to:

  • Either remove risks

  • Or propose a mitigating control

Data owner approval

• The role owners need to give their approval as well

Plant Controller approval

• When (new) risks occur

• The Plant Controller needs to approve the risk mitigation

SBU Controller approval

• Final approval of mitigations

Mitigating control approval

• In case a new mitigating control is needed

• The request is routed towards the mitigating control administrator

Periodic Review Automation

User Access Reviews

• Most common periodic review

• Data / role owners are requested to review the role assignments

• In case the assignment needs to be revoked, the de-provisioning is performed automatically

Critical Access Reviews

• This type of review is risk based

• A specific ruleset with only critical access is used

• In case risks need to be removed, root cause analysis needs to determine what roles to remove

Mitigating Control Re-certification

• In this review the mitigations are reviewed

• To ensure that no invalid mitigations remain in the system

Benefits

Manual user administration and role provisioning are reduced to an absolute minimum

Communication between HR department and Entitlement team is automated in the system

The request and approval process is highly standardized and automated

Risk awareness is created throughout the company

Thank you!

Sigrid Conix, Global IT Security / Risk Management, Tenneco

+32 475 89 48 77, www.tenneco.com

Chris Walravens, GRC Community Lead, Expertum

+32 474 475 983, www.expertum.net