SAP GRC RISK ANALYSIS AND REMEDIATION

Overview

Upload: shiva-kumar

Post on 25-Oct-2015

AGENDA

• Introduction
• SAP GRC Access Control
• RAR Overview
• Informer tab
• Mitigation tab
• Rule Architect tab
• Configuration tab

INTRODUCTION

I like teaching and I'm a Microsoft Certified Trainer.

You can view my transcript by going to:

http://www.microsoft.com/learning/mcp/transcripts
• Transcript ID 685386
• Access Code 20131370

SAP GRC ACCESS CONTROL

• SAP GRC Access Control is a suite of capabilities that monitor, test, and enforce access and authorization controls across the enterprise.

• SAP GRC Access Control helps companies comply with regulatory mandates such as Sarbanes-Oxley.

• SAP GRC Access Control includes the following capabilities:
  • Risk Analysis and Remediation (RAR), formerly Virsa Compliance Calibrator
  • Compliant User Provisioning (CUP), formerly Virsa Access Enforcer
  • Enterprise Role Management (ERM), formerly Virsa Role Expert
  • Superuser Privilege Management (SPM), formerly Virsa Firefighter

SAP GRC ACCESS CONTROL Landscape

[Landscape diagram: the DEV GRC system hosts the GRC components RAR, CUP and SPM and is configured for ECC. Back-end clients shown: ECC Client 150, BI Client 100, ECC Client 220, DEV BW BI Client 200. Systems shown: DEV ECC, SYS TEST ECC, DEV BW, SYS TEST BW, System Test Portal, TEST2 OU.]

RISK ANALYSIS AND REMEDIATION

Risk Analysis and Remediation (RAR)

• RAR is used to manage SoD in the organization.
• RAR allows one to define risks for SoD, use controls to mitigate risks, and use alert messages.

RAR Application Menu

• Informer: contains various reports
• Rule Architect: defines rules for business-process SoD
• Mitigation: monitors identified risks for users, roles and profiles
• Alert Monitor: provides an overview of conflicting actions, critical actions and control monitoring
• Configuration: contains configuration settings

INFORMER

Informer includes the following types of reports:
• Management View
• Risk Analysis
• Audit Reports
• Security Reports

INFORMER Management View

Shows SoD information based on the information collected by the Management Report job, both as a graphical overview and in detailed reports.

• Risk Violations (Informer > Management View > Risk Violations): provides an overview of risk violations for all SAP applications
• User Analysis (Informer > Management View > User Analysis): shows SoD violations for a specific user group in a specific system
• Comparisons (Informer > Management View > Comparisons): shows the number of SoD violations per user or role per month or quarter in the interval
• Rule Library (Informer > Management View > Rule Library): shows an overview of the SoD rules for which risks have been identified
• Control Library (Informer > Management View > Control Library): shows how many mitigation controls have been set up

INFORMER Risk Analysis

• A risk is defined as two or more actions or permissions that, when available to a single user, role, or profile, create the possibility of error or irregularity.
• The Risk Analysis reports identify risks.
• When a risk is found in a report, it can be resolved (remediated) either by removing it or by applying a mitigating control.
• To identify the risks produced in the Risk Analysis reports, you need to know the combinations of actions and permissions that represent conflicts in your organization. These combinations are maintained in the Rule Architect tab.

INFORMER Risk Analysis reports

• Risk Analysis contains reports that show the users, roles, or HR objects whose access rights cause SoD to be violated.
• To get a report of all the users in NAD that have SoD issues, click User Level and search by user group NA00_ALL.
• Once you get the report, you can mitigate the risks from the report.
• The following report shows a high-level risk caused by the transactions ME22N and MIGO.
• To view the roles that grant these transactions, click the Display Detail Report button.
• The summary report shows that ME22N from the PO Processor role and MIGO from the GR Processor role are causing this SoD conflict.
• To mitigate this risk, click the risk description. On the Risk Resolution screen, select Mitigate Risk and click Continue. On the Risk Mitigation screen, specify the mitigation control and the mitigation monitor, then click Save to apply the mitigation.

MITIGATION Mitigation

• The Mitigation tab can be used to respond to SoD violations.
• Mitigation controls are required when it is not possible to segregate duties within the business process.
• The Mitigation tab contains the following key options:
  • Control Library
  • Administrators
  • Business Units
  • Mitigation Controls
  • Mitigation Monitors
  • Mitigated Users

MITIGATION Control Library

Provides an overview of the controls that have been established. The upper part of the report shows the number of controls set up.

MITIGATION Administrators

Administrator rights for managing controls must be configured before a mitigation can be applied

An administrator creates mitigation controls and assigns the mitigation monitor and the manager, who can approve the mitigation

You cannot delete an administrator who is assigned to a mitigating control, business unit, or other object.

MITIGATION Business Unit

All the controls in a business unit can be displayed by the business unit manager

MITIGATION Mitigation Control

Mitigation controls must be defined before they can be assigned to Users, Roles, or Profiles, to mitigate a Risk.

To define a mitigation control, a Mitigation Control ID, a Business Unit and the Management Approver who will approve the mitigation control are required.

All risk IDs associated with a control can be mitigated with one control

MITIGATION Creating a mitigation control

To create a mitigating control:

• Navigate to Mitigation > Mitigating Controls > Create. The Create Mitigating Controls screen opens.
• In the Mitigating Control ID field, enter a unique alphanumeric identification for the mitigating control.
• In the Short Description field, enter a short description for the mitigating control.
• In the Business Unit dropdown list, select a business unit. The dropdown list displays all business units that you previously created with the Business Units screen.
• In the Management Approver field, select the appropriate approver. The dropdown list displays the approvers that are associated with the business unit you entered in the preceding step.
• In the Associated Risks tab, choose the plus icon to add a risk ID to the mitigating control.
• In the Monitors tab, choose the plus icon to add monitors to the mitigating control. The dropdown list displays the monitors that are associated with the business unit.

RULE ARCHITECT Overview

• Rule Architect provides a comprehensive combination of functions and their associated rules for SoD.
• Rule Architect can be used to define the rules according to which SAP GRC Access Control identifies risks for SoD violations.

Rules: rules are established on an if-then principle. If an employee has authorization to create a vendor master record and to initiate payment of the vendor invoice, then this is a high risk.

Risk: a risk identifies functions that should be separated.

Function: a function is a combination of activities. In SAP terms, it is a collection of t-codes.

Activities: SAP transaction codes.

RULE ARCHITECT Risk Rule

[Diagram: Risk P059 is built from Function PR02 (Maintain Purchase Order) and Function PR04 (Approve Purchase Order). Each function lists its t-codes together with their authorization objects (ME21, ME21N, ME22, ME22N, ME28, ME2N, ... T-code n + Auth Object). Combining one action from each function yields the individual risk rules P059001, P059002, ... P05900n.]

RULE ARCHITECT Business Processes

In Risk Analysis and Remediation, business processes are attributes that you can use to categorize rules, functions, and risks

When the default rules are installed, the installation process automatically creates a default set of business processes

Business processes can be used to differentiate collections of objects. When a new risk is defined, a business process attribute for the risk is specified. This attribute creates an association between this risk and all other risks that share the same business process attribute

RULE ARCHITECT Risk Management

A risk identifies functions that should be separated.

Risk types:

• Segregation of Duties (SoD) risk: a combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability.

• Critical Action risk: certain actions are risky. Any employee who has permission to perform one of these actions automatically poses a risk. Defining a critical action risk ensures that any employee assigned this action is identified by the risk analysis process. You can define a critical action to include both the action and the corresponding permissions that allow the user to perform the critical action. This risk can have only one function.

• Critical Permission risk: defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned a potentially risky permission. You can use this feature if the permission has been enabled but has no actions. This risk can have only one function.

CONFIGURATION Configuration Overview

Configuration is required:
• after a new installation of Risk Analysis and Remediation
• after an upgrade of Risk Analysis and Remediation
• to conduct routine administrative tasks

Configuration can be used to:
• specify default settings for users who perform risk analysis with the Informer tab
• tune the system to optimize your usage and network environments
• determine how data is used in Risk Analysis and Remediation reports

Access the functions of the Configuration tab through its navigation menu.

• Options available under Risk Analysis on the Configuration tab (the slide groups them as follows):

Default Values: Default Report Type, Default Rule Set, Default Risk Level, Default User Type, Exclude Locked Users, Exclude Expired Users, Exclude Mitigated Risks

Performance Tuning: Batch Size for User Synchronization, RFC Time-out for Web Services / Threads, Number of Web Services Worker Threads, Number of Background Job Worker Threads

Additional Config Options: Consider Organizational Rules, Convert Users, Roles and Profiles to Upper Case, Ignore Critical Roles and Profiles, Enable Offline Risk Analysis, Show Composite Role in User Analysis, Use SoD Supplementary Table for Analysis

Mitigating Controls: Risk Maintenance, Mitigation Control Maintenance, Mitigation

CONFIGURATION Default Values

Default Report Type, Default Risk Level, Default User Type, Exclude Locked Users, Exclude Expired Users

CONFIGURATION Connectors for Risk Analysis and Remediation

Each client requires a separate JCo connection to be connected to RAR.

CONFIGURATION Logical Systems

A logical system is two or more physical systems grouped together to allow you to maintain rules against one system grouping instead of each physical system. Logical systems reduce the time and system resources required to maintain rule sets by avoiding identical rule sets for multiple systems.

CONFIGURATION Background Jobs

Background Jobs can be used to schedule synchronization with back-end systems, batch risk analyses, generation of management reports, and generation of alerts.

User/Role/Profile Synchronization: this background job pulls the user data (user IDs and user names) and the role and profile data (technical role/profile names) from the selected back-end systems and stores them.

Batch Risk Analysis: this job performs SoD risk analysis on the users/roles/profiles stored in the system. During the execution of batch risk analysis for users, the application selects one user from the database, fetches the actions/authorizations of the user from the back-end system and performs risk analysis using the rules stored in Access Control. The resulting SoD violations are stored. Access Control then selects the next user and repeats the steps above for that user. The batch risk analysis jobs for roles and profiles follow similar steps.

Management Report: this job uses the results of the batch risk analysis job to abstract the high-level data presented in graphical form in the Informer tab.
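The following Python model is an added example written for this page, not SAP's implementation. It ties together the Rule Architect diagram (risk P059 built from functions PR02 and PR04, expanded into rules P059001, P059002, ...), the Informer walkthrough (user group NA00_ALL, ME22N from the PO Processor role conflicting with MIGO from the GR Processor role, and the detail report naming the roles), the Mitigation rule that a control only mitigates the risk IDs associated with it and needs a monitor, the Exclude Locked Users / Exclude Mitigated Risks configuration options, and the one-user-at-a-time loop of the Batch Risk Analysis job. P059, PR02, PR04, the ME22N/MIGO pair and NA00_ALL come from the slides; the risk IDs P001 and B001, the functions GR01 and BS01, the authorization objects, the users, roles, business unit, approver, monitor and control C001 are all constructed for illustration.

```python
"""Toy model of RAR rule generation and user-level batch risk analysis.
Added example, not SAP code. Risk P059 with functions PR02/PR04 and the
ME22N/MIGO conflict come from the slides; every other ID, role, user,
authorization object and control below is constructed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Function:
    """A collection of actions (t-codes); each action carries the authorization
    objects that a permission-level analysis also requires."""
    id: str
    description: str
    actions: Dict[str, FrozenSet[str]]


@dataclass
class Risk:
    id: str
    level: str
    functions: Tuple[Function, ...]  # SoD risk: 2+ functions; critical action risk: exactly 1


@dataclass
class User:
    id: str
    user_group: str
    locked: bool
    roles: Dict[str, Set[str]]  # role name -> t-codes and authorization objects it grants


@dataclass
class MitigatingControl:
    id: str
    business_unit: str
    approver: str
    associated_risks: Set[str]
    monitors: Set[str]


def build_rules(risk: Risk) -> Dict[str, Tuple[str, ...]]:
    """Expand a risk into risk rules: one rule per combination of one action
    from each function, numbered P059001, P059002, ... as in Rule Architect."""
    combos = product(*(sorted(f.actions) for f in risk.functions))
    return {f"{risk.id}{n:03d}": combo for n, combo in enumerate(combos, start=1)}


def assign_mitigation(mitigations: Dict[Tuple[str, str], str],
                      control: MitigatingControl, user_id: str, risk_id: str) -> None:
    """A control can only mitigate the risk IDs associated with it, and needs a monitor."""
    if risk_id not in control.associated_risks:
        raise ValueError(f"control {control.id} is not associated with risk {risk_id}")
    if not control.monitors:
        raise ValueError(f"control {control.id} has no mitigation monitor")
    mitigations[(user_id, risk_id)] = control.id


def analyze_users(users: List[User], risks: List[Risk], mitigations: Dict[Tuple[str, str], str],
                  *, user_group: Optional[str] = None, exclude_locked: bool = True,
                  exclude_mitigated: bool = True) -> List[Tuple[str, str, str, str, Dict[str, List[str]]]]:
    """Batch risk analysis: take one user at a time, resolve the authorizations granted by
    all roles, test every rule. Returns (user, risk, rule, level, {action: roles granting it}),
    i.e. the detail that the Informer 'Display Detail Report' shows."""
    required = {(r.id, a): auth for r in risks for f in r.functions for a, auth in f.actions.items()}
    violations = []
    for user in users:
        if user_group is not None and user.user_group != user_group:
            continue
        if exclude_locked and user.locked:
            continue
        granted: Set[str] = set().union(*user.roles.values())
        for risk in risks:
            if exclude_mitigated and (user.id, risk.id) in mitigations:
                continue
            for rule_id, actions in build_rules(risk).items():
                # a rule fires only if every action AND its authorization objects are granted
                if all(({a} | required[(risk.id, a)]) <= granted for a in actions):
                    detail = {a: sorted(r for r, auths in user.roles.items() if a in auths)
                              for a in actions}
                    violations.append((user.id, risk.id, rule_id, risk.level, detail))
    return violations


# --- constructed sample data (IDs, roles and auth objects are illustrative) ---
PR02 = Function("PR02", "Maintain Purchase Order",
                {"ME21N": frozenset({"M_BEST_BSA"}), "ME22N": frozenset({"M_BEST_BSA"})})
PR04 = Function("PR04", "Approve Purchase Order", {"ME28": frozenset({"M_EINK_FRG"})})
GR01 = Function("GR01", "Post Goods Receipt", {"MIGO": frozenset({"M_MSEG_BWE"})})
BS01 = Function("BS01", "Maintain client settings", {"SCC4": frozenset({"S_TABU_DIS"})})
RISKS = [
    Risk("P059", "High", (PR02, PR04)),   # SoD risk from the slides
    Risk("P001", "High", (PR02, GR01)),   # constructed ID for the slides' ME22N/MIGO conflict
    Risk("B001", "Critical", (BS01,)),    # critical action risk: a single function
]
PO_PROC = {"ME21N", "ME22N", "M_BEST_BSA"}
USERS = [
    User("JDOE", "NA00_ALL", False, {"PO_PROCESSOR": set(PO_PROC), "GR_PROCESSOR": {"MIGO", "M_MSEG_BWE"}}),
    User("ASMITH", "NA00_ALL", False, {"PO_PROCESSOR": set(PO_PROC), "PO_APPROVER": {"ME28", "M_EINK_FRG"}}),
    User("LOCKED1", "NA00_ALL", True, {"PO_PROCESSOR": set(PO_PROC), "PO_APPROVER": {"ME28", "M_EINK_FRG"}}),
    User("BOB", "EU00_ALL", False, {"BASIS_ADMIN": {"SCC4", "S_TABU_DIS"}}),
]
C001 = MitigatingControl("C001", "NAD", "MGR1", {"P059"}, {"AUDIT1"})
MITIGATIONS: Dict[Tuple[str, str], str] = {}
assign_mitigation(MITIGATIONS, C001, "ASMITH", "P059")  # approved and monitored, so excluded below

if __name__ == "__main__":
    for v in analyze_users(USERS, RISKS, MITIGATIONS, user_group="NA00_ALL"):
        print(v)
```

Run as-is, the report for NA00_ALL lists only JDOE, twice (rules P001001 and P001002, i.e. ME21N/MIGO and ME22N/MIGO), with the detail naming PO_PROCESSOR and GR_PROCESSOR; ASMITH's P059 conflict is real but mitigated, and LOCKED1 is dropped by the exclude-locked default. Flipping `exclude_mitigated` or `exclude_locked` to False brings those users back, which is exactly why auditors usually ask for a run with both exclusions off before trusting a clean Management View. Attempting to cover JDOE's P001 conflict with C001 raises, because C001 is only associated with P059.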