Padmanabha
4/23/2012
TABLE OF CONTENTS
SAP GRC Overview ....................................................................................... 8
SAP GRC Architecture .................................................................................. 9
GRC Application Landscape ........................................................................ 12
ASAP Methodology ..................................................................................... 30
Deliverables ............................................................................................... 31
Page 2 of 32
1 Introduction
Corporate governance issues have dominated the agendas of C-level executives at large corporations. With the acquisition and rapid integration of Virsa in the SoD and Access Control space, SAP has an evolved GRC offering that has been proven over many years of real-world experience and industry-specific deployments. In addition, SAP's recent partnership with Cisco attests to the company's dedication to providing comprehensive risk protection, from the network layer to the application layer. With the introduction of SAP GRC Repository, SAP GRC Process Control, SAP GRC Risk Management, SAP GRC Global Trade Services (GTS) and SAP Environment, Health & Safety (EH&S), SAP clearly offers the most compelling, comprehensive portfolio of GRC solutions available today. Equally important, these applications are built on the NetWeaver platform, making them among the first service-oriented architecture (SOA)-based GRC solutions.
The current scope of this document is to describe in brief the Approach Note and the high-level technical approach for the SAP GRC Access Control (AC 5.3) implementation. Based on industry best practices and SAP guidelines, the GRC Access Control implementation shall be rolled out to meet the business needs and compliance requirements.
1.1
SAP GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk and better business performance. Its main components include:
- Risk Analysis and Remediation, which supports real-time compliance to detect, remove and prevent access and authorization risk by preventing security and control violations before they occur.
- Compliant User Provisioning, which automates provisioning, tests for SoD risks and streamlines approvals to the appropriate business approvers to unburden IT staff and provide a complete history of user access.
- Enterprise Role Management, which standardizes and centralizes role creation and maintenance.
SAP GRC solutions help companies comply with the Sarbanes-Oxley Act and other regulatory mandates by enabling organizations to rapidly identify and remove authorization risks from IT systems. Access Control allows preventive controls to be embedded into business processes to identify and prevent future SoD violations from being introduced without proper approval and mitigation.
The SAP GRC Access Control module provides the following functionality:
- Analyze, detect and provide means for remediating access and authorization controls in real time and with simulation
SAP GRC Access Control provides the following key features and benefits:
- An automated SAP security audit and Segregation of Duties (SoD) analysis product
- Mitigation controls
- Cross-enterprise analysis
1.2
Page 5 of 32
1.3
Compliance Issues
Change management
Hence, present corporate governance laws demand a high level of transparency and accountability in the disclosure of a company's financial statements.
To overcome these issues, the implemented SAP GRC Access Control would provide this GRC transparency:
Login to the SAP client is not required to access Risk Analysis and Remediation.
3.1
The central component of SAP GRC Access Control connects to multiple enterprise software systems. The adapter framework provides a common runtime environment for the risk analysis of different ERP systems. The real-time adapter (RTA) is the back-end counterpart that resides on the target systems. Together they provide real-time connectivity between SAP solutions for GRC and the back-end system, providing real-time compliance around the clock to detect, remove and prevent control violations before they occur.
3.2
GRC Landscape
At a minimum, as per industry best practice, SAP GRC Access Control has to be deployed as a two-system landscape with DEV/QA and PROD. SAP GRC AC has to be installed initially in the DEV/QA environment on SAP NetWeaver (Web Application Server 700 SP10 or above, with the Java/J2EE stack); Java Runtime Environment (JRE) version 1.4.x is the software requirement, on Windows 2000 / 2000 Advanced Server / 2003 Server (Standard/Enterprise/Web) or Linux/Unix-based servers. The other pre-installation checklist items are: an SAP database exists, the User Management Engine (UME) is installed and configured, and the memory settings for the SAP 700 Web Application Server (WAS) are configured.
GRC AC post-installation configuration includes: creating the Administrator role, assigning the Administrator role to the Administrator user, choosing the language setting, and connecting the stand-alone J2EE system to the remote SAP server.
This makes SAP GRC Access Control ready for configuration and implementation to begin. SAP GRC Access Control installation can be done by the in-house Web AS (Basis) team or as part of the GRC implementation.
SAP GRC Access Control component configurations are deployed on the DEV/QA system. A Sandbox system can also be deployed for the pilot and for the implementation baseline across the enterprise-wide GRC functionalities. Based on these configurations, the GRC AC configurations are replicated for development, testing and QA in the DEV/QA environment, and these configurations are then transported to the PROD system environment in the Final Preparation phase.
5.2 Supported RTA
Supported RTA R/3 versions are 4.6c, NW2004 or ECC 5.0, and NW 7.0 or ECC 6.0.
Optional: BI 7.0 and EP 7.0.
The following table indicates the minimum SP level required for the back-end system (RTA) with the corresponding SAP Note numbers. The RTA for the latest Access Control release (AC10) can be installed on any SAP system as long as it meets the support package prerequisites for the SAP ABAP and BASIS stacks indicated in the table (SAP_ABA and SAP_BASIS).
5.3 Hardware Requirements
6 Implementation Methodology
As defined, the project methodology spans Analysis, Design, Build, Test and Deliver. Along similar lines, SAP GRC AC has a standard implementation methodology based on the ASAP Methodology, spanning Get Clean, Stay Clean and Stay in Control for the various components.
6.1 Implementation Phases
Risk Analysis and Remediation (Compliance Calibrator) implementation is typically broken down into these six distinct phases:
- Risk Recognition
- Analysis
- Remediation
- Mitigation
6.2 Risk Analysis and Remediation
RAR Implementation Approach: GRC Access Control Risk Analysis and Remediation is implemented as defined in the standard SoD management process, carried across the phases from risk definition to remediation and mitigation, leading to an SoD-clean state.
In GRC Risk Analysis and Remediation, Security owns the SoD process and acts as a facilitator. The Business Process Owners are responsible for managing the risks and designing alternate controls when segregation of duties cannot be achieved. Once the risks are defined, Business Process Analysts provide the technical knowledge to ensure that the appropriate transactions and related objects and field values are defined. Business Process Owners also own the responsibility for approving actions taken to rectify SoD issues inherent in roles and for mitigating users.
The audit department takes ownership and responsibility for conducting audits to discover segregation-of-duties issues and for testing the mitigating controls implemented by business process owners. The SoD rule keeper is responsible for controlling the rules in security, and the SAP Security administrator is segregated from the SoD duties and owns the security administration activities.
The following diagram depicts the high level solution approach of Risk Analysis and Remediation:
6.3 Enterprise Role Management
Enterprise Role Management is a web-based application that automates the creation and management of role definitions. Role Expert enforces best practices to ensure that role definition, development, testing and maintenance are consistent across the entire implementation, resulting in lower ongoing maintenance and painless knowledge transfer.
Enterprise Role Management empowers SAP security administrators and role owners to document important role information that can be of great value for better role management, such as:
- Maintaining roles after they are generated to keep role information current.
Enterprise Role Management has a rich set of reports to facilitate overall role quality management and provide valuable information to achieve precise role definitions and lower ongoing role maintenance. Role Expert provides reports which make the identification of risks surrounding the segregation of duties a painless process, and ensures that you get the most out of the SAP security system.
Enterprise Role Management Implementation Approach: Enterprise Role Management is implemented to automate the creation and management of roles. It is configured to ensure that role definition, development, testing and maintenance are carried out in a consistent manner across the entire system landscape. With the Enterprise Role Management tool, role maintenance is optimized and made compliant with all regulatory requirements; it also makes role re-design and remediation easy. With optimal utilization of the tool, role re-design and cleaning of roles (get clean) is achieved, and on-going roles are provisioned into the back-end systems (stay in control).
The following diagram depicts the high-level role automation in Enterprise Role Management:
6.4 Compliant User Provisioning
Compliant User Provisioning workflows shall be configured to be triggered automatically by events such as new user creation or a role change. The dynamic workflow provisions the actions directly into multiple systems. Compliant User Provisioning will be configured to allow business users to perform the provisioning activities without any involvement of IT or application security personnel, while facilitating pro-active SoD analysis.
End-to-end automation means that sequences can be triggered automatically based on events such as a new employee hire or a job change, then processed through a dynamic workflow and finally provisioned directly into multiple systems. These steps can be performed by business users without any involvement of IT or application security personnel.
The following diagram depicts the high-level workflow of Compliant User Provisioning:
6.5 Super User Privilege Management
Super User Privilege Management (Firefighter) will be configured to automate emergency change requests, such as access to SAP_ALL in the production system, so that they are carried out in a consistent, secure and compliant manner. Automation will be enabled to cover all aspects of firefighting, from setting up Firefighter IDs, users, owners and approvers for those Firefighter IDs to automatic logons, owner notifications, activity logging and related monitoring and administration activities.
The following diagram depicts the usage of an emergency request for Super User Privilege Management:
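As an added illustration (not code from this document or from the SAP product) of the log review that the owner notifications and activity logging above feed, the following Python models Firefighter ID ownership, approved users with a validity window, reason codes and a critical-transaction list, and runs them over a constructed session log; all IDs, user names, transaction codes and dates are constructed for the example.

```python
# Added example, not from the document: a review pass over constructed Firefighter
# session records, modelled on the SPM controls described above (Firefighter IDs,
# owners, approved users with a validity window, reason codes and an activity log).
from datetime import datetime

# Firefighter IDs, their owners and the users approved to use them (constructed).
FIREFIGHTER_IDS = {
    "FF_FINANCE_01": {"owner": "CTRL_OWNER_A",
                      "approved": {"JDOE": ("2012-04-01", "2012-04-30")}},
}
# Transactions whose execution under a Firefighter ID the owner must review explicitly.
CRITICAL_TCODES = {"SU01", "PFCG", "SE38"}
# Constructed session log, one transaction per line: timestamp|ffid|user|tcode|reason
SESSION_LOG = """\
2012-04-10T09:15:00|FF_FINANCE_01|JDOE|F110|INC-1001
2012-04-10T09:20:00|FF_FINANCE_01|JDOE|SU01|INC-1001
2012-04-12T14:02:00|FF_FINANCE_01|ASMITH|FB60|INC-1007
2012-05-03T08:45:00|FF_FINANCE_01|JDOE|F110|
"""

def parse_log(text):
    """Split the pipe-delimited log into dicts with a parsed timestamp."""
    rows = []
    for line in text.splitlines():
        ts, ffid, user, tcode, reason = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "ffid": ffid,
                     "user": user, "tcode": tcode, "reason": reason})
    return rows

def review(rows, ffids=FIREFIGHTER_IDS, critical=CRITICAL_TCODES):
    """Findings per (ffid, user) that the Firefighter ID owner needs to act on."""
    findings = {}
    for r in rows:
        issues = findings.setdefault((r["ffid"], r["user"]), set())
        cfg = ffids.get(r["ffid"])
        window = cfg["approved"].get(r["user"]) if cfg else None
        if window is None:
            issues.add("user is not an approved firefighter for this ID")
        else:
            start, end = (datetime.fromisoformat(d) for d in window)
            # the validity end date is inclusive, so compare against its last second
            if not start <= r["ts"] <= end.replace(hour=23, minute=59, second=59):
                issues.add("activity outside the approved validity window")
        if not r["reason"]:
            issues.add("logon without a reason code")
        if r["tcode"] in critical:
            issues.add(f"critical transaction {r['tcode']} executed")
    return {k: v for k, v in findings.items() if v}

def owner_notifications(findings, ffids=FIREFIGHTER_IDS):
    """(owner, user, issues) tuples to send to each Firefighter ID owner."""
    return [(ffids[ffid]["owner"], user, sorted(issues))
            for (ffid, user), issues in findings.items() if ffid in ffids]

if __name__ == "__main__":
    print(owner_notifications(review(parse_log(SESSION_LOG))))
```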
6.6
6.7
reviews. At a high level, management oversight should include a review of the following key areas:
- Potential risks (i.e. find users who have authorized access to conflicting business functions but have not necessarily executed these transactions)
- Actual risks (i.e. determine through transaction monitoring whether users have actually run transactions that constitute an access violation)
Internal Audit - Likewise, auditors periodically need effective and comprehensive audit information to verify that management follows policy. Typically, auditors will validate that all access has been properly approved and that mitigations are effective.
SAP GRC Access Control supports both target audiences with an unprecedented level of ease, effectiveness and comprehensiveness.
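To make the potential-versus-actual distinction above concrete, here is an added Python model (not code from this document or from SAP GRC) of the analysis that Risk Analysis and Remediation performs: risks as pairs of conflicting business functions, users reaching transactions through roles, a usage log that turns potential risks into actual ones, mitigating controls assigned by a business process owner, and the pre-provisioning simulation that Compliant User Provisioning runs before approval. All function names, roles, users and transaction codes are constructed for the example.

```python
# Added example, not from the document: a minimal model of the SoD analysis that
# Risk Analysis and Remediation performs; all data below is constructed sample data.
# A business function is a named set of transaction codes; a risk is a pair of
# conflicting functions. Function names and codes are constructed for this example.
FUNCTIONS = {
    "Vendor Maintenance": {"FK01", "FK02", "XK01"},
    "Invoice Posting": {"FB60", "MIRO"},
    "Payment Run": {"F110"},
}
RISKS = {
    "P001": ("Vendor Maintenance", "Payment Run"),  # create a vendor and pay it
    "P002": ("Invoice Posting", "Payment Run"),     # post an invoice and pay it
}
# Role -> transactions granted, and user -> roles assigned (the provisioning view).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FB60"},
    "Z_AP_PAYMENTS": {"F110"},
}
USERS = {
    "JDOE": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "ASMITH": ["Z_AP_CLERK"],
    "BLEE": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
}
# Mitigating controls a business process owner has assigned to (user, risk) pairs.
MITIGATIONS = {("BLEE", "P001"), ("BLEE", "P002")}
# Constructed transaction-usage log: (user, transaction code executed).
TX_LOG = [("JDOE", "FK01"), ("JDOE", "F110"), ("BLEE", "F110"), ("ASMITH", "FB60")]

def user_tcodes(user):
    """All transactions a user can reach through the roles assigned."""
    return set().union(*(ROLES[r] for r in USERS[user]))

def risks_for(reach):
    """Risk IDs whose two conflicting functions are both reachable from `reach`."""
    return {rid for rid, (f1, f2) in RISKS.items()
            if reach & FUNCTIONS[f1] and reach & FUNCTIONS[f2]}

def potential_risks(user):
    """Potential risk: user is authorized for both sides of a conflict, executed or not."""
    return risks_for(user_tcodes(user))

def actual_risks(user, log=TX_LOG):
    """Actual risk: the usage log shows transactions from both conflicting functions."""
    used = {t for u, t in log if u == user}
    return risks_for(used) & potential_risks(user)

def unmitigated(user):
    """Potential risks with no mitigating control assigned: the remediation backlog."""
    return {rid for rid in potential_risks(user) if (user, rid) not in MITIGATIONS}

def simulate_assignment(user, role):
    """New risks a provisioning request would introduce, evaluated before approval."""
    return risks_for(user_tcodes(user) | ROLES[role]) - potential_risks(user)

if __name__ == "__main__":
    print({u: sorted(unmitigated(u)) for u in USERS})
```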
6.8 Implementation Approach
A typical approach to implementing GRC is phased, with selected components, focusing on regional implementations and pilots of selected functional modules for risk analysis and remediation. Implementation based out of a centralized location, with core team participation from all business units and locations, is sought for a centralized GRC tool implementation.
The typical activities spanned in the implementation/roll-outs across the regions are:
As per industry best practice, it is advised to conduct end-user training on the Train-the-Trainer concept. The core team trained at the implementation stage can then conduct end-user training internally within the organization.
6.9
- Proactive compliance: prevent SoD issues created by role development from ever making it live in production.
- Real-time risk reduction: detailed analysis of SoDs and automated monitoring gives data owners, administrators and auditors transparency of risk levels.
- Reduced compliance costs: through automation the analysis is complete and accurate and keeps the environment continuously clean; this saves time tracking down issues retrospectively.
- User administration with integrated risk analysis and mitigation keeps the system clean.
- Provides simulation against the production system for risk analysis before changes are provisioned.
- Flexible configuration of multiple workflow paths and workflow triggers based on request type.
- Integrated with the enterprise portal, providing authentication from a wide range of sources, including single sign-on, LDAP, SAP and non-SAP systems.
- Tracking progress during role implementation and monitoring the overall quality of the implementation.
- Efficient and effective super user privilege management, with tracking of all activity.
- Allows personnel to take responsibility for tasks outside their normal job function. Firefighter describes the ability to perform tasks in emergency situations.
- Enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.
- Temporarily redefines the IDs of users assigned to solve a problem, giving them provisionally broad but regulated access. There is complete visibility and transparency of everything done during the period.
8 ASAP Methodology
The ASAP Methodology is SAP's proven implementation methodology, spread over five phases in the execution model of the GRC implementation. Phase 0 (base-lining), prior to the Initial Preparation or Project Preparation phase, is to set the strategy for the GRC roadmap for its effective usage and utilization. In this phase, pro-active involvement in the SAP systems is required for role design, SoD analysis and violations, re-establishing security policies and procedures for the compliance requirements, and controls rationalization for the best assurance of SOX and other compliance requirements.
An internal tool has been developed to address all kinds of SAP project execution, aligned to the best practices of CMMi level 5, ISO 9001/27001 and ITIL standards. Projects are managed, monitored and tracked against best-of-breed and industry standards using the custom tool's capabilities.
9 Deliverables
High Level deliverables of a typical SAP GRC AC Implementation are:
- Installation and training:
  - Product overview training on SAP GRC Access Control (SAP GRC AC)
  - Initial configuration of GRC Access Control
- Risk Analysis and Remediation (Compliance Calibrator):
  - Developing the company-specific rules in the DEV/QA server (pilot with sample rules)
  - Risk analysis and remediation for all standard business processes in DEV/QA
  - Validation workshop on the configured rule sets with the BPO / IA team, and modifications to them as per the needs of the business
- Super User Privilege Management (Firefighter)
- Enterprise Role Management Systems (Role Expert)
- Compliant User Provisioning (Access Enforcer):
  - Upload user masters and role assignments into Compliant User Provisioning
- UAT
- Reporting:
  - Super User Privilege Management reports for all log reviews and firefighter activities
- Training:
  - Training the trainers on RAR rule building and reporting, remediation, mitigation and alerts
  - Performing and demonstrating remediation of identified non-acceptable roles and user violations
  - Performing and demonstrating the setting up of mitigation controls and alerts for identified acceptable violations
  - Training the trainers for end users upon request, and handholding support
  - Workflows and administration of Compliant User Provisioning (CUP) and Enterprise Role Management (ERM)
  - Administration and monitoring of Super User Privilege Management (SPM) reports for log reviews and firefighter activity monitoring
- Installation / PROD preparation:
  - Exporting / uploading the configuration, company-specific rules, roles and users into SAP GRC Access Control on the PRD server; data migration / cutover and UAT
- GO LIVE