
Post on 12-Jan-2016


COCA-COLA: Standardization and Optimization of SAP Security Through the Use of SAP GRC Access Controls

Greg Capps – The Coca-Cola Company

Matthew Gantner - PwC


Real Experience. Real Advantage.


Learning Points

The existing environment: Where we were

The Coca-Cola Role Design: What we did

Integrating the new role design with GRC 10 Access Control: To GRC 10 and beyond!


Return on Investment

How to identify actual transaction usage

Overview of different role concepts

GRC 10 Master Data Requirements and Configuration


Best Practices

Default Authorizations

Notify SAP

Test Transactions Stand Alone


The Existing Environment: Where we were

11 ABAP Landscapes (ECC (4-ERP, MDM, HR, Treasury), BW, xAPPS, SRM, CRM, SCM, NFE, Sol Man, etc.)

4 JAVA Landscapes (NWDI, Portal, MDM, etc)

50,000+ transactions assigned to roles

11,000+ roles

25,000+ users with multiple role assignments


Determining Scope for Role Design

Analysis of transactions used in production

Exported transactional usage from systems

Lesson Learned: Not every transaction used is in scope

Transactions executed a few times by mistake

Users transitioned from old position to new position

Business process changed to use a different transaction, but old transactions never removed from existing roles


Role Design Decisions

Position Based Security

Shipping Clerk

A/P Processor

G/L Accountant

Business Process Based Security

Create/Maintain Vendor Master

Create/Maintain Inventory

Derived roles versus Organizational roles


The Business Decision

Activity-based process roles: What Roles

Organizational authorization roles: Where Roles


How do you change 25000 users with limited risk?

Use statistical data to identify transactions used

Test all transactions individually

Utilize business users to validate testing

Map users to new roles using statistical data

Coordinate with managers to review user assignments


GRC 10


Key Learnings

Testing every transaction individually to limit risk


Thank you for participating.


Please remember to complete and return your evaluation form following this session.

For ongoing education on this area of focus, visit the Year-Round Community page at www.asug.com/yrc