AC 10.0 Enhanced Access Risk Analysis
Customer Solution Adoption
June 2011
Version 2.0
Purpose of this document
This document describes the major enhancements to the access risk
analysis capability of GRC, including end user customization and
personalization. It covers how to navigate the different reports and describes
new functionality such as bulk maintenance, automation, audit trail, and
mitigation options.
© 2011 SAP AG. All rights reserved. 3
Agenda
Introduction
Rule Set Maintenance
New Risk Analysis Framework
System Specific Mitigation
Mass Mitigation
Approval Process for Functions
Additional Audit Trail Tracking
Introduction
• Enhanced Access Risk Analysis Overview
Enhanced Access Risk Analysis Overview
Enhances the leading access analysis engine with an intuitive interface that supports end
user customization and personalization. New bulk maintenance, automation, audit trail, and
mitigation options enable a faster and more efficient path to compliance.
Solution Enhancements
• New interface allows targeted risk analysis as well as importing, editing, and reusing
analysis criteria
• New ability to customize and personalize access risk results
• Enables Business Role and CUA composite role risk analysis
• New ability to mitigate by system and by access rule ID
• New support for mass mitigation, including assignment and maintenance with bulk updates
• New function maintenance workflow
• Enhanced Audit Trail
Key Benefits
• More efficient, flexible access risk analysis options and improved ability to analyze
results
• Faster deployments and easier data maintenance over time
• Reduce broad application of controls
• Ability to repurpose workflows, including routing and escalation logic, by utilizing
the standardized workflow engine
Rule Set Maintenance
• Overview
• Maintaining Rules
• User Interface Elements
Rule Set Maintenance Overview
Rule Set Maintenance:
• Consistent user experience throughout the
application
• Ability to filter and sort reports listing rule sets,
functions and risks
• Ability to hide and rearrange columns listing rule
sets, functions and risks
Maintaining Rules: Rule Setup
Navigate to Access Rule Maintenance for creation and maintenance of rules
Maintaining Rules: Function
Select Function to create or
maintain the function with actions
and permissions
Change History tab available
Maintaining Rules: Function Mass Maintenance
Streamlined user interface with step by step process
Maintaining Rules: Risk
Select Access Risk to create or maintain the risk
Change History available
Maintaining Rules: Generate Rules
The Generate Rules button in the Function and Risk menu bar is available to
update the rules in either Foreground or Background
User Interface Elements: Filtering
The query result set can be filtered
User Interface Elements: Sorting
A column can be sorted in ascending or descending order by clicking the column
name
User Interface Elements: Hide and Rearrange Columns
Columns can be hidden and the sequence can be changed
User Interface Elements: Rearrange Columns
The Sorting, Calculation, Filter, Display, and Print Settings can be maintained and
saved as a user-specific view
User Interface Elements: User Query and Personalization
Streamlined user interface with step by
step process to define a new query
User Personalization available to define
the default view
User Interface Elements: User Help
Quick user help or field help can be displayed with the right mouse button
New Risk Analysis Framework
• Overview and Benefits
• Conditions
• Multiple Risk Analysis Types
• Multiple Selections and File Upload
• Report Options
Risk Analysis Framework: Overview and Benefits
New risk analysis framework includes:
• Different conditions can be configured and combined
• Multiple risk analysis reports can be run at the same time
• Multiple selections can be imported from a file
• Drill-downs available across the reports
• Columns in the report can be hidden and rearranged
• Reports provide transaction execution data
• Crystal and PDF reports available
• The reports can be sorted by any column
The new risk analysis framework provides the following benefits:
• Provides a consistent interface with other GRC modules
• Faster report processing by including only the information required by the users
• Saves users time by allowing them to import report variables from files
Risk Analysis Framework: Conditions
Conditions can be added and removed as required.
Multiple operators are provided depending on the condition.
Risk Analysis Framework: Multiple Risk Analysis Types
When executing a risk analysis, it is now possible to perform multiple risk analysis
types at the same time
Risk Analysis Framework: Multiple Selections and File Upload
When a condition is switched to multiple selections, a new window can be launched.
This allows not only multiple selections but also uploading values from a text file.
Risk Analysis Framework: Large Reports and Result Sets
When a report is too large it is split into several “Result Sets”. This allows
exporting it as multiple files, avoiding file size restrictions and providing better
memory management.
Risk Analysis Framework: Report Settings
Filter and Settings are available to customize and search the Result Set. Users can
choose which columns they want to see, and sorting controls are also available
Risk Analysis Framework: New Columns, Last Executed On and Execution Count
You can now see in the risk analysis results how many times and when the
transaction was last executed
Risk Analysis Framework: Drill-down on Reports
In the access risk analysis reports it is now possible to drill down on the User IDs and
Access Risk IDs.
Risk Analysis Framework: Drill-down on Risk Definitions
It is possible to drill down on the functions and on the user ID that modified a risk
Risk Analysis Framework: Crystal Reports
Reports can now be shown as Crystal Reports. No additional software is required on
the server, but the clients must install the Crystal Reports Adapter.
Risk Analysis Framework: Export to PDF
Users can create a PDF version of the reports by clicking on the Print Version button.
This functionality requires an Adobe Document Services instance in the GRC
landscape.
System Specific Mitigation
• Overview and Benefits
• Assigning a Mitigating Control
• Listing mitigating controls
System Specific Mitigation: Overview and Benefits
System Specific Mitigation
• Allows assigning a mitigating control to
specific systems
• Multiple systems can be chosen while
assigning a mitigating control
Benefits of this feature include:
• Less complexity while defining risks and
assigning mitigating controls due to an
easy interface for assigning controls to
multiple systems.
• More flexibility in deciding which risks are
mitigated on specific systems
Assigning a Mitigating Control: User
When assigning a mitigating control to a user, it is possible to select multiple systems
Assigning a Mitigating Control: Role
This also applies for all other types of mitigations, as shown here on the Mitigated
Roles screen.
Listing Mitigating Controls: Reporting
The System column will show on which systems the respective mitigating control has
been assigned.
Mass Mitigation
• Overview and Benefits
• Assigning a Mitigating Control to Multiple Risks
Mass Mitigation: Overview and Benefits
Mass Mitigation:
• While viewing an access risk analysis report, multiple
risks can now be mitigated at once
Benefits of this feature include:
• Speed up the mitigation process by assigning multiple
mitigations in a single step
• Improve mitigating control quality; fewer steps to
mitigate multiple risks means fewer potential errors
introduced by the user.
Assigning Mitigating Controls: Multiple Risk Selection
• Every access risk analysis report
provides a button for mitigating
risks; simply select multiple entries
and click the Mitigate Risk button
• A single mitigating control can be
assigned to all selected risks.
Assigning Mitigating Controls: Control Parameters
After clicking Mitigate Risk, any control already assigned to the risk ID is auto-populated.
The control can be replaced by clicking in the Control ID field and searching the available
controls, or by creating a new control with the Create Control button
Assigning Mitigating Controls: Validity Periods
You can update the status and validity periods for multiple control assignments by
selecting one or many rows and selecting the Status or Validity Period buttons. (mass
update to validity period shown)
Assigning Mitigating Controls: System and Rule ID Selection
Mitigation can be done at the access rule ID level or at the system level. Enter * to mitigate
across all systems and all rule IDs.
Select a row and click View Details to see additional details about the assigned Control
(long, short description, assigned risks, monitor, and so on)
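As an added illustration (not SAP's code) of the scoping described above: an assignment is matched by user and risk, then by system and access rule ID, where * matches everything, and it only counts while its status is Active and the analysis date falls inside its validity period. The connector IDs, rule IDs, control IDs and sample violations are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not SAP code: how a mitigating-control assignment scoped by
# system and access rule ID ("*" = all) with a validity period suppresses a
# reported violation. Names, IDs and sample data are constructed.

@dataclass(frozen=True)
class Violation:
    user: str
    system: str
    risk_id: str
    rule_id: str

@dataclass(frozen=True)
class ControlAssignment:
    user: str
    control_id: str
    risk_id: str
    system: str          # one connector ID or "*" for all systems
    rule_id: str         # one access rule ID or "*" for all rules of the risk
    valid_from: date
    valid_to: date
    status: str = "Active"

def _matches(pattern, value):
    return pattern == "*" or pattern == value

def is_mitigated(v, assignments, on_day):
    """True if an active, in-period assignment covers this violation."""
    for a in assignments:
        if a.user != v.user or a.risk_id != v.risk_id or a.status != "Active":
            continue
        if not (a.valid_from <= on_day <= a.valid_to):
            continue                     # expired or not yet valid
        if _matches(a.system, v.system) and _matches(a.rule_id, v.rule_id):
            return True
    return False

def unmitigated(violations, assignments, on_day):
    """The rows that would still show as open in a risk analysis report."""
    return [v for v in violations if not is_mitigated(v, assignments, on_day)]

AS_OF = date(2011, 6, 1)   # constructed analysis date
VIOLATIONS = [             # same user, same risk, two systems
    Violation("JDOE", "ERP_PRD", "P001", "P00101"),
    Violation("JDOE", "ERP_PRD", "P001", "P00102"),
    Violation("JDOE", "HR_PRD", "P001", "P00101"),
]
ASSIGNMENTS = [
    # one system, one rule ID
    ControlAssignment("JDOE", "CTRL-01", "P001", "ERP_PRD", "P00101",
                      date(2011, 1, 1), date(2011, 12, 31)),
    # one system, all rule IDs of the risk
    ControlAssignment("JDOE", "CTRL-02", "P001", "HR_PRD", "*",
                      date(2011, 1, 1), date(2011, 12, 31)),
    # all systems and rules, but the validity period has ended
    ControlAssignment("JDOE", "CTRL-03", "P001", "*", "*",
                      date(2010, 1, 1), date(2010, 12, 31)),
]
```

Calling `unmitigated(VIOLATIONS, ASSIGNMENTS, AS_OF)` leaves only the ERP_PRD violation on rule P00102 open: the expired wildcard assignment does not cover it, and the system-specific ones do not match.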
Approval Process for Functions
• Overview
• Configuration Setup
• Workflow
Approval Process for Functions: Overview
New feature in Access Control 10.0
Functions are the building blocks of
risks in manage and analyze access
risk
Any changes in functions will have a
direct effect on the access rule set
Changes in functions need to be
tracked and audited
Configuration Setup: Launching IMG Task
Addition of new functions or changes to existing functions by the Rule Architect
can have their own approval process.
Workflow for Function Maintenance is enabled as part of the Access Control
configuration parameters.
Execute transaction SPRO → SAP Reference IMG → Governance, Risk and Compliance →
Access Control → Maintain Configuration Settings
Configuration Setup: Adding Configuration Parameters
Click New Entries
Enter Configuration:
• Parameter Group – 5 Workflow
• Parameter ID – 1064 Function Maintenance
• Parameter Value – YES
Click Save
Workflow: Submitting Changes
When the workflow configuration is active, the button that completes the maintenance
reads SUBMIT instead of SAVE
To access Functions: from NWBC or the Portal, open the Rule Setup workbox →
Access Rule Maintenance → Functions
Workflow: Workflow Inbox
Upon submission, a work item is delivered to the workflow approver for approval
or rejection
If configured, the user receives an email notifying them that a new work item has
arrived in their workbox.
Workflow: Approval / Rejection Decision
The workflow approver can then approve or reject each item in the Workflow
Inbox.
Workflow: Configuration
Workflow is configured in the SAP Reference IMG:
Transaction SPRO → SAP Reference IMG → Governance, Risk and Compliance → Access
Control → Workflow for Access Control → Maintain MSMP Workflows
Terminology – MSMP is the abbreviation for Multi-Stage, Multi-Path Workflow
Workflow: Process ID
Function Maintenance workflow is delivered in the Business Configuration (BC) Set
The first step is Process Global Settings
Additional Audit Trail Tracking
• Overview
• Benefits
• Configuration
• Viewing the Audit Trail
Audit Trail Overview
All changes related to access rules can be tracked. The following components can have an
audit trail:
• Function
• Risk
• Org Rule
• Supplementary Rule
• Critical Role
• Critical Profile
• Rule Set
A new configuration parameter has been included for maintaining the components to be
tracked
Audit Trail Benefits
Quick access to the history of changes of the access rules. Administrators and
power users can easily track who changed the different components of an access
rule. This is useful when finding problems related to inconsistent rules.
Comprehensive information about the changes to access rules including not only
who made the change and when that change was made, but also information such
as the old and new values.
Higher visibility of changes, as the application is able to log information about every
type of change to the rules, including changes to functions, rule sets, critical access
rules and additional access rules. Auditors can have a detailed view of all changes in
a single location.
Configuration: Launching IMG Task
Components to be tracked are configured using IMG under Maintain Configuration
Settings
Configuration: Adding Configuration Parameters
A new parameter is available: Change Log
A list of all available components is shown. This parameter can be configured for each
required component.
Viewing the Audit Trail: Change History
Each access rule component (see the Overview) has a Change History tab; if the
respective configuration entry was set in the IMG, a complete audit trail is
shown.
The report will show the old and new values, who applied these changes, and the
time of the operation.
Viewing the Audit Trail: Exporting the Change History
The report can be exported to Excel for further processing. A printer-friendly
version can also be shown by clicking the respective button
Viewing the Audit Trail: Change Log Report
A Change Log report is available in the Reports & Analytics work center that provides
reporting on all audit-trail-enabled AC objects.
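An added example, not SAP's code, of the audit trail behaviour described in this section: changes are recorded per component only when that component's Change Log entry is switched on, and each record keeps the old value, the new value, the user and the time, which is what the Change History tab and the Change Log report present. The component names follow the Overview; object IDs, field names, values and the timestamp are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example, not SAP code: a minimal change-history recorder for access
# rule components. A change is logged only for components whose Change Log
# configuration entry is set, and each record carries old and new value,
# who made the change and when. All IDs, fields and values are constructed.

COMPONENTS = {"Function", "Risk", "Org Rule", "Supplementary Rule",
              "Critical Role", "Critical Profile", "Rule Set"}

@dataclass(frozen=True)
class ChangeRecord:
    component: str
    object_id: str
    field: str
    old_value: object
    new_value: object
    changed_by: str
    changed_at: datetime

class ChangeLog:
    def __init__(self, tracked_components):
        unknown = set(tracked_components) - COMPONENTS
        if unknown:
            raise ValueError(f"unknown component(s): {sorted(unknown)}")
        self.tracked = set(tracked_components)   # the per-component IMG setting
        self.records = []

    def apply(self, component, object_id, current, changes, user, at):
        """Apply field-level changes to `current` (a dict) and log each real diff."""
        if component not in COMPONENTS:
            raise ValueError(f"unknown component: {component}")
        for fld, new_value in changes.items():
            old_value = current.get(fld)
            if old_value == new_value:
                continue                      # a no-op edit leaves no trail
            current[fld] = new_value
            if component in self.tracked:
                self.records.append(ChangeRecord(component, object_id, fld,
                                                 old_value, new_value, user, at))

    def history(self, component, object_id):
        """Change History view for one object, oldest change first."""
        return [r for r in self.records
                if r.component == component and r.object_id == object_id]

AT = datetime(2011, 6, 1, 9, 30)   # constructed timestamp used by demo()

def demo():
    """Track Function and Risk changes; leave Org Rule untracked."""
    log = ChangeLog({"Function", "Risk"})
    func = {"description": "Vendor master", "actions": ["FK01"]}
    log.apply("Function", "ZF01", func, {"actions": ["FK01", "FK02"]}, "ADMIN", AT)
    log.apply("Function", "ZF01", func, {"description": "Vendor master"}, "ADMIN", AT)
    org = {"org_level": "BUKRS"}
    log.apply("Org Rule", "ZO01", org, {"org_level": "WERKS"}, "ADMIN", AT)
    return log
```

`demo()` yields exactly one record for function ZF01 (the unchanged description produces none) and nothing for the Org Rule, because that component was not switched on.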
Thank You!
Contact information:
Luis Bustamante
Customer Solution Adoption (GRC)
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.