Page 1: GRC 10 AC

AC 10.0 Enhanced Access Risk Analysis

Customer Solution Adoption

June 2011

Version 2.0

Page 2: GRC 10 AC

Purpose of this document

This document describes the major enhancements to the access risk analysis capability of GRC, including end user customization and personalization. It covers how to navigate through the different reports, and also new functionality such as bulk maintenance, automation, audit trail, and mitigation options.

Page 3: GRC 10 AC

© 2011 SAP AG. All rights reserved. 3

Agenda

Introduction

Rule Set Maintenance

New Risk Analysis Framework

System Specific Mitigation

Mass Mitigation

Approval Process for Functions

Additional Audit Trail Tracking

Page 4: GRC 10 AC

Introduction

• Enhanced Access Risk Analysis Overview

Page 5: GRC 10 AC

Enhanced Access Risk Analysis Overview

Enhances the leading access analysis engine with an intuitive interface that supports end user customization and personalization. New bulk maintenance, automation, audit trail, and mitigation options enable a faster and more efficient path to compliance.

Solution Enhancements

• New interface allows targeted risk analysis as well as importing, editing, and reusing analysis criteria

• New ability to customize and personalize access risk results

• Enables Business Role and CUA composite role risk analysis

• New ability to mitigate by system and by access rule ID

• New support for mass mitigation, including assignment and maintenance with bulk updates

• New function maintenance workflow

• Enhanced Audit Trail

Key Benefits

• More efficient, flexible access risk analysis options and improved ability to analyze results

• Faster deployments and easier data maintenance over time

• Reduce broad application of controls

• Ability to repurpose workflows, including routing and escalation logic, by utilizing the standardized workflow engine

Page 6: GRC 10 AC

Rule Set Maintenance

• Overview

• Maintaining Rules

• User Interface Elements

Page 7: GRC 10 AC

Rule Set Maintenance Overview

Rule Set Maintenance:

• Consistent user experience throughout the application

• Ability to filter and sort reports listing rule sets, functions and risks

• Ability to hide and rearrange columns listing rule sets, functions and risks

Page 8: GRC 10 AC

Maintaining Rules: Rule Setup

Navigate to Access Rule Maintenance for creation and maintenance of rules

Page 9: GRC 10 AC

Maintaining Rules: Function

Select Function to create or maintain the function with its actions and permissions.

A Change History tab is available.

Page 10: GRC 10 AC

Maintaining Rules: Function Mass Maintenance

Streamlined user interface with step by step process

Page 11: GRC 10 AC

Maintaining Rules: Risk

Select Access Risk to create or maintain the risk

Change History available

Page 12: GRC 10 AC

Maintaining Rules: Generate Rules

The Generate Rules button in the Function and Risk menu bar is available to update the rules in either Foreground or Background.

Page 13: GRC 10 AC

User Interface Elements: Filtering

The query result set can be filtered

Page 14: GRC 10 AC

User Interface Elements: Sorting

A column can be sorted in ascending or descending order by clicking the column name.

Page 15: GRC 10 AC

User Interface Elements: Hide and Rearrange Columns

Columns can be hidden and the sequence can be changed

Page 16: GRC 10 AC

User Interface Elements: Rearrange Columns

The Sorting, Calculation, Filter, Display, and Print Settings can be maintained and saved as a user-specific view.

Page 17: GRC 10 AC

User Interface Elements: User Query and Personalization

Streamlined user interface with a step by step process to define a new query.

User Personalization is available to define the default view.

Page 18: GRC 10 AC

User Interface Elements: User Help

Quick user help or field help can be displayed by right-clicking a field.

Page 19: GRC 10 AC

New Risk Analysis Framework

• Overview and Benefits

• Conditions

• Multiple Risk Analysis Types

• Multiple Selections and File Upload

• Report Options

Page 20: GRC 10 AC

Risk Analysis Framework: Overview and Benefits

New risk analysis framework includes:

• Different conditions can be configured and combined

• Multiple risk analysis reports can be run at the same time

• Multiple selections can be imported from a file

• Drill-downs available across the reports

• Columns in the report can be hidden and rearranged

• Reports provide transaction execution data

• Crystal and PDF reports available

• The reports can be sorted by any column

The new risk analysis framework provides the following benefits:

• Provides a consistent interface with other GRC modules

• Faster report processing by including only the information required by the users

• Saves users time by allowing them to import report variables from files

Page 21: GRC 10 AC

Risk Analysis Framework: Conditions

Conditions can be added and removed as required.

Multiple operators are provided depending on the condition.

Page 22: GRC 10 AC

Risk Analysis Framework: Multiple Risk Analysis Types

When executing a risk analysis it is now possible to run multiple risk analysis types at the same time.

Page 23: GRC 10 AC

Risk Analysis Framework: Multiple Selections and File Upload

When a condition is switched to multiple selections, a new window can be launched. It allows not only multiple selections but also uploading values from a text file.

Page 24: GRC 10 AC

Risk Analysis Framework: Large Reports and Result Sets

When reports are too large they are split into separate “Result Sets”. This allows exporting them as multiple files, avoiding file size restrictions and providing better memory management.

Page 25: GRC 10 AC

Risk Analysis Framework: Report Settings

Filter and Settings are available to customize and search the Result Set: the user can choose which columns to show, and sorting controls are available.

Page 26: GRC 10 AC

Risk Analysis Framework: New Columns: Last Executed On and Execution Count

The risk analysis results now show how many times the transaction was executed and when it was last executed.

Page 27: GRC 10 AC

Risk Analysis Framework: Drill-down on Reports

In the access risk analysis reports it is now possible to drill down on User IDs and Access Risk IDs.

Page 28: GRC 10 AC

Risk Analysis Framework: Drill-down on Risk Definitions

It is possible to drill down on the functions of a risk and on the user ID that modified the risk.

Page 29: GRC 10 AC

Risk Analysis Framework: Crystal Reports

Reports can now be shown as Crystal Reports. No additional software is required on the server, but clients must install the Crystal Report Adapter.

Page 30: GRC 10 AC

Risk Analysis Framework: Export to PDF

Users can create a PDF version of the reports by clicking the Print Version button. This functionality requires an Adobe Document Services instance in the GRC landscape.

Page 31: GRC 10 AC

System Specific Mitigation

• Overview and benefits

• Assigning a Mitigating Control

• Listing mitigating controls

Page 32: GRC 10 AC

System Specific Mitigation: Overview and Benefits

System Specific Mitigation:

• Allows assigning a mitigating control to specific systems

• Multiple systems can be chosen while assigning a mitigating control

Benefits of this feature include:

• Less complexity while defining risks and assigning mitigating controls, due to an easy interface for assigning controls to multiple systems

• More flexibility over which risks are mitigated on which systems

Page 33: GRC 10 AC

Assigning a Mitigating Control: User

When assigning a mitigating control to a user it is possible to select multiple systems

Page 34: GRC 10 AC

Assigning a Mitigating Control: Role

This also applies to all other types of mitigation, as shown here on the Mitigated Roles screen.

Page 35: GRC 10 AC

Listing Mitigating Controls: Reporting

The System column shows on which systems the respective mitigating control has been assigned.

Page 36: GRC 10 AC

Mass Mitigation

• Overview and Benefits

• Assigning a Mitigating Control to Multiple Risks

Page 37: GRC 10 AC

Mass Mitigation: Overview and Benefits

Mass Mitigation:

• While viewing an access risk analysis report, multiple risks can now be mitigated at once

Benefits of this feature include:

• Speeds up the mitigation process by assigning multiple mitigations in a single step

• Improves mitigating control quality; fewer steps to mitigate multiple risks means fewer potential errors introduced by the user

Page 38: GRC 10 AC

Assigning Mitigating Controls: Multiple Risk Selection

• Every access risk analysis report provides a button for mitigating risks; simply select multiple entries and click the Mitigate Risk button

• A single mitigating control can be assigned to all selected risks

Page 39: GRC 10 AC

Assigning Mitigating Controls: Control Parameters

After clicking Mitigate Risk, any control already assigned to the risk ID is auto-populated. The control can be replaced by clicking in the Control ID field and searching the available controls, or by creating a new control with the Create Control button.

Page 40: GRC 10 AC

Assigning Mitigating Controls: Validity Periods

You can update the status and validity periods for multiple control assignments by selecting one or many rows and clicking the Status or Validity Period buttons (a mass update of the validity period is shown).

Page 41: GRC 10 AC

Assigning Mitigating Controls: System and Rule ID Selection

Mitigation can be done at the access rule ID level or at the system level. Enter * to mitigate across all systems and all rule IDs.

Select a row and click View Details to see additional details about the assigned control (long and short description, assigned risks, monitor, and so on).
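The following is an added example, not code from the slides or from SAP. It models, in plain Python, how the pieces described on the Generate Rules slide (page 12) and on this slide fit together: functions are sets of actions, a risk combines functions, rule generation expands a risk into one rule per combination of actions, and a mitigating control is matched against a violation by risk, system and rule ID, with * meaning "all". The function and risk IDs, the rule-numbering scheme, the system names and the user access data are all constructed for the illustration and are not GRC 10 internals.

```python
"""Added example (not SAP's code): a toy model of access-rule generation,
risk analysis and system / rule-ID mitigation. All identifiers and data
below are constructed assumptions for illustration only."""
from dataclasses import dataclass
from itertools import product

# Functions are the building blocks of risks: each maps to the actions
# (transaction codes) that realise that business function. Constructed.
FUNCTIONS = {
    "PR01": {"ME21N", "ME22N"},   # create / change purchase order
    "AP02": {"MIRO", "MRBR"},     # post / release vendor invoice
}

# A risk is a combination of functions; holding one action from each
# function violates segregation of duties. Constructed.
RISKS = {
    "P001": ["PR01", "AP02"],
}


def generate_rules(risks=RISKS, functions=FUNCTIONS):
    """Expand each risk into concrete access rules: one rule per combination
    of one action from every function in the risk. Rule IDs are the risk ID
    plus a three-digit sequence number (an assumed numbering scheme)."""
    rules = {}
    for risk_id, func_ids in risks.items():
        action_sets = [sorted(functions[f]) for f in func_ids]
        for seq, combo in enumerate(product(*action_sets), start=1):
            rules[f"{risk_id}{seq:03d}"] = (risk_id, frozenset(combo))
    return rules


@dataclass
class Mitigation:
    """A mitigating control assignment. '*' for system or rule_id means the
    control applies to all systems / all rule IDs of the risk."""
    control_id: str
    risk_id: str
    system: str = "*"
    rule_id: str = "*"

    def covers(self, system, rule_id, risk_id):
        return (self.risk_id == risk_id
                and self.system in ("*", system)
                and self.rule_id in ("*", rule_id))


def analyze_user(user, access, rules, mitigations):
    """Return (system, rule_id, risk_id, control_id_or_None) for every rule
    the user violates. `access` maps system -> set of actions the user can
    execute there. A violation is mitigated when some control covers it."""
    violations = []
    for system, actions in sorted(access.items()):
        for rule_id, (risk_id, needed) in sorted(rules.items()):
            if needed <= actions:
                control = next((m.control_id for m in mitigations
                                if m.covers(system, rule_id, risk_id)), None)
                violations.append((system, rule_id, risk_id, control))
    return violations


def unmitigated(violations):
    """The rows a reviewer still has to act on."""
    return [v for v in violations if v[3] is None]


# Constructed sample: one user with access on two systems, and two control
# assignments, one system-wide and one limited to a single rule ID.
ACCESS = {
    "ERP_PRD": {"ME21N", "MIRO", "MRBR", "SU01"},
    "ERP_QAS": {"ME21N", "ME22N", "MIRO"},
}
MITIGATIONS = [
    Mitigation("C-0001", "P001", system="ERP_QAS"),                   # all rules on QAS
    Mitigation("C-0002", "P001", system="ERP_PRD", rule_id="P001001"),  # one rule on PRD
]

if __name__ == "__main__":
    rules = generate_rules()
    found = analyze_user("JDOE", ACCESS, rules, MITIGATIONS)
    for row in found:
        print(row)
    print("open violations:", unmitigated(found))
```

Run as a script it lists four violations for the constructed user, three of them covered by a control, and one open row on ERP_PRD for rule P001002, which the rule-ID-scoped control C-0002 does not cover. That is the practical reason the slide distinguishes rule-ID-level from system-level mitigation: a control entered against a single rule ID leaves the risk's other rule combinations unmitigated, so a reviewer should check the open list after a scoped assignment rather than assume the risk as a whole is covered.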

Page 42: GRC 10 AC

Approval Process for Functions

• Overview

• Configuration Setup

• Workflow

Page 43: GRC 10 AC

Approval Process for Functions: Overview

New feature in Access Control 10.0.

• Functions are the building blocks of risks in Manage and Analyze Access Risk

• Any change to a function has a direct effect on the access rule set

• Changes to functions therefore need to be tracked and audited

Page 44: GRC 10 AC

Configuration Setup: Launching IMG Task

Additions of new functions or changes to existing functions by the Rule Architect can have their own approval process.

Workflow for Function Maintenance is enabled as part of the Access Control configuration parameters.

Execute transaction SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Maintain Configuration Settings

Page 45: GRC 10 AC

Configuration Setup: Adding Configuration Parameters

Click New Entries and enter the configuration:

• Parameter Group – 5 Workflow

• Parameter ID – 1064 Function Maintenance

• Parameter Value – YES

Click Save

Page 46: GRC 10 AC

Workflow: Submitting Changes

When the workflow configuration is active, the button that completes the maintenance reads SUBMIT instead of SAVE.

To access Functions: from NWBC or Portal > Rule Setup Workbox > Access Rule Maintenance > Functions

Page 47: GRC 10 AC

Workflow: Workflow Inbox

Upon submission a work item is delivered to the workflow approver for approval or rejection.

If configured, the user receives an e-mail notifying them that a new work item has arrived in their workbox.

Page 48: GRC 10 AC

Workflow: Approval / Rejection Decision

The workflow approver can then approve or reject each item in the Workflow Inbox.

Page 49: GRC 10 AC

Workflow: Configuration

Workflow is configured in the SAP Reference IMG:

Transaction SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain MSMP Workflows

Terminology – MSMP is the abbreviation for Multi-Stage, Multi-Path Workflow

Page 50: GRC 10 AC

Workflow: Process ID

The Function Maintenance workflow is delivered in the Business Configuration (BC) Set.

The first step is Process Global Settings.

Page 51: GRC 10 AC

Additional Audit Trail Tracking

• Overview

• Benefits

• Configuration

• Viewing the Audit Trail

Page 52: GRC 10 AC

Audit Trail: Overview

All changes related to access rules can be tracked. The following components can have an audit trail:

• Function

• Risk

• Org Rule

• Supplementary Rule

• Critical Role

• Critical Profile

• Rule set

A new configuration parameter has been included for maintaining the components to be tracked.

Page 53: GRC 10 AC

Audit Trail: Benefits

Quick access to the history of changes of the access rules. Administrators and power users can easily track who changed the different components of an access rule. This is useful when finding problems related to inconsistent rules.

Comprehensive information about the changes to access rules, including not only who made the change and when, but also the old and new values.

Higher visibility of changes, as the application is able to log information about every type of change to the rules, including changes to functions, rule sets, critical access rules and additional access rules. Auditors can have a detailed view of all changes in a single location.

Page 54: GRC 10 AC

Configuration: Launching IMG Task

Components to be tracked are configured in the IMG under Maintain Configuration Settings.

Page 55: GRC 10 AC

Configuration: Adding Configuration Parameters

A new parameter is available: Change Log.

A list of all available components is shown. This parameter can be configured for each required component.

Page 56: GRC 10 AC

Viewing the Audit Trail: Change History

Each access rule component (see the Overview) has a Change History tab; if the respective configuration entry was set in the IMG, a complete audit trail is shown.

The report shows the old and new values, who applied the changes, and the time of the operation.
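As an added example, not code from the slides or from SAP, the block below models the change history described on the Audit Trail slides: a per-component tracking configuration (as set with the Change Log parameter), a record of each changed field with its old value, new value, user and timestamp, the per-object Change History view, and the cross-component Change Log report. Component names follow the Overview slide; the object IDs, field names, user IDs and timestamps are constructed.

```python
"""Added example (not SAP's code): a minimal change-history log for access
rule components. Which components are tracked is driven by configuration,
like the Change Log parameter on the slides. Object IDs, field names,
user IDs and timestamps below are constructed for illustration."""
from datetime import datetime

# Components that can carry an audit trail, from the Overview slide.
AUDITABLE = {"Function", "Risk", "Org Rule", "Supplementary Rule",
             "Critical Role", "Critical Profile", "Rule set"}


class ChangeLog:
    def __init__(self, tracked_components):
        unknown = set(tracked_components) - AUDITABLE
        if unknown:
            raise ValueError(f"not auditable: {sorted(unknown)}")
        self.tracked = set(tracked_components)
        self.entries = []   # one dict per changed field

    def record(self, component, object_id, user, when, old, new):
        """Compare the old and new attribute dicts of one object and log
        each differing field with old value, new value, user and time.
        Returns the number of fields logged; 0 if the component is not
        tracked, which is the gap a reviewer should look for when a
        component is missing from the Change Log configuration."""
        if component not in self.tracked:
            return 0
        count = 0
        for fld in sorted(set(old) | set(new)):
            before, after = old.get(fld), new.get(fld)
            if before != after:
                self.entries.append({
                    "component": component, "object": object_id,
                    "field": fld, "old": before, "new": after,
                    "changed_by": user, "changed_at": when,
                })
                count += 1
        return count

    def history(self, component, object_id):
        """Change History tab view: all entries for one object, oldest first."""
        return sorted((e for e in self.entries
                       if e["component"] == component and e["object"] == object_id),
                      key=lambda e: e["changed_at"])

    def report(self, changed_by=None):
        """Change Log report view across all tracked components, optionally
        restricted to the user who made the change."""
        return [e for e in self.entries
                if changed_by is None or e["changed_by"] == changed_by]


def build_sample_log():
    """Constructed sample: Function and Risk are tracked, Rule set is not,
    so the rule-set activation below leaves no trace."""
    log = ChangeLog({"Function", "Risk"})
    t1 = datetime(2011, 6, 1, 9, 0)
    t2 = datetime(2011, 6, 2, 14, 30)
    log.record("Function", "PR01", "ARCHITECT1", t1,
               {"description": "Create PO", "actions": "ME21N"},
               {"description": "Create/change PO", "actions": "ME21N,ME22N"})
    log.record("Risk", "P001", "ARCHITECT2", t2,
               {"risk_level": "Medium"}, {"risk_level": "High"})
    log.record("Rule set", "GLOBAL", "ARCHITECT1", t2,
               {"status": "inactive"}, {"status": "active"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for entry in log.history("Function", "PR01"):
        print(entry)
    print("untracked rule-set change visible:", bool(log.history("Rule set", "GLOBAL")))
```

The untracked rule-set change in the sample returns 0 logged fields and is absent from both views; that is the behaviour to expect in the real application when a component's Change Log entry was never set, and the reason to verify the configuration for every component listed on the Overview slide before relying on the Change History tab in an audit.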

Page 57: GRC 10 AC

Viewing the Audit Trail: Exporting the Change History

The report can be exported to Excel for further processing. A printer-friendly version can also be shown by clicking the respective button.

Page 58: GRC 10 AC

Viewing the Audit Trail: Change Log Report

A change log report is available in the Reports and Analytics work center; it reports on all audit-trail-enabled AC objects.

Page 59: GRC 10 AC

Thank You!

Contact information:

Luis Bustamante

Customer Solution Adoption (GRC)

[email protected]

Page 60: GRC 10 AC

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

© 2011 SAP AG. All rights reserved

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.