TRANSCRIPT
GRC Nordic SAP User Management webinar
SAP Authorisation Management
Security and Risk Management
SAP Authorisation Support and Access Management
License Management
SAP User Management
Team today
Jarkko Hauta-aho, Christa Schönberg, Mikko Syrjänen
How to prepare for an SAP S/4 project: user management
How to prepare for S/4: impacted SAP Authorization Concept components
We have divided the impacted areas into seven blocks
Today we are not discussing the actual S/4 change.
S/4 will bring a large number of changes to every customer's IT landscape.
There are many blocks in every customer's authorization concept that need a review, but not all blocks that we have listed may be relevant for you.
Take home from this presentation what you feel is applicable for your specific scenario!
User interface
Users
Roles
Authorization Concept
Access Risks & Compliance
Licensing
Provisioning
The major decisions impacting the security area
01. Strategy chosen in the overall S/4 update:
• System Conversion or New Implementation
02. Scope of the S/4 implementation:
• Are you updating everything in one go, or do you go first for just Finance and then later other areas? How do you run the old and new system and the respective roles concurrently? Cloud?
03. Maturity and status of user management:
• Are you in good shape?
• Do you have other needs that you need to improve? Access risks, provisioning, licensing…
04. Resources / skills:
• Availability of experts
• Budget
Simplification makes Security more complex
SAP delivers S/4 to simplify processes and enhance the systems. For Security this simplification brings more complexity, due to the introduction of different and new system types.
The skillset required in the future needs to be even wider. In effect, parallel authorization concepts (HANA, ABAP, Cloud, …) are required and need to be fitted to work well together.
The plan for Security is impacted by different things
YOUR S/4 PROJECT
• Is this a new implementation or a migration?
• How many new processes and ways of working are introduced?
• Will the whole system be moved to S/4 or only parts (e.g. only Finance)?
• How do you run S/4 in parallel with the old system from a security perspective? How will you move to the full S/4 system in the end?
YOUR CURRENT SETUP
• Do you implement GRC now as part of S/4, or did you run it earlier?
• What state are your roles in, technically and from a business perspective?
• Do you have a proper authorization concept?
What does this simplification mean in practice for us?
• On-premise systems are partly replaced with cloud systems.
• A HANA database access concept must be deployed.
• Old transactions have been removed and no longer exist.
• New transactions have been introduced; many old ones may have been combined into one transaction.
• New authorization objects have been introduced.
• Table structures have been changed: old tables have been removed, new ones have been introduced.
• The Segregation of Duties ruleset must be re-evaluated: unnecessary content must be removed and relevant content added.
5/4/2020
Plan your Security activities into the overall project plan
Plan/Prepare: What activities do you need to do, what resources do you need, will you need to involve your auditors at some point, are the controls you have changing? Try to scope your project correctly. Refer to the areas impacted on the next slide.
Design Phase: Redesign of roles, or just mapping of old functions to new functions?
Build/Migrate: Build your changes and new roles. Update the GRC system to enable integration to the backend.
Testing: Testing of the end-to-end process must include role testing as well.
Cutover/Deployment: Deployment may need changes to user-role assignments if processes change a lot. Otherwise a very traditional deployment as such. Run the new ruleset against the new roles and users.
S/4 impact on User Interface
Fiori provides a new interface for using the system
• An alternative to SAP GUI
• Can be run on different devices, e.g. mobile, web browser, etc.
• Very effective for some groups of users; SAP GUI or Business Client can still be kept as a parallel way of accessing the system
S/4 impact on Users
• A user management concept is needed for all system types: cloud, HANA, …
• Use of user management systems: CUA, SAP Cloud Platform Identity Authentication, etc.
• If you run a concurrent S/4 and non-S/4 system implementation, evaluate how to manage that from a user perspective
S/4 impact on Roles
• Roles will need new transactions and new authorization objects
• Old authorization objects and transactions should be removed, and the behavior of currently non-mandatory fields changes
• If you have inserted authorization objects into roles manually, rather than letting them come in via the role menu and the SU24 default values, the upgrade processing is harder, since manually maintained authorizations are not adjusted by SU25
• Your roles should be maintained according to SAP best practices (SAP Note 2465353 - SU25 2d: Exchange of obsolete transactions in role menu)
S/4 impact on Roles
Source: SAP training material
• Use SU25 to upgrade your roles when on S/4
• Follow the standard notes to process, fix and adjust activities correctly
• A list of adjustments will show up
• Note: talk to project experts in case completely new functionality is being deployed; SU25 alone might not be sufficient
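As an added example (not GRC Nordic tooling and not SU25 itself), the following Python script shows the check that SU25 step 2d automates: scanning role menus for transactions that no longer exist in the S/4 target and proposing successors. The role menus, the set of live transaction codes and the successor map are constructed sample data; in a real system the menus would be read from table AGR_TCODES and the live codes from table TSTC of the S/4 system. BP replacing the classic customer and vendor master transactions is the well-known S/4HANA change used here; the custom transaction Z_OLD_REPORT is made up.

```python
"""Scan role menus for transactions that no longer exist in the S/4 target.

Added example, not GRC Nordic tooling and not SU25 itself. ROLE_MENUS,
LIVE_TCODES and REPLACEMENTS are constructed sample data; in a real system
the menus come from table AGR_TCODES and the live codes from table TSTC.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed role menus: role name -> transaction codes in the role menu.
ROLE_MENUS: Dict[str, Set[str]] = {
    "Z_AP_VENDOR_MASTER": {"XK01", "XK02", "XK03", "FK01", "SU53"},
    "Z_AP_PAYMENTS": {"F110", "F-53", "FBL1N", "Z_OLD_REPORT"},
    "Z_SD_CUSTOMER_MASTER": {"XD01", "XD02", "VD01", "VA01"},
}

# Constructed set of transaction codes that exist in the target system. The
# classic customer/vendor master transactions are absent because S/4HANA
# replaces them with the Business Partner transaction BP.
LIVE_TCODES: Set[str] = {"BP", "F110", "F-53", "FBL1N", "VA01", "SU53"}

# Constructed successor map: retired transaction -> transaction that replaces it.
REPLACEMENTS: Dict[str, str] = {
    "XK01": "BP", "XK02": "BP", "XK03": "BP", "FK01": "BP",
    "XD01": "BP", "XD02": "BP", "VD01": "BP",
}


@dataclass
class RoleFinding:
    role: str
    replaced: Dict[str, str] = field(default_factory=dict)  # old tcode -> successor put in menu
    orphaned: Set[str] = field(default_factory=set)         # removed, no live successor: needs a decision
    new_menu: Set[str] = field(default_factory=set)         # proposed menu after the exchange


def scan_role(role: str, menu: Set[str], live: Set[str], replacements: Dict[str, str]) -> RoleFinding:
    """Classify every menu entry as kept, exchanged for its successor, or orphaned."""
    finding = RoleFinding(role=role)
    for tcode in sorted(menu):
        successor = replacements.get(tcode)
        if tcode in live:
            finding.new_menu.add(tcode)
        elif successor is not None and successor in live:
            finding.replaced[tcode] = successor
            finding.new_menu.add(successor)
        else:
            finding.orphaned.add(tcode)   # custom or retired without a successor
    return finding


def scan_all(menus: Dict[str, Set[str]], live: Set[str], replacements: Dict[str, str]) -> Dict[str, RoleFinding]:
    return {role: scan_role(role, menu, live, replacements) for role, menu in menus.items()}


def roles_needing_decision(findings: Dict[str, RoleFinding]) -> Set[str]:
    """Roles the automated exchange cannot finish on its own: at least one orphaned entry."""
    return {r for r, f in findings.items() if f.orphaned}


if __name__ == "__main__":
    results = scan_all(ROLE_MENUS, LIVE_TCODES, REPLACEMENTS)
    for f in results.values():
        print(f.role, "replaced:", f.replaced, "orphaned:", sorted(f.orphaned), "new menu:", sorted(f.new_menu))
    print("needs manual decision:", sorted(roles_needing_decision(results)))
```

Note what the scan makes visible: four vendor master transactions collapse into the single BP transaction, which also serves customer master data. After such a merge the role menu alone no longer tells you what a user can do; the generated profile has to be re-derived in PFCG from the SU24 defaults for BP, and any check that must distinguish vendor from customer maintenance has to move from the transaction code to authorization object level (the business partner role object B_BUPA_RLT).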
S/4 impact on Authorization Concept
The concept should lay the foundation for how you work with the security setup.
What authorization concept do you deploy for Fiori apps or for HANA systems? How do you provision users to these systems? Users will need more cross-system access; how will you manage that?
S/4 impact on Access Risks and Compliance
• Access risks must be updated with the relevant new transaction codes and authorization objects, i.e. an S/4 ruleset
• Content that is no longer relevant must be removed
• GRC Nordic SoD customers using our service portal will automatically get the new ruleset into use
• Table names and table structures will change: are you checking anything from the tables for control purposes?
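As an added example (not the GRC Nordic ruleset and not SAP Access Control), the following Python code evaluates a small SoD ruleset against user access and lists ruleset entries that reference transactions no longer present in the target, which is the re-evaluation the simplification slide and this slide both call for. The rulesets, the user access and the live transaction set are constructed; the risk used, vendor master maintenance combined with vendor payments, is the classic accounts payable conflict, and BP replacing XK01/XK02/FK01/FK02 is the well-known S/4HANA change. Running the ECC-era ruleset against post-conversion access shows the false negative a stale ruleset produces.

```python
"""Evaluate an SoD ruleset against user access and find stale ruleset entries.

Added example, not the GRC Nordic ruleset or SAP Access Control. The rulesets,
USER_TCODES and LIVE_TCODES are constructed sample data; in a real system the
live transaction codes would come from table TSTC and user access from the
role assignments.
"""
from itertools import product
from typing import Dict, List, Set, Tuple

# A ruleset: functions are sets of transactions, risks are pairs of functions
# that must not be held by the same user.
ECC_RULESET = {
    "functions": {
        "AP01_VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},
        "AP02_VENDOR_PAYMENTS": {"F110", "F-53"},
    },
    "risks": {"P001": ("AP01_VENDOR_MASTER", "AP02_VENDOR_PAYMENTS")},
}

# The same ruleset updated for S/4: retired transactions removed, BP added.
S4_RULESET = {
    "functions": {
        "AP01_VENDOR_MASTER": {"BP"},
        "AP02_VENDOR_PAYMENTS": {"F110", "F-53"},
    },
    "risks": {"P001": ("AP01_VENDOR_MASTER", "AP02_VENDOR_PAYMENTS")},
}

# Constructed user access after conversion: user -> transactions reachable via roles.
USER_TCODES: Dict[str, Set[str]] = {
    "JDOE": {"BP", "F110", "FBL1N"},   # maintains vendors and runs the payment run
    "ASMITH": {"BP", "FBL1N"},         # vendor master only
    "RNG": {"F-53", "FBL1N"},          # payments only
}

# Constructed set of transactions that exist in the S/4 system.
LIVE_TCODES: Set[str] = {"BP", "F110", "F-53", "FBL1N"}

Violation = Tuple[str, str, str, str]  # (user, risk id, tcode from function A, tcode from function B)


def find_violations(ruleset: dict, user_tcodes: Dict[str, Set[str]]) -> List[Violation]:
    """Report every conflicting transaction pair a user holds, per risk."""
    hits: List[Violation] = []
    for user, tcodes in user_tcodes.items():
        for risk_id, (func_a, func_b) in ruleset["risks"].items():
            held_a = sorted(tcodes & ruleset["functions"][func_a])
            held_b = sorted(tcodes & ruleset["functions"][func_b])
            # A risk fires only when both sides of the conflict are held.
            for tcode_a, tcode_b in product(held_a, held_b):
                hits.append((user, risk_id, tcode_a, tcode_b))
    return hits


def stale_entries(ruleset: dict, live_tcodes: Set[str]) -> Dict[str, List[str]]:
    """Ruleset transactions that do not exist in the target: dead rules that hide risks."""
    return {
        func: sorted(tcodes - live_tcodes)
        for func, tcodes in ruleset["functions"].items()
        if tcodes - live_tcodes
    }


if __name__ == "__main__":
    print("ECC ruleset on S/4 access:", find_violations(ECC_RULESET, USER_TCODES))  # nothing found
    print("stale ECC entries:", stale_entries(ECC_RULESET, LIVE_TCODES))
    print("S/4 ruleset on S/4 access:", find_violations(S4_RULESET, USER_TCODES))
```

The empty result from the ECC ruleset is the dangerous case: JDOE can still create a vendor and pay it, but every transaction the rule knows about for vendor maintenance has been retired, so the conflict is invisible until the function definitions are refreshed. Running the stale-entry check before go-live is the cheap way to find such dead rules.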
S/4 impact on Licensing
SAP S/4 brings in new license pricing. It is of the utmost importance to have the right number of users, correctly classified: the number of users has a direct cost impact.
S/4 impact on Provisioning
• If you get new system types, how will you manage access provisioning to those?
• How will cross-system access be provisioned?
What are the most important preparatory steps that will save you money and time later on?
• Update access risks to contain the new systems and the new transactions and objects
• Clean the users
• Update licensing: system measurement and a clean user base
• Clean the roles and ensure objects are correctly maintained
• Make sure your provisioning system handles the new systems
• Remove all unnecessary users and roles
• Update the concept to include the new system types
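As an added example of the "clean the users" and licensing steps (not GRC Nordic's service), the following Python code classifies user master records ahead of a system measurement so that expired, locked, never-used and inactive accounts are removed before dialog users are counted. The records are constructed and modelled on the fields of table USR02 (BNAME, USTYP, TRDAT, GLTGB, UFLAG); the 90-day inactivity threshold and the reference date are assumed values.

```python
"""Classify user master records before cleanup and license measurement.

Added example, not GRC Nordic tooling. USERS is constructed sample data with
field names modelled on table USR02 (BNAME, USTYP, TRDAT, GLTGB, UFLAG).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INACTIVE_DAYS = 90          # assumed policy: no logon for 90 days = cleanup candidate
AS_OF = date(2020, 5, 4)    # assumed reference date for the constructed sample


@dataclass(frozen=True)
class UserRecord:
    bname: str             # user name
    ustyp: str             # A dialog, B system, C communication, S service, L reference
    trdat: Optional[date]  # last logon date, None = never logged on
    gltgb: Optional[date]  # valid-to date, None = unlimited
    uflag: int             # 0 = not locked, 64 = locked by administrator, 128 = too many failed logons


USERS: List[UserRecord] = [  # constructed sample records
    UserRecord("JDOE", "A", date(2020, 4, 28), None, 0),
    UserRecord("OLDGUY", "A", date(2019, 9, 1), None, 0),
    UserRecord("NEVER", "A", None, None, 0),
    UserRecord("LEFT", "A", date(2020, 1, 15), date(2020, 1, 31), 0),
    UserRecord("LOCKED", "A", date(2020, 4, 1), None, 64),
    UserRecord("RFC_GRC", "B", date(2020, 4, 30), None, 0),
]


def classify(user: UserRecord, today: date) -> str:
    """Bucket one record; the order matters: validity and lock state beat activity."""
    if user.gltgb is not None and user.gltgb < today:
        return "expired"            # validity ended: delete, or confirm the leaver process worked
    if user.uflag != 0:
        return "locked"             # locked users still exist and still need a decision
    if user.ustyp != "A":
        return "technical"          # system/communication/service users: review the owner, not logons
    if user.trdat is None:
        return "never_logged_on"    # created but unused: remove before measurement
    if (today - user.trdat).days > INACTIVE_DAYS:
        return "inactive"
    return "active"


def cleanup_report(users: List[UserRecord], today: date) -> Dict[str, List[str]]:
    """Group user names by bucket so each bucket can be handled as a batch."""
    report: Dict[str, List[str]] = {}
    for u in users:
        report.setdefault(classify(u, today), []).append(u.bname)
    return report


def active_dialog_users(users: List[UserRecord], today: date) -> List[str]:
    """Dialog users that remain after cleanup and therefore need a license classification."""
    return sorted(u.bname for u in users if classify(u, today) == "active")


if __name__ == "__main__":
    for bucket, names in cleanup_report(USERS, AS_OF).items():
        print(f"{bucket:16s} {', '.join(names)}")
    print("to classify:", active_dialog_users(USERS, AS_OF))
```

Locked and expired accounts are reported separately on purpose: a lock is not a deletion, the account and its role assignments still exist, and an expired validity date only proves that the leaver process set it, not that the roles were removed. Both buckets need a decision before the measurement, not after.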
GRC Nordic events 2020
Event / Date
› Webinar: Managing and monitoring wide-ranging access rights. Webinar: 18.5, 20.5
› Webinar: How to prepare for an audit with regard to access rights management. Webinar: 14.9, 16.9
› SAP access rights management day, 24.9 (Helsinki)
› Webinar: Deep dive to SAP Security around authorisations. Webinar: 19.10, 21.10
› Webinar: SAP authorisation concept. Webinar: 16.11, 18.11