7/27/2019 EARA.pdf http://slidepdf.com/reader/full/earapdf 1/60 AC 10.0 Enhanced Access Risk Analysis Customer Solution Adoption June 2011 Version 2.0


Page 1: EARA.pdf


AC 10.0 Enhanced Access Risk Analysis

Customer Solution Adoption, June 2011

Version 2.0

Page 2: EARA.pdf


Purpose of this document

This document describes the major enhancements to the access risk analysis capability of GRC, including end user customization and personalization. It covers how to navigate through the different reports and also introduces new functionality such as bulk maintenance, automation, audit trail, and mitigation options.

Page 3: EARA.pdf


© 2011 SAP AG. All rights reserved. 3

Agenda

Introduction

Rule Set Maintenance

New Risk Analysis Framework

System Specific Mitigation

Mass Mitigation

Approval Process for Functions

Additional Audit Trail Tracking

Page 4: EARA.pdf


Introduction

• Enhanced Access Risk Analysis Overview

Page 5: EARA.pdf


Enhanced Access Risk Analysis Overview

Enhances the leading access analysis engine with an intuitive interface that supports end user customization and personalization. New bulk maintenance, automation, audit trail, and mitigation options enable a faster and more efficient path to compliance.

Solution Enhancements:

• New interface allows targeted risk analysis as well as importing, editing, and reusing analysis criteria
• New ability to customize and personalize access risk results
• Enables Business Role and CUA composite role risk analysis
• New ability to mitigate by system and by access rule ID
• New support for mass mitigation, including assignment and maintenance with bulk updates
• New function maintenance workflow
• Enhanced Audit Trail

Key Benefits:

• More efficient, flexible access risk analysis options and improved ability to analyze results
• Faster deployments and easier data maintenance over time
• Reduce broad application of controls
• Ability to repurpose workflows, including routing and escalation logic, by utilizing the standardized workflow engine

Page 6: EARA.pdf


Rule Set Maintenance

• Overview
• Maintaining Rules
• User Interface Elements

Page 7: EARA.pdf


Rule Set Maintenance: Overview

Rule Set Maintenance:

• Consistent user experience throughout the application
• Ability to filter and sort reports listing rule sets, functions and risks
• Ability to hide and rearrange columns listing rule sets, functions and risks

Page 8: EARA.pdf


Maintaining Rules: Rule Setup

Navigate to Access Rule Maintenance to create and maintain rules.

Page 9: EARA.pdf


Maintaining Rules: Function

Select Function to create or maintain the function with its actions and permissions. A Change History tab is available.

Page 10: EARA.pdf


Maintaining Rules: Function Mass Maintenance

Streamlined user interface with a step-by-step process.

Page 11: EARA.pdf


Maintaining Rules: Risk

Select Access Risk to create or maintain the risk. Change History is available.

Page 12: EARA.pdf


Maintaining Rules: Generate Rules

The Generate Rules button in the Function and Risk menu bar is available to update the rules in either Foreground or Background.


Page 14: EARA.pdf


User Interface Elements: Sorting

A column can be sorted in ascending or descending order by clicking the column name.

Page 15: EARA.pdf


User Interface Elements: Hide and Rearrange Columns

Columns can be hidden and their sequence can be changed.

Page 16: EARA.pdf


User Interface Elements: Rearrange Columns

The Sorting, Calculation, Filter, Display, and Print Settings can be maintained and saved as a user-specific view.

Page 17: EARA.pdf


User Interface Elements: User Query and Personalization

Streamlined user interface with a step-by-step process to define a new query. User Personalization is available to define the default view.

Page 18: EARA.pdf


User Interface Elements: User Help

A quick user help or field help can be displayed with the right mouse button.


Page 21: EARA.pdf


Risk Analysis Framework: Conditions

Conditions can be added and removed as required. Multiple operators are provided depending on the condition.

Page 22: EARA.pdf


Risk Analysis Framework: Multiple Risk Analysis Types

When executing a risk analysis it is now possible to perform multiple risk analysis types at the same time.

Page 23: EARA.pdf


Risk Analysis Framework: Multiple Selections and File Upload

When a condition is switched to multiple selections, a new window can be launched. This not only allows multiple selections but also lets you upload values from a text file.

Page 24: EARA.pdf


Risk Analysis Framework: Large Reports: Result Sets

When reports are too large they are split into different “Result Sets”. This allows exporting them as multiple files, avoiding file size restrictions and providing better memory management.

Page 25: EARA.pdf


Risk Analysis Framework: Report Settings

Filter and Settings allow customizing and searching the Result Set. Users can customize the columns they want to see; sorting controls are also available.

Page 26: EARA.pdf


Risk Analysis Framework: New Columns: Last Executed On and Execution Count

You can now see in the risk analysis results how many times and when the transaction was last executed.

Page 27: EARA.pdf


Risk Analysis Framework: Drill-down on Reports

In the access risk analysis reports it is now possible to drill down on the User IDs and Access Risk IDs.

Page 28: EARA.pdf


Risk Analysis Framework: Drill-down on Risk Definitions

It is possible to drill down on the functions of a risk and on the user ID of whoever modified the risk.

Page 29: EARA.pdf


Risk Analysis Framework: Crystal Reports

Reports can now be shown as Crystal Reports. No additional software is required on the server, but the clients must install the Crystal Report Adapter.

Page 30: EARA.pdf


Risk Analysis Framework: Export to PDF

Users can create a PDF version of the reports by clicking the Print Version button. This functionality requires an Adobe Document Services instance in the GRC landscape.

Page 31: EARA.pdf


System Specific Mitigation

• Overview and benefits
• Assigning a Mitigating Control
• Listing mitigating controls

Page 32: EARA.pdf


System Specific Mitigation: Overview and Benefits

System Specific Mitigation:

• Allows assigning a mitigating control to specific systems
• Multiple systems can be chosen while assigning a mitigating control

Benefits of this feature include:

• Less complexity while defining risks and assigning mitigating controls, due to an easy interface for assigning controls to multiple systems
• More flexibility as to which risks are mitigated on specific systems


Page 34: EARA.pdf


Assigning a Mitigating Control: Role

This also applies to all other types of mitigations, as shown here on the Mitigated Roles screen.


Page 37: EARA.pdf


Mass Mitigation: Overview and Benefits

Mass Mitigation:

• While viewing an access risk analysis report, multiple risks can now be mitigated at once

Benefits of this feature include:

• Speed up the mitigation process by assigning multiple mitigations in a single step
• Improve mitigating control quality; fewer steps to mitigate multiple risks means fewer potential errors introduced by the user

Page 38: EARA.pdf


Assigning Mitigating Controls: Multiple Risk Selection

• Every access risk analysis report provides a button for mitigating risks; simply select multiple entries and click the Mitigate Risk button
• A single mitigating control can be assigned to all selected risks

Page 39: EARA.pdf


Assigning Mitigating Controls: Control Parameters

After clicking Mitigate Risk, any control already assigned to the risk ID will be auto-populated. The control can be replaced by clicking in the Control ID field and searching the available controls, or by creating a new control with the Create Control button.

Page 40: EARA.pdf


Assigning Mitigating Controls: Validity Periods

You can update the status and validity periods for multiple control assignments by selecting one or many rows and clicking the Status or Validity Period buttons (mass update to validity period shown).

Page 41: EARA.pdf


Assigning Mitigating Controls: System and Rule ID Selection

Mitigation can be done at the access rule ID level or at the system level. Enter * to mitigate across all systems and all rule IDs.

Select a row and click View Details to see additional details about the assigned control (long and short description, assigned risks, monitor, and so on).
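As an added example (not code from this SAP deck), the following Python model shows the rule generation and mitigation matching these slides describe: a risk's functions are expanded into action-level rules (as Generate Rules does), violations are found per user and system, and a mitigation assignment covers a violation only when its system and rule ID match exactly or via the * wildcard and the analysis date lies within its validity period. The function and action codes, the rule ID numbering, the status values and the sample users are constructed assumptions, not SAP's delivered rule set.

```python
import itertools
from collections import namedtuple
from datetime import date

# Constructed rule set (not SAP's delivered rules). A function groups actions
# (transaction codes); a risk lists the functions that conflict with each other.
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},  # assumed: maintain vendor master data
    "AP02": {"F110"},          # assumed: run automatic payments
}
RISKS = {"P001": ("AP01", "AP02")}  # constructed SoD risk id

Violation = namedtuple("Violation", "user risk_id system rule_id")
# system/rule_id of '*' means all systems / all rule ids; status values assumed
Mitigation = namedtuple(
    "Mitigation", "user risk_id control_id system rule_id valid_from valid_to status")

def generate_rules(risk_id, func_ids, functions=FUNCTIONS):
    """Expand a risk into action-level rules, one per combination of one action
    from each function, numbered in sorted order (assumed rule id scheme)."""
    combos = itertools.product(*(sorted(functions[f]) for f in func_ids))
    return {f"{risk_id}{i:03d}": frozenset(c) for i, c in enumerate(combos, 1)}

def analyze(user_actions, risks=RISKS):
    """user_actions maps (user, system) -> actions the user can execute there;
    a rule fires when the user holds every action in it."""
    found = []
    for (user, system), actions in user_actions.items():
        for risk_id, func_ids in risks.items():
            for rule_id, rule_actions in generate_rules(risk_id, func_ids).items():
                if rule_actions <= actions:
                    found.append(Violation(user, risk_id, system, rule_id))
    return found

def is_mitigated(v, mitigations, on):
    """Covered when an active assignment for the same user and risk matches the
    violation's system and rule id exactly or via '*' and is valid on `on`."""
    for m in mitigations:
        if (m.user, m.risk_id, m.status) != (v.user, v.risk_id, "Active"):
            continue
        if m.system not in ("*", v.system) or m.rule_id not in ("*", v.rule_id):
            continue
        if m.valid_from <= on <= m.valid_to:
            return True
    return False

def unmitigated(user_actions, mitigations, on):
    """Violations that still need a mitigating control on the analysis date."""
    return [v for v in analyze(user_actions) if not is_mitigated(v, mitigations, on)]

# Constructed sample data: two users in one connected system, two assignments.
SAMPLE_USER_ACTIONS = {
    ("JDOE", "ERP_PRD"): {"FK01", "F110"},
    ("ASMITH", "ERP_PRD"): {"FK01", "FK02", "F110"},
}
SAMPLE_MITIGATIONS = [
    Mitigation("JDOE", "P001", "CTRL-0001", "*", "*",
               date(2011, 1, 1), date(2011, 12, 31), "Active"),
    Mitigation("ASMITH", "P001", "CTRL-0002", "ERP_PRD", "P001001",
               date(2011, 1, 1), date(2011, 12, 31), "Active"),
]
```

With the sample data, unmitigated(SAMPLE_USER_ACTIONS, SAMPLE_MITIGATIONS, date(2011, 6, 1)) leaves only ASMITH's rule P001002 open, because the rule-level control covers P001001 alone while JDOE's wildcard assignment covers everything; on a date after 2011 all three violations reappear.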

Page 42: EARA.pdf


Approval Process for Functions

• Overview
• Configuration Setup
• Workflow

Page 43: EARA.pdf


Approval Process for Functions: Overview

New feature in Access Control 10.0. Functions are the building blocks of risks in manage and analyze access risk.

Any changes in functions have a direct effect on the access rule set, so changes in functions need to be tracked and audited.

Page 44: EARA.pdf


Configuration Setup: Launching IMG Task

The addition of new functions or changes to existing functions by the Rule Architect can have their own approval process. Workflow for Function Maintenance is enabled as part of the Access Control configuration parameters.

Execute transaction SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Maintain Configuration Settings

Page 45: EARA.pdf


Configuration Setup: Adding Configuration Parameters

Click New Entries.

Enter the configuration:

• Parameter Group – 5 Workflow
• Parameter ID – 1064 Function Maintenance
• Parameter Value – YES

Click Save.


Page 47: EARA.pdf


Workflow: Workflow Inbox

Upon submission, a workflow will be delivered to the workflow approver for approval or rejection.

If configured, the user will receive an email notifying them that a new work item has arrived in their workbox.

Page 48: EARA.pdf


Workflow: Approval / Rejection Decision

The workflow approver can then approve or reject each item in the Workflow Inbox.


Page 50: EARA.pdf


Workflow: Process ID

The Function Maintenance workflow is delivered in the Business Configuration (BC) Set. The first step is Process Global Settings.

Page 51: EARA.pdf


Additional Audit Trail Tracking

• Overview
• Benefits
• Configuration
• Viewing the Audit Trail

Page 52: EARA.pdf


Audit Trail: Overview

All changes related to access rules can be tracked. The following components can have an audit trail:

• Function
• Risk
• Org Rule
• Supplementary Rule
• Critical Role
• Critical Profile
• Rule set

A new configuration parameter has been included for maintaining the components to be tracked.


Page 54: EARA.pdf


Configuration: Launching IMG Task

Components to be tracked are configured using IMG under Maintain Configuration Settings.

Page 55: EARA.pdf


Configuration: Adding Configuration Parameters

A new parameter is available: Change Log.

A list of all available components is shown. This parameter can be configured for each required component.

Page 56: EARA.pdf


Viewing the Audit Trail: Change History

Each access rule component (please refer to the Overview) has a Change History tab; if the respective configuration entry was set in IMG, a complete audit trail will be shown.

The report shows the old and new values, who applied these changes, and the time of the operation.

Page 57: EARA.pdf


Viewing the Audit Trail: Exporting the Change History

The report can be exported to Excel for further processing. A printer-friendly version can also be shown by clicking the respective button.

Page 58: EARA.pdf


Viewing the Audit Trail: Change Log Report

A change log report is available in the Reports & Analytics work center that provides reporting on all audit-trail-enabled AC objects.

Page 59: EARA.pdf


Thank You!

Contact information:

Luis Bustamante, Customer Solution Adoption (GRC), [email protected]

Page 60: EARA.pdf


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.