7/27/2019 EARA.pdf
http://slidepdf.com/reader/full/earapdf 1/60
AC 10.0 Enhanced Access Risk Analysis
Customer Solution Adoption
June 2011
Version 2.0
Purpose of this document
This document describes the major enhancements to the access risk analysis capability of GRC, including end user customization and personalization. It covers how to navigate through the different reports, and also new functionality such as bulk maintenance, automation, audit trail, and mitigation options.
© 2011 SAP AG. All rights reserved. 3
Agenda
Introduction
Rule Set Maintenance
New Risk Analysis Framework
System Specific Mitigation
Mass Mitigation
Approval Process for Functions
Additional Audit Trail Tracking
Introduction
• Enhanced Access Risk Analysis Overview
Enhanced Access Risk Analysis Overview
Enhances the leading access analysis engine with an intuitive interface that supports end user customization and personalization. New bulk maintenance, automation, audit trail, and mitigation options enable a faster and more efficient path to compliance.

Solution Enhancements
• New interface allows targeted risk analysis as well as importing, editing, and reusing analysis criteria
• New ability to customize and personalize access risk results
• Enables Business Role and CUA composite role risk analysis
• New ability to mitigate by system and by access rule ID
• New support for mass mitigation, including assignment and maintenance with bulk updates
• New function maintenance workflow
• Enhanced Audit Trail

Key Benefits
• More efficient, flexible access risk analysis options and improved ability to analyze results
• Faster deployments and easier data maintenance over time
• Reduce broad application of controls
• Ability to repurpose workflows, including routing and escalation logic, by utilizing the standardized workflow engine
Rule Set Maintenance
• Overview
• Maintaining Rules
• User Interface Elements
Rule Set Maintenance: Overview
Rule Set Maintenance:
• Consistent user experience throughout the application
• Ability to filter and sort reports listing rule sets, functions and risks
• Ability to hide and rearrange columns listing rule sets, functions and risks
Maintaining Rules: Rule Setup
Navigate to Access Rule Maintenance for creation and maintenance of rules
Maintaining Rules: Function
Select Function to create or maintain the function with actions and permissions. A Change History tab is available.
Maintaining Rules: Function Mass Maintenance
Streamlined user interface with a step-by-step process
Maintaining Rules: Risk
Select Access Risk to create or maintain the risk. Change History is available.
Maintaining Rules: Generate Rules
The Generate Rules button in the Function and Risk menu bar is available to update the rules in either Foreground or Background.
User Interface Elements: Sorting
A column can be sorted in ascending or descending order by clicking the column name.
User Interface Elements: Hide and Rearrange Columns
Columns can be hidden and their sequence can be changed.
User Interface Elements: Rearrange Columns
The Sorting, Calculation, Filter, Display, and Print Settings can be maintained and saved as a user-specific view.
User Interface Elements: User Query and Personalization
Streamlined user interface with a step-by-step process to define a new query. User Personalization is available to define the default view.
User Interface Elements: User Help
A quick user help or field help can be displayed with the right mouse button.
Risk Analysis Framework: Conditions
Conditions can be added and removed as required. Multiple operators are provided depending on the condition.
Risk Analysis Framework: Multiple Risk Analysis Types
When executing a risk analysis it is now possible to perform multiple risk analysis types at the same time.
Risk Analysis Framework: Multiple Selections and File Upload
When a condition is switched to multiple selections a new window can be launched. This not only allows multiple selections but also uploading values from a text file.
Risk Analysis Framework: Large Reports: Result Sets
When reports are too large they are split into separate “Result Sets”. This allows exporting them as multiple files, avoiding file size restrictions and providing better memory management.
Risk Analysis Framework: Report Settings
Filter and Settings are available to customize and search the Result Set: the user can choose which columns to display, and sorting controls are available.
Risk Analysis Framework: New Columns: Last Executed On and Execution Count
You can now see in the risk analysis results how many times and when the transaction was last executed.
Risk Analysis Framework: Drill-down on Reports
In the access risk analysis reports it is now possible to drill down on the User IDs and Access Risk IDs.
Risk Analysis Framework: Drill-down on Risk Definitions
It is possible to drill down on functions and on the user ID that modified a risk.
Risk Analysis Framework: Crystal Reports
Reports can now be shown as Crystal Reports. No additional software is required on the server, but the Crystal Reports Adapter must be installed on the clients.
Risk Analysis Framework: Export to PDF
Users can create a PDF version of the reports by clicking the Print Version button. This functionality requires an Adobe Document Services instance in the GRC landscape.
System Specific Mitigation
• Overview and benefits
• Assigning a Mitigating Control
• Listing mitigating controls
System Specific Mitigation: Overview and Benefits
System Specific Mitigation:
• Allows assigning a mitigating control to specific systems
• Multiple systems can be chosen while assigning a mitigating control

Benefits of this feature include:
• Less complexity while defining risks and assigning mitigating controls, due to an easy interface for assigning controls to multiple systems
• More flexibility as to which risks are mitigated on specific systems
Assigning a Mitigating Control: Role
This also applies to all other types of mitigations, as shown here on the Mitigated Roles screen.
Mass Mitigation: Overview and Benefits
Mass Mitigation:
• While viewing an access risk analysis report, multiple risks can now be mitigated at once

Benefits of this feature include:
• Speeds up the mitigation process by assigning multiple mitigations in a single step
• Improves mitigating control quality: fewer steps to mitigate multiple risks means fewer potential errors introduced by the user
Assigning Mitigating Controls: Multiple Risk Selection
• Every access risk analysis report provides a button for mitigating risks; simply select multiple entries and click the Mitigate Risk button
• A single mitigating control can be assigned to all selected risks.
Assigning Mitigating Controls: Control Parameters
After clicking Mitigate Risk, any control assigned to the risk ID will be auto-populated. The control can be replaced by clicking in the Control ID field and searching available controls, or by creating a new control with the Create Control button.
Assigning Mitigating Controls: Validity Periods
You can update the status and validity periods for multiple control assignments by selecting one or many rows and clicking the Status or Validity Period buttons (mass update to validity period shown).
Assigning Mitigating Controls: System and Rule ID Selection
Mitigation can be done at the access rule ID level or system level. Enter * to mitigate across all systems and all rule IDs. Select a row and click View Details to see additional details about the assigned control (long and short description, assigned risks, monitor, and so on).
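As an added illustration (not SAP code, and not the product's actual rule-generation algorithm), the following Python models two things described above: how functions and risks expand into action-level rules in the Generate Rules step, and how a system-specific mitigation with * wildcards and a validity period decides which findings count as mitigated. All function, risk, rule, control, transaction and system IDs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from itertools import product

# Constructed sample rule set (hypothetical IDs): a function is a set of
# actions; a risk is a conflicting combination of functions.
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},   # e.g. maintain vendor master
    "AP02": {"F-53", "F110"},   # e.g. post vendor payments
}
RISKS = {"P001": ("AP01", "AP02")}
TODAY = date(2011, 6, 15)

def generate_rules(functions, risks):
    """Model of the Generate Rules step: expand each risk into action-level
    rules, one per combination of actions across its functions."""
    rules = {}
    for risk_id, funcs in risks.items():
        combos = product(*(sorted(functions[f]) for f in funcs))
        for n, combo in enumerate(combos, start=1):
            rules[f"{risk_id}{n:03d}"] = (risk_id, frozenset(combo))
    return rules

@dataclass
class Mitigation:
    """Control assignment; '*' for system or rule ID means 'all'."""
    risk_id: str
    control_id: str
    system: str = "*"
    rule_id: str = "*"
    valid_from: date = date.min
    valid_to: date = date.max

    def covers(self, system, rule_id, risk_id, today):
        return (self.risk_id == risk_id
                and self.system in ("*", system)
                and self.rule_id in ("*", rule_id)
                and self.valid_from <= today <= self.valid_to)

def analyze(user_actions, rules, mitigations, today):
    """user_actions maps system -> actions the user can execute. Returns
    (system, rule_id, risk_id, control_id or None) for each violated rule;
    None marks a finding that no valid mitigation covers."""
    findings = []
    for system, actions in sorted(user_actions.items()):
        for rule_id, (risk_id, combo) in sorted(rules.items()):
            if combo <= actions:
                control = next((m.control_id for m in mitigations
                                if m.covers(system, rule_id, risk_id, today)), None)
                findings.append((system, rule_id, risk_id, control))
    return findings

# Constructed user access and control assignments for the demonstration.
USER_ACTIONS = {"ERP_PRD": {"FK01", "F110"},
                "ERP_QAS": {"FK01", "FK02", "F-53", "F110"}}
MITIGATIONS = [Mitigation("P001", "CTL001", system="ERP_PRD"),
               Mitigation("P001", "CTL002", system="ERP_QAS",
                          rule_id="P001001", valid_to=date(2011, 12, 31))]

if __name__ == "__main__":
    print(analyze(USER_ACTIONS, generate_rules(FUNCTIONS, RISKS), MITIGATIONS, TODAY))
```

Running it shows that the PRD-only control covers every rule of the risk on that system, while the QAS control covers a single rule ID and stops counting once its validity period has passed.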
Approval Process for Functions
• Overview
• Configuration Setup
• Workflow
Approval Process for Functions: Overview
New feature in Access Control 10.0. Functions are the building blocks of risks in Manage and Analyze Access Risk.
Any changes in functions have a direct effect on the access rule set. Changes in functions need to be tracked and audited.
Configuration Setup: Launching IMG Task
Addition of new functions or changes to existing functions by the Rule Architect can have their own approval process. Workflow for Function Maintenance is enabled as part of the Access Control configuration parameters.
Execute transaction SPRO > SAP Reference IMG > Governance, Risk and Compliance > Access Control > Maintain Configuration Settings
Configuration Setup: Adding Configuration Parameters
Click New Entries and enter the configuration:
• Parameter Group – 5 Workflow
• Parameter ID – 1064 Function Maintenance
• Parameter Value – YES
Click Save
Workflow: Workflow Inbox
Upon submission a workflow item is delivered to the workflow approver for approval or rejection. If configured, the user receives an email notifying them that a new work item has arrived in their workbox.
Workflow: Approval / Rejection Decision
The workflow approver can then approve or reject each item in the Workflow Inbox.
Workflow: Process ID
The Function Maintenance workflow is delivered in the Business Configuration (BC) Set. The first step is Process Global Settings.
Additional Audit Trail Tracking
• Overview
• Benefits
• Configuration
• Viewing the Audit Trail
Audit Trail: Overview
All changes related to access rules can be tracked. The following components can have an audit trail:
• Function
• Risk
• Org Rule
• Supplementary Rule
• Critical Role
• Critical Profile
• Rule set
A new configuration parameter has been included for maintaining the components to be tracked.
Configuration: Launching IMG Task
Components to be tracked are configured using IMG under Maintain Configuration Settings.
Configuration: Adding Configuration Parameters
A new parameter is available: Change Log
A list of all available components is shown. This parameter can be configured for each required component.
Viewing the Audit Trail: Change History
Each access rule component (see the Overview) has a Change History tab; if the respective configuration entry was set in IMG, a complete audit trail is shown.
The report shows the old and new values, who applied the changes, and the time of the operation.
Viewing the Audit Trail: Exporting the Change History
The report can be exported to Excel for further processing. A printer-friendly version can also be shown by clicking the respective button.
Viewing the Audit Trail: Change Log Report
A change log report is available in the Reports & Analytics work center that provides reporting of all audit-trail-enabled AC objects.
Thank You!
Contact information:
Luis Bustamante
Customer Solution Adoption (GRC)
[email protected]
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.