2012
SAP BusinessObjects GRC Access Control Approach Document
SAP GRC ACCESS CONTROL Approach Document
Padmanabha 4/23/2012
SAP BO GRC Access Control
TABLE OF CONTENTS

1 Introduction ........................................................ 3
1.1 About SAP GRC Access Control ...................................... 4
1.2 SAP GRC Access Control Modules and Features ....................... 5
1.3 Need for SAP GRC Access Control ................................... 6
2 SAP GRC Overview .................................................... 8
3 SAP GRC Architecture ................................................ 9
3.1 GRC Architecture Framework ....................................... 10
3.2 Cross Enterprise Solution ........................................ 11
4 GRC Application Landscape .......................................... 12
5 SAP GRC Access Control Installation ................................ 13
5.1 GRC Landscape .................................................... 13
5.2 Support Pack Levels and Backend Compatibilities .................. 13
5.3 Hardware Requirements ............................................ 14
6 Implementation Methodology ......................................... 15
6.1 Implementation Phases ............................................ 15
6.2 Risk Analysis & Remediation Overview ............................. 16
6.3 Enterprise Role Management ....................................... 18
6.4 Compliant User Provisioning – Workflow Overview .................. 20
6.5 Super User Privilege Management - Overview ....................... 21
6.6 Harmonization between all GRC products ........................... 23
6.7 GRC - Management Oversight and Internal Audit .................... 23
6.8 Implementation Approach .......................................... 24
6.9 GRC Integration Aspects .......................................... 24
7 SAP GRC Access Control Benefits .................................... 28
8 ASAP Methodology ................................................... 30
9 Deliverables ....................................................... 31
Page 2 of 32
1 Introduction

Corporate governance issues have dominated the agendas of C-level executives at large corporations. With the acquisition and rapid integration of Virsa in the SoD and access control space, SAP has an evolved GRC offering that has been proven over many years of real-world experience and industry-specific deployments. In addition, SAP's partnership with Cisco signals the company's intent to provide comprehensive risk protection from the network layer to the application layer. With the introduction of SAP GRC Repository, SAP GRC Process Control, SAP GRC Risk Management, SAP GRC Global Trade Services (GTS) and SAP Environment, Health & Safety (EH&S), SAP offers a comprehensive portfolio of GRC solutions. Equally important, these applications are built on the NetWeaver platform, making them among the first service-oriented-architecture (SOA) based GRC solutions.

This document describes, at a high level, the approach note and technical approach for an SAP GRC Access Control 5.3 (AC 5.3) implementation. Following industry best practice and SAP guidelines, the GRC Access Control implementation is rolled out to meet the business needs and compliance requirements.
1.1 About SAP GRC Access Control

SAP GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk and better business performance.

Figure: GRC Access Control Evolution Path
The Access Control application includes the following capabilities:

• Risk Analysis and Remediation, which supports real-time compliance to detect, remove and prevent access and authorization risk, stopping security and control violations before they occur.
• Compliant User Provisioning, which automates provisioning, tests for SoD risks and streamlines approvals to the appropriate business approvers, unburdening IT staff and providing a complete history of user access.
• Enterprise Role Management, which standardizes and centralizes role creation and maintenance.
• Superuser Privilege Management, which enables users to perform emergency activities outside their roles as a "privileged user" in a controlled and auditable environment.

SAP GRC solutions help companies comply with the Sarbanes-Oxley Act and other regulatory mandates by enabling organizations to rapidly identify and remove authorization risks from IT systems. Access Control allows preventive controls to be embedded into business processes so that new SoD violations cannot be introduced without proper approval and mitigation.
SAP GRC Access Control provides the following functionality:

• Analyzes and detects access and authorization control violations in real time, with simulation, and provides the means to remediate them
• Monitors and tracks privileged user access
• Provides compliant user and access provisioning
• Defines and documents the security access design

Key features and benefits of SAP GRC Access Control:

• Automated SAP security audit and segregation of duties (SoD) analysis
• Real-time risk assessment
• Simulation and remediation
• Mitigating controls
• Preventive as well as detective controls
• Security and audit summary and drill-down reports
• Cross-enterprise analysis
1.2 SAP GRC Access Control Modules and Features

The specific modules of SAP GRC Access Control are:

• Risk Analysis and Remediation (formerly "Virsa Compliance Calibrator")
• Compliant User Provisioning (formerly "Virsa Access Enforcer")
• Enterprise Role Management (formerly "Virsa Role Expert")
• Superuser Privilege Management (formerly "Virsa FireFighter for SAP")
High-level features of the individual components are:

Risk Analysis and Remediation (RAR): Based on the rule set, RAR assesses risk, enabling businesses to identify conflicts immediately, drill down into root causes and resolve them swiftly. It supports quick, effective and comprehensive identification and elimination of existing access and authorization risks.

Superuser Privilege Management (SPM): Enables users to perform activities outside their role under superuser-like privileges in a controlled, auditable environment for emergency operations. It tracks, monitors and logs every activity a superuser performs with a privileged user ID. Web-based reporting provides business process owners and auditors with detailed multi-system usage reports across the SAP landscape. Activity logs track input down to field-value level and allow easy filtering, sorting and downloading.

Enterprise Role Management (ERM): Enforces SoD at design time, centralizes role design across applications and standardizes role design, testing and maintenance.

Compliant User Provisioning (CUP): Enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals and reduce the workload for IT staff.
1.3 Need for SAP GRC Access Control
Compliance Issues
Negative Sarbanes-Oxley Audit Results
Segregation of Duties (Conflicts) / Excessive Access
Security Administration Process
Internal Controls Repository
Maintaining a clean environment
Program Development/ERP Upgrades
Escalating help desk costs
Change management
ITGC and Business cycles controls/responsibility
Incomplete Global Risk Profile
Present corporate-governance legislation therefore demands a high level of transparency and accountability in the disclosure of a company's financial statements.

An SAP GRC Access Control implementation addresses these issues by providing the GRC transparency illustrated in the following diagram:
2 SAP GRC Overview

SAP GRC Access Control offers a robust solution for monitoring, testing and enforcing access and authorization controls, enabling enterprises to fulfil compliance and regulatory requirements quickly. The following illustration provides an overview of all software components used by SAP GRC Access Control, including Risk Analysis and Remediation, Compliant User Provisioning, Enterprise Role Management and Superuser Privilege Management.
3 SAP GRC Architecture

The GRC technical architecture is as depicted:

• Provides centralized cross-enterprise compliance visibility
• Rule Architect analyses access to non-SAP systems as well as SAP systems
• Leverages the SAP NetWeaver Application Server
• Runs separately from, and does not impact, the production server
• Features a single compliance dashboard
• Role-dependent views using the SAP User Management Engine (UME)
• Logging on to an SAP client is not required to access Risk Analysis and Remediation
3.1 GRC Architecture Framework

The central component of SAP GRC Access Control connects to multiple enterprise software systems. The adapter framework provides a common runtime environment for the risk analysis of different ERP systems. The real-time agent (RTA) is the back-end counterpart installed on each target system. Together they provide real-time connectivity between SAP GRC and the back-end systems, supporting around-the-clock compliance: control violations are detected, removed and prevented before they occur.
3.2 Cross Enterprise Solution

Figure: Cross Enterprise Solution
4 GRC Application Landscape

Figure: GRC Application Landscape
5 SAP GRC Access Control Installation

5.1 GRC Landscape

As a minimum, industry best practice is to deploy SAP GRC Access Control as a two-system landscape: DEV/QA and PROD. SAP GRC AC is first installed in the DEV/QA environment. The software requirement is SAP NetWeaver 7.0 Web Application Server (SP10 or above) with the Java/J2EE stack and Java Runtime Environment 1.4.x, on Windows 2000 / 2000 Advanced Server / 2003 Server (Standard/Enterprise/Web) or a Linux/Unix server.

Pre-installation checklist:
• the SAP database exists;
• the User Management Engine (UME) is installed and configured;
• memory settings for the NetWeaver 7.0 Web Application Server (WAS) are configured.

Post-installation configuration:
• create the Administrator role;
• assign the Administrator role to the administrator user;
• choose the language setting;
• connect the stand-alone J2EE system to the remote SAP server(s).

After these steps SAP GRC Access Control is ready for configuration and implementation to begin. The installation can be done by the in-house Web AS (Basis) team or as part of the GRC implementation. The component configurations are built in the DEV/QA system. Optionally, a sandbox system can be deployed for the pilot and as the implementation baseline for the enterprise-wide GRC functionality. The configurations are then replicated for development, testing and QA in the DEV/QA environment and moved to the PROD environment in the Final Preparation phase. Because AC 5.3 is a Java application, this move is an export from DEV/QA and an upload into PROD of the configuration, rule set, roles and users (see the Deliverables section), not an ABAP transport request.
5.2 Support Pack Levels and Backend Compatibilities

Prerequisites for Access Control 5.3:

• SAP NetWeaver 7.0 with SP10 or higher
• A System Landscape Directory (SLD) is required for Risk Analysis and Remediation

Supported RTA (backend) releases:

• SAP R/3 4.6C
• SAP NetWeaver 2004 / ECC 5.0
• SAP NetWeaver 7.0 / ECC 6.0
• Optional: BI 7.0 and EP 7.0
This table indicates the minimum support package level required for each backend system (RTA), with the corresponding SAP Note numbers:

The RTA for the later Access Control 10.0 release can be installed on any SAP system that meets the support package prerequisites for its ABAP and Basis stacks (SAP_ABA and SAP_BASIS) as indicated in the table.
5.3 Hardware Requirements

• Machine: server-based, dual processors at 2.4–3.2 GHz or faster
• RAM: 16 GB
• Hard disk: 120 GB minimum (240 GB recommended)

Precise sizing is determined during the implementation based on the data volume.
6 Implementation Methodology

The project methodology is spread across Analysis, Design, Build, Test and Deliver. Along the same lines, SAP GRC AC has a standard implementation methodology, based on the ASAP methodology, spread across "Get clean", "Stay clean" and "Stay in control" for the various components.
6.1 Implementation Phases

A Risk Analysis and Remediation (Compliance Calibrator) implementation is typically broken down into six distinct phases:

Risk Recognition
• Identify or approve conflicts and exceptions
• Classify risks as High, Medium or Low
• Identify new risks and conditions that should be monitored

Rule Building and Validation
• Establish technical rules to monitor risk
• Verify rules against test cases (users/roles)

Analysis
• Run analytical reports
• Explore alternatives for eliminating risks
• Size the cleanup effort
• Modify rules based on the analysis

Remediation
• Determine alternatives for eliminating risks
• Present the analysis and select corrective actions
• Document approval of corrective actions
• Modify or create roles or user assignments

Mitigation
• Design alternative controls to mitigate risk
• Educate management on conflict approval and monitoring
• Document a process for monitoring mitigating controls
• Implement controls

Continuous Compliance / Improvement
• Communicate changes in roles and user assignments
• Simulate changes to roles and users
• Implement alerts to monitor for newly selected risks and mitigating-control testing

6.2 Risk Analysis & Remediation Overview
Risk Analysis & Remediation – Segregation-of-Duties Management Process Overview

SAP security makes it possible to prevent an individual from executing combinations of transactions without the involvement of another person in the process. Proactive SoD management involves identifying the ways in which fraud could be committed or processes accidentally corrupted, and monitoring the security privileges granted to individuals so that such capabilities are known before they are exploited. There are, however, circumstances that require the same person to be able to, for example, both order and receive materials. In these cases a detective control should be put in place to review that person's activity and detect fraud or unusual transactions. The management process is designed to help Business Process Owners (BPOs) recognize SoD risks and implement the necessary mitigating controls. Security owns the SoD process and acts as facilitator. The BPOs are responsible for managing the risks and designing alternative controls when segregation of duties cannot be achieved. Once the risks are defined, Business Process Analysts (BPAs) provide the technical knowledge to ensure the appropriate transactions, related authorization objects and field values are defined in Risk Analysis and Remediation. BPOs are also responsible for approving the actions taken to rectify SoD issues inherent in the roles under their responsibility.
RAR Implementation Approach

GRC Access Control Risk Analysis and Remediation is implemented as defined in the standard SoD management process, carried through the phases from risk definition to remediation and mitigation, leading to an SoD-clean state. Security owns the SoD process and acts as facilitator. The Business Process Owners manage the risks and design alternative controls where segregation of duties cannot be achieved. Once the risks are defined, Business Process Analysts provide the technical knowledge to ensure the appropriate transactions, related objects and field values are defined. Business Process Owners also approve the actions taken to rectify SoD issues inherent in roles and the mitigating controls assigned to users. The audit department owns the responsibility for conducting audits to discover SoD issues and for testing the mitigating controls implemented by the business process owners. The SoD rule keeper is responsible for controlling the rules in the system, and the SAP security administrator, who owns the security administration activities, is kept segregated from the SoD duties. The following diagram depicts the high-level solution approach of Risk Analysis and Remediation:
Figure: Enhanced Access Risk Analysis (RAR v10)
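The SoD process and the six RAR phases above, as an added worked example (it is not code from the original document and not SAP's or RAR's own implementation): an action-level risk analysis in Python. The business functions, risks, roles, users and the mitigating control (ME21N/MIGO, Z_BUYER, MC-017 and so on) are constructed for illustration, and analyze, simulate and role_level_conflicts are this example's own functions, not a RAR API. It shows rule building (functions and risks), user-level analysis with drill-down to the roles that cause each conflict, a mitigating control attached to a user/risk pair, the design-time check on a single role that ERM describes, and the preventive simulation a provisioning request is subjected to before a role is assigned. A real rule set also has permission-level rules (authorization objects and field values); the example stops at transaction codes to keep the logic visible.

```python
"""Segregation-of-duties (SoD) risk analysis at action (transaction) level.

Added example; the rule set, roles, users and control IDs are constructed for
illustration and are not SAP's delivered content. A real RAR rule set also
carries permission-level rules (authorization objects and field values); this
example stops at the action level to keep the logic visible.
"""
from collections import defaultdict

# Business functions: the transaction codes that let a user perform them.
FUNCTIONS = {
    "PO_CREATE":  {"ME21N", "ME22N"},   # create / change purchase order
    "GOODS_RCPT": {"MIGO", "MB01"},     # post goods receipt
    "VENDOR_MNT": {"XK01", "XK02"},     # maintain vendor master
    "PAY_RUN":    {"F110"},             # execute payment run
}

# Risks: pairs of functions one person must not hold together, with the risk
# level (High / Medium / Low) assigned by the business process owner.
RISKS = {
    "P001": ("PO_CREATE", "GOODS_RCPT", "High"),
    "P002": ("VENDOR_MNT", "PAY_RUN", "High"),
    "P003": ("PO_CREATE", "VENDOR_MNT", "Medium"),
}

# Roles are the unit of assignment; each grants a set of transaction codes.
ROLES = {
    "Z_BUYER":    {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHS":   {"MIGO", "MB51"},
    "Z_VENDOR":   {"XK01", "XK02", "XK03"},
    "Z_TREASURY": {"F110", "FBL1N"},
    "Z_P2P_ALL":  {"ME21N", "MIGO"},    # conflicts on its own; not assigned
}

USERS = {
    "ALICE": {"Z_BUYER", "Z_WAREHS"},     # buys and receives goods -> P001
    "BOB":   {"Z_VENDOR", "Z_TREASURY"},  # vendor master and payments -> P002
    "CAROL": {"Z_BUYER"},                 # clean
}

# Mitigating controls: a (user, risk) pair covered by a documented detective
# control. The violation is still reported, but flagged as mitigated.
MITIGATIONS = {("ALICE", "P001"): "MC-017 weekly three-way-match review by AP manager"}


def functions_held(user_roles):
    """Map each function the user can perform to the roles that grant it."""
    granted = defaultdict(set)
    for role in user_roles:
        for func, actions in FUNCTIONS.items():
            if actions & ROLES[role]:
                granted[func].add(role)
    return granted


def analyze(user_roles_map):
    """User-level risk analysis: one record per (user, risk) violated, with the
    roles that cause the conflict (the root-cause drill-down), the risk level
    and the mitigating control if one is assigned."""
    violations = []
    for user, roles in user_roles_map.items():
        held = functions_held(roles)
        for risk_id, (f1, f2, level) in RISKS.items():
            if f1 in held and f2 in held:
                violations.append({
                    "user": user, "risk": risk_id, "level": level,
                    "roles": sorted(held[f1] | held[f2]),
                    "mitigation": MITIGATIONS.get((user, risk_id)),
                })
    return violations


def simulate(user, new_role, user_roles_map):
    """Preventive check for a provisioning request: the risk IDs the user would
    violate after receiving new_role that they do not violate today."""
    before = {v["risk"] for v in analyze({user: user_roles_map[user]})}
    after = {v["risk"] for v in analyze({user: user_roles_map[user] | {new_role}})}
    return sorted(after - before)


def role_level_conflicts():
    """Design-time check: roles that violate a risk by themselves, which should
    be caught before the role is generated, let alone assigned."""
    return sorted((role, risk_id) for role, actions in ROLES.items()
                  for risk_id, (f1, f2, _level) in RISKS.items()
                  if actions & FUNCTIONS[f1] and actions & FUNCTIONS[f2])


if __name__ == "__main__":
    for v in analyze(USERS):
        status = "mitigated by " + v["mitigation"] if v["mitigation"] else "UNMITIGATED"
        print(f"{v['user']:6} {v['risk']} {v['level']:6} via {v['roles']} -> {status}")
    print("CAROL + Z_WAREHS would add:", simulate("CAROL", "Z_WAREHS", USERS))
    print("roles conflicting on their own:", role_level_conflicts())
```

Run as a script it prints ALICE's P001 violation as mitigated by MC-017, BOB's P002 as unmitigated, and shows that granting Z_WAREHS to CAROL would newly introduce P001. The simulate check is the point of the "preventive" claim in the text: the same analysis is run against the requested access before anything is provisioned, so a request can be routed to a mitigation step or rejected instead of creating a violation that a later detective scan has to find.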
6.3 Enterprise Role Management

Enterprise Role Management is a web-based application that automates the creation and management of role definitions. Role Expert (its earlier name) enforces best practices so that role definition, development, testing and maintenance are consistent across the entire implementation, resulting in lower ongoing maintenance and easier knowledge transfer. Enterprise Role Management lets SAP security administrators and role owners document role information that supports better role management, such as:
Tracking progress during role implementation.
Monitoring the overall quality of the implementation.
Performing risk analysis at role design time.
Setting up a workflow for role approval.
Providing an audit trail for all role modifications.
Maintaining roles after they are generated to keep role information current.
Enterprise Role Management has a rich set of reports to support overall role quality management and provide the information needed for precise role definitions and lower ongoing role maintenance. Its reports make the identification of segregation-of-duties risks straightforward and help get the most out of the SAP security system.

Enterprise Role Management Implementation Approach

Enterprise Role Management is implemented to automate the creation and management of roles. It is configured so that role definition, development, testing and maintenance are carried out consistently across the entire system landscape. With the tool, role maintenance is optimized and made compliant with regulatory requirements, and role redesign and remediation become easier. With optimal use of the tool, role redesign and cleanup (get clean) are achieved and ongoing roles are provisioned into the backend systems (stay in control). The following diagram depicts the high-level role automation in Enterprise Role Management:

Figure: Business Role Governance (ERM v10)
6.4 Compliant User Provisioning – Workflow Overview

Compliant User Provisioning workflows are configured to be triggered automatically by events such as a new user creation or a role change. The dynamic workflow provisions the approved actions directly into multiple systems. Compliant User Provisioning is configured so that business users can carry out provisioning activities, with proactive SoD analysis built in, without involving IT or application security personnel.

End-to-end automation means that a provisioning sequence is triggered by an event such as a new hire or a job change, processed through the dynamic workflow and finally provisioned directly into multiple systems. These steps can be performed by business users without involvement of IT or application security personnel. The following diagram depicts the high-level workflow of Compliant User Provisioning:
Figure: Streamlined User Access Management (CUP v10)
6.5 Super User Privilege Management - Overview

Super User Privilege Management (Firefighter) is configured to automate emergency access requests, such as access to SAP_ALL in the production system, so that they are carried out in a consistent, secure and compliant manner. Automation covers all aspects of firefighting: setting up Firefighter IDs and their users, owners and approvers; automatic logon; owner notifications; activity logging; and the related monitoring and administration. The following diagram depicts the use of an emergency request in Super User Privilege Management:
Figure: Centralized Emergency Access (SPM v10)
6.6 Harmonization between all GRC products

Figure: Harmonization between all GRC products

6.7 GRC - Management Oversight and Internal Audit
Management Oversight - At periodic intervals, managers need to exercise effective and comprehensive oversight: review and reaffirmation of user access, and so on. SAP GRC Access Control enables management to take this responsibility by running periodic access reviews. At a high level, management oversight should cover the following key areas:

• All user provisioning and all emergency superuser access
• Potential risks (users who hold authorizations for conflicting business functions but have not necessarily executed the transactions)
• Actual risks (determined through transaction monitoring: users who have actually run transactions that constitute an access violation)
• Access policy (review and fine-tune the rules library)
Internal Audit - Likewise, auditors periodically need effective and comprehensive audit information to verify that management follows policy. Typically, auditors validate that all access has been properly approved and that mitigations are effective. SAP GRC Access Control supports both audiences with a high degree of ease, effectiveness and comprehensiveness.
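The distinction the oversight review draws between potential and actual risk, as an added worked example (not code from the original document and not a RAR or SPM feature): a user with authorizations on both sides of a risk is a potential violation; the risk becomes actual when transaction monitoring shows the same user executed an action from each side. The rule set, the users' effective access and the usage log lines are constructed for illustration, the "timestamp user tcode" log format is this example's own (real usage data would come from SAP workload statistics or the security audit log in their own formats), and the 90-day pairing window is an assumption chosen here, not a product setting.

```python
"""Potential versus actual SoD risk from a transaction-usage log.

Added example; the rule set, the users' effective access and the usage log are
constructed for illustration. Real usage data would come from SAP workload
statistics (STAD / ST03N) or the security audit log, in their own formats.
"""
import re
from datetime import datetime, timedelta

# Constructed rule set: risk -> (actions of side A, actions of side B, level).
RISKS = {
    "P001": ({"ME21N", "ME22N"}, {"MIGO", "MB01"}, "High"),  # create PO vs goods receipt
    "P002": ({"XK01", "XK02"}, {"F110"}, "High"),            # vendor master vs payment run
}

# Constructed effective access per user, i.e. after expanding roles to actions.
ACCESS = {
    "ALICE": {"ME21N", "ME22N", "MIGO", "MB51"},
    "BOB":   {"XK01", "XK02", "F110", "FBL1N"},
    "DAVE":  {"ME21N", "MIGO"},
}

# Constructed usage log, one "timestamp user tcode" record per line.
USAGE_LOG = """\
2012-04-02T09:12:03 ALICE ME21N
2012-04-02T14:40:51 ALICE MIGO
2012-04-03T10:01:19 BOB   XK02
2012-04-17T08:55:00 DAVE  ME21N
2012-04-18T16:20:45 DAVE  MB51
"""
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_usage(text):
    """Return {user: {tcode: [execution times]}} from the log text."""
    usage = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue   # skip blank or malformed lines instead of failing the review
        ts, user, tcode = m.groups()
        usage.setdefault(user, {}).setdefault(tcode, []).append(datetime.fromisoformat(ts))
    return usage


def classify(access, usage, window=timedelta(days=90)):
    """Return {user: {risk_id: "actual" | "potential"}}.

    A user has a potential risk when their access covers both sides of a risk.
    It is counted as actual only when the log shows an execution from each side
    within `window` of one another, so that the conflicting halves were really
    combined. The 90-day default is this example's assumption, not a RAR setting.
    """
    result = {}
    for user, tcodes in access.items():
        ran = usage.get(user, {})
        for risk_id, (side_a, side_b, _level) in RISKS.items():
            if not (tcodes & side_a and tcodes & side_b):
                continue                       # cannot combine both sides: no risk
            times_a = [t for c in side_a for t in ran.get(c, [])]
            times_b = [t for c in side_b for t in ran.get(c, [])]
            actual = any(abs(a - b) <= window for a in times_a for b in times_b)
            result.setdefault(user, {})[risk_id] = "actual" if actual else "potential"
    return result


def review(access=ACCESS, log=USAGE_LOG, window_days=90):
    """Management-oversight view: classification for every user at risk."""
    return classify(access, parse_usage(log), timedelta(days=window_days))


if __name__ == "__main__":
    for user, risks in review().items():
        for risk_id, kind in risks.items():
            print(f"{user:6} {risk_id} {RISKS[risk_id][2]:5} {kind}")
```

With the sample data ALICE created a purchase order and posted a goods receipt on the same day, so P001 is reported as actual for her; BOB and DAVE hold conflicting access but the log shows only one side of their respective risks, so they stay potential. The window matters: with a very short window ALICE drops back to potential, which is why the pairing rule should be agreed with the business process owner before the report is used to prioritize remediation.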
6.8 Implementation Approach

A typical approach is to implement GRC in phases, with selected components and regional roll-outs, piloting risk analysis and remediation on selected functional modules. A centralized GRC tool implementation is run from a central location with core-team participation from all business units and locations. The typical activities in the implementation and roll-outs across regions are:
Rollout Design, Technical Implementation, and Piloting
Rule Customization and Mitigating Controls
Analysis Remediation and End User Trainings
As industry best practice, end-user training follows the train-the-trainer concept: the core team trained during the implementation delivers end-user training internally within the organization.
6.9 GRC Integration Aspects

Figure: Harmonization between all GRC products

Figure: Access Risk Analysis (RAR)

Figure: User Access Management (CUP)

Figure: Business Role Governance (ERM)

Figure: Centralized Emergency Access (SPM)
7 SAP GRC Access Control Benefits

Risk Analysis and Remediation (Compliance Calibrator)

Proactive compliance – prevents SoD issues created during role development from ever reaching production.
Real-time risk reduction – detailed SoD analysis and automated monitoring give data owners, administrators and auditors transparency of risk levels.
Reduced compliance costs – through automation the analysis is complete and accurate and keeps the environment continuously clean, saving the time otherwise spent tracking down issues retrospectively.
Compliant User Provisioning (Access Enforcer)
User administration with integrated risk analysis and mitigation keeps the system clean
Provides simulation into the production system for risk analysis before changes are provisioned
Provides comprehensive audit trail.
Flexible configuration of multiple workflow paths & workflow triggers based on request type
Ensures corporate accountability and compliance with Sarbanes-Oxley
Automatically provision users and roles in multiple SAP systems
Automated email notification to appropriate parties
Provides numerous reports in analytical as well as chart views
Integrated with enterprise portal, providing authentication from a wide range of sources, including single-sign on, LDAP, SAP and non-SAP systems
Enterprise Role Management (Role Expert)
Tracking progress during role implementation and monitoring overall quality of the implementation.
Performing risk analysis at role design time.
Support workflow for role approval.
Providing an audit trail for all role modifications.
Maintaining roles after they are generated to keep role information current.
Superuser Privilege Management (Firefighter)

Efficient and effective superuser privilege management, with tracking of all activity
Allows personnel to take responsibility for tasks outside their normal job function; "Firefighter" describes the ability to perform tasks in emergency situations.
Enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability while adding an auditing layer that monitors and records Firefighter usage.
Logging of all transactions executed during fire-call usage.
Temporarily extends a user's access when they are assigned to solve a problem, giving them provisionally broad but regulated access, with complete visibility and transparency of everything done during that period.
8 ASAP Methodology

ASAP is SAP's proven implementation methodology; the GRC implementation execution model is spread over its five phases. A Phase 0 baselining step, prior to Project Preparation, sets the GRC roadmap strategy so the tool is used effectively. This phase requires proactive work in the SAP systems: role design, SoD analysis and violation review, re-establishing the security policies and procedures for the compliance requirements, and controls rationalization to give the best assurance for SOX and other compliance regimes.

The internal project-execution tool, built to cover all kinds of SAP projects, is aligned with the best practices of CMMI level 5, ISO 9001, ISO 27001 and ITIL. Projects are managed, monitored and tracked against these industry standards using the tool's capabilities.
9 Deliverables

High-level deliverables of a typical SAP GRC AC implementation are:

Installation
• Installation of SAP GRC Access Control on the DEV/QA and PROD servers

Training
• Product overview training on SAP GRC Access Control (SAP GRC AC)

Risk Analysis and Remediation (Compliance Calibrator)
• Initial configuration of GRC Access Control
• Developing the company-specific rules on the DEV/QA server (pilot with sample rules)
• Risk analysis and remediation for all standard business processes in DEV/QA
• Validation workshop on the configured rule sets with the BPO / IA team, and modifications to them as per business needs

Super User Privilege Management (Firefighter)
• Initial configuration of Super User Privilege Management in SAP GRC Access Control
• Define workflows for Super User Privilege Management: user masters and role management

Enterprise Role Management (Role Expert)
• Initial configuration of Enterprise Role Management in SAP GRC Access Control
• Configuration of role creation / modification and backend integration with the SAP systems
• Define workflows for Enterprise Role Management
• Upload the current company roles into Enterprise Role Management

Compliant User Provisioning (Access Enforcer)
• Initial configuration of Compliant User Provisioning in SAP GRC Access Control
• Define workflows for user provisioning
• Configuration of the user creation / change workflow and backend integration with the SAP systems
• Upload user masters and role assignments into Compliant User Provisioning

UAT
• User acceptance testing of SAP GRC Access Control

Reporting
• Analyzing and reporting the current user access status based on the standard RAR reports; CUP and ERM reporting features
• Super User Privilege Management reports for all log reviews and firefighter activities

Training
• Training the trainers on RAR rule building and reporting, remediation, mitigation and alerts
• Performing and demonstrating remediation of identified non-acceptable role and user violations
• Performing and demonstrating the set-up of mitigating controls and alerts for identified acceptable violations
• Training the trainers on end-user topics upon request, and hand-holding support
• Workflows and administration of Compliant User Provisioning (CUP) and Enterprise Role Management (ERM)
• Administration and monitoring of Super User Privilege Management (SPM) reports for log reviews and firefighter activity monitoring

Installation (PROD)
• Installation and re-configuration (export and re-connection to the SAP systems) of SAP GRC Access Control on the PROD server
• Cutover plan and execution

PROD Preparation
• Initial configuration of SAP GRC Access Control on the PRD server
• Exporting / uploading the configuration, company-specific rules, roles and users into SAP GRC Access Control on the PRD server
• Data migration / cutover and UAT

Go Live
• Go live and post-go-live support for 5-10 days