SAP GRC Implementation Process

 SAP GRC Implementation process

Top-down approach, where it starts by defining security requirements up front during the blueprint phase.

1. Define SOD policies and Ruleset design

The first step is to work with the business process owners (BPO’s), functional leads to identify the business processes and applications in-scope of the SAP project and finalizing the SoD policies and risk ratings (Critical, High, Medium, and low).

Critical Risk represents significant impact to company operations. Risk cannot be mitigated, it requires remediation.

Examples are

Hight Risk represents financial risk and causes loss or theft. Risk may be mitigated with proper management level report or it may require remediation.

Medium Risk represents medium profit and loss impact and disrupts an operational process. The risk can be mitigated with a management level report. 

Low risk can be mitigated

The definitions vary from company to company. Once the SoD policies and risks are defined, SAP standard and custom transactions should be evaluated and created for identified risks. Finally, these transactions are grouped into job functions (creating GL accounts, posting payments) and should be configured as rulesets, which are used to analyze SoD conflicts at the role or user level.

Apart from SoD policies and risk definitions, companies has to define the sensitive transactions to enable monitoring and reporting on SAP roles and users who have add, modify, delete or even display access to the company’s sensitive information such as vendor pricing, customer lists, financial data, HR information etc.

2. Initial Role and User Design

If it is a new security implementation, then role matrix needs to be created. The role matrix basically consists of role technical name, transaction code and its description. For this, transaction logs are analyzed to determine the set of monthly, quarterly or year end transactions that should be included in the newly designed SAP roles. The role matrix needs to be updated based on the BPO’s inputs.

The next step is to define the “role owners” for each role. Role owners are typically part of the functional implementation or business teams and usually responsible for managing and reporting on the data being updated by the SAP transactions and roles they own. For example, addition of SAP transactions, deletion, modification, and approval of mitigating controls if conflicts occur.

3. Role Build and User assignment

Once the role matrix is created and approved, then the roles can be created and assigned to users. The technical design phase starts with building the “master roles” or template roles. The next step is designing the SAP roles is to create “derived” or “child roles” which is where security restrictions are applied such as company code or cost center limitations.

End user role assignment is critical step when designing the SAP application security because some user may need one role, multiple or all company code roles. While assigning the roles to users it is important to that roles are SoD free. If the master roles have inherited the SoD conflicts, then all derived roles and subsequently assigned users will have conflicts.

4. Role and User access risk Analysis

Periodic role and user analysis need to be done for the newly designed roles that are in compliance with SoD policies. Risk analysis should be executed periodically. It is important that initially created ruleset in SAP access control may require changes based on addition or deletion of the new SAP transactions or creation of custom transactions.

Risk simulation needs to be performed before granting user access or modifying a role. This determine weather role or user changes are causing SoD or excessive access security risks.

5. Security Testing and Go-Live Preparation

SAP security unit testing and user acceptance testing are very important steps to make sure users will be having minimal access issues prior to go-live. Testing of security includes executing all the t.codes within a role to confirm that role has required transactions and authorization objects to complete the process. Testing of SAP security also include Segregation of Duties and sensitive access reviews to confirm that the newly created or updated SAP roles are SoD conflict free. It is also important to create test users for final UAT process in the quality system with the SAP roles to be used in the production environment.

6. Move to Production and Support

Once the testing is complete, the new SAP roles can be migrated to the production system as per the company’s change management policy and users can be assigned. Support team needs to be established to address the SAP access issues during the go-live. The team not only resolves the access issues, but also run access risk reports to determine if security changes will result in SoD or other access risks. 


Location: Chicago, IL, USA

Comments

Post a Comment

Popular posts from this blog

SAP Security: Critical Authorization Objects

SAP Security: Critical Authorization Objects 1. S_TABU_DIS: This authorization object enables authorization check for displaying or modifying the table content. For accessing the table data, users use SE16, SM30 or SM31 transaction codes. This object contains two fields, DICBERCLS (authorization group) and ACTCT. 2. S_RFC: This authorization object enables authorization check for remote function call to access program modules (function modules). This authorization object contains three fields, RFC_TYPE, RFC_NAME and ACTCT. 3. S_DATASET: This authorization object enable file access at operating system level. This gives permission to access files from ABAP programs. This object contains three fields, File name, Program and Activity. 4. S_ADMI_FCD: This authorization objects enable access to various administrator activities like system monitoring, spool administration, client creations, update administration etc. This object contains one field, system administration functions. 5. S_DE
Read more

SAP GRC Security Consultant Roles and Responsibilities

SAP GRC Security Consultant Roles and Responsibilities 1. SAP GRC Consultant should have a knowledge on Governance, Risk and Compliance products. 2. Should have a thorough knowledge as well as experience in relation between ERP and GRC systems. 3. Should have an experience in configuring and supporting of GRC components like ARA, ARM, BRM and EAM. 4. GRC consultant should be having good understanding of GRC architecture. 5. Should be having hands on experience in user provisioning, role management, risk analysis, emergency access management and monitoring. 6. Should have experience in pre installation, post installation, connector settings, rule building and MSMP workflows and BRF+ in the ARM and BRM components. 7. Should have experience in end to end implementation of GRC Access Controls. 8. Should have experience in designing and developing the SAP business process. 9. Should be able to gather business requirements and implement the same in the GRC AC modules like ARA, ARM, BRM and E
Read more

SAP Security: How to set auto Logoff for Inactive users in SAP

Image
How to set auto Logoff for Inactive users in SAP SAP provides an options for logging of inactive users in SAP automatically. Inactive means if there is no activity for a specific period of time. By setting the auto logoff improves the security in the SAP system. The auto logoff options is not active in the system by default. This needs to be activated using the profile parameter called rdisp/gui_auto_logout. The value for this parameter should be set in the form of seconds. The inactive users are logout of the system after the specific time period that is set in the parameter. The SAP system doesn't save the data before auto logoff and it does not popup any prompt before auto logoff. Procedure to set the value in the Profile parameter: Execute transaction code RZ10 Select the DEFAULT profile from the selection menu. Select the Extended maintenance and click on change icon. Click on the create parameter icon as shown below. Enter the new parameter name as rdisp/gui_auto_logout and c
Read more