SAP Authorizations and GRC
By: Ravi B Hemanth
Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Objectives
Learn how a role is built up in SAP, what role-based access is and why it is important. Understand why security and Segregation of Duties (SoD) is important in SAP. Understand the business value and usage of the applications in the SAP GRC Access Control Suite.
Why is security important in SAP?
Data theft and espionage are a growing crime; there are several examples where millions have been lost in damages. Intruders target profiles with extended authorizations. Long-term damages include financial loss, image loss, declined stock value, lawsuits and compliance violations.
Figures
U.S. fraud costs were $52.6 billion in 2005.
Intellectual property theft costs U.S. companies between $200 billion and $250 billion a year in sales.
Famous scandals
WorldCom lost $127 billion in market value; 24,000 people lost their jobs; the share value fell from $62 to $0.20 in less than 3 years. Enron lost $19 billion in market value; 5,500 people lost their jobs.
Who are they?
Paul Sarbanes
Michael Oxley
Sarbanes-Oxley (SOX)
In 2001/2002 large US companies like Enron and WorldCom went bankrupt. Their management had hidden and changed financial data and betrayed investors. In 2002 the Sarbanes-Oxley Act was made law to establish better controlling and accounting transparency. The strongest focus is on Internal Controls.
Why SOX?
All companies registered on the NYSE/NASDAQ stock markets must be compliant with SOX. This had a massive impact on large enterprises, which had to take measures to ensure internal control. SOX has generated thousands and thousands of hours of consultant work! There will be a similar law within the EU, "Euro SOX".
Segregation of Duties
Definition: “Key duties and responsibilities in authorizing, processing, recording and reviewing official business transactions must be separated among individuals to reduce the risk of error or fraud”. Applied on our client: “One person should not control all stages of a process, a situation in which error or irregularities could occur without detection”.
SAP Security Concept for Roles and Authorizations
SAP example (diagram): Mr. Smith and the SAP modules Materials Management, Finance and Controlling, Production Planning, Sales and Distribution, Human Resources.
As a Financial Accountant, Mr. Smith probably has job duties that involve accessing components of the Finance and Controlling module (FI/CO).
Transactions
A user performs tasks in SAP by entering transaction codes. A transaction code is a command that takes the user to a certain program in the SAP system. The term "transaction" is usually used to refer to the program that is run when the corresponding transaction code has been entered. For example, the user enters the transaction code FB02 to run the transaction/program that is used to change documents in the general ledger.
Example: FB02
SAP Security model overview (diagram): the User Master Record holds Authorization Profiles; a profile is either a Composite Profile or a Simple Profile; a profile contains Authorizations; each Authorization is an instance of an Authorization Object; an Authorization Object consists of Authorization fields.
User Master Record
Example of a User Master Record (screenshot); fields shown: Name, Initial, Group, Type, Valid Dates, Authorization Profiles.
Profiles
Example (diagram): a Composite Profile containing Simple Profile A (allow Display access to documents) and Simple Profile B (allow Change access to documents).
Authorization Object (screenshot)
Authorization field
Diagram: an Authorization field references a Data Element in the Data Dictionary; Authorization fields are grouped into an Authorization Object.
Authorizations
Example authorizations (table):
Object | Field name | Value
S_TCODE | TCD | FB02
S_TCODE | TCD | FB03
Authorization Object example: S_TCODE. Authorization field example: TCD. Authorization values (one authorization each) examples: FB02, FB03.
Auth. Object check under transactions
Maintain Transaction Object (screenshot): the authorization object checked under the transaction has the fields Activity and Company Code.
Display Company Code value for FB02 (screenshot).
Authorization check
ABAP/4 code: the program checks the authorization object F_BKPF_BUK (accounting document: authorization for company codes), field BUKRS against the selected company code and field ACTVT against activity '02' (change):

  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD s_bukrs
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    MESSAGE E002(ZI) WITH text-200 s_bukrs.
  ENDIF.
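As an added example (not code from the slides or from SAP), the following Python models the AUTHORITY-CHECK rule that a single authorization must cover all requested field values, and chains the S_TCODE check for FB02 with the F_BKPF_BUK check the program performs. S_TCODE, F_BKPF_BUK, S_USER_GRP and their fields are real SAP objects; the user SMITH and his value assignments are constructed.

```python
"""Simplified model of the SAP AUTHORITY-CHECK.

Added example, not code from the slide deck or from SAP. A check succeeds only
if ONE authorization (an instance of an authorization object) covers ALL the
requested field values; values from two different authorizations of the same
object are never combined.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# An allowed entry is a single value / pattern ("FB02", "FB*", "*") or an
# inclusive (low, high) range, as entered in profile maintenance.
Allowed = Union[str, Tuple[str, str]]


@dataclass
class Authorization:
    """One authorization: object name plus the allowed entries per field."""
    obj: str
    fields: Dict[str, Tuple[Allowed, ...]]


def value_allowed(allowed: Allowed, requested: str) -> bool:
    """Match one requested value against one allowed entry."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= requested <= high
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested


def authority_check(auths: List[Authorization], obj: str, **ids: str) -> int:
    """Return a sy-subrc-like code: 0 = authorized, 4 = the user has the object
    but not these values, 12 = no authorization for the object at all."""
    candidates = [a for a in auths if a.obj == obj]
    if not candidates:
        return 12
    for auth in candidates:
        # Every checked field must be covered by this single authorization.
        if all(
            any(value_allowed(v, requested) for v in auth.fields.get(fld, ()))
            for fld, requested in ids.items()
        ):
            return 0
    return 4


def can_change_document(auths: List[Authorization], bukrs: str) -> bool:
    """Mirror FB02: the transaction start checks S_TCODE, then the program
    checks F_BKPF_BUK for the company code with activity 02 (change)."""
    if authority_check(auths, "S_TCODE", TCD="FB02") != 0:
        return False
    return authority_check(auths, "F_BKPF_BUK", BUKRS=bukrs, ACTVT="02") == 0


# Constructed user: may run FB02/FB03, may change documents only in company
# code 4200, and may display documents in 4200-4299.
SMITH = [
    Authorization("S_TCODE", {"TCD": ("FB02", "FB03")}),
    Authorization("F_BKPF_BUK", {"BUKRS": ("4200",), "ACTVT": ("02", "03")}),
    Authorization("F_BKPF_BUK", {"BUKRS": (("4200", "4299"),), "ACTVT": ("03",)}),
]

if __name__ == "__main__":
    print(can_change_document(SMITH, "4200"))  # True
    # 4210 is only displayable: the range authorization carries ACTVT 03 only,
    # and the change authorization carries BUKRS 4200 only.
    print(can_change_document(SMITH, "4210"))  # False
    print(authority_check(SMITH, "S_TCODE", TCD="FB01"))  # 4
    print(authority_check(SMITH, "S_USER_GRP", CLASS="SUPER", ACTVT="01"))  # 12
```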
ST01: Trace Display
SAP Access Role concept
Historically, users were given SAP access by direct assignment of Profiles, but to facilitate a more business-oriented access management, the role layer was added. Roles were added as an additional abstraction level in order to facilitate authorization design; compare object-oriented programming to programming in machine language.
Access Hierarchy (diagram)
Legend: U = User, C = Composite role, S = Single role, P = Profile, A = Authorization object, F = Field, V = Value.
Example: user MR. SMITH holds the composite role FINANCIAL ACCOUNTANT, which contains the single role GENERAL LEDGER JOURNALS MAINTAIN; the single role's profile holds authorizations, for example authorization object S_TCODE with field TCD and values FB02, FB03, ... (further objects, fields and values are abbreviated on the slide).
Profiles
Single roles hold a 1:1 mapping towards Profiles (diagram: MR. SMITH, composite role FINANCIAL ACCOUNTANT, single role GENERAL LEDGER JOURNALS MAINTAIN with its profile).
Single roles
A Single Role corresponds to a Job task in the system, for example GENERAL LEDGER JOURNALS MAINTAIN (diagram: MR. SMITH, composite role FINANCIAL ACCOUNTANT, single roles).
Composite roles
A Composite Role corresponds to a Job role in reality, for example Financial Accountant. All users in the SAP systems have at least one and usually several Composite Roles assigned to them. A Composite Role is a predefined collection of Single Roles that have a relation to each other and that together give the necessary access for the user to fulfill a certain job role.
Example (diagram): MR. SMITH holds the composite role FINANCIAL ACCOUNTANT (technical name: RMUS_01_CCC01_FIN:0013).
PFCG: Role Maintenance
The technical name for Financial Accountant (screenshot).
Single roles (screenshot)
Display Authorization Data (screenshot)
Display Authorization objects and values (screenshot)
Summary
User master records, profiles, transactions, objects etc. are the generic technical design in all SAP systems. The Composite role/Single role concept is a built-in possibility in SAP that is used as best practice. How can the role concept be used to perform Segregation of Duties, and to be SOX compliant?
Sarbanes-Oxley (SOX) compliance and Segregation of Duties (SoD)
Sarbanes-Oxley and Segregation of Duties
The Sarbanes-Oxley Act (SOX) is intended to ensure the correctness of US companies' accounting. One effect of SOX is referred to as the Segregation of Duties (SoD) directive. The SoD directive stipulates that no person must control several key steps in a connected process.
Example process (diagram): Approve Purchase Order, Receive Goods, Enter Goods Receipt, Clear Vendor. Duty types shown: Authorization, Custody, Record, Control.
What is the impact of SOX and SoD on Roles and Authorizations in SAP?
Access Control Systems (table)
Mandatory Access Control (MAC): access objects and users are classified on a linear security scale (e.g. Level 1, Level 2, ...). If the user's security permission "level" exceeds that of the object's, the user is granted access to that object.
Discretionary Access Control (DAC): each user is able to pass on the permissions he or she has to other users. A user is given access to an object if he or she has been given access to it by another user.
Role Based Access Control (RBAC): access is granted by assigning each user one or more access roles. Each user is given access to the objects that his or her roles specify. A user may be given access either by new roles or by changing a role that the user already has.
Further cells on the slide: there is commonly one user with irrevocable access to all access objects (e.g. root, ...); low maintenance; high versatility.
Role Based Access
Role Architecture: a library of roles must be built and maintained; principles must be established and followed for the role library to remain consistent.
Role Provisioning: provisioning is the process by which users are given new roles; slow provisioning costs money in lost productivity.
SOX directives
Role Architecture
Role Architecture
• No role must contain internal SoD risks: control over several steps in a process would mean that no user could have this role.
Example (diagram): an Access Role whose Permissions include both Enter Goods Receipt and Clear Vendor.
Role Architecture
Role Based Access – Design Principles
Each access role is mapped to a job role. Global template roles define action level security ("what"). Locally derived roles define data level security ("where").
Access Roles vs. Job Roles
Role Architecture
• An access role is a role defined in the system; a job role is a real-world role. An access role contains all permissions needed to perform the tasks needed to complete the job role. Permissions = Actions + Data Access.
• Benefit: Access roles are free from internal SoD risks (as long as job roles are).
Examples (diagram): job role Financial Accountant maps to an access role with permissions such as change G/L document and post G/L document; job role Sales Assistant maps to an access role with permissions such as create sales orders and change sales orders.
Role Architecture
Action level security? Data level security?
Role Architecture
• Action level security defines access to activities. In SAP, action level security can be thought of as access to transactions.
• Action level security is specified on a global level: a financial accountant has the same access irrespective of which country he or she works in.
Example (diagram): access role template Financial Accountant with permissions TCODE: FB01.
Role Architecture
Data level security
Role Architecture
• Data level security defines access to data: access to display/maintain certain company codes, sales organizations, plants, etc.
• Locally derived roles define data access.
Global Template Role, e.g. Financial Accountant_Template: TCODE: FB01 ACTVT: BUKRS: -
Local Role, e.g. Financial Accountant_Sweden: TCODE: FB01 ACTVT: 01 BUKRS: 4200
Local Role, e.g. Financial Accountant_China: TCODE: FB01 ACTVT: 01 BUKRS: 6200
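An added Python example (not the deck's or SAP's code) of the template/derived-role principle above: a derived role copies the template's transactions and activities and fills only organizational fields such as BUKRS, and a consistency check flags a derived role that has drifted from its template. The role names, the activity 01 placed in the template and the field list ORG_LEVEL_FIELDS are assumptions made for the example.

```python
"""Global template role vs. locally derived roles.

Added example, not code from the slides or from SAP. The template fixes the
action level (transactions, activities); a derived role inherits it and only
the organizational levels (company code etc.) are maintained locally.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Organizational-level fields (assumption for the example): company code,
# sales organization, plant.
ORG_LEVEL_FIELDS = {"BUKRS", "VKORG", "WERKS"}


@dataclass
class Role:
    name: str
    tcodes: Set[str]
    # object -> field -> values; org-level fields are left empty in a template
    auths: Dict[str, Dict[str, Set[str]]]
    derived_from: Optional[str] = None


def derive(template: Role, name: str, org_values: Dict[str, Set[str]]) -> Role:
    """Create a local role: same actions, organizational fields filled in."""
    unknown = set(org_values) - ORG_LEVEL_FIELDS
    if unknown:
        raise ValueError(f"not organizational levels: {sorted(unknown)}")
    auths = deepcopy(template.auths)
    for fields in auths.values():
        for fld in fields:
            if fld in ORG_LEVEL_FIELDS:
                fields[fld] = set(org_values.get(fld, set()))
    return Role(name, set(template.tcodes), auths, derived_from=template.name)


def deviations(template: Role, derived: Role) -> List[str]:
    """Report where a derived role no longer matches its template.

    Only organizational values may differ; any other difference is drift in
    action-level security and breaks the 'template defines what' principle.
    An empty organizational field is reported as well (role grants nowhere).
    """
    issues = []
    if derived.tcodes != template.tcodes:
        issues.append(f"{derived.name}: transactions differ from {template.name}")
    for obj in sorted(set(template.auths) | set(derived.auths)):
        t_fields = template.auths.get(obj)
        d_fields = derived.auths.get(obj)
        if t_fields is None or d_fields is None:
            issues.append(f"{derived.name}: object {obj} only on one side")
            continue
        for fld in sorted(set(t_fields) | set(d_fields)):
            if fld in ORG_LEVEL_FIELDS:
                if not d_fields.get(fld):
                    issues.append(f"{derived.name}: {obj}/{fld} left empty")
            elif t_fields.get(fld) != d_fields.get(fld):
                issues.append(
                    f"{derived.name}: {obj}/{fld} changed to "
                    f"{sorted(d_fields.get(fld, ()))}"
                )
    return issues


# Template following the slide: FB01 with activity 01, company code derived.
TEMPLATE = Role(
    "Financial Accountant_Template",
    tcodes={"FB01"},
    auths={"S_TCODE": {"TCD": {"FB01"}},
           "F_BKPF_BUK": {"ACTVT": {"01"}, "BUKRS": set()}},
)
SWEDEN = derive(TEMPLATE, "Financial Accountant_Sweden", {"BUKRS": {"4200"}})
CHINA = derive(TEMPLATE, "Financial Accountant_China", {"BUKRS": {"6200"}})

# Constructed drift: activity 02 (change) added directly in the local role.
DRIFTED = deepcopy(CHINA)
DRIFTED.auths["F_BKPF_BUK"]["ACTVT"].add("02")

if __name__ == "__main__":
    print(SWEDEN.auths["F_BKPF_BUK"])   # {'ACTVT': {'01'}, 'BUKRS': {'4200'}}
    print(deviations(TEMPLATE, SWEDEN))  # []
    print(deviations(TEMPLATE, DRIFTED))  # one ACTVT deviation
```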
Role Provisioning
Role Provisioning
No person must be given roles that give access to several steps in a connected process. Segregation is possible by process or geography.
Example (diagram): Mr. Smith holds the access role Financial Accountant Sweden.
- Access role Security Advisor Sweden: OK (process separation)
- Access role Billing Sweden: SoD Risk
- Access role Billing Norway: OK (geographic separation)
Role Provisioning
Traditional: the user administration team grants access based on line manager demands; access is applied for on an as-needed basis; the user administration team is responsible for security while the business is trying to operate.
Role Based Access: the role provisioning flow is controlled entirely by the business; access is applied for on a job role basis; the business is responsible for maintaining security and operational effectiveness.
Role Provisioning
Role provisioning process
Role Provisioning
The role provisioning flow is controlled entirely by the business. The business is responsible for maintaining both security and operational effectiveness. Access is applied for on a job role basis.
Process steps (diagram): Application, Business approval, Security approval, Assignment.
Role Provisioning
Why is a business approval needed?
Role Provisioning
Business approval: SOX requires that a valid business reason for the order exists, that the requested role matches the actual personal identity and job role, and that the end-user has a need to know the information that will be available via the role.
Role Provisioning
Security approval
Role Provisioning
Security approval: the security approval checks that no SoD risks appear for the user, that the user is not given access to unnecessary critical actions (create users, change roles, etc.) and that the user is not given access to display sensitive data (financial statements etc.).
SOX audits
SOX Audits
What SoD risks do you have? Do you have proof that all access is properly authorized? How do you ensure the consistency of your roles? How are sensitive activities monitored?
SAP GRC Suite
VIRSA systems
In April 2006, SAP bought VIRSA Systems and started transforming the VIRSA suite into SAP GRC. VIRSA stands for "Versatile Innovative Risk and Security Administration". US company, founded in 1996. Today more than one million end users are subject to compliance at more than 170 customers worldwide. Major references: Vodafone, IBM, Unilever, Panasonic, BASF, Boeing, Burger King, Sony, Nortel, Siemens, Gillette. Virsa provides the only solutions that monitor and enforce business controls in real time across enterprise systems. Virsa is the global leader in cross-enterprise compliance solutions. The company is privately funded with venture investment from SAP Ventures, Kleiner Perkins Caufield & Byers, and Lightspeed Venture Partners.
GRC Suite
SAP GRC Suite overview
Diagram: an online ordering tool feeds Access Enforcer; Access Enforcer, Compliance Calibrator and FireFighter connect to SAP; FireFighter access in SAP produces FireFighter logs; a connection to Role Expert is possible.
GRC Suite components (shown alongside Enterprise Portals, Risk Manager and Cross Enterprise Risk Management):
- SAP Compliance Calibrator by Virsa Systems: SoD analysis, critical transaction monitoring and preventive simulation
- Access Enforcer: provisioning
- Firefighter: super user access control
- Role Expert: role management
- Risk Terminator: fail-safe risk prevention
Compliance Calibrator
Compliance Calibrator
/VIRSA/ZVRAT
Compliance Calibrator
Part of the SAP GRC Suite and the core application of the suite. Uses the ERP Risk Framework (within "Rule Architect") for SoD risk analysis of users. SAPgui based (4.0, current version); web based on NetWeaver (5.2, release Q3 2007).
Compliance Calibrator
Compliance Calibrator is the source of the ERP risk framework used for all SoD analysis. It is used to monitor users, roles, risks and mitigation controls. Compliance Calibrator increases visibility regarding SoD and assists in managing risks and users.
Compliance Calibrator
Risk Definition
Compliance Calibrator Rule Architect
Compliance Calibrator Selection Screen (Cockpit)
Compliance Calibrator Analysis
(Diagram) A risk definition is a combination of functions, and each function is a list of transactions. Risk definition 1: Function A, Function B and Function C, each made up of transactions, together result in Risk X. Risk definition 2: No risk (Y).
Compliance Calibrator Risk Report
Access Enforcer
Access Enforcer: Purpose
Used primarily to perform segregation of duties (SoD) analysis before roles are approved and allocated to users. Reduction of lead-times for role allocation leads to significant business improvements. The user administration will be fully automated. The tool enforces the role approval process and ensures that SoD checks are performed and that potential risks are mitigated - all prior to role allocation.
Access Enforcer: Business value
Facilitate SOX compliance from an SAP security perspective. Increase the accuracy of SAP authorizations and adhere to the GAC principles. Reduce maintenance costs for SAP user administration. Reduce lead-times for role allocation, which leads to significant business improvements. Reduce security audit costs for SAP environments.
Access Enforcer: User administration process
The purpose of a user administration process is to assign roles to, and remove roles from, SAP users. An online ordering tool and Access Enforcer ensure that the proper approval is obtained for every request and that all assigned roles are compliant with the security policy.
Access Enforcer: Order process
All orders for access to IT applications are managed via a tool for ordering online.
Access Enforcer: Requests for approval
The first approver in the workflow receives the request that was ordered in the online ordering tool.
Access Enforcer: Roles included in the order
Access Enforcer: Risk Analysis
When the approver clicks Risk Analysis, Access Enforcer runs an analysis on the user's current roles in combination with the new roles that were ordered. In fact, Access Enforcer makes a call to Compliance Calibrator, where the SoD risk framework is stored. Compliance Calibrator runs the analysis and returns the result.
Access Enforcer: Risk Analysis result
The risks are listed with a Risk ID, Risk Description and Status.
SoD risk: FB01 and ME21
Access Enforcer: Risk simulation
Now we can uncheck Financial Accountant and simulate the risks without that role.
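The analysis and simulation steps above, as an added example that is not code from the presentation or from the SAP GRC products: a risk definition is a combination of functions, each function is a set of transactions, and the check is run over the user's existing roles plus the ordered roles, then again with the unchecked role removed. The function and role names, the display-only transactions and the role contents are constructed assumptions; FB01 and ME21 are the transactions named on the slide.

```python
# Added example (not from the presentation or the SAP GRC products): a minimal
# model of an SoD risk analysis and a risk simulation. Function names, role
# names and transaction sets are constructed assumptions; FB01 (post document)
# and ME21 (create purchase order) are the transactions named on the slide.

# Rule Architect content: a function is a set of transactions, a risk definition
# is a combination of functions that must not be held by one user together.
FUNCTIONS = {
    "FI_POST_DOCUMENT": {"FB01"},   # constructed function names
    "MM_CREATE_PO": {"ME21"},
}
RISKS = {
    "P001": ("Create purchase order and post FI document",
             ["MM_CREATE_PO", "FI_POST_DOCUMENT"]),
}
# Roles as sets of transactions (constructed; FB03/ME23 stand in for display-only).
ROLES = {
    "Financial Accountant": {"FB01", "FB03"},
    "Purchaser": {"ME21", "ME23"},
    "Display Only": {"FB03", "ME23"},
}


def analyze(roles):
    """Return {risk_id: {function: sorted matching transactions}} for the
    transactions reachable through the given roles (the Compliance Calibrator call)."""
    tcodes = set().union(*(ROLES[r] for r in roles)) if roles else set()
    result = {}
    for risk_id, (_description, functions) in RISKS.items():
        matched = {f: sorted(FUNCTIONS[f] & tcodes) for f in functions}
        # A risk applies only if every function of the definition is reachable.
        if all(matched.values()):
            result[risk_id] = matched
    return result


def analyze_request(existing_roles, requested_roles):
    """What Access Enforcer checks: the user's current roles combined with the ordered roles."""
    return analyze(set(existing_roles) | set(requested_roles))


def simulate(existing_roles, requested_roles, unchecked_roles):
    """Risk simulation: re-run the analysis with the unchecked roles removed."""
    return analyze((set(existing_roles) | set(requested_roles)) - set(unchecked_roles))


if __name__ == "__main__":
    print(analyze_request(["Financial Accountant"], ["Purchaser"]))
    print(simulate(["Financial Accountant"], ["Purchaser"], ["Financial Accountant"]))
```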
Access Enforcer: Risk Analysis result
Role Expert: First approval step finished
What is Role Expert?
Tool for documenting roles and authorizations. Web based application. Automates creation and management of role definitions. Role Expert enforces (in Swedish: upprätthåller, genomdriver) best practice to ensure that role definition, development, testing and maintenance are consistent throughout the implementation.
Role Expert functionality
Track progress during role implementation. Monitor the overall quality of the implementation. Perform risk analysis at role design time. Set up a workflow for role approval. Provide an audit trail for all role modifications. Maintain roles after they are generated to keep role information current.
Role Expert: Search screen
Enter TMUS* (TMUS is the technical name prefix for single roles in the system called MUS).
Role Expert: Search results
Role Expert: Role definition
Role Expert: Add transactions
Role Expert: Company mapping
FireFighter
Summary
SAP uses a complex structure to manage authorizations: Fields, Objects, Profiles, Roles. Role Based Access (RBAC) is required to fulfil the roles and authorization requirements of large organizations: globally governed role architecture, business controlled role provisioning.
The Sarbanes-Oxley act (SOX) imposes requirements on companies' management of roles and authorizations: Segregation of Duties (SoD), business approvals, audit trails. To manage compliance SAP offers the GRC Suite: Compliance Calibrator (SoD), Access Enforcer (role provisioning), FireFighter (critical access), Role Expert (role architecture).