Sap GRC RAR Overview
SAP GRC
Version1.0
Ashish Dhar
Page 1
Name: Ashish Dhar
Reviewers: Abhay Vaidya / Ramesh Deshmukh
Role: Transition Manager, Project Manager

Contact Details:
Name | Role | Email ID | Lotus Notes ID | Phone
 | Project Manager | | |
 | Technical Consultant | | |
 | SME | | |

Revision History:
Version # | Author | Description of Changes | Issue Date
1.0 | Ashish Dhar | Initial Document | 5 Jan 2011
Contents
1.0 SAP Presentation Interface
1.0.1 SAP Instance
1.0.1.1 SAP WAS ABAP System
1.0.1.2 SAP WAS JAVA system
1.0.1.3 SAP WAS ABAP + JAVA System
1.0.2 GRC Agenda
1.0.3 SAP GRC Components
1.4.1 Default Values
1.4.1.2 Performance Tuning
1.4.1.3 Additional Options
1.4.2 Mitigation Controls
1.4.3 Workflow
1.4.4 Miscellaneous
1.4.5 Connectors
1.4.6 Logical Systems
1.4.7 Cross Systems
1.4.8 Data Extractor
1.4.9 Master User Source
1.4.10 User Mapping
1.4.11 Custom User Groups
1.4.12 Upload Objects
1.4.14 Backend Sync
1.4.15 Background Jobs
1.4.16 Organization User Mapping
1.4.17 Custom Tabs
1.4.18 SAP Adapter Servers
1.4.19 Utilities
1.4.20 Configuration Change History
An SAP system has one database and one or more instances, as shown above. The
diagram shows SAP GUI connected to WAS ABAP, which in turn is connected to the
Message Server and the Internet Communication Manager.
The Internet Communication Manager (ICM) enables SAP systems to communicate
directly with the Internet. The ICM receives requests from the Internet and forwards
them to the SAP system for processing. In doing so, it recognizes whether the
request is a call of a Business Server Page or a Java application and forwards the
request to the ABAP runtime environment or the Java runtime environment accordingly.
The Message Server enables an SAP instance to interact with any other distributed
ABAP or Java instance.
The above diagram shows SAP GUI connected to WAS Java, which in turn is
connected to the Message Server and the Internet Communication Manager. The ICM
receives HTTP requests directly from the web browser for processing.
1.0.1.3 SAP WAS ABAP + JAVA System
The above diagram shows SAP GUI connected to WAS ABAP+Java, which in turn is
connected through the Message Server and the Internet Communication Manager. The ICM
integrates the connectivity for the ABAP and Java instances for receiving HTTP requests.
The Message Server enables interaction with any other distributed ABAP or Java instance.
JCo (SAP Java Connector) is used for interaction between SAP and the Java interface (Portal).
The Sarbanes-Oxley Act of 2002 is a legislative act brought into practice after the Enron and
WorldCom financial frauds, in order to protect shareholders and the general public from
accounting errors and fraudulent practices in an enterprise.
SOX legislation affects the financial and IT sides of an enterprise and requires that all business
records, including electronic records, be retained for not less than 5 years.
GRC Schema:
violations. Businesses can automate provisioning, test for SoD issues, streamline
approvals, and reduce the workload for IT staff.
SPM - Superuser privilege management enables users to perform activities outside of
their role using superuser-like privileges in a controlled, auditable environment. The
application tracks, monitors, and logs every activity a superuser performs with a
privileged user ID.
RAR Functionality:
1.1 RAR Informer Tab Overview
1.1.1.4. Comparisons
Choose quarterly or monthly comparisons. Analysis can be performed for User, Role
or Profile Remediation progress and percent completion.
1.1.1.5. Alerts
Alerts by month and conflicting alerts by process.
Here conflicting tcodes are displayed for the year 2010. Alerts for the
different processes are also shown, e.g. SD has 2034 alerts.
Also we can see the conflicting Actions for Risk B001CQ (Tcodes SA38 and SM01 are
in a conflicting state). Risk level is high for Business Process Basis.
After running the analysis, conflicts were reported, e.g. B001CQ01 for Tcodes SE38 and SM01.
1.1.2.3. HR Objects
Here we can run simulation for HR objects like position, org. units and jobs etc.
Simulation is accessible from the Risk Analysis screen. It is used to see the effect on
the system if you were to add or remove the following for users or roles/profiles:
Action
Role
Profile
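Added example (not the document's or SAP's code) modelling the simulation described above: a constructed two-function rule using the page's risk B001CQ (SA38 versus SM01) and constructed roles, with the before/after conflict comparison for adding or removing a role or action.

```python
# Added example, not code from the SAP GRC document or from SAP: a minimal model
# of RAR risk analysis with Simulation, i.e. which SoD conflicts appear or
# disappear if an action or role is added to or removed from a user.
# Risk ID B001CQ and tcodes SA38/SM01 are taken from the page; the two-function
# rule structure, the role names and the role contents are constructed.

# Constructed rule set: a risk is violated when the user holds at least one
# action from EVERY function of the risk (here: run programs AND lock tcodes).
RULES = {
    "B001CQ": {
        "business_process": "Basis",
        "risk_level": "High",
        "functions": (frozenset({"SA38"}), frozenset({"SM01"})),
    },
}

# Constructed role build of a test system: role -> actions (tcodes).
# Profiles can be modelled the same way; they are omitted for brevity.
ROLES = {
    "Z_PROG_RUN": {"SA38"},
    "Z_BASIS_ADMIN": {"SM01", "SU01"},
}

def user_actions(roles, direct_actions=()):
    """All actions a user holds via assigned roles plus directly assigned actions."""
    actions = set(direct_actions)
    for role in roles:
        actions |= ROLES.get(role, set())
    return actions

def violations(actions):
    """Risk IDs whose every function is hit by the given action set."""
    return sorted(rid for rid, rule in RULES.items()
                  if all(actions & fn for fn in rule["functions"]))

def simulate(roles, direct_actions=(), add_roles=(), remove_roles=(), add_actions=()):
    """Risk Analysis simulation: conflicts before vs. after the proposed change.
    Removing a role drops only actions that no remaining role still grants."""
    before = violations(user_actions(roles, direct_actions))
    new_roles = (set(roles) | set(add_roles)) - set(remove_roles)
    after = violations(user_actions(new_roles, set(direct_actions) | set(add_actions)))
    return {
        "before": before,
        "after": after,
        "new": sorted(set(after) - set(before)),        # conflicts the change would introduce
        "resolved": sorted(set(before) - set(after)),   # conflicts the change would remove
    }
```

Calling `simulate(["Z_PROG_RUN"], add_roles=["Z_BASIS_ADMIN"])` reports B001CQ as a new conflict, which is the check a role change should pass before it is provisioned.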
1.2.1 RAR Rule Architect Business Process tab
Business Process:
The business area categories in which you would like to report Risk Analysis results
in RAR. The different Business Processes created in RAR, such as BS00-Basis, FI00-Finance
and HR, are listed here. A Business Process can also be changed or deleted from this tab.
When implemented, SoD reports can show that a User, Position, or Role has
been mitigated for a particular SoD risk(s).
Includes GRC Mitigating Control ID, Risk ID, Monitors and Approvers, Controls
Framework reference, etc.
Default risk level for risk analysis: This option determines the default risk
level populated when executing a Risk Analysis.
Default user type for risk analysis: This option determines the default user
type included when executing a Risk Analysis.
Default rule set for risk analysis: This option determines the rule set used as
the default selection criterion when executing a Risk Analysis from RAR. The same
default rule set is used for risk analyses initiated from CUP, ERM and Risk
Terminator, i.e. by all capabilities. You can change the rule set for risk
analyses performed within RAR, but not when the risk analysis is initiated from
CUP, ERM or Risk Terminator.
Exclude Locked Users: This option specifies whether locked users are
excluded when executing a Risk Analysis.
Exclude Expired Users: This option specifies whether expired users are
excluded when executing a Risk Analysis.
Exclude Mitigated Risks: This option specifies whether risks with assigned
mitigating controls are excluded when executing a Risk Analysis.
1.4.2 Mitigation Controls: Use the Mitigating Controls setting to specify, in days, the
validity period for a Mitigating Control. The validity period starts when the Mitigating
Control is assigned to a Risk. Because a Mitigating Control must have an expiration date
when it is assigned, this validity period is applied automatically if none is specified
during risk mitigation.
1.4.3 Workflow: Use Workflow to specify the conditions under which workflows
are triggered, and which workflow engine to use. Workflow is possible for several RAR
processes. However, Compliant User Provisioning must be enabled and configured in
order for workflow to work in Compliance Calibrator. Please refer to the Compliant
User Provisioning User Guide for information on configuring Compliant User Provisioning
to accommodate RAR workflow approval flows.
By default, logging is disabled until you specify an Alert log path and
file name, or enable Risk and Function Change Logs.
If you specify an Alert Log Filename & Location, you will need to
monitor the size of that file (in environments that generate many
alerts).
1.4.6 Logical Systems: A Logical System is two or more physical systems grouped
together, for the purpose of performing analysis against the same rules.
You use logical systems to group rules in a way that limits the
amount of effort required to load and maintain identical rule
sets across multiple systems.
Auth and Text data must be loaded for at least one physical
system. If text and authorization data is loaded for multiple
systems, the text and authorizations for the logical system will
default to the data loaded for the first system defined. The Auth
and Text data is used when manually updating functions. The
Text data is used for populating the descriptions in the analysis
reports.
1.4.7 Cross Systems: A Cross System is a group of physical systems, created for
the purpose of running user analysis operations across multiple systems. You can
select and view Cross Systems when you generate and view Informer Management
Reports, and when you perform risk analysis.
Physical systems, Logical Systems, and Cross Systems share the following relationships:
1.4.8 Data Extractor: Data Extraction enables you to obtain User, Role, and Profile
data from different systems and to reconcile and unify that data in Compliance
Calibrator format:
Search Extractor
Change the Master User Source setting only when you want to
change the primary system you use for user data. If you change the
Master User Source setting, verify and update any custom user
mapping you have done, and perform Backend Sync. Only systems
for which you have created a connector appear in the Select System
drop down menu.
1.4.10 User Mapping: Use User Mapping to link multiple accounts associated with
an individual user, so that Risk Analysis operations produce valid results for each
user, and so that the data displayed in reports reflects usage and violations on a
per-user (rather than a per-user-account) basis.
1.4.11 Custom User Groups: Custom user groups are definable groups that
associate user accounts, so they can be processed together. You can specify these
custom user groups as selection criteria when you perform user-level risk analysis.
When uploading objects users have the ability to upload different object
data for different physical systems or for one or more logical systems.
Rules are packaged in the software as text files. SOD Action and
Permission level rules are provided for R/3, APO, ECCS, CRM and SRM.
HR Basis rules are included in R/3 and are also available separately.
Rules should only be uploaded once, for new installations. Users who are
upgrading should not reload the rule set, as the rules will overwrite any
customizing done by the customer.
1.4.14 Backend Sync: When you integrate SAP's Management of Internal Controls
(MIC) application with Risk Analysis and Remediation, you must perform a back-end
synchronization with MIC. Doing this transfers the mitigation and rule information
from Risk Analysis and Remediation to the back-end ABAP stack where the MIC
application resides.
Mitigation Sync
Rule Sync
Schedule Job: When you schedule a synchronization background job, you can
synchronize in Full mode or Incremental mode.
Alert Generation: When you generate an action log, the data is loaded to a local
table in Risk Analysis and Remediation. You can generate alerts based on the
following alert types:
1.4.16 Organization User Mapping: The Org. User mapping menu item allows you
to specify a system that contains organizational user data you want to add to or
synchronize within Compliance Calibrator.
The Custom Tabs menu item enables you to add any URL, such as a
custom-developed web page, as an additional tab to the left of the
Compliance Calibrator Configuration tab. You can use this feature to
add up to three URLs under three custom tabs.
Additional reports can be uploaded using Java archive files. You upload
and activate those Java files using the Upload Informer Reports menu
item. A complete Java installation is not required to activate
additional reports delivered by SAP.
The SAP Adapter provides real-time analysis in the Risk Terminator.
Whenever Risk Terminator is triggered in the SAP system, it sends
data to the SAP Adapter for SoD risk analysis. The SAP Adapter
then sends this data to Compliance Calibrator for analysis and
returns the results to the Risk Terminator.
1.4.19 Utilities: The Utilities options include Export, Import, Purge Action Usage,
and Manage Deletion utilities.
Import Utility: The Import utility imports files exported from other
Risk Analysis and Remediation instances. The data format from the
exported file is used during the data import.
Purge Action Usage Utility: The Purge Action Usage utility archives
records from time periods that are no longer of interest. This utility
reduces the size of large databases or files. You specify the location
where the system stores the archive file under Miscellaneous.
1.4.20 Configuration Change History: RAR tracks configuration changes. You can
use Configuration Change History to search for the change history for specific areas.