
Training Institute

SAP GRC Access Control 10.0 Introduction

Agenda
- SAP GRC Overview
- SAP GRC Access Control 10.0 Introduction
- SAP GRC Access Control 10.0 Features

GRC Defined

GRC is a system of people, processes, and technology. It enables an organization to:

- understand and prioritize stakeholder expectations;
- take a holistic approach to risk management;
- set objectives congruent with values and risks;
- achieve objectives while optimizing its risk profile and protecting value;
- operate within legal, internal, and social boundaries;
- provide relevant, reliable, and timely information to appropriate stakeholders; and
- enable the measurement of the performance and effectiveness of the system.

[Diagram: People, Process, Technology]

GRC Defined

Governance: the management approach through which senior executives direct and control the entire organization.

Risk: the effect of uncertainty on objectives. Risk Management: the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks.

Compliance: conforming to a rule, such as a specification, policy, standard or law.

GRC Defined

[Diagram: the business model drives toward its objectives between a mandated boundary and a voluntary boundary, meeting opportunities and obstacles along the way]

MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.

BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives.

OBJECTIVES: strategic, operational, customer, process, and compliance objectives.

VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies.

Benefits of GRC Solutions

- Minimizes risk
- Tightens up business processes
- Helps drive innovation
- Increases agility
- Eliminates costly, repetitive tasks in the ERP landscape
- Can be implemented in stages

Business Case for GRC

Before GRC:
- Fragmented
- Mostly reactionary
- Individual projects
- Separate from mainstream process and decision making

Business Case for GRC

[Diagram: Strategy (Initiative Tracking, Situation Analysis, Cost Tracking, KPI Dashboards, Ad Hoc Reporting, Business Planning, Simulation, Budgeting, Project Reporting); Controls; Risk Management; Data Warehouse; Execution; ERP & Transaction Systems]

After GRC:
- Integrated management and performance
- Integrated capability
- Embedded with mainstream process and decision making
- Coordinated transactions and shared data

SAP BusinessObjects Solutions

Enterprise Performance Management:
- Planning, Budgeting and Forecasting
- Strategy Management
- Profitability and Cost Management
- Consolidation
- Spend and Supply Chain

Governance, Risk and Compliance:
- Risk Management
- Process Control
- Access Control
- Global Trade Services
- Environment, Health and Safety

Business Intelligence:
- Query, Reporting, and Analysis
- Search and Navigation
- Reporting
- Dashboards and Visualization
- Advanced Analytics

Information Management:
- Data Integration
- Data Quality Management
- Metadata Management
- Master Data Management

Agenda
- SAP GRC Overview
- SAP GRC Access Control 10.0 Overview
- SAP GRC Access Control 10.0 Features

SAP GRC Access Control

SAP BusinessObjects GRC Solutions provide a unified, business-user focused approach that:

- organizes all compliance requirements;
- creates a common method to measure risks;
- ensures strategy considers risks;
- implements and monitors controls in business processes;
- detects and alerts on exceptions for risks and controls;
- promotes sustainable operations.

SAP GRC Access Control

[Diagram: the Access Control cycle. Model and Control: embed cross-platform SoD rules and regulations, corporate policies and best practices; enterprise role management; identity management. Embed and Execute: compliant user provisioning; superuser privilege management; embedded cross-function across FIN, SCM, SRM, MFG and HR. Analyze and Remediate: analyze and remediate risk; manage by exception; collaborate across functions. Document and Audit: streamline audits; provide proof; automate reviews.]

Protect information and prevent fraud:
- automatically eliminate access and authorization risks with out-of-the-box rules;
- enforce SoD across applications and departments;
- prevent improper access instead of reacting to problems.

Optimize operations:
- automate SoD management;
- automate access management;
- promote IT and line-of-business collaboration;
- enforce accountability with a review and approval process;
- ease compliance and avoid authorization risk.

Minimize time and cost for financial compliance:
- provide proof and reliability with control tests and an audit trail for SoD controls;
- report and review key risk indicators for system access.

Approach

[Diagram: Minimal Time For Compliance (Get Clean); Continuous Access Management (Stay Clean); Effective Management Oversight and Audit (Stay in Control)]

Get Clean:
- Risk Identification and Remediation: rapid, cost-effective and comprehensive initial clean-up
- Enterprise Role Management: enforce SoD compliance at design time

Stay Clean:
- Compliant User Provisioning: prevent SoD violations at run time
- Superuser Privilege Management: close the #1 audit issue with temporary emergency access

Stay in Control:
- Periodic Access Review and Audit: focus on remaining challenges during recurring audits

- Risk analysis, remediation and prevention services
- Cross-enterprise library of best-practice segregation of duties rules

Approach

Minimal time for compliance: setting up the right access controls through the use of a comprehensive, out-of-the-box library of SoD rules.

Continuous access management: enforcing SoD compliance from the start with enterprise-wide role design, documentation and maintenance; preventing the reintroduction of SoD violations; performing emergency activities in a controlled manner.

Effective management oversight and audit: through user access reaffirmations and reviews of access risk, SoD rules, mitigating controls and roles; provides an audit trail.

Approach: Benefits

Access Control:
- protects information and prevents fraud;
- automatically eliminates access and authorization risks with out-of-the-box rules;
- enforces segregation of duties across applications and departments;
- optimizes operations;
- minimizes time and cost for compliance.

Agenda
- SAP GRC Overview
- SAP GRC Access Control Overview
- SAP GRC Access Control 10.0 Features

SAP GRC Access Control 10.0

Access Control 10.0 is part of the GRC 10.0 Suite. The previous version of Access Control is 5.3 (for Process Control and Risk Management, 3.0). Access Control 10.0 highlights improvements in six key focus areas:

1. Access Control Harmonization
2. Unified Compliance Platform
3. Streamlined User Access Management
4. Business Role Governance
5. Centralized Emergency Access
6. Improved Identity Management Integration

Feature Highlights

1. Access Control Harmonization

Harmonization is a key strategy of the GRC 10.0 release, and Access Control 10.0 undergoes its own harmonization across its four capabilities: Access Risk Analysis, User Access Management, Emergency Access Management, and Business Role Management.

GRC 10.0 has been re-engineered onto an ABAP platform, allowing for new benefits such as object-level security, environment transportability, and data archiving.

This harmonization within the four components lowers total cost of ownership by eliminating redundancy in administration, configuration, setup and training, and increases ease of supportability.

Feature Highlights

2. Unified Compliance Platform

Access Control 10.0 also harmonizes with the applications across the GRC Suite: Process Control, Risk Management, and Global Trade Services.

The GRC Suite shares a single user interface and an integrated data model, allowing the sharing of key data such as business processes and subprocesses, organizations, and controls. This eases administration by eliminating the need to recreate shared administrative and master data for each application.

Harmonization works in two ways: within AC and across the entire GRC Suite.
- AC-PC-RM harmonization at both the user interface and data layers
- Introduction of an Organization Compliance Hierarchy allowing the sharing of business processes and controls
- Ability to analyze risks in AC and mitigate them with documented, tested, monitored and certified controls in PC
- Ability to schedule risk analysis from the PC automated rule framework

[Screenshots: common GRC user interface; unified inbox]

Feature Highlights

3. Streamlined User Access Management

Access Control's user provisioning capability standardizes on SAP's Business Workflow engine, providing support for dynamic, multi-stage approval routing based on information such as user, role, or system.

It provides customizable access request forms, which allow customers to tailor end-user forms dynamically based on the user and the system accessed, ensuring only relevant data is requested of the end user.

Streamlined access requests and periodic reviews enable approvers to make more informed decisions by presenting usage details and more information about what else the requestor is authorized to access.

Access request enhancements:
- New customizable access request forms
- New template-based access requests
- New position-based role assignment requests
- New end-user display of profile, access assignments, and request history
- Enhanced search for roles, groups, and systems based on authorization
- New customizable approver views
- New multiple rule set support
- Enhanced periodic reviews for user access and access risks

Feature Highlights

4. Business Role Governance

Business Role Management (BRM) bridges the gap between complex system authorizations and business functions and delivers simplified assignment of access, reduced compliance risk, and improved operational efficiency.

BRM centralizes compliant role administration: all roles are stored centrally within BRM and analyzed for access violations.

It provides a new impact analysis simulation report that uses what-if logic to let customers determine whether a role authorization change will introduce access risk for all users assigned the role, before implementing it in production.

- New centralized business role management with embedded access risk analysis
- Enhanced process for mapping technical access authorizations to business functions
- New role design and flexible role-building workflows, including preventative simulations
- New ability to analyze role usage for optimal assignment and to keep role definitions up to date
- Improved role comparison to detect backend changes, providing role consistency, synchronization, and compliance
- New process for periodic role certification
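The access risk analysis of focus area 1 and the what-if simulation of this section, as an added Python example that is not part of the original deck and not SAP GRC code. It assumes a constructed rule set (functions AP01, AP02 and VM01; risks P001 and P002), constructed technical roles, users and one mitigating control, and models action-level (transaction code) rules only; permission-level conditions and SAP's real rule library are not represented. The same pre-provisioning check is what an IdM system would call before assigning roles.

```python
"""
Segregation-of-duties (SoD) risk analysis with request and role-change simulation.

Added illustration, not SAP GRC code. The rule set, functions, roles, users and
mitigations below are constructed for the example.
"""
from dataclasses import dataclass

# A function groups the transaction codes that grant one business capability.
# A function counts as held when the user can run ANY of its transactions,
# mirroring how action-level SoD rules are generated from functions.
FUNCTIONS = {
    "AP01": {"FB60", "MIRO"},   # enter vendor invoices
    "AP02": {"F110"},           # run the payment program
    "VM01": {"XK01", "XK02"},   # maintain vendor master data
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str             # High / Medium / Low
    functions: frozenset   # ALL of these must be held to violate the risk
    description: str


RULES = [
    Risk("P001", "High", frozenset({"AP01", "AP02"}), "Enter a vendor invoice and pay it"),
    Risk("P002", "High", frozenset({"VM01", "AP02"}), "Create a vendor and pay it"),
]

# Technical roles and the transactions they authorize (constructed).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_AP_PAY": {"F110", "FBL1N"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_DISPLAY": {"FB03", "FBL1N"},
}

USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_DISPLAY"},
    "BOB": {"Z_AP_CLERK", "Z_AP_PAY"},
    "CAROL": {"Z_VENDOR_MAINT"},
}

# Mitigating controls already assigned: risk ID -> users covered by a control.
MITIGATIONS = {"P001": {"BOB"}}


def functions_held(tcodes):
    """Functions enabled by a set of transaction codes."""
    return {f for f, actions in FUNCTIONS.items() if actions & tcodes}


def analyze_user(user, user_roles=None, roles=ROLES):
    """Violations for a user as sorted (risk_id, level, mitigated) tuples.

    user_roles overrides the user's current assignment (request simulation);
    roles overrides the role catalogue (role-change simulation).
    """
    assigned = USERS[user] if user_roles is None else user_roles
    tcodes = set().union(*(roles[r] for r in assigned))
    held = functions_held(tcodes)
    hits = []
    for risk in RULES:
        if risk.functions <= held:
            mitigated = user in MITIGATIONS.get(risk.risk_id, set())
            hits.append((risk.risk_id, risk.level, mitigated))
    return sorted(hits)


def analyze_all():
    """User-level risk analysis across the whole user base."""
    return {u: analyze_user(u) for u in USERS}


def simulate_request(user, add_roles):
    """Preventive check before provisioning: risks the request would introduce."""
    before = {h[0] for h in analyze_user(user)}
    after = {h[0] for h in analyze_user(user, USERS[user] | set(add_roles))}
    return sorted(after - before)


def simulate_role_change(role, new_tcodes):
    """Impact analysis: users who would gain a NEW violation if the role changed."""
    changed = {**ROLES, role: set(new_tcodes)}
    result = {}
    for u, assigned in USERS.items():
        if role not in assigned:
            continue
        before = {h[0] for h in analyze_user(u)}
        after = {h[0] for h in analyze_user(u, roles=changed)}
        if after - before:
            result[u] = sorted(after - before)
    return result


if __name__ == "__main__":
    for user, hits in analyze_all().items():
        print(user, hits or "clean")
    print("request CAROL + Z_AP_PAY:", simulate_request("CAROL", ["Z_AP_PAY"]))
    print("Z_DISPLAY gains F110:", simulate_role_change("Z_DISPLAY", {"FB03", "FBL1N", "F110"}))
```

Note that BOB's P001 hit is reported as mitigated rather than suppressed: a mitigating control does not remove the conflict, it only documents a compensating control, so the violation still has to stay visible to reviewers. The role-change simulation only reports violations that are new relative to each user's current state, which is what an approver needs in order to decide whether a display role can be widened without reintroducing a cleaned-up conflict.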

Feature Highlights

5. Centralized Emergency Access

By unifying the configuration and administration of superusers into a centralized process, the customer can assign and define firefighter and supervisor relationships for all EAM systems from a single interface. This reduces administration redundancies and greatly enhances visibility of all superuser assignments and supervision.

Customers benefit from improved log reporting of system events and a new workflow for ensuring that log reports have been analyzed and processed by supervisors.

- Administrators centrally manage firefighter assignments, controllers, and other master data
- New options for group owners and controllers, and improved provisioning
- Firefighters centrally access their assignments
- New ability for firefighters to update the activity log with unplanned firefighting tasks
- Access specific log reports from the transaction report
- New workflow-driven firefighter log report
- New categorization of firefighter access signifies criticality and drives workflow logic
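The firefighter log report, the criticality-driven routing and the supervisor follow-up described above, as an added Python example that is not part of the original deck and not SAP Emergency Access Management code. The log lines, the transaction criticality table, the routing rule (High-criticality sessions go to the controller plus a security reviewer) and the 48-hour review SLA are all constructed assumptions for the example.

```python
"""
Emergency-access (firefighter) log triage and review follow-up.

Added illustration, not SAP GRC code. The log lines, criticality table,
routing rule and review SLA are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed session log: timestamp, firefighter ID used, real user, transaction, reason code.
FF_LOG = """\
2024-03-04T09:02:11 FF_FIN_01 JSMITH FB03 INC-4411
2024-03-04T09:05:40 FF_FIN_01 JSMITH FB02 INC-4411
2024-03-04T09:07:02 FF_FIN_01 JSMITH SE16 INC-4411
2024-03-04T09:09:30 FF_FIN_01 JSMITH SU01 INC-4411
2024-03-05T14:00:00 FF_MM_02 AKUMAR MM02 CHG-2201
2024-03-05T14:01:10 FF_MM_02 AKUMAR MM03 CHG-2201
"""

# Constructed criticality table; anything not listed is treated as Low (display-only).
CRITICALITY = {
    "SU01": "High",    # user maintenance
    "SE16": "High",    # generic table browser
    "SE38": "High",    # run arbitrary ABAP reports
    "FB02": "Medium",  # change a posted document
    "MM02": "Medium",  # change material master
}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def parse_log(text):
    """Parse the whitespace-separated log into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ff_id, user, tcode, reason = line.split()
        entries.append({"time": datetime.fromisoformat(ts), "ff_id": ff_id,
                        "user": user, "tcode": tcode, "reason": reason})
    return entries


def build_sessions(entries):
    """Group entries into sessions keyed by (firefighter ID, user, reason code)."""
    sessions = defaultdict(list)
    for e in entries:
        sessions[(e["ff_id"], e["user"], e["reason"])].append(e)
    return sessions


def triage(sessions):
    """Per-session report: highest criticality, flagged transactions, review route."""
    report = {}
    for key, items in sessions.items():
        levels = [CRITICALITY.get(e["tcode"], "Low") for e in items]
        top = max(levels, key=LEVEL_ORDER.__getitem__)
        flagged = sorted({e["tcode"] for e in items if CRITICALITY.get(e["tcode"]) == "High"})
        report[key] = {
            "criticality": top,
            "flagged": flagged,
            "ended": max(e["time"] for e in items),
            # Assumed routing rule: High sessions need a second reviewer from security.
            "route": "controller+security" if top == "High" else "controller",
        }
    return report


def overdue_reviews(report, reviewed, now_iso, sla_hours=48):
    """Sessions whose log report has not been processed within the SLA."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(hours=sla_hours)
    return sorted(k for k, r in report.items() if k not in reviewed and r["ended"] < cutoff)


if __name__ == "__main__":
    rep = triage(build_sessions(parse_log(FF_LOG)))
    for key, r in rep.items():
        print(key, r["criticality"], r["flagged"], "->", r["route"])
    print("overdue:", overdue_reviews(rep, set(), "2024-03-07T00:00:00"))
```

The point of the categorization is that the reviewer's attention is steered by what the firefighter actually did, not by the reason code entered up front: a session opened for an invoice correction that ends in SU01 and SE16 is routed for a second review regardless of its ticket. Sessions with no processed log report past the SLA are the audit finding that the new workflow exists to close, so they are listed explicitly rather than left to be noticed.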

Feature Highlights

6. Improved Identity Management Integration

Customers that provision user access via Identity Management (IdM) can embed compliance in this provisioning process through integration with Access Control. IdM can call risk analysis prior to user provisioning and then initiate remediation events in Access Control when access risks are found. IdM customers can also provision BRM roles, which enables customers to eliminate access risks from both the user provisioning and the role management process.

- New support for IdM to perform access risk analysis prior to submitting for remediation
- Enhanced communication services, including callback and look-up, between IdM and AC
- Enhanced infrastructure to support the standard SPML 1.0 protocol for all outbound communication from AC
- Enhanced support for audit tracking of requests and events

Landscape and Architecture


Questions?


Thank you.
