
SAP GRC Access Control

8 May 2008

Carl Clicteur
[Figure: chart of risk (y-axis) over time (x-axis), with periodic "audit" markers compared against a "Continuous monitoring" line.]
Compliance maturity stages: Confusion -> Manual -> Automated -> Monitoring -> Benefit

Confusion (non-awareness of controls):
- Lack of visibility
- Lack of control
- Manually-intensive Business & IT processes
- Reactive and non-integrated approach
- Overwhelming sample sizes (audit)

Manual (spreadsheets):
- Lack of visibility
- Lack of control
- Manually-intensive Business & IT processes
- Reactive and non-integrated approach
- Approach not driven by risk
- Large sample sizes for audit

Automated (automation):
- Approach driven by risk
- Automated user access process
- Real-time risk analysis
- Integrated, but reactive approach
- Reduced sample sizes for audit

Monitoring (continuous compliance):
- Embedded risk & control library
- Proactive approach by simulation of changes
- Alerts & monitoring of the effectiveness of controls
- Business value
- Audit trail of all changes and approvals

Benefit (true vision):
- Embedded risk management
- True Business transparency
- Increased stakeholder confidence
- Improved Business performance and sustainability


Three stages of access control:

Stage 1: Get clean
- Risk Identification & Remediation

Stage 2: Stay clean by continuous Access Management
- Emergency Access Control
- Role Change Management
- User Access Management

Stage 3: Stay in control
- Periodic Review & Audit

SAP GRC Access Control 5.2 components:
- SAP GRC Superuser Privilege Management (Firefighter)
- SAP GRC Enterprise Role Management (Role Expert)
- SAP GRC Compliant User Provisioning (Access Enforcer)
- SAP GRC Risk Analysis and Remediation (Compliance Calibrator), the common foundation underneath the other three




Risk definition: business language versus technical talk

Business language:
- Process P001: Procure to Pay Process
- Risk PR07: Maintain a Vendor's Bank Account Number and Release Invoice for payment, which might lead to monetary loss.
- Function 1, PR01: Maintain Vendor Master Data
- Function 2, AP03: Release Blocked Invoices

Technical talk:
- Actions (SAP transaction codes): FK01, FK02, XK01, XK02, XK99 & MRBR
  (FK01, FK02, XK01, XK02 and XK99 are the vendor-master transactions of PR01; MRBR is the invoice-release transaction of AP03)
- Permissions (SAP authorization objects and values), here for the vendor-master function PR01:
  F_LFA1_APP: ACTVT = 01 or 02, APPKZ = F
  F_LFA1_BUK: ACTVT = 01 or 02, BUKRS = $BUKRS
  F_LFA1_GRP: ACTVT = 01 or 02, KTOKK = VEN1
- Organizational rules: Belgium => $BUKRS = BE00

A function is only considered executable when the user holds both one of its actions and the matching permission values; the organizational rule resolves the $BUKRS placeholder, so the conflict is reported for users who hold both functions within the same company code rather than merely anywhere in the system.


Access request workflow in SAP GRC Compliant User Provisioning (Access Enforcer)

1. Workflow initiator: SAP end users or line managers submit an access request.
2. User data & authentication: Access Enforcer obtains the requester's identity from the configured user data source.
3. Request: the request is recorded in Access Enforcer.
4. Risk analysis: the requested access is checked against the rule set on the SAP GRC Risk Analysis & Remediation server before any approval is granted.
5. Approvals, driven by e-mail notifications & reminders: line managers, role owners and, where the analysis found a risk, risk owners.
6. Automated provisioning: the approved access is pushed to the SAP system through SAP connectors.
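The rule shown in the risk-definition section and the risk-analysis step of the request workflow above, as an added example that is not SAP GRC's own code. It encodes risk PR07 as the function pair PR01 (actions FK01, FK02, XK01, XK02, XK99 with the F_LFA1_* permissions) and AP03 (action MRBR), applies the Belgium organizational rule $BUKRS = BE00, and runs the analysis on a user's existing roles plus a requested role before provisioning. Assumptions that are not on the page: the roles are constructed; AP03 is given a hypothetical M_RECH_BUK company-code permission so the org rule applies to both sides of the conflict; a second org rule "Germany" ($BUKRS = DE00) is added to show that holding the two functions in different company codes does not fire the rule.

```python
"""Risk rule and access-request simulation (added example, not SAP GRC code).
Assumptions: roles/users are constructed; AP03's M_RECH_BUK permission and
the 'Germany' org rule are hypothetical additions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Auth = Dict[str, Set[str]]   # one authorization: field -> granted values ('*' = all)


@dataclass
class Role:
    name: str
    tcodes: Set[str]                 # S_TCODE values the role grants
    auths: Dict[str, List[Auth]]     # authorization object -> authorizations

# Rule set in GRC terms: function = actions + permissions, risk = pair of functions
FUNCTIONS = {
    "PR01": {  # Maintain Vendor Master Data (from the page)
        "actions": {"FK01", "FK02", "XK01", "XK02", "XK99"},
        "permissions": {
            "F_LFA1_APP": {"ACTVT": {"01", "02"}, "APPKZ": {"F"}},
            "F_LFA1_BUK": {"ACTVT": {"01", "02"}, "BUKRS": {"$BUKRS"}},
            "F_LFA1_GRP": {"ACTVT": {"01", "02"}, "KTOKK": {"VEN1"}},
        },
    },
    "AP03": {  # Release Blocked Invoices (action from the page; permission assumed)
        "actions": {"MRBR"},
        "permissions": {"M_RECH_BUK": {"BUKRS": {"$BUKRS"}}},
    },
}
RISKS = {"PR07": ("PR01", "AP03")}   # both functions together -> monetary loss
ORG_RULES = {"Belgium": {"$BUKRS": "BE00"}, "Germany": {"$BUKRS": "DE00"}}  # Germany assumed


def _satisfies(auth: Auth, fields: Dict[str, Set[str]], org: Dict[str, str]) -> bool:
    """A single authorization satisfies every required field after $-substitution."""
    for fname, required in fields.items():
        wanted = {org.get(v, v) for v in required}
        granted = auth.get(fname, set())
        if "*" not in granted and not (wanted & granted):
            return False
    return True


def has_function(roles: List[Role], func: str, org: Dict[str, str]) -> bool:
    """Executable = at least one action tcode AND every permission object matched."""
    spec = FUNCTIONS[func]
    tcodes = {t for r in roles for t in r.tcodes}
    if not tcodes & spec["actions"]:
        return False
    for obj, fields in spec["permissions"].items():
        granted = [a for r in roles for a in r.auths.get(obj, [])]
        if not any(_satisfies(a, fields, org) for a in granted):
            return False
    return True


def analyze(roles: List[Role]) -> Set[Tuple[str, str]]:
    """Return {(risk_id, org_rule)} violated by this set of roles."""
    return {(rid, org) for rid, funcs in RISKS.items()
            for org, values in ORG_RULES.items()
            if all(has_function(roles, f, values) for f in funcs)}


def simulate_request(current: List[Role], requested: List[Role]) -> dict:
    """Risk analysis on current + requested access, before approval/provisioning."""
    new = analyze(current + requested) - analyze(current)
    return {"new_risks": new,
            "decision": "route to risk owner" if new else "route to line manager / role owners"}


# Constructed sample roles (not real customer roles)
ROLE_VENDOR_BE = Role("Z_AP_VENDOR_BE", {"FK01", "FK02"}, {
    "F_LFA1_APP": [{"ACTVT": {"01", "02", "03"}, "APPKZ": {"F"}}],
    "F_LFA1_BUK": [{"ACTVT": {"01", "02", "03"}, "BUKRS": {"BE00"}}],
    "F_LFA1_GRP": [{"ACTVT": {"01", "02", "03"}, "KTOKK": {"VEN1"}}],
})
ROLE_RELEASE_BE = Role("Z_AP_RELEASE_BE", {"MRBR"}, {"M_RECH_BUK": [{"BUKRS": {"BE00"}}]})
ROLE_RELEASE_DE = Role("Z_AP_RELEASE_DE", {"MRBR"}, {"M_RECH_BUK": [{"BUKRS": {"DE00"}}]})
ROLE_DISPLAY = Role("Z_AP_DISPLAY", {"FK03", "XK03"}, {
    "F_LFA1_BUK": [{"ACTVT": {"03"}, "BUKRS": {"*"}}]})   # display only: no function

if __name__ == "__main__":
    print(analyze([ROLE_VENDOR_BE, ROLE_DISPLAY]))                 # set()
    print(simulate_request([ROLE_VENDOR_BE], [ROLE_RELEASE_DE]))   # no new risk
    print(simulate_request([ROLE_VENDOR_BE], [ROLE_RELEASE_BE]))   # PR07 in Belgium
```

Two design points matter for false positives: permissions are matched per authorization (a display-only authorization with BUKRS = * does not combine with a change authorization for another company code to satisfy the rule), and the org rule is applied to both functions, so vendor maintenance in BE00 plus invoice release in DE00 is not reported as PR07.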
Superuser Privilege Management (Firefighter) process

Regular mode:
- The user holds pre-approved access to use a Firefighter ID.

Firefighter mode:
- The user activates Firefighter mode.
- The user enters a business justification.
- The user receives the elevated privileges; an e-mail notification is sent to the Controller.
- Log files are collected for the user for as long as the elevated privileges are in use.
- The user leaves Firefighter mode and loses the elevated privileges.
- A log report is sent to the Controller.
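The Firefighter lifecycle above as an added example, not SAP's Firefighter code: pre-approval is required to activate a Firefighter ID, a business justification is mandatory, the elevated privileges are time-bound, every action is logged under the real user rather than the shared ID, and the Controller receives both the activation notification and the closing log report. The user names, Firefighter IDs, the 4-hour validity window and the in-memory outbox standing in for e-mail are all assumptions for the example.

```python
"""Firefighter session lifecycle (added example, not SAP's own code).
Assumptions: names, IDs, the 4-hour window and the in-memory outbox are constructed."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str            # the real person; actions are attributed to them, not to the FF ID alone
    ff_id: str           # the pre-approved Firefighter ID being used
    controller: str      # receives the activation notification and the log report
    reason: str          # business justification entered on activation
    opened_at: float
    expires_at: float
    actions: List[Tuple[float, str]] = field(default_factory=list)
    closed_at: Optional[float] = None


class FirefighterService:
    def __init__(self, assignments: Dict[Tuple[str, str], str], ttl: float = 4 * 3600):
        self.assignments = assignments          # (user, ff_id) -> controller: the pre-approval
        self.ttl = ttl                          # validity window for elevated privileges
        self.outbox: List[Tuple[str, str]] = []  # (recipient, message) instead of SMTP

    def activate(self, user: str, ff_id: str, reason: str, now: Optional[float] = None) -> Session:
        now = time.time() if now is None else now
        controller = self.assignments.get((user, ff_id))
        if controller is None:
            raise PermissionError(f"{user} is not pre-approved for {ff_id}")
        if not reason.strip():
            raise ValueError("business justification is mandatory")
        s = Session(user, ff_id, controller, reason, now, now + self.ttl)
        self.outbox.append((controller, f"{user} activated {ff_id}: {reason}"))
        return s

    def perform(self, s: Session, tcode: str, now: Optional[float] = None) -> None:
        """Record an action; refused once the session is closed or the window has expired."""
        now = time.time() if now is None else now
        if s.closed_at is not None or now >= s.expires_at:
            raise PermissionError("elevated privileges are no longer active")
        s.actions.append((now, tcode))

    def close(self, s: Session, now: Optional[float] = None) -> dict:
        """Leave Firefighter mode: privileges end and the log report goes to the controller."""
        now = time.time() if now is None else now
        s.closed_at = now
        report = {"user": s.user, "ff_id": s.ff_id, "reason": s.reason,
                  "opened_at": s.opened_at, "closed_at": now, "actions": list(s.actions)}
        self.outbox.append((s.controller, f"log report: {report}"))
        return report


if __name__ == "__main__":
    svc = FirefighterService({("alice", "FF_FI_01"): "bob.controller"})   # constructed data
    s = svc.activate("alice", "FF_FI_01", "Month-end close, ticket INC-0001", now=1000.0)
    svc.perform(s, "FB01", now=1001.0)
    print(svc.close(s, now=1200.0))
```

The check that matters in practice is the one in perform(): the log is written inside the same call that decides whether the privilege is still active, so there is no window in which an action runs elevated but unlogged.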
Enterprise Role Management (Role Expert) process:
Role Definition -> Authorizations -> Risk Analysis -> Approval -> Generation



Thank you for your attention
