GR2 - Access Risk Management
Process Diagram
© 2014 SAP AG. All rights reserved. 2
Purpose, Benefits, and Key Process Steps
Purpose
• This scenario describes effective collaboration between business users in the Access Risk Management process.

Benefits
• Real-time access risk analysis to monitor the latest user access risks
• Batch jobs scheduled for dashboard updates per business needs
• Detecting violations/risks triggers remediation actions (mitigation control, removing a role) quickly and in a very straightforward way
• Deep integration of Segregation of Duty (SoD) and User Access Review (UAR)

Key Process Steps
• Regular access risk analysis and remediation
• Periodic access analysis and remediation: SoD review
• Periodic access analysis and remediation: UAR review
Required SAP Applications and Company Roles
Required SAP Applications
• SAP Access Control 10.1

Company Roles
• Compliance Officer
• Manager
• Risk Owner
• Role Owner
• Mitigating Control Owner
• Mitigation Control Monitor
Detailed Process Description (1/2)
GR2 - Access Risk Management
Regular access risk analysis and remediation:
• Compliance Officer: Review High-level Access Violation Report
• Risk Owner: Perform Real-time Risk Analysis
• Perform Remediation Activities:
  • Risk Owner: Assign Existing Mitigation Control
  • Risk Owner: Assign Newly Created Mitigation Control:
    - Risk Owner: Create New Mitigation Control
    - Mitigation Control Owner: Approve New Mitigation Control
    - Risk Owner: Assign New Mitigation Control
  • Mitigation Control Owner: Review Mitigated User List
  • Remove Role via User Level Risk Violation Report:
    - Risk Owner: Create De-provision Request
    - Manager: Approve De-provision Request
Detailed Process Description (2/2)
• Perform Remediation Activities (continued):
    - Role Owner: Approve De-provision Request
• Compliance Officer: Review High-level Violation Report
Periodic access analysis and remediation:
• Segregation of Duty Review:
  • Schedule Segregation of Duty (SoD) Review
  • Preview and Check SoD Review Request
  • Update Workflow Job
  • Review and Remediate SoD Issues
• User Access Review:
  • Schedule User Access Review (UAR) Review
  • Preview and Check UAR Review Request
  • Update Workflow Job
  • Review and Remediate UAR Issues
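The user-level SoD analysis, mitigation-control check and role-removal remediation that these steps walk through, as an added Python example (not SAP Access Control code). The rule set, roles, user and mitigation control are constructed, and control expiry is modelled to show why the periodic review step matters:

```python
# Added example, not SAP code: rules, roles, user and control are all constructed.
from dataclasses import dataclass
from datetime import date

# Constructed SoD rules: risk id -> two functions one user must not hold together.
SOD_RULES = {
    "P001": ("Maintain Vendor Master", "Process Vendor Payments"),
    "F002": ("Post Journal Entries", "Approve Journal Entries"),
}
# Constructed role -> business functions (the "technical view" of a risk).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"Maintain Vendor Master"},
    "Z_AP_PAYMENTS": {"Process Vendor Payments"},
    "Z_GL_ACCOUNTANT": {"Post Journal Entries", "Approve Journal Entries"},
}

@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    risk_id: str
    user: str
    valid_to: date  # an expired control no longer mitigates anything

def analyze_user(user, roles, controls, today):
    """Return {risk_id: finding} for each SoD rule the user's roles violate:
    the roles granting the conflicting functions, whether an unexpired control
    covers the risk, and which single role removal would clear it."""
    mitigated = {c.risk_id for c in controls if c.user == user and c.valid_to >= today}
    findings = {}
    for risk_id, (fn_a, fn_b) in SOD_RULES.items():
        roles_a = {r for r in roles if fn_a in ROLE_FUNCTIONS.get(r, ())}
        roles_b = {r for r in roles if fn_b in ROLE_FUNCTIONS.get(r, ())}
        if not roles_a or not roles_b:
            continue  # both functions are needed for a conflict
        # Removing role r remediates the risk only if it empties one side.
        remove_any = sorted(r for r in roles_a | roles_b
                            if not (roles_a - {r}) or not (roles_b - {r}))
        findings[risk_id] = {"roles": sorted(roles_a | roles_b),
                             "mitigated": risk_id in mitigated,
                             "remediate_by_removing": remove_any}
    return findings

def dashboard_summary(findings):  # compliance officer's high-level view
    open_count = sum(not f["mitigated"] for f in findings.values())
    return {"total": len(findings), "open": open_count, "mitigated": len(findings) - open_count}

if __name__ == "__main__":
    ctl = [MitigationControl("MC-AP-01", "P001", "jdoe", date(2024, 12, 31))]
    print(analyze_user("jdoe", ["Z_AP_CLERK", "Z_AP_PAYMENTS", "Z_GL_ACCOUNTANT"], ctl, date(2025, 1, 1)))
```

Run with a date before the control's expiry and P001 reports as mitigated; after expiry the same user shows two open risks, which is the condition the scheduled SoD review is meant to catch.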
GR2 Access Risk Management (Regular Access Risk Analysis and Remediation 1/1)
[Process diagram. Swimlanes: SAP Access Control (Compliance Officer, Mitigating Control Owner, Risk Owner, Manager, Role Owner) and SAP ERP. Steps:]
A: Reviewing High-Level Access Violation Reports
B: Reviewing High-Level Access Violation Reports (Technical/Business/Remediation View)
C: Remediation – Assign Existing Mitigation Control
Remediation – Assign Newly Created Mitigation Control:
D: Create New Mitigation Control
E: Approve New Mitigation Control
F: Assign Existing or New Created Mitigation Control
G: Review Mitigated Users List
Remediation – Remove Role via User Risk Violation Report:
H: Create De-provision Request (via Remediation View)
I: Approve De-provision Request
J: Approve De-provision Request
1: Relevant Role Removed for User (SAP ERP)
K: Reviewing High-Level Violation Reports
GR2 Access Risk Management (Periodic Access Analysis and Remediation) 1/1
[Process diagram. Swimlanes: SAP Access Control (Compliance Officer, Reviewer (Risk Owner), Reviewer (Manager)) and SAP ERP.]
Periodic Access Risk Analysis and Remediation – SoD Review:
L: Scheduling SoD Review
M: Previewing and Checking Requests
N: Updating Workflow Job for SoD Review
O: Reviewing and Remediating SoD Issues
Periodic Access Risk Analysis and Remediation – UAR Review:
P: Scheduling UAR Review
Q: Previewing and Checking Requests
R: Updating Workflow Job for UAR Review
S: Reviewing and Remediating UAR Issues
2: Relevant Role Removed for User (SAP ERP)
GR2 – Access Risk Management Regular Access Risk Analysis and Remediation
Icon Legend (Regular Access Analysis and Remediation)
A: Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> Risk Violations
B: Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
C: Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
D: Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
E: Log on as MC Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
F: Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
G: Log on as MC Owner. SAP GRC AC NWBC: Access Management -> Mitigated Access -> Mitigated Users
H: Log on as Risk Owner. Must choose Remediation View. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
I: Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
J: Log on as Role Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
K: Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> User Analysis
GR2 – Access Risk Management Periodic Access Risk Analysis and Remediation
Icon Legend (Periodic Access Analysis and Remediation)
L: Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
M: Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review
N: Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
O: Log on as Risk Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
P: Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
Q: Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review
R: Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
S: Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
GR2 - Access Risk Management
Icon Legend (Emails)
Email 1: Mitigation Control Owner receives an email that there is a new mitigation control request that needs to be approved.
Email 2: Manager receives an email that there is a de-provision request that needs to be approved or rejected after review.
Email 3: Role Owner receives an email that there is a de-provision request that needs to be approved or rejected after review.
Email 4: Risk Owner receives an email notifying them of a risk review request.
Email 5: Manager receives an email notifying them of a user access review request.
Appendix
Process Diagram Legend
• User Role
• Lane: <name>* (* <name>: SAP System (PPMS name), or non-SAP System, or lane for steps outside software)
• Process Step Outside Software / Optional Process Step Outside Software
• Automatic Process Step / Optional Automatic Process Step
• Process Step (manual or automatic) / Optional Process Step (manual or automatic)
• Manual Process Step / Optional Manual Process Step
• Process Step Outside Scope Item Scope
• Interface: User Interface (UI), Batch Script, Interface (like A2A/B2B Message)
• Connection: Sequence flow, Data flow
• Documents: Inline / Standalone Output Document, Accounting Document
• Links: Link to SAP Best Practice Processes or scope items, Page Link, (<BBID>) Link to SAP Best Practice Process, Incoming Link, Outgoing Link
• Events: Timer Event, Message
• Gateways: XOR, OR, AND, Complex
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP AG or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP AG or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP AG or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP AG’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP AG or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
© 2014 SAP AG or an SAP affiliate company. All rights reserved.