07.02.2011 Page 1 of 3

SAP Note 986996 - GRC Access Control - Best Practice for Rules and Risks

Note Language: English Version: 10 Validity: Valid Since 03.05.2010

Summary

Symptom

Explanation of delivered Risk Analysis and Remediation rules.

Other terms

SAP Compliance Calibrator, Risk Analysis and Remediation, rules, functions, risks, ruleset

Reason and Prerequisites

How was the decision made to build the rules and risks that are found in the rule set delivered with SAP CC?

Solution

Best practices for controls state that the company's environment is the primary consideration for establishing controls. The same applies to Segregation of Duty rules.

We provide a set of rules that we have found cover the majority of global requirements for the basic processes: Finance, Procure to Pay, Order to Cash, etc. Special rules have been provided for other specialty areas (CRM, HR, ECC, etc.) by working with partners and customers. The whole purpose is to give our customers a solid starter set rather than having them build rules from scratch. The delivered ruleset is meant to cover the major risk areas present in the majority of customers. Not every SAP application is included in the delivered ruleset, and at this point there are no plans to develop additional industry-specific component or add-on product rules.

The company's time is then spent making sure the risks are appropriate for its implementation of SAP and adding custom related transactions, rather than starting from scratch.

A zip file presentation has been attached that explains the ruleset update process and summarizes the number of rules delivered and the areas they cover.

The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions. The underlying assumption is that we want to ensure the rules do not have any false negatives. This means that we purposely activate the fewest authorization objects required in order to execute the transaction: a rule that demands only what is strictly needed to run the transaction cannot miss a user who can actually run it.

If new or different authorization object settings come into play in the higher releases (4.7, 640 and 700) and you feel this results in false positives (reported conflicts that do not really exist), then you can adjust the rules to add these authorization objects to the rules.

Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts, which can be further filtered by the customer, rather than excluding users that should be reported.
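To make the trade-off above concrete, here is an added toy model (not SAP's code or delivered ruleset) of a function/risk check: the same user is analyzed against a rule that activates only the transaction and against the same rule tightened with extra authorization objects. All function names, risk id, transactions and the user's authorizations are constructed sample data.

```python
# Added example, not part of the SAP note. Functions are modelled as
# (transactions, required auth objects); a risk is a pair of functions
# that must not be held together. All data below is constructed.

def user_has_function(user_auths, fn):
    """A user can execute the function when S_TCODE grants at least one of
    its transactions and the user holds every auth object the rule activates."""
    tcodes, auth_objects = fn
    has_tcode = bool(set(tcodes) & user_auths.get("S_TCODE", set()))
    has_objects = all(obj in user_auths for obj in auth_objects)
    return has_tcode and has_objects

def analyze(user_auths, functions, risks):
    """Return the sorted ids of risks whose conflicting functions the user holds."""
    held = {name for name, fn in functions.items()
            if user_has_function(user_auths, fn)}
    return sorted(rid for rid, (a, b) in risks.items()
                  if a in held and b in held)

# Minimal ruleset, as the note describes the delivered rules: only the
# transaction itself is required, so no executable path is missed.
MINIMAL = {
    "AP01": (["FB60"], []),   # constructed: enter vendor invoice
    "AP02": (["F110"], []),   # constructed: run payment program
}
# The same functions after a customer adds auth objects seen in a higher
# release, to suppress conflicts they consider false positives.
TIGHTENED = {
    "AP01": (["FB60"], ["F_BKPF_BUK"]),
    "AP02": (["F110"], ["F_REGU_BUK"]),
}
RISKS = {"P001": ("AP01", "AP02")}   # constructed SoD risk: invoice vs. payment

# Constructed user: holds both transactions but lacks the payment-run object.
USER = {"S_TCODE": {"FB60", "F110"}, "F_BKPF_BUK": {"1000"}}

def demo():
    """Minimal rule reports P001 (possibly a false positive); tightened rule does not."""
    return analyze(USER, MINIMAL, RISKS), analyze(USER, TIGHTENED, RISKS)

if __name__ == "__main__":
    print(demo())   # (['P001'], [])
```

Whether the tightened result is a real fix or a newly introduced false negative depends on whether F110 can in fact be executed without that object in the customer's release, which is exactly the judgement the note leaves to the customer.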

The data contained in the default ruleset is the same regardless of the version of Risk Analysis and Remediation (Compliance Calibrator) implemented (4.0, 5.1, 5.2 or 5.3). The main difference is just in the format. In 4.0, it is not possible to create single-function risks. For that reason, Critical Action risks are delivered as part of the Critical Transaction table and not as individual Functions and Risks. In 5.X, the Critical Actions are delivered as individual Functions and Risks that are incorporated into the normal ruleset. However, please understand that the actual Critical Transactions are the same in 4.0 and 5.X.

Header Data

Release Status: Released for Customer
Released on: 04.05.2010 17:48:49
Master Language: English
Priority: Recommendations/additional info
Category: Consulting
Primary Component: GRC-SAC-SCC Risk Analysis & Remediation (formerly Compliance Calibrator)

The Note is release-independent

Related Notes

Number   Short Text

1552985 F110S rule incorrect - lists F_REGUL_KO should be F_REGU_KOA

1541577 Impact of S_TABU_NAM in Risk Analysis and Remediation

1535330 Compliance Calibrator 4.0 - Full Rule Deletion

1519557 Rules by Process under Rule Library do not show numbers

1446680 Risk Analysis and Remediation Rule Update Q2 2010

1349969 Function AR04 - incorrect permission activated

1326497 Risk Analysis and Remediation Rule Update Q2 2009

1238023 New authorizations not updating in rule set

1173980 Risk Analysis and Remediation Rule Update Q2 2008

1133589 CC 5.x - How to build rules for "all" or "any" values

1083611 Compliance Calibrator Rule Update Q3 2007

1061380 Compliance Calibrator Rule Update Q2 2006

1050832 ME23N in Compliance Calibrator (RAR) Default rules

1035070 Compliance Calibrator Rule Update Q1 2007

1033326 Risk Analysis and Remediation Rule Upload guidance

Attachments

File Type   File Name               Language   Size

ZIP         RAR_Rule_Updates.zip    E          143 KB