Ati Sap GRC Ac10 Introduction

The document provides an overview of SAP GRC Access Control 10.0, detailing its features and benefits in managing governance, risk, and compliance within organizations. Key highlights include improved user access management, centralized emergency access, and enhanced identity management integration. The document emphasizes the importance of harmonization and a unified compliance platform to streamline processes and minimize risks.

Uploaded by

himanshugaur029
Training Institute

SAP GRC
Access Control 10.0
Introduction
Agenda

• SAP GRC Overview
• SAP GRC Access Control 10.0 Introduction
• SAP GRC Access Control 10.0 – Features

GRC Defined

• GRC is a system of people, processes, and technology
• It enables an organization to:
  - understand and prioritize stakeholder expectations;
  - take a holistic approach to risk management;
  - set objectives congruent with values and risks;
  - achieve objectives while optimizing risk profile and protecting value;
  - operate within legal, internal, and social boundaries;
  - provide relevant, reliable, and timely information to appropriate stakeholders; and
  - enable the measurement of the performance and effectiveness of the system

[Diagram: People, Process, Technology]

GRC Defined

• Governance: management approach through which senior executives direct and control the entire organization
• Risk: Effect of uncertainty on objectives
• Risk Management: set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks
• Compliance: compliance means conforming to a rule, such as a specification, policy, standard or law.

[Diagram: Governance, Risk, Compliance]

GRC Defined

• MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
• VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies.
• BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives
• OBJECTIVES: strategic, operational, customer, process, compliance objectives

[Diagram: the business model drives toward objectives between the mandated and voluntary boundaries, with OBSTACLES and OPPORTUNITIES along the way]

Benefits of GRC Solutions

• Minimize risk
• Tightens up business process
• Helps drive innovation
• Increases agility
• Eliminates costly, repetitive tasks in the ERP landscape
• Can be implemented in stages

Business Case for GRC

Before GRC:

• Fragmented
• Mostly reactionary
• Individual projects
• Separate from mainstream process and decision making

Business Case for GRC

[Diagram labels: Strategy (Initiative Tracking, Business Planning, Situation Analysis, Simulation, Cost Tracking, Budgeting); KPI Dashboards, Project Reporting, Ad Hoc Reporting, Controls, Risk Management, Data Warehouse; Execution (ERP & Transaction Systems)]

Business Case for GRC

After GRC:

• Integrated management and performance
• Integrated capability
• Embedded with mainstream process and decision making
• Coordinated transactions and shared data

SAP BusinessObjects Solutions

Enterprise Performance Management:
• Strategy Management
• Planning, Budgeting and Forecasting
• Profitability and Cost Management
• Consolidation
• Spend and Supply Chain

Governance, Risk and Compliance:
• Risk Management
• Access Control
• Process Control
• Global Trade Services
• Environment, Health and Safety

Business Intelligence:
• Reporting
• Query, Reporting, and Analysis
• Dashboards and Visualization
• Search and Navigation
• Advanced Analytics

Information Management:
• Data Integration
• Data Quality Management
• Master Data Management
• Metadata Management

Agenda

• SAP GRC Overview
• SAP GRC Access Control 10.0 Overview
• SAP GRC Access Control 10.0 – Features

SAP GRC Access Control

SAP BusinessObjects GRC Solutions

• Provides a unified, business-user focused approach
• Organizes all compliance requirements
• Creates a common method to measure risks
• Ensures strategy considers risks
• Implements and monitors controls in business processes
• Detects and alerts to exceptions for risks and controls
• Promotes sustainable operations

SAP GRC Access Control

Protect information and prevent fraud

• automatically eliminate access and authorization risks with out-of-the-box rules
• enforce SoD across applications and departments
• prevent improper access instead of reacting to problems

[Diagram layers:
 Document and Audit: Streamline audits, Provide proof, Automate Reviews
 Analyze and Remediate: Analyze and remediate risk, Manage by exception, Collaborate across functions
 Embed and Execute: Compliant user provisioning, Superuser privilege management, Embed cross-function (FIN, SCM, SRM, MFG, HR), Embed cross-platform
 Model and Control: SoD Rules & Regulations, Corporate Policies, Best Practices, Enterprise role management, Identity Management]

SAP GRC Access Control

Optimize operations

• automate SoD management
• automate access management
• promote IT and Line of Business collaboration
• enforce accountability with review and approval process
• ease compliance and avoid authorization risk

SAP GRC Access Control

Minimize time and cost for financial compliance

• provide proof and reliability with control test and audit trail for SoD controls
• report and review key risk indicators for system access

Approach

Minimal Time For Compliance (Get Clean)
• Risk Identification and Remediation: Rapid, cost-effective and comprehensive initial clean-up

Continuous Access Management (Stay Clean)
• Enterprise Role Management: Enforce SoD compliance at design time
• Compliant User Provisioning: Prevent SoD violations at run time
• Superuser Privilege Management: Close #1 audit issue with temporary emergency access

Effective Management Oversight and Audit (Stay in Control)
• Periodic Access Review and Audit: Focus on remaining challenges during recurring audits

Foundation for all phases:
• Risk analysis, remediation and prevention services
• Cross-enterprise library of best practice segregation of duties rules

Approach

Minimal time for compliance

• setting up the right access controls through the use of a comprehensive library of SoD rules out-of-the-box

Continuous access management

• enforcing SoD compliance from the start with enterprise-wide role design, documentation and maintenance; prevents reintroduction of SoD violations; perform emergency activities in a controlled manner

Effective management oversight and audit

• through user access reaffirmations and reviews of access-risk, SoD rules, mitigating controls and roles; provides audit trail

Approach
Benefits

• Access Control protects information and prevents fraud
  - Automatically eliminates access and authorization risks with out-of-the-box rules
  - Enforces segregation of duties across applications and departments
• Optimizes operations
• Minimizes time and cost for compliance

Agenda

• SAP GRC Overview
• SAP GRC Access Control Overview
• SAP GRC Access Control 10.0 – Features

SAP GRC Access Control 10.0

• Access Control 10.0 is part of the GRC 10.0 Suite
• Previous version of Access Control is 5.3 (for PC and RM, 3.0)
• Access Control 10.0 highlights improvements in six (6) key focus areas:
  - Access Control Harmonization
  - Unified Compliance Platform
  - Streamlined User Access Management
  - Business Role Governance
  - Centralized Emergency Access
  - Improved Identity Management Integration

Feature Highlights
1. Access Control Harmonization

• Harmonization is a key strategy of the GRC 10.0 release and Access Control 10.0 will undergo its own harmonization with each of its four capabilities – Access Risk Analysis, User Access Management, Emergency Access Management, and Business Role Management
• GRC 10.0 has been reengineered onto an ABAP platform allowing for new benefits such as object level security, environment transportability, and data archiving
• This harmonization within the four components lowers total cost of ownership by eliminating redundancy in administration, configuration, setup, and training, and increases the ease of supportability

Feature Highlights
2. Unified Compliance Platform

• Access Control 10.0 will also harmonize with applications across the GRC Suite – Process Control, Risk Management, and Global Trade Services
• The GRC Suite will share a single user interface and an integrated data model – allowing for sharing of key data such as business processes and subprocesses, organizations, and controls
• Provides ease in administration by eliminating the need to recreate shared administrative and master data for each application

Feature Highlights
2. Unified Compliance Platform

• Harmonization in two ways -- within AC and across the entire GRC Suite
• AC-PC-RM harmonization both at the user interface and data layers
• Introduction of Organization Compliance Hierarchy allowing sharing of business processes and controls
• Ability to analyse risks in AC and mitigate with documented, tested, monitored and certified controls in PC
• Ability to schedule risk analysis from PC automated rule framework

Feature Highlights
2. Unified Compliance Platform

Common GRC user interface


Feature Highlights
2. Unified Compliance Platform

Unified Inbox
Feature Highlights
3. Streamlined User Access Management

• Access Control’s user provisioning capability will standardize on SAP’s Business Workflow engine, providing support for dynamic, multi-stage approval routing based on information such as user, role, or system
• Provides customizable access request forms that allow customers to tailor end user forms dynamically based on user and system accessed, ensuring only relevant data is requested of the end user
• Streamlined access requests and periodic reviews will enable approvers to make more informed decisions by presenting usage details and more information about what else the requestor is authorized to access

Feature Highlights
3. Streamlined User Access Management

• Access requests enhancements:
  - New customizable access request forms
  - New template based access requests
  - New position-based role assignment requests
  - New end-user display of profile, access assignments, and request history
• Enhanced search for roles, groups, and system based on authorization
• New customizable approver views
• New multiple rule set support
• Enhanced periodic reviews for user access and access risks

Feature Highlights
4. Business Role Governance

• Business Role Management bridges the gap between complex system authorizations and business functions and delivers simplified assignment of access, reduced compliance risk, and improved operational efficiency
• BRM will centralize compliant role administration with all roles being stored centrally within BRM and analysed for access violations
• Provides a new impact analysis simulation report utilizing what-if logic to allow customers to determine if role authorization changes will introduce access risk to all users assigned the role, before implementing in production

Feature Highlights
4. Business Role Governance

• New centralized business role management with embedded access risk analysis
• Enhanced process for mapping technical access authorizations to business functions
• New role design and flexible role building workflows, including preventative simulations
• New ability to analyse role usage for optimal assignment and to keep role definition up to date
• Improved role comparison to detect backend changes provides role consistency, synchronization, and compliance
• New process for periodic role certification

Feature Highlights
5. Centralized Emergency Access

• By unifying the configuration and administration of superusers into a centralized process, the customer will now be able to assign and define firefighter and supervisor relationships for all EAM systems from a single interface
• This reduces administration redundancies and greatly enhances visibility of all superuser assignment and supervision
• Benefit from improved log reporting of system events and a new workflow for ensuring that log reports have been analysed and processed by supervisors

Feature Highlights
5. Centralized Emergency Access

• Administrators centrally manage firefighter assignments, controllers, and other master data
• New options for group owners and controllers and improved provisioning
• Firefighters centrally access their assignments
• New ability for firefighters to update the activity log with unplanned firefighting tasks
• Access specific log reports from transaction report
• New workflow driven firefighter log report
• New categorization of firefighter access signifies criticality and drives workflow logic

Feature Highlights
6. Improved Identity Management Integration

• Customers that provision user access via Identity Management (IdM) will be able to embed compliance in this provisioning process through integration with Access Control
• IdM will be able to call risk analysis prior to user provisioning and then initiate remediation events in Access Control when access risks are found
• IdM customers will also be able to provision BRM roles, which will enable customers to eliminate access risks from both the user provisioning and role management process

Feature Highlights
6. Improved Identity Management Integration

• New support for IdM to perform access risk analysis prior to submitting for remediation
• Enhanced communication services, including callback and look up, between IdM and AC
• Enhanced infrastructure to support standard SPML 1.0 protocol for all outbound communication from AC
• Enhanced support for audit tracking of requests and events

Landscape and Architecture
Training Institute

Questions?
Training Institute

Thank you.
