Orange County Convention Center

Orlando, Florida | May 15-18, 2011

How to effectively utilize SAP Business Objects Access Control

Enterprise Role Management (ERM) ]
Vinod Nanu
Prateek Jain
[ Learning Points
Defining core concepts around Role definition
Defining the Concept of Roles in SAP
Enterprise Role Management (ERM) overview
Recommended approach for implementing ERM
Gain instructions of ERM configurations
Creating Roles using ERM
Enterprise Role Management reports
Whats new in GRC 10.0 AC

Real Experience. Real Advantage. 2

[ Index
Defining core basics related to Role
Role with relation to Enterprise
Roles and the Enterprise Basics
Roles from an Organizational Point of View
How are Roles Aligned to Organization Structure?
How are Roles aligned to Business Process?
How are Roles Aligned to SAP Transaction & Role Concepts in SAP?
Role Concepts
Role Engineering Concepts
Role Types & Forms
Role Naming Convention and Tiered Approach
Perfect World of Role
Finding a Balance
Importance of Role Governance
Defining the Concept of Roles in SAP
SAP Authorization Concept
What You Need to know About Roles/Profiles
Types of roles
Overview of Security Construct
SoD Concept and Challenges
Enterprise Role Management (ERM) overview
Enterprise Role Management as a stand-alone solution
Recommended Approach for Implementing ERM
Gain instructions of ERM configurations
Creating Roles using ERM
Running risk analysis with ERM
Enterprise Role Management reports
Whats new in GRC v10.0
Best Practices
Key Learnings

Real Experience. Real Advantage. 3

[ Roles and the Enterprise basics
Roles are a business - NOT a technology problem.
Well-defined and maintained roles are essential for
efficient, cost-effective security administration.
Roles should integrated and tied to business
processes and span multiple resources (BW
Business Warehouse, CRM Customer
Relationship Manager, SRM Supplier
Relationship Manager)
Where possible, a well-balanced approach needs to
be adopted between security and business policies by
using leveraging rules or other constructs (Context-
based roles in NWIDM Net Weaver Identity
Management).
Centralized approach should be adopted toward
roles and policies just as with user identities. This
will ensure standardization across the enterprise.
Role governance must be managed in conjunction
with overall identity management initiatives (IDM).

Real Experience. Real Advantage. 4

[ Roles from an Organizational Point of View
Organization Object and Legal
Form help define the primary
goals of the organization, Legal
which in turn helps define Institutional
where the most value around
Organization
access should be primarily
emphasized. Organization

The SAP Authorization Configurationally

concept is tied to the Instrumental
Instrumental concept. Functional
Business Process Tasks, sub-
tasks and actions are all part
of the Instrumental Concept.

Real Experience. Real Advantage. 5

[ How are Roles Aligned to Organization Structure?
Single-Line Organization
Top-down hierarchy, one direct
supervisor who is authorized to issue
Simple Line (Hierarchy) Organization
instruction

Multiple-Line Organization
Defining access requires both object and
action level segregation i.e., activity based
segregation along with organization level
segregation
Cross Line/Reporting Organization
Matrix Organization
Most of the access is granted by using the
combination of the Action and Object Specific Action
principle
Finance Sales Procurement
Specific Object

Product A Product A Product A Product A

Product B Product B Product B Product B

Matrix/Structured Organization

Real Experience. Real Advantage. 6

[ How are Roles Aligned to Business Process?
Organization is typically challenged segregating the
access setup at all this level to enable day to day
operation with out causing any inappropriate access.
(i.e., enabling emergency access to support team
while ensuring core business process is enabled
accurately)

Real Experience. Real Advantage. 7

[ How Are Roles Aligned to SAP Transaction & Role
Concepts in SAP?
Task
A complete set of all activities
that needs to be carried out by a
job Position (Order to Cash)
Sub-Task
A logical break down of sub-
activities that can be performed
with a task; one sub-task can
belong to multiple tasks. (Sales
Order)
Action
A set of operations that allows a
sub-task to be performed (Sales
Order Processing, Sales Order
Reporting)
Activity
A specific step in a action that
enables the action to be
differentiated at a granular level
(create, change, display)

Real Experience. Real Advantage. 8

[ How Are Roles Aligned to SAP Transaction & Role
Concepts in SAP?

Real Experience. Real Advantage. 9

[ Role Engineering Concepts
Define top down from Business Process Layer Responsibilities
Business Process and
bottom up from Role Management Roles
technology
Work from both Authorization Object Layer Activities
directions in a organized
manner
Assignment concepts
Static: user groups
User
Dynamic: auto
assignment

Real Experience. Real Advantage. 10

[ Role Types & Forms
Defining roles require some fundamental understanding of the
different types of roles.
Each type helps define some unique entity component of the
organization
Example:
Basic: employee, contractor
Organizational: Plant Manager, Division Manager, District
Manager
Functional: audit, compliance, engineer, security
Hierarchical: Managing Director, HR Manager, management
Special/Custom: project related, special purpose
Locality: Sub-area, US, Asia, Europe, Dallas

Real Experience. Real Advantage. 11

[ Role Types & Forms
Discrete unique
One role assumed by Role

multiple entities (single

roles)
Collective or hierarchical Role

One entity aggregating the

characteristics or several
roles (composite or Role Role

derived)
Dynamic
Conditional assignment of
a role Condition 1

Role
Policy or rule-driven Condition 2

(context based)

Real Experience. Real Advantage. 12

[ Role Naming Convention and Tiered Approach

- - - -
Bus

-
Org
Key Type Tier Process Dept Functional
Area Level
(3) (2) (8)
(1) (1) (1) (5) (4)

Tier 5: Special Access Role

Roles containing transaction needed by some users in some
countries, using derived concept unique transaction content

Tier 4: Special Access Role Tier 4: Special Access Role

Transactions restricted to specific users Roles containing transaction needed by some users in some
(i.e., release PO authorization, open close period) countries, using derived concept some change to transaction content

Tier 3: Functional Role Tier 3: Cross-Country Functional

Roles containing transaction needed by some users in some
Transactions which represent the execution of the job function
countries, using derived concept , no change to transaction content

Tier 2: Departmental Role Tier 2: Cross-Country Divisional

Transactions which everyone in the Roles containing transaction needed by some or call users in all
department will have access, limited to display only countries, using derived concept , no change to transaction content

Tier 1: Basic Role Tier 1: Basic Role (Cross Country)

Transactions which everyone in the organization will have access (i.e., Transactions to which either some or all users in the organization will have
SU53) access (i.e., single roles with minimal transaction content change)

Real Experience. Real Advantage. 13

[ Perfect World for Role

Role
Nirvana

Roles Rules

Real Experience. Real Advantage. 14

[ Finding a Balance
Business Process Analysis Role Mining and Data Analysis
User to Role Sets of
Assignment permissions

Permissions
Roles

Balanced approach Resources

End
Users
Responsibilities Privileges

Real Experience. Real Advantage. 15

[ Importance of Role Governance
Roles also require a good governance model:
What are the criteria for role definition?
Who determines when new roles are required?
What are the criteria in determining when roles change?
Who determines when a role should be modified?
What are the criteria for removing a role?
Who determines when a role should be removed?
What are the processes for implementing these changes?
Who determines what is appropriate for each role?
Who determines who, how and when roles are certified and
attested?
Who will verify and validate role compliance?

Real Experience. Real Advantage. 16

[ Defining the Concept of Roles in SAP
Protects transactions and programs from unauthorized use

Allows only approved users to perform specific functions or to

access specified objects

Authorization profiles assigned to users determine the access

allowed within the system

Only users with active User Master Records can log onto the
system

Real Experience. Real Advantage.

[SAP Authorization Concept

User Master Record User Master Record

Role Role
Authorization for Authorization for
Task A Task B

Action Action

Transaction permitted?

Authorizations assigned?

Objects needing protection

Vendor Company Code Material Plant

Real Experience. Real Advantage.

[ SAP Authorization Concept
SAP Authorization levels
Transaction code Org elements Field values

Real Experience. Real Advantage.

[ What You Need to know About Roles/Profiles
Example role and associated profile

Role Name

Profile Name

Real Experience. Real Advantage.

[ Types of Roles
Single Role

Grouping of transaction codes and underlying authorization objects

Can be assigned to users

Composite Role

Grouping of single roles

Typically used to simplify user provisioning
Can be assigned to users

Real Experience. Real Advantage. 21

[Types of Roles
Master Role

Template role with transaction codes and underlying

authorization objects
Organizational values are variables
Not assigned to users
Used by the derived role as template

Derive Role

Links to the parent role and inherent in the assigned

transaction codes and authorization objects
Organizational values are maintained for each derived role
Can be assigned to users

Real Experience. Real Advantage. 22

[Overview of Security Construct
SAP
SAP transactions are assigned
Transaction(s) to roles.
(~16,000)

Roles are combined and mapped

Role(s) to positions/job responsibilities
Receive Material known as Composite Roles.

Position(s)
Composite Roles are assigned to
Shipping users based on their functional
Manager position, approval, and
completion of training.

Real Experience. Real Advantage. 23

[Overview of Security Construct
How user access is granted in SAP
VD 02 Attempts to access
Transactions transaction OB 52
Authorization OB 52 Open/Close Periods

User 1 Role 1 Profile 1 Authorization 1 Authorization needed to

launch the transaction
Authorization 2
Authorization 1
Authorization 3
Authorization 4
Authorization 4
Authorization 5
Role 2 Profile 2 Authorization 5 Authorization 8

Authorization 6
ACCESS GRANTED
Role 3 Profile 3 Authorization 7

Authorization 8

Real Experience. Real Advantage. 24

[Overview of Security Construct
How user access is refused in SAP
VD 02 Attempts to access
Transactions transaction VD 02
Authorization OB 52 Open/Close Periods

User 1 Role 1 Profile 1 Authorization 1 Authorization needed to

launch the transaction
Authorization 2
Authorization 1
Authorization 3
Authorization 4
Authorization 4
Authorization 8

Role 2 Profile 2 Authorization 5 Authorization 10

Authorization 6
ACCESS REFUSED
Role 3 Profile 3 Authorization 7

Authorization 8

Real Experience. Real Advantage. 25

[Segregation of duties (SoD): concept
Definition
SoDs are a primary internal control intended to prevent (or decrease) the risk of
errors or irregularities, identify problems, and ensure corrective action is taken.
Corrective action ensures that no single individual has control over all phases of a
business transaction.

There are four general categories of duties:

In an ideal system, different employees perform each of these four major
Authorization
functions. In other words, no one employee has control of two or more of
Custody these responsibilities. The more negotiable the asset, the greater the need
Record Keeping for proper segregation of duties, especially when dealing with cash,
negotiable checks and inventories.
Reconciliation

Real Experience. Real Advantage. 26

[ SoD Conflict example: Finance and Controlling

Given below is one possible 1 Finance and

combination of SoD. Identify the other Controlling
possible combinations of SoD for the
Finance and Controlling (FI) module: 0 Materials Management
0 Sales and Distribution

Conflicting Functions Risks

Maintain GL Master Post Journal Entry Create a fictitious GL account and generate journal activity or hide
Records activity via posting entries.

Real Experience. Real Advantage. 27

[ SoD Conflict example: Materials Management
0 Finance and Controlling
Given below is one possible
combination of SoD. Identify the other 1 Materials
possible combinations of SoD for the
Materials Management (MM) module: Management
0 Sales and Distribution

Conflicting Functions Risks

Maintain Purchase Process Vendor Purchase unauthorized items and initiate payment by invoicing
Order Invoices

Real Experience. Real Advantage. 28

[ SoD Conflict example: Sales and Distribution
0 Finance and Controlling
Given below is one possible
combination of SoD. Identify the other 1 Materials Management
possible combinations of SoD for the
SD module: 1 Sales and
Distribution
Conflicting Functions Risks
Customer Master Process Customer Make an unauthorized change to the master record (payment
Maintenance Invoices terms, tolerance level) in favor of the customer and enter an
inappropriate invoice.

Real Experience. Real Advantage. 29

[Discussion: SAP Authorization ongoing challenges
Users Security and Controls Auditor
I need Team Sigh.. s
SAP_ALL

Users need SAP integration Violating so

Why dont Overburdened security many
teams Too many control
you let me do controls
my job? violations!

Difficulty on the job

Why cant
you get Management
your act
together?
I need XK01
now! ASAP!

Overburdened control teams Management frustration

Urgent technology needs

Real Experience. Real Advantage. 30

[ Summary
What we have covered:

SAP Authorization concepts

SAP Roles and profiles

Segregation of Duties (SoD) concepts

The challenges in achieving compliance with

authorization and SoD controls

Real Experience. Real Advantage. 31

[ Enterprise Role Management overview
Standardizes and centralizes role management
Defines compliant roles
Creates and maintains roles with flexible process maps
Automates parent-child role generation
Identifies potential audit and SoD issues
Provides reports for:
SoD risk identification
Facilitating role quality management

Real Experience. Real Advantage. 32

[ Enterprise Role Management as a stand-alone solution
Key functionalities Centralized role management
Enterprise role definition framework
Design/Definition

Enterprise rules Role Audit log

Design standards enforcement expert

Proactive risk analysis

Transaction usage analysis

Approval workflow
Change mgmt.

SAP Non-SAP Custom

Automated role comparison

Automated role generation

Compliant enterprise
Reporting

Audit log
Role Role Role Role Role Role
Role Role Role Role
Role

Real Experience. Real Advantage. 33

[ Recommended Approach for Implementing ERM
1 Role framework
Assess
1. Review and define policy and
procedure toward role
management
2. Review/create/refine enterprise-
wide role definition philosophy
3. Review/create/refine current
user access management
process
4. Understand global and local
challenges related to role
definition
5. Understand/meet all key players
in the role management process
6. Define/review/accept role
definition process
7. Define role-naming convention,
exception and uniqueness
8. Understand critical attributes
dependency from HR master
9. Define workflow and approval
process around role
creation/modification
Real Experience. Real Advantage.
2 Role integration
Improve
1. Design standards enforcement
process
2. Define/create/refine layers
within role definition for ERP
application
3. Define/create/refine role naming
convention within individual
application (activity group,
profile, composite, single,
derived)
4. Converting existing role and/or
enhance role with appropriate
access
5. Review SoD report to identify
roles with conflict and issues
6. Integrate workflow for role
approval
7. Integrate and document process
toward T-code Assignment to
Role, Users to Role, Users to
Profile (PFCG, SU01, SU10)
Implementation
3 and reporting
Monitor
1. Integrate Risk Terminator with
Enterprise Role Management
2. Identify audit logs and reports
that will be used to manage
appropriate access
3. Integrate role export with user
provisioning process (AE)
4. Review and validate connector
adaptability to application in
scope
5. Review workflow process
6. Review integration of
compliance calibrator with role
definition process
7. Integrate automated risk
analysis
8. Review process to integrate role
with all environment and
landscape along with CUA
(Central User Administration)
34
[ Predefined configuration options

Configuration tab >

Actions

Real Experience. Real Advantage. 35

[ Configuration options

Role Status
Select Development or Production
Org Level Mapping
Define the Org levels, e.g., Plant, Company Code
Condition Groups
Define conditions on role attributes
Methodology
Define action, step and process
Workflow
Define approval criteria
Transaction Import
Import transaction code from the backend
system
Role Import
Import roles from backend system

Real Experience. Real Advantage. 36

[ Configuration - Role Usage Synchronization

Real Experience. Real Advantage. 37

[ Configuration -Defining and maintaining role definitions

Real Experience. Real Advantage. 38

[ Configuration - Naming Convention

Real Experience. Real Advantage. 39

[ Creating role using ERM

Real Experience. Real Advantage.

[ Creating role using ERM

Real Experience. Real Advantage.

[ Define Authorization data

Real Experience. Real Advantage. 42

[ Creating a composite role
You can create and define a composite role using Role
management tab

Adding single roles to a composite role

Real Experience. Real Advantage.

[ Running risk analysis with Enterprise Role Management
Risk analysis through Enterprise Role Management includes
Transaction based
Object based
Organization level based

Performing risk analysis and generating a risk analysis report

Risk Analysis icon from the Initial page
Risk Analysis icon from the Role Definition Form page

Real Experience. Real Advantage.

[ Enterprise Role Management reports
Enterprise Role Management provides a set of reports for
monitoring the current status or tracking the progress in role
definition and development, role analysis, and role change
management.

Real Experience. Real Advantage.

[ Types of Enterprise Role Management Reports

Real Experience. Real Advantage.

[ Whats new in GRC v10.0
Unifies Risk Management, Access Control, and Process Control data model on a
common technology (ABAP) platform.

Provides common look and feel with configurable role based user access for GRC
functions from the SAP Portal or NetWeaver Business Client.

Allows customization without programming to display component and compliance

regulation data fields through configuration.

Enables business users to display ABAP-based reports in Crystal format by

leveraging the ALV-Crystal integration framework.

Enables the content ecosystem by supporting version control, packaging, import and
export of content; supports parallel evolution of content and subsequent partner
updates to it.

Source : SAP

Real Experience. Real Advantage. 47

[ Whats new in GRC v10.0
Unifies SAP BusinessObjects
Access Control capabilities
on a standardized ABAP
platform, offering enterprise
supportability, granular
security, transport, and
archiving.

Provides a standardized role

compliance framework,
centralized across
organizations, systems, and
applications. Translates roles
into terms business users can
understand.

Source : SAP

Real Experience. Real Advantage. 48

[ Configuration Options

Real Experience. Real Advantage. 49

[ Configuration - Naming Convention

Real Experience. Real Advantage. 50

[ Best Practices
Create a role in DEV system using ERM and using SAP
standard transport process to transport role to QA and PRD
systems.
Design a good role-naming convention.
Standardize processes for role design/definition and access
requests.
Identify Users (e.g., Role Owners, Security Administrators, and
User Administrators).
Configuration, such as design of functions, risks, and rules,
must be owned by the business process and role owners.

Real Experience. Real Advantage. 51

[ Key Learnings
Roles are a business- NOT a technology problem
Well-defined and maintained roles are essential for efficient,
cost-effective security administration
SAP Authorization Concept and Segregation of Duties (SoD)
concepts
Challenges in achieving compliance with Authorization and
SoD controls
Enterprise Role Management implementation approach
Ability to manage, monitor and configure roles using
Enterprise Role Management

Real Experience. Real Advantage. 52

[

Thank you for participating.

Please remember to complete and return your
evaluation form following this session.
For ongoing education in this area of focus, visit www.asug.com.

SESSION CODE: 1013

INSERT SESSION CODE

Real Experience. Real Advantage.