July 2016
v2.0
Objectives and key goals
Provide foundational knowledge of the SAP GRC tool.
At the end of this training, each compliance manager should have the necessary information to use SAP GRC to support access management processes.
| SAP GRC Compliance Manager - Introduction and Training (Module 1 of 4) Confidential | 2
Agenda and schedule
New User Request / Modify Existing Access / Terminate Existing Access
Access Approval
Lock / Unlock User
Preventative SoD Check
Segregation of Duties / Sensitive Access Reviews
Global SOX and GxP Rule Set
Remediation / Mitigation of Violations
User Access Reviews
Role Design (Role / User Maintenance and Assignments)
Disable Role
I/T Focused
Adhoc reporting
Systems in Scope
What we have completed as part of this project
Module objectives and key goals
Actions (SAP Transaction Codes): ME21N Create Purchase Order, ME22N Change Purchase Order, MIGO Goods Movement, MB01 Post Goods Receipt on PO
Global SoD Risks (global, primary rule set): Global SoD access risks are evaluated during user provisioning. This rule set is also used for the periodic SoD review.
Global Sensitive Access (global): Global sensitive access risks are not evaluated during user provisioning. This rule set is used for the periodic sensitive access review only.
SOX Risks: Subset of the global SoD and Sensitive Access rule sets which contains only SOX relevant risks. This rule set can be used for ad hoc reporting.
GxP Risks: Subset of the global SoD and Sensitive Access rule sets which contains only GxP relevant risks. This rule set can be used for ad hoc reporting.
When a user executes a risk analysis report, the global components are automatically combined with the applicable local components.
Global elements (global permissions are included with the standard tcodes):
F-01 Enter Sample Document
F-02 Enter G/L Account Posting
ABAD_OLD Asset Retire from Sale w/ Customer
Local elements (local permissions are included with the custom tcodes):
ZFIR35 Custom Tcode
ZFIE14 Custom Tcode
ZFIR36 Custom Tcode
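How the global/local composition above plays out in practice, as an added example that is not SAP GRC code or the J&J rule set: a small Python evaluator that unions a site's local custom transactions into the global function definitions, then checks which SoD and critical-action risks a user's transaction set triggers for a chosen rule set, and which new risks a requested access change would introduce (the preventative check run during provisioning). The function IDs, risk IDs, rule-set names and risk levels are constructed; the transaction codes are the ones listed above.

```python
"""SoD rule-set evaluation over combined global and local elements.
Added example; not SAP GRC code or the J&J rule set. Function IDs, risk IDs,
rule-set names and risk levels below are constructed for illustration."""
from collections import defaultdict

# Global elements: functions defined on standard SAP transaction codes.
GLOBAL_FUNCTIONS = {
    "PR01": {"ME21N", "ME22N"},   # create / change purchase order
    "PR02": {"MIGO", "MB01"},     # goods movement / goods receipt on PO
    "FI01": {"F-01", "F-02"},     # enter sample document / G/L account posting
    "AM01": {"ABAD_OLD"},         # asset retirement from sale with customer
}

# Local elements: custom transactions a site adds to the same functions.
LOCAL_FUNCTIONS = {
    "FI01": {"ZFIR35", "ZFIE14"},
    "AM01": {"ZFIR36"},
}

# Risks: an SoD risk names two conflicting functions, a critical-action risk one.
RISKS = {
    "P001": {"type": "SoD", "level": "High", "functions": ("PR01", "PR02")},
    "F010": {"type": "SoD", "level": "Medium", "functions": ("FI01", "AM01")},
    "S005": {"type": "Critical Action", "level": "Critical", "functions": ("AM01",)},
}

# Rule sets select which risks apply; SOX is a subset of the global SoD set.
RULE_SETS = {
    "GLOBAL_SOD": {"P001", "F010"},
    "GLOBAL_SENSITIVE": {"S005"},
    "SOX": {"P001"},
}


def combined_functions(global_funcs, local_funcs):
    """Union the local actions into the global definition of each function."""
    merged = defaultdict(set)
    for source in (global_funcs, local_funcs):
        for func_id, actions in source.items():
            merged[func_id] |= set(actions)
    return dict(merged)


def analyze(user_actions, functions, risks, rule_sets, selected):
    """Return {risk_id: {function_id: [matching actions]}} for every risk in the
    selected rule sets whose functions are all reachable from user_actions."""
    user_actions = set(user_actions)
    risk_ids = set().union(*(rule_sets[name] for name in selected))
    hits = {}
    for risk_id in sorted(risk_ids):
        per_function = {}
        for func_id in risks[risk_id]["functions"]:
            matched = user_actions & functions.get(func_id, set())
            if not matched:
                break          # one side missing: the risk is not triggered
            per_function[func_id] = sorted(matched)
        else:
            hits[risk_id] = per_function
    return hits


def simulate(current_actions, added_actions, functions, risks, rule_sets, selected):
    """Preventive check for an access request: risks the added actions would
    introduce, ignoring those already open for the user."""
    before = analyze(current_actions, functions, risks, rule_sets, selected)
    after = analyze(set(current_actions) | set(added_actions),
                    functions, risks, rule_sets, selected)
    return {rid: hit for rid, hit in after.items() if rid not in before}


if __name__ == "__main__":
    funcs = combined_functions(GLOBAL_FUNCTIONS, LOCAL_FUNCTIONS)
    current = {"ME21N", "ZFIR35"}          # a buyer who also holds a local FI tcode
    # Requesting goods receipt plus the local asset tcode opens two SoD risks.
    print(simulate(current, {"MIGO", "ZFIR36"}, funcs, RISKS, RULE_SETS, ["GLOBAL_SOD"]))
```

Running the preventative check against GLOBAL_SOD only, as the provisioning step does, means critical-action risks such as S005 are not raised at request time; they surface only when the sensitive-access rule set is selected for the periodic review.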
Overview of J&J Rule Set
Risk Levels
The following risk levels are defined in the J&J rule sets:
1 Rule Set ID: The identification code for the rule set.
2 Description: A short description of the rule set.
3 Risk Level: The severity of the risk. Risk Levels include Low, Medium, High and Critical.
4 Risk Type: The nature of the risk. Risk types include SoD risk, Critical Action risk or Critical Permission risk.
5 Function ID: The identification code of the function that is contained within the risk.
6 Business Process: The business process of the risk.
Functions Tab: The conflicting functions that constitute the risk are listed here.
Rule Sets Tab: The rule set with which the risk is associated is listed in this tab.
Risk Owners Tab: The individual(s) who have oversight responsibility and final approval authority for any steps taken to update the risk are listed in this tab.
The J&J GRC Center of Excellence (CoE) is responsible for rule set maintenance, which is performed at scheduled times throughout the year. As the Compliance Manager, you are responsible for the following activities in the rule set change process:
Identify the need for a rule set change
Complete the rule set change request form
Send the change request form to GRC CoE Team
J&J Rule Set: Recap
There are four different rule sets defined for J&J to address global SoD and sensitive access for SOX, GxP, and operational risks.
The J&J rule sets are used to identify risks in two different ways.
Preventative: The rule sets are used to identify new risks when a new/change user access request is submitted.
Displays the SoD risks that would result from the access requested.
The organization is required to take appropriate action prior to approving the request.
Detective: The rule sets are used to run risk analysis reports on users and roles to review open SoD risks or sensitive access.
Risk analysis reports are run periodically or on an ad hoc basis.
The organization is required to take the necessary actions to address the open access risks.
Current Scope
Eliminate the Risk: The risk can be completely eliminated from the system
by removing roles from the user, altering the authorizations of the role, or
changing the rule set.
Mitigate the Risk: The organization can accept the risk and assign a control
to mitigate the risk at the role or user level.
Controls are mapped to the J&J Parent Organization and assigned to Access
Risks which commonly occur across the organizations
Global Controls can only be used as reference templates which can be adopted by
local organizations. Local ownership is required.
The GRC CoE is responsible for maintaining the global mitigating controls.
Control Owner (Approver): The person responsible for executing the actual control steps (if manual) to make sure the control is performed. The Control Owner is also responsible for reviewing the periodic mitigating control reports to confirm appropriate assignment of controls to Roles and Users.
Control Monitor: The person responsible for executing the actual control steps (if manual) to make sure the control is performed. If the control monitor determines that the control is no longer operating effectively, action must be taken to find an alternative control.
The request to create a new mitigating control requires approval from the control owner. If the request is approved, the mitigating control becomes available in the system.
If a new mitigating control request is rejected, the Compliance Manager has to find a different mitigating control to address the risk or remediate by removing access from the user.
A Control Approver and a Control Monitor are required for each control; this can be the same individual.
Once the mitigating control is submitted for creation, SAP GRC will automatically route
it to the Approvers Work Inbox for review and approval. An email notification will also
be sent.
Key Points (submitting the request):
Validate that the control ID has been assigned following the proper naming convention. Refer to slide 28 for mitigating control ID naming standards.
Determine if there are any existing mitigating controls in the SAP GRC mitigating controls library which are similar or duplicative to the control requested to be created.
Key Points (approving the request):
Based on the review of the control, the mitigating control owner will either approve or reject the creation of the control.
Look for similar or duplicative controls that already exist in the SAP GRC controls library.
Validate that the control is applicable to your organization.
The delegation screen can be found in the My Home section of SAP GRC.
Field items are changeable by selecting criteria from the drop-down listings.
Copy a search line by selecting the +. Adding a duplicate search line acts as an OR.
The Access Risk Analysis type displays mitigated and unmitigated conflicts.
Select Permission Level for SoD analysis.
Select Critical Action and Critical Permission for Sensitive Access.
Risk simulation: The first step defines the analysis criteria (same as Access Risk Analysis) and specifies the user or role on which the simulation will be run. The second step defines the access change at the Role, Action, or Profile level. Additional criteria can be selected to refine the analysis. Review the permissions defined for the added Actions, Roles and Profiles.
The majority of this risk is managed by the Access Request process in GRC; however, additional periodic review is required.
All organizations follow the global periodic access review process, but there is flexibility built in to allow organizations to choose how to break down the reports and choose reviewers.
Report criteria must be reviewed for completeness and accuracy before the reports are run in SAP GRC.
The reviews are split based on platform requirements (either through the SAP GRC criteria, or manually by the compliance managers).
The review must be completed within 30 days of the report being sent.
All completed reviews are stored in a central location and managed by the CoE.
Roles & Responsibilities
Three specific groups of people participate in the periodic review processes described above. The GRC CoE retains overall accountability for the process, but each group has important responsibilities.
GRC CoE: oversees the completion of periodic reviews at a global level to maintain compliance.
Platform/Review Coordinators: the compliance managers for that platform, or individuals specifically identified for that platform.
Reviewers: based on the type of review, role owners or users' managers.
The GRC Production Services Team captures the screenshots of each job variant that will be used to generate reports for periodic review. The screenshots are sent to the Review Coordinators to review and validate for completeness and accuracy.
Upon successful generation of the reports, the GRC Production Services Team will post the result to the CoE SharePoint site and inform the Review Coordinators.
It is the responsibility of each Review Coordinator to further distribute periodic review reports to the appropriate reviewers, and to follow up to receive the necessary feedback.
The individual signed reviews should be sent to the GRC CoE for CIA audit.
If there is still no response after 28 days, the GRC CoE will escalate the issue to site management and leadership.
After 45 days, any users for which a response has not been received are eligible to be locked. Discussions with the Review Coordinators and site leadership will happen before the access is locked.
All reviews, and remediation actions that come from the reviews, should be completed within 60 days of the report being provided for review.
The below reports are explained in slides 11 to 14. A live demo will be provided
to further understand each report.
Refer to the Quick Reference Guide and FAQ document for detailed
information on reviewing the reports.
Key Points
There should be very few risks in this report due to upfront controls that prevent access violations during the user access request process. An open violation will exist under the following circumstances:
A role is changed which now causes a conflict with another role assigned to a user.
The mitigating control assigned to the user expires.
A change in the rule set creates a new conflict for a user.
Any unmitigated conflicts identified in this report must be remedied during the review cycle.
Sensitive Access Report: User Level
The User Level Sensitive Access report displays users in an organization and
their access to Sensitive Functions. If any user is found to have inappropriate or
excessive access, that access should be removed.
Key Points
This report will be generated based on the specific organizational access that a user has
in the system and will be split up based on organization and business process.
The report must be reviewed to determine if any users have inappropriate access to a
function/organization:
Determine if access to the sensitive function/transaction is required as part of the user's job responsibilities.
Recommend or confirm removal of access if it is deemed to be inappropriate/excessive.
The User Level Mitigating Controls report displays the users who have SOD
violating access in an organization and the Mitigation Control assignments to
them.
Key Points
Mitigating Controls must be reviewed in detail to:
Validate if the users that are associated to mitigating controls are valid for their
organization
Review the period for which the Mitigation Controls are assigned to the user.
Analyze if the violating access needs to be retained or removed.
Unmitigated SoD conflicts and excessive sensitive access are not permitted in the production system.
Review Coordinators are responsible for the remediation and review process of periodic reports to ensure no open issues exist:
Validate that there are no unmitigated SoD conflicts in production.
Validate that users do not have inappropriate access to sensitive functions.
Validate that the assigned Mitigating Controls are valid for the organization.
The GRC CoE is accountable for the global process, and for making sure that the review is completed within the specified time period for the platform.
The Access Risk Analysis report can be viewed in different formats to display different levels of information. The format can be changed using the drop-down list.
Format | Features
Executive Summary | Displays the unique Risk IDs and the number of associated conflicts.
Management Summary | Displays the user or role and their associated unique Risk ID(s). (***Recommended starting format***)
Summary | Displays the user or role, Risk ID, Risk Level and conflicting Action.
Detail | Displays all the information included in the summary format as well as the conflicting functions, permissions, and Roles/Profiles (for users) where the specific permissions are available. This is also where you can see organizational rules when running sensitive access reports.
Modify Role Design: The Role Owner can provide additional information around the role and its purposes, and can also recommend changes. Security can assist the Role Owner if needed. Questions to ask: Who else is assigned to the role who might get impacted? Is there a need to create a separate role? Are there alternative roles available?
Modify the Rule Set: The CoE can provide insights around the rule set and coordinate with SMR. Question to ask: Is the false positive caused by systemic design decisions or a one-off?
Access violations may require a combination of the remediation activities listed to fully resolve the violation.
Utilize detailed information from the reports to determine the best remediation options.
Consult with the users' managers and role/function owners to suggest changes.
Remediation Options: User Access
Modification
A user access modification should be performed if SOD or Sensitive Access risk
violations are found and the user does not require the access involved in the
conflict.
Next Steps
If a user modification is required, submit a New/Change Access request.
If a user modification should not be performed, refer to different remediation
options.
Remediation Options: Mitigating Control
Assignment
Initiate a mitigating control assignment if the SoD risk violations found cannot be eliminated from the user due to a business requirement.
Next Steps
If a mitigating control assignment is required, submit a mitigating control
assignment request.
If a new mitigating control is required, submit a request to create a new
mitigating control.
If a mitigation control cannot be assigned, choose a different remediation
Remediation Options: Role Design
Change
Initiate a role design change if the SOD or Sensitive Access risk violations found
can be fragmented into multiple roles.
Next Steps
If a role design change is required, follow the change management process to
alter the Business or Technical role
If a role design change should not be performed, refer to different remediation
options.
Initiate a rule set update if inconsistencies are found in the risk definition or if incorrect transaction codes or authorization objects are defined in the rule set.
Next Steps
If inconsistencies are found in the risk definition or incorrect t-codes/authorization objects are defined in the rule set, submit a rule set change request.
There are functional and technical change requests that will need to be raised depending on the circumstance. Refer to the Work Instruction document for the step-by-step rule set change process.
Utilize detailed information from the reports to determine the best option.
Change the format of the report to view different levels of information.
Click on the hyperlinked object name to view additional details.
If remediation activities are necessary, the Review Coordinator will list the necessary corrective actions with completion dates, based on the feedback of the reviewers (i.e. create a mitigating control or request removal of access). At the time of signing off on the review, the Review Coordinator will submit the corrective action (CA) list.
After all actions are completed, the GRC COE will provide an updated report.
The Review Coordinator will sign off on the PDF report (with all remediation activities completed).
Periodic review process flow:
1 The Platform POC verifies the completeness of the report variants and approves the reporting criteria.
2 GRC Prod Support schedules automatic jobs in the GRC system to generate the reports, performs completeness validation and uploads the report in the COE SharePoint.
3 The Platform POC splits the report and distributes it to the Compliance Managers.
4 The Platform POC signs off the review overall and provides the action plan to the COE. The signed copy of the review reports, evidence of reviews and the action plan are retained centrally.
Approve: access certified and retained.
Reject: access removed by a GRC request created by the Business or Platform Security.
Reporting Criteria for Periodic Review
The Platform Security Team is the most qualified to review the user groups and organizational values used in the report criteria; the platform security team will contact the local compliance team if required.
The GRC Production Support team will perform a completeness check on the report generated and provide a summary of the analysis performed on the report. The analysis covers aspects such as total users, unmitigated users, and users with deleted/blank user groups. The report will be uploaded to the COE SharePoint folder.
The GRC COE will ensure that the respective Platform POC/s have access to the COE SharePoint folder.
The GRC Production Support team will notify the Platform POC/s that the reports have been updated in the COE SharePoint folder (including the report location in the folder).
How do I address the SoD / SA conflict?
Gather the review comments from users' managers and role/function owners.
Ensure the review is completed within 30 days from the distribution of the broken-down reports.
In case the review is not completed in 30 days (refer above), the POC/s will escalate the non-compliance and inform the GRC COE regarding the delay.
Detailed review of the report by the compliance managers may include, but is not limited to:
Analyse each SoD / SA scenario based on the degree of complexity and extent of conflict in a given environment, using the combination of Functions.
Review and validate whether the users that are associated to mitigating controls are valid for their organization.
Review the period for which the mitigating control/s are assigned to the user and whether the control assignment must continue or be replaced.
The Platform POC will provide review evidence from compliance managers to the COE. This evidence will be stored centrally by the GRC Production Support team in the COE SharePoint.
Filter for the Risk IDs that need to be remediated, based on the report and the analysis performed above.
Retain the columns User ID, Access Risk ID, Rule ID, Function Description and Role/Profile; delete all other columns.
Perform an IF operation on the columns User ID, Risk ID and Rule ID, and look up the Function ID and Action.
Add a second IF condition formula to look up and add the values from the consecutive row for Functions and Role/Profile, so that both sides of each conflict sit on one line.
Evaluate from a "functional" lens which side of the risk users should have access to and which side they should not. Based on that decision, remediate the risk by identifying which roles should be removed from the user's access.
Once appropriateness has been decided for a user/role, move on to reviewing the t-codes within the access (leverage the same method to populate the t-codes). This review verifies that no excessive access is assigned to the user. Bringing usage statistics into the report can help to determine unused t-codes that may be removed from access.
Removing a single transaction from access can result in a reduction of several violations.
Where applicable, a permission-level analysis may also include analyzing organization-level accesses to determine whether the conflict is for accesses across multiple non-conflicting organizations. Such cases may be classified as false positives.
In parallel, the GRC Production Support team will follow up with the POC/s on the status of the review (this activity is undertaken on a fortnightly basis).
There should be zero unmitigated SoD conflicts in production environments, except for non-High risks at the role level. Any conflicts that appear on this report must be addressed before the review is completed.
The review is documented in the form of a sign off on the access reports provided. The review must be completed within 30 days of the start of the review.
The POC/s review the action plan for accuracy prior to sending the report to the COE.
The action plan, if any, will be sent to the GRC Production Support team in the pre-defined format (refer to the embedded file). The GRC Production Support team will implement the action plan within 30 days from the day the action plan is received.
Review Initiation: activity | responsible | channel
Finalize the reporting variant and provide sign off | Platform POC | Email
Upload the sign off of reporting criteria form | GRC Production Support | SharePoint
Sharing of SOD SA Report | GRC Production Support Team | Email, SharePoint
Share evidence of SOD SA review reports to compliance managers | Platform POC | Email
Upload evidence of SOD SA review by compliance managers | GRC Production Support Team | SharePoint
Completion of Review (Sign off) and Action Plan Update | Platform POC | Email, SharePoint
Upload the sign off on the periodic review reports | GRC Production Support Team | SharePoint
Completion of Implementation of Action Plan | GRC Production Support Team | Email, SharePoint
Questions
Appendix
Security relevant Ad-hoc reports
Where are the Ad-hoc Reports available to run?
Users can run different ad-hoc reports from the Report and Analytics tab of the GRC page.
# | Report Name | Report Type | Information provided in report
3 | List Action in Roles | Tabular Report (downloadable) | Lists all T.Codes in a given role.
6 | User to Role relationship | Tabular Report (downloadable) | List of roles available per user. You can generate the list for all roles/users or selectively.
7 | Role Relationship with user/user group | Tabular Report (downloadable) | For condition rules where roles are linked to user groups.
8 | PFCG change history | Tabular Report (downloadable) | Provides details of changes for roles with timestamp and Changed by details.
14 | List Expired and Expiring Roles for Users | Tabular Report (downloadable) | Lists invalid/expired role assignments for users and also accesses expiring in the current month.
16 | List Actions in Roles but not in Rule | Tabular Report (downloadable) | Provides the list of Tcodes in Roles but not in rules. This data can be used to enhance Rulebooks.
Report Navigation
Report Formats
The GRC reports can be viewed in different formats to display different levels of
information. The format can be changed using the drop down list.
Format | Features
Executive Summary | The executive summary lists each risk as a single line item and displays the total number of conflicting actions that produced the risk.
Management Summary | The management summary lists each risk as a single line item and displays the risk severity level. (***Recommended starting format***)
Summary | The summary report lists all conflicting actions that produce the risk in a one line item.
Detail | Displays all the information included in the summary format as well as the conflicting functions, permissions, and Roles/Profiles (for users) where the specific permissions are available. This is also where you can see organizational rules when running sensitive access reports.
Report criteria basics
Use the filtering criteria to input the desired values
Field items are changeable by selecting criteria from the drop-down listings.
Operators are changeable by selecting a different operator from the drop-down listings.
Copy a search line by selecting the +. Adding a duplicate search line acts as an OR.
Delete a search line by selecting the -.
Security relevant reports
Access Requests
Access Requests dashboard provides drilldown statistics of requests that have been created
in a particular period using GRC Access Controls.
This dashboard can be useful to assess provisioning trends and volumes which can be
analysed to evaluate effectiveness of security design.
This dashboard is located at NWBC -> Report & Analytics Tab -> Access Dashboards.
Click on a specific area of the pie chart to drill down into detailed information.
Access Provisioning
The Access Provisioning dashboard gives drilldown information about the actions that were
taken as part of completion of requests in Access Request Approval Workflow. The information
includes:
Number of requests with objects assigned, removed or retained via New/Change access requests
workflow in GRC.
Number of users processed via GRC.
This dashboard is located at NWBC -> Report & Analytics Tab -> Access Dashboards.
Click on a specific area of the chart to access detailed information.
List of actions in roles
This report provides the list of actions in roles.
The report is useful for security teams to analyze the actions with in roles
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
Compare Action in Menu and Authorization
This report performs comparison between the transactions in Role menu and the S_TCODE
authorization object.
This report is useful to analyse security design and resolve inconsistencies in role Menu and
S_TCODE object.
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
Enter the application type, landscape and role name.
Compare User Roles
This report enables you to compare users with different roles to find differences in accesses
available to them.
This report is useful in troubleshooting authorization issues.
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
Enter the System, select Source Type as User ID, and enter values in Source Value and Target Value.
User to Role relationship
This report gives you the list of users available per role or profile. The report lists only the
technical roles.
This is one of the key reports while performing periodic user access reviews.
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
Role Relationship with user/user group
This report is used for condition rules where roles are linked to user groups.
This report is useful to review the role to user group mapping as it is one of the key ARM
features used at J&J.
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
PFCG change history
This report provides details of changes for roles with timestamp and Changed by details.
This report is helpful for audit purposes to verify if there are any changes made to the roles in
the audit period.
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
Master to Derived role relationship
This report give you the relations between master to derived roles.
The report helps analyze the role design for systems belonging to your platform.
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
Select Application Type, System and Role name.
Single to Composite Role relationship
This report provides the lists of single roles in a composite role.
The report helps analyse the role design for systems belonging to your platform.
This report is located at NWBC -> Report & Analytics Tab -> Role Management Reports.
Action usage by User, Role and Profile
This report gives you the lists of t-code usage for Users, in Roles and Profiles.
This report serves as a substitute for ST03N report.
This report is located at NWBC -> Report & Analytics Tab -> Security Reports.
Action usage by User: select Report by as User and enter the User ID.
Action usage by User, Role and Profile
(Contd.)
The analysis can also be performed at the Role level: enter the System, select Report by as Role and enter the role name.
Count authorization in Roles
This report provides a complete list of accesses (actions and permissions) available in a role.
This report is useful for rationalizing roles and/or review authorizations on a periodic basis.
This report is located at NWBC -> Report & Analytics Tab -> Security Reports.
Count authorization in Users
This report provides a complete list of accesses (actions and permissions) available for a user.
It is useful for user access rationalization, by removing redundant or excessive accesses
This report is located at NWBC -> Report & Analytics Tab -> Security Reports.
List Expired and Expiring Roles for Users
This report provides the lists of invalid/expired role assignments for users along with the list of
accesses expiring in the current month
This information can be used for access clean-ups and user-role recertification.
This report is located at NWBC -> Report & Analytics Tab -> Security Reports.
Enter the System and User ID, and check the expired or expiring roles box.
Embedded action calls in programs of SAP systems
This report provides the list of transaction codes being called by any program of the SAP system.
This report is useful for reviewing rule set completeness.
The report is located at NWBC -> Report & Analytics Tab -> Audit Reports.
List Actions in roles but not in Rule
This report provides list of transaction codes that are present in roles but are not part of or
active in your rule set.
This data is useful in enhancing rule books, particularly while reviewing coverage of custom
transactions in your rule set.
The report is located at NWBC -> Report & Analytics Tab -> Audit Reports.
Process Workflow: New/Change Access Request
All new/change access requests are required to be approved by the user's manager and the role owner(s).
The Compliance Manager's approval is only required if the new/change access request contains SoD risks.
If the request is approved, it will be sent for provisioning (automated or manual).
Workflow: the User / Requester submits the access request; the User's Manager approves or rejects; the Role/Function Owner approves or rejects; if an SoD risk is found, the LE/Regional Compliance Manager approves (with a mitigating control assignment) or rejects; if no SoD risk is found, the request goes straight to provisioning. At any rejection step the request is rejected and a notification is sent to the user.
Note: Requests with medium and low level risks will be mitigated at the role level and will be done at the time of rollout/implementation.