
Understand

Control

Improve

Profiling for SAP Compliance Management Access Control and Segregation of Duties
Understand, Optimize and Control your Business and IT

Subject Matter
Profiling for SAP supporting Security Compliance for SAP

1. Profiling for SAP Application
2. Access Management and Segregation of Duties
3. Optimization of Authorizations
4. Project Support for SAP Blueprints

Page 2

SAP Services Partner delivering expertise for SAP Solution Manager and SAP NetWeaver technologies with ASAP, Run SAP and BPM methodologies

Profiling for SAP for Compliance and Access Control

Understand, Improve, Control

"Profiling your SAP Solution delivers our Clients all needed insights to understand, improve and control their Business and complex SAP Landscapes."

Heinz-Jürgen Scherer, CEO TransWare AG

Page 3


Standard application with tight SAP integration, high automation and flexible configuration

PROFILING FOR SAP APPLICATION


Page 4

SoD Analysis and the Process for Compliance

1. Extract (Profiler): Authorizations; Usage (Transactions, Reports, RFC Calls)
2. Define (BI DB): Define Risk Rules; Critical activity groups; Activities conflict matrix; Predefined set of Risk Rules
3. Analyze (Analyzer, Reports and Dashboards): for Auditors and IT Security; Analytic reports and dashboards; Conflicts and potential conflicts of Accounts and/or Roles, Profiles

Page 5


Profiling for SAP Product Components


Profiling for SAP application customizing for SoD (configuration)
- Definition of Task Groups: specifies a set of tasks with identifiers
- Assignment of critical transactions to task groups
- Risk rules combining Task Groups with Financial Risk Values
- Includes best practice for configuration settings

Analytic Reports (examples)
- Charts plotting risks and SoD issues per e.g. SAP module
- Role Compliance Check: identifies roles that have SoD conflicts based upon the underlying transactions
- User Compliance Check: identifies SoD conflicts in a user's profile

SAP Solution Manager integration (optional)


Page 6

Profiling for SAP featuring SAP Compliance Management


Technical, Functional and Processual Analysis and Optimization of SAP
TransWare's reengineering and optimization solution for SAP, compliance and performance assessment and process analysis on any SAP system or SAP Industry Solution highlights process risks in a system review and leads to minimized project times with corresponding cost reduction. The solution reveals the quality of the implementation by analyzing transaction logs, document types, user authorizations with roles and profiles, SAP HR info types, SAP customizing and object modifications and other configuration items. It shows the overall picture of customizing and utilization of the current SAP system with business-related KPIs.

Complex ERP systems are potentially susceptible to segregation of duties (SoD) issues. By means of Profiling for SAP, the desired responsibilities of SAP users can be counterchecked against the real usage of SAP. Reporting of the results can be done per job role, so you know what each role entails in terms of process activities, SAP business blueprint process steps, SAP roles and transactions.
Page 7

Profiling for SAP smartly supports the Transition Phase from As-Is into an optimized SAP Landscape

Transition path: As-Is Landscape (Run SAP, Process IT Support) -> To-Be Transition (ASAP Project Methodology) -> Optimized Landscape (Run SAP, Process IT Support)

- Business Reengineering: Understand
- Process Management: Optimize
- Compliance Management: Control (Access Control and Segregation of Duty)

Tool components: Technical Analysis, Functional Analysis, Processual Analysis

Profiling for SAP SoD Compliance is based on the technical, functional and processual analysis tool components.
Page 8

Introduction of a cost-efficient compliance management

ACCESS MANAGEMENT AND SEGREGATION OF DUTIES


Page 9

Increased Focus on Security and Control

- Corporate scandals and fraud (Enron, Barings Bank, WorldCom, ...)
- Security breaches (UCs, BC, Stanford, ...)

Regulatory Compliance
- Sarbanes-Oxley (SOX, EuroSOX)
- Family Educational Rights and Privacy Act (FERPA)
- Federal Information Security Management Act of 2002 (FISMA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Joint Commission (TJC)

Page 10


Security Risks, Security Compliance and Internal Controls

Access Control
- Are there any SoD violations?
- Who has access to sensitive transactions?
- Do some users have too much access?
- Are there sufficient access restrictions to private information?

Control for Segregation of Duties (SoD)
- Every time a user is added, ensure his rights are not in conflict with the SoD risk rules
- When a user's profile is amended, the change must not cause any SoD conflict
- Review the company SoD requirements on a periodic basis

"Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives."
(From MIT's Guidelines for Financial Review and Control)

Page 11


Profiling for SAP and SAP Authorizations


Profiling for SAP combines information from different data sources, like SAP usage, user authorizations and SoD configuration, with BI-based reporting for a comprehensive security analysis.

Actions are subject to authorization checks that are performed before the start of a program or table maintenance and are mandatory for SAP applications:
- Starting SAP transactions (authorization object S_TCODE)
- Starting reports (authorization object S_PROGRAM)
- Calling RFC function modules (authorization object S_RFC)
- Table maintenance with generic tools (authorization object S_TABU_DIS)
Page 12

Profiling for SAP Compliance Management


A Software Solution for SAP Project and Compliance Process Support
- Reduce time and effort when providing ongoing information to internal and external auditors
- Remove access or assign mitigating controls
- Used during implementation of new SAP modules and processes or when optimizing SAP systems
- Monitoring of transaction and data access based on an SAP background job for 24/7 security and compliance control
- Optionally runs on a central SAP Solution Manager to manage complex SAP landscapes as a non-invasive solution
- Web-based BI solution based on a Business Warehouse for Compliance Management
Page 13

Profiling for SAP Compliance Application


A solution for compliance management based on standard software

Profiling is a configurable custom application with integration into SAP that ensures all user authorizations are compliant with the company's compliance rules. It is useful during all phases of the deployment lifecycle:
- Design: identify roles, build composite roles based upon team requirements
- Implementation: test and verify SoD compliance of roles
- Production: ensure compliance of existing users and roles

- Tight integration within SAP to manage complex SAP landscapes and to leverage SAP standards
- Applicable to SAP's ERP, CRM, SCM and other ECC-based products
- Web-based product; non-invasive, non-deployment solution regarding SAP production systems
Page 14

Set of Risk Rules based on SoD conflicts and critical actions

Risk Rules Set
- Set of Risk Rules for different business domains like FI-GL, MM, SAP Basis, CRM etc.
- Define SoD rules and critical actions and add standard or custom transactions to the rule set
- Define rules on Functional, Transactional or the most detailed Authorization-Object level
- Define critical rules with high financial risks or potential security risks
- Modify the predefined configuration with a set of rules for SoD best practice

Rule hierarchy: Risk Rules Set -> SoD Rule (Function AND Function) or Critical Actions (Function) -> Transactions -> Authorization Objects

Page 15


Procedure for the Definition of SoD Risk Rules on a Functional Level

1. Define Functions: define SoD Functions (logical groups of tasks). Example: Function A: Process Sales Order; Function B: Maintain credit master data.
2. Assign Transactions: assign transactions to each SoD Function. Example: Function A: V-01, VA01, VA02, ...; Function B: FD24, FD32, FD37, ...
3. Define Conflicts and Risks: define and characterize the SoD Functions with Risk Rules. Define a conflict: Function A & Group B. Characterize the conflict with financial risk indicators: High, Medium, Low.

Exclude rules from the predefined configuration as N/A for your organization, with a description.
Page 16

Examples for SoD Activities and Transaction Groups

Group A: Process sales orders (task description, SAP transaction)
- Create sales order: V-01
- Create sales order: VA01
- Change sales order: VA02

Group B: Maintain credit master data (task description, SAP transaction)
- Credit limit changes: FD24
- Change customer credit management: FD32
- Credit management mass change: FD37
- Credit management mass change: F.34
- Customers: Reset credit limit: F.28
- Credit Limit Data mass change: S_ALR_87009999
- Reset Credit Limit for Customers: S_ALR_87012220

Page 17


SoD Conflict Matrix

Columns: Function AND Separated Function; Potential Risk; Risk Level (X, M, H)

- Maintain credit master data AND Process sales orders: User can increase a customer credit limit and then process sales orders for that customer, leading to irrecoverable debt. Risk level: M
- Maintain contract/scheduling agreement AND Process sales orders: User can create a fictitious contract and then create sales orders against that contract.
- Customer master data maintenance AND Process sales orders: User can create a fictitious customer and create orders for delivery to them, thereby misappropriating goods.
- Process sales orders AND Process outbound deliveries: User can create/change sales orders and deliveries to hide the misappropriation of goods.
- Process sales orders AND Maintain sales deal: User can create sales orders and maintain pricing, therefore overcharging customers or giving them unauthorized discounts.
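The three-step procedure (define functions, assign transactions, define conflicts with a risk level) and the conflict matrix above, carried through as an added Python example that is not part of the TransWare product. The two task groups and the one rated conflict (M) come from the slides; the account names, their S_TCODE values, the usage records and the extra function "Display sales documents" are constructed. It goes one step beyond the slides by resolving a wildcard authorization (ALL = *) to every function and by separating potential conflicts in the authorizations from actual ones seen in transaction usage:

```python
"""SoD conflict check on the functional level (added example, constructed data)."""
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Steps 1 and 2: SoD functions (task groups) and their assigned transactions.
FUNCTIONS: Dict[str, Set[str]] = {
    "Process sales orders": {"V-01", "VA01", "VA02"},
    "Maintain credit master data": {"FD24", "FD32", "FD37", "F.34", "F.28",
                                    "S_ALR_87009999", "S_ALR_87012220"},
    # Assumed extra function so that a non-conflicting combination exists.
    "Display sales documents": {"VA03"},
}

# Step 3: conflict matrix as (function, separated function, risk level).
# Only the credit-limit / sales-order pair carries a level (M) on the slide.
RULES: List[Tuple[str, str, str]] = [
    ("Maintain credit master data", "Process sales orders", "M"),
]
RISK_ORDER = {"X": 1, "M": 2, "H": 3}  # X = financial risk exists, M = medium, H = high

Conflict = Tuple[str, str, str]


def functions_for(tcode_values: Set[str]) -> Set[str]:
    """Functions reachable from a set of S_TCODE values.

    Values may be exact transaction codes or patterns such as '*' or 'FD*',
    so a profile granting ALL = * resolves to every function, not to none.
    """
    return {name for name, tcodes in FUNCTIONS.items()
            if any(fnmatchcase(t, pat) for t in tcodes for pat in tcode_values)}


def potential_conflicts(tcode_values: Set[str]) -> List[Conflict]:
    """Conflicts present in the account's authorizations (customized risk)."""
    reached = functions_for(tcode_values)
    return [(a, b, lvl) for a, b, lvl in RULES if a in reached and b in reached]


def actual_conflicts(tcode_values: Set[str], used: Set[str]) -> List[Conflict]:
    """Potential conflicts where both functions were really executed (actual risk)."""
    exercised = functions_for(used)  # usage records hold exact T-codes
    return [c for c in potential_conflicts(tcode_values)
            if c[0] in exercised and c[1] in exercised]


def highest_risk(conflicts: List[Conflict]) -> str:
    """Highest risk level among the conflicts, '' when there is none."""
    return max((c[2] for c in conflicts), key=RISK_ORDER.get, default="")


if __name__ == "__main__":
    # Constructed accounts: (S_TCODE values, transactions seen in usage data).
    accounts = {
        "SALES01": ({"VA01", "VA02", "FD32"}, {"VA01", "FD32"}),
        "SALES02": ({"VA01", "VA03"}, {"VA01"}),
        "SUPPORT": ({"*"}, {"SE11"}),  # ALL = * in the authorization
    }
    for user, (tcodes, used) in accounts.items():
        pot, act = potential_conflicts(tcodes), actual_conflicts(tcodes, used)
        print(f"{user}: potential={len(pot)} actual={len(act)} "
              f"highest={highest_risk(pot) or 'none'}")
```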

Page 18


Critical Transactions and assigned Risks

Transaction: Description; Risk
- FI12: Change House Banks/Bank Accounts; Financial Risk
- PA30: Maintain HR Master Data; Access HR data
- SCCL: Local Client Copy; System stability & integrity at risk
- SE11: Data Dictionary Maintenance; System stability & integrity at risk
- PFCG: Role Maintenance; Security Risk
- SM49: Execute OS commands; System stability at risk

Page 19


Excel to define Risk-Rules for Business-Domains

Page 20


Configuration of Rules

SOD RULES

Page 21


SoD Rules on Functional Level

Page 22


SoD Conflict Matrix on Functional Level

X=Financial Risk Exists, M = Medium Risk, H = High Risk


Page 23

Critical Combinations on Functional Level with Details

Page 24


SoD Rules and SAP Authorizations

SAP CONFIGURATION

Page 25


Roles & Profiles with SoD Transactions included

Shows the transactions used in SoD rules together with the authorization objects they are assigned to; identifies all authorization objects with potential risks.

Page 26


SoD Conflicts with Risks for specific Composite-Roles

Also available for specific Single-Roles and Profiles


Page 27

Standard or customized profiles and user assignment

CUSTOMIZED RISKS IN SAP

Page 28


Potential Risks with Accounts customized in SAP

ALL = * in Authorization: 16 conflicts for 21 accounts

At least one high financial risk in 485 conflicts for 3 users

X = Financial Risk Exists, M = Medium Risk, H = High Risk


Page 29

Actual Risks in Execution of SAP

Page 30


SAP Objects, Usage and Authorizations

SAP USAGE

Page 31


SAP Modules, used Transactions and Authorizations

Page 32


Accounts, Authorizations and Transaction Usage

Page 33


and many more analytic Reports

Page 34


Benefits
- Using the same kind of tools used by chartered accountants reduces service costs for external audit and advisory
- Reduction of project efforts and establishment of SoD-compliant authorizations from the start
- Fully automated SoD analysis reduces TCO for the ongoing security control process
- Auditors and IT security staff work on a functional level even for complex authorization scenarios
- Avoidance of manual analysis and false positive assessments
- Flexible configuration includes custom Z transactions or external applications like Portals using BAPI or direct RFC calls
- Easy identification of users with access to sensitive data by internal security teams lowers the costs of the compliance process
Page 35

Slimline authorization management of complex SAP landscapes

OPTIMIZATION OF AUTHORIZATIONS
Page 36

Slimline your SAP Authorization Management


- Identify needless access rights by SAP Modules, Accounts, Transactions
- Optimize your custom roles by identifying critical roles and access overlap
- Set up segregation of duties by best practice and company compliance

Example Report:

Assigned Role not relevant for execution of the custom Y YXPROC transaction

Page 37


Benefits
- Efficient establishment of a tradeoff between Business Requirements and Company Compliance
- Substantial reduction of project efforts in company compliance initiatives
- Simplification of information access to complex SAP data for company auditors reduces costs for the compliance process
- Uniform use of tools by chartered accountants reduces external audit and advisory services costs
- Allows the handling of complex SAP landscapes with automatic data retrieval and cross-SAP-system analytics
- Automatic monitoring of changes of user authorizations driven by organizational requirements lowers costs for audits and security control

Page 38


Being compliant from the beginning

PROJECT SUPPORT FOR SAP BLUEPRINTS


Page 39

Blueprinting with ASAP and SAP Solution Manager


SAP Solution Manager (SSM) is the SAP tool that supports the plan, build and run aspects of ERP solutions based on SAP NetWeaver and covers all needs for ITIL-compliant application lifecycle management (ALM). SAP describes ALM by the Run SAP operational support methodology and the Accelerated SAP (ASAP) project methodology. SSM serves as an interface between technology and business processes. For SAP solution development like upgrades or implementations, the SAP solution is consistently documented in SSM by the Blueprint, which describes the business processes and the resulting system configuration. An important part of SAP solution development is the configuration of organizational structures and of optimized business and security compliance requirements. Profiling for SAP supports this aspect of SAP ALM to lower development and maintenance costs and improve process and compliance quality.
Page 40

SAP Blueprint Procedure for Compliant Authorizations


Support ASAP methodology and SAP Solution Manager Projects

1. Define Blueprint: define your functional Task Groups in SAP Solution Manager as Jobs or Org.-Units as End-User-Roles. Set up the Blueprint Process Structure by Business Process Management Methodology, including organizational assignments to End-User-Roles. Assign Transactions manually or use predefined Reference Models with T-Codes assigned, like the SAP Business Process Repository (BPR).
2. Analyze Access Requirements: run reports to analyze organizational Access Requirements. Automatically identify the standard SAP roles or profiles supported.
3. Define Roles and User Access: customize Roles (PFCG) and assign users. Run analytic reports for SoD compliance and risk control.

Page 41


SAP Solution Manager for SAP Blueprints


Optimized user authorizations from project start-up
- SAP Blueprint with Master Data, Org.-Unit Data, Scenarios, Processes, Process-Steps, Transactions and Documentation
- Assign End-User-Roles to Process-Steps, Master Data or Organizational-Unit Data
- Process-Steps with Assigned Transactions

Page 42


SAP Solution Manager for SAP Blueprints


Export the Blueprint structure for analytic reporting

Cross-Reference between Objects (T-Code, Forms, Reports etc) and End-User-Roles

SAP Blueprint Structure (SAP Project)


Page 43

Assigned User, Jobs, Org.-Units


Benefits
- Support of SAP Solution Manager improves the SAP Blueprint business process definition in terms of Compliance and Risk Management
- Synchronize organizational structures, functional access requirements, business processes and access control for slimline, fine-tuned and fully SoD-compliant SAP authorizations
- Leverage SAP tools, methodologies and best practice by a tight SAP integration with a BI-based solution that reduces SAP project planning and implementation efforts
- Reduce SAP maintenance efforts by consistent business process and security control documentation
- Ensure compliance through SAP improvements like ERP Enhancement Packages and organizational changes
- Define authorizations on a functional level and support the setup of technical roles and profiles
Page 44

Solutions by TransWare

TransWare Software Solutions AG Fritz-Wunderlich-Str. 49 66869 Kusel Germany


Phone: +49-(0)6381-916-0 Email: info@transware.de Web: www.transware.de

All product, service and company names mentioned herein are for identification purposes only and may be trademarks or registered trademarks of their respective owners

Page 45
