SAP governance, risk and compliance concepts, technology, and best practices
Perform Decentralized Periodic User Access Reviews with SAP BusinessObjects Access Control 5.3
by Frank Rambo, Director, Regional Implementation Group (RIG) EMEA, SAP GRC, August (day and year are not legible in the source)
SAP BusinessObjects Access Control identifies and prevents access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control. The User Access Review (UAR) feature of SAP BusinessObjects Access Control 5.3 automates and documents the periodic, decentralized user access review by business managers or role owners. It provides a workflow-based review and approval process. Follow a process flow during a UAR to see its business benefits, configuration, recommended usage of the feature, and workflow options.
Key Concept
The User Access Review (UAR) feature was first introduced in SAP BusinessObjects Access Control 5.3 and enhanced in some aspects with a later Support Package. UAR requires configuration in multiple SAP BusinessObjects Access Control product capabilities, including Risk Analysis and Remediation, Enterprise Role Management, and Compliant User Provisioning (CUP). A prerequisite for a manager-driven UAR is a user details data source available in CUP that provides the manager relationship for the users included in the review. This data source may be an SAP ERP Human Capital Management system or a Lightweight Directory Access Protocol (LDAP) directory.
The User Access Review (UAR) feature enables companies to conduct a streamlined internal control process on a periodic basis that includes collaboration among line managers, internal control, and information security teams. UAR improves visibility of the access granted to business systems and improves overall information security. The key features of UAR in SAP BusinessObjects Access Control 5.3 are:
• An automated request- and workflow-based process for review and approval
• A decentralized review of user access conducted by the responsible line managers or role owners
• Role usage information that facilitates decision making for the reviewers
• Automatic role de-provisioning, if desired by the user
• Status and history reports to assist in monitoring the review progress
• Audit trail and reports for supporting internal and external audits
• Support for back-end systems integrated with SAP BusinessObjects Access Control through Real Time Agents (RTA) as well as legacy systems
Note
SAP BusinessObjects Access Control is comprised of four main product capabilities: Compliant User Provisioning (CUP), Risk Analysis and Remediation (RAR), Enterprise Role Management (ERM), and Superuser Privilege Management (SPM). For a detailed introduction to each of these capabilities, go to the Knowledgebase Overview tab of www.GRCexpertOnline.com and click the SAP BusinessObjects Access Control link under the Categories heading.
http://www.grcexpertonline.com/article_printable.cfm?id=4583
10/26/2011
GRC Expert - Perform Decentralized Periodic User Access Reviews with SAP BusinessO... Page 2 of 11
• Generation of workflow tasks: The administrator schedules a background job, which generates the workflow tasks for the reviewers.
• Review stage: Requests are reviewed and actions are noted by the reviewers.
• Additional workflow stages (optional): You can add approval stages (e.g., a security stage) to the workflow path by configuration.
• Automatic de-provisioning: If the user desires, SAP BusinessObjects Access Control can automatically de-provision the roles marked for removal by the reviewers from the back-end system.
• Management of rejected users: If the reviewers are the users' direct managers, then they can reject users for whom they are not responsible during the review. The administrator has to follow up on rejected users and regenerate requests to be sent to the corrected managers.
• Reporting and audit trails: A status report, a history report, and a detailed audit trail complete the UAR.
Initialization
The initialization process step contains the following tasks that the administrator executes (Figure 2):
• If role owners are configured to be reviewers: The role master data in CUP also contains a Role Approver tab, which lists the role owners. Make sure that this information is up to date. Otherwise, the system sends requests to the wrong role owners.
The requests sent to reviewers also contain information on how often transactions from a particular role assigned to the user were actually executed in the back-end system during the chosen review period, typically the last six or 12 months. The preparation of the role usage information requires several tasks executed in multiple product capabilities of SAP BusinessObjects Access Control:
• Alert generation job: Schedule the alert generation job in RAR > Configuration > Background Job with all options selected.
• Purge usage information: If more transaction usage information is stored in RAR than is desired for UAR requests, then you should archive the data. For example, if your UAR process states that the prior 12 months' usage information should be provided in UAR requests and RAR has 15 months available, then you should purge the oldest three months' information in RAR via menu path Configuration > Utilities > Purge Action Usage. It is important to note that usage information purged in RAR is still accessible to RAR from the flat file that is produced, but it is not accessible by ERM or CUP.
• Retrieve role usage information: For back-end systems with an RTA, follow menu path ERM > Configuration > Background Jobs to schedule the task Role Usage Synchronization, or upload the Role Usage Information via flat file for legacy systems without an RTA. For details about the upload procedure and the required file formats, refer to the standard documentation.
To complete the initialization process step, the administrator schedules the task UAR Review Load Data as a background job in CUP. This creates the requests, but does not yet create the workflow tasks or the notification emails that are sent to reviewers. The system does not create requests for users that are locked in the back-end systems. Consider unlocking locked users before you start the UAR process if you want to include them.
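The following Python model is an added illustration of the checks the initialization step makes, as described above; it is not code from SAP BusinessObjects Access Control. It takes user-to-role assignments, a manager relationship (as a user details data source such as HCM or LDAP would supply), the role owners from the role master data, and raw transaction execution events, and generates review requests: locked users get no request, a manager-driven review needs a manager for every user, a role-owner-driven review needs an owner for every role, a reviewer without a coordinator gets no request when administrator review is switched off, usage is counted only inside the review period (the model filters by date instead of purging RAR data), and each reviewer's line items are split into requests of a configurable size. All names (`build_uar_requests`, `Assignment`, the sample users, roles and systems) and the sample data are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    """One user-to-role assignment in one back-end system (hypothetical model)."""
    user: str
    role: str
    system: str
    locked: bool = False          # user locked in the back end: no request is created


@dataclass
class LineItem:
    user: str
    role: str
    system: str
    usage_count: int              # executions of the role's transactions in the review period
    decision: Optional[str] = None


@dataclass
class UarRequest:
    reviewer: str
    coordinator: Optional[str]
    items: List[LineItem]


# --- Constructed sample data; not taken from the article ---
ASSIGNMENTS = [
    Assignment("jdoe", "Z_AP_CLERK", "ERP_PRD"),
    Assignment("jdoe", "Z_AP_MANAGER", "ERP_PRD"),
    Assignment("asmith", "Z_AP_CLERK", "ERP_PRD"),
    Assignment("asmith", "Z_HR_VIEW", "HCM_PRD"),
    Assignment("bold", "Z_AP_CLERK", "ERP_PRD", locked=True),
    Assignment("contractor7", "Z_AP_CLERK", "ERP_PRD"),   # no manager record in HCM/LDAP
]
MANAGER_OF = {"jdoe": "mgr_finance", "asmith": "mgr_finance", "bold": "mgr_finance"}
ROLE_OWNER = {"Z_AP_CLERK": "own_ap", "Z_AP_MANAGER": "own_ap", "Z_HR_VIEW": "own_hr"}
COORDINATOR_OF = {"mgr_finance": "coord_fin", "own_ap": "coord_fin", "own_hr": "coord_hr"}
REVIEW_START = date(2011, 1, 1)          # start of the review period; older usage is not counted
USAGE_EVENTS = [                         # (user, role, system, day) transaction executions
    ("jdoe", "Z_AP_CLERK", "ERP_PRD", date(2011, 3, 2)),
    ("jdoe", "Z_AP_CLERK", "ERP_PRD", date(2011, 6, 15)),
    ("jdoe", "Z_AP_MANAGER", "ERP_PRD", date(2010, 11, 20)),   # before REVIEW_START
    ("asmith", "Z_AP_CLERK", "ERP_PRD", date(2011, 2, 1)),
]


def usage_counts(events, review_start: date) -> Dict[Tuple[str, str, str], int]:
    """Count executions per (user, role, system), inside the review period only."""
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for user, role, system, day in events:
        if day >= review_start:
            counts[(user, role, system)] += 1
    return counts


def build_uar_requests(assignments, reviewer_type, manager_of, role_owner, events,
                       review_start, max_items, coordinator_of, admin_review):
    """Model of the 'UAR Review Load Data' step. Returns (requests, skipped).

    reviewer_type is "manager" or "role_owner". skipped lists the assignments for
    which no request can be generated, each with the reason."""
    usage = usage_counts(events, review_start)
    per_reviewer: Dict[str, List[LineItem]] = defaultdict(list)
    skipped: List[Tuple[Assignment, str]] = []
    for a in assignments:
        if a.locked:
            skipped.append((a, "user locked in back-end system"))
            continue
        if reviewer_type == "manager":
            reviewer, missing = manager_of.get(a.user), "no manager in user details data source"
        else:
            reviewer, missing = role_owner.get(a.role), "role has no role owner"
        if reviewer is None:
            skipped.append((a, missing))
            continue
        if not admin_review and reviewer not in coordinator_of:
            skipped.append((a, "reviewer has no coordinator and administrator review is off"))
            continue
        per_reviewer[reviewer].append(
            LineItem(a.user, a.role, a.system, usage.get((a.user, a.role, a.system), 0)))
    requests: List[UarRequest] = []
    for reviewer, items in per_reviewer.items():
        for i in range(0, len(items), max_items):        # configurable line items per request
            requests.append(UarRequest(reviewer, coordinator_of.get(reviewer),
                                       items[i:i + max_items]))
    return requests, skipped
```

Run `build_uar_requests(ASSIGNMENTS, "manager", MANAGER_OF, ROLE_OWNER, USAGE_EVENTS, REVIEW_START, 3, COORDINATOR_OF, False)` and inspect the `skipped` list before starting a cycle: every entry is an assignment that would silently fall outside the review. A usage count of zero supports a removal decision but does not prove the role is unneeded; transactions that are executed only at period end may not appear in a six-month window.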
Administrator Review
The administrator review is an optional process step that, if you choose to take it, you need to activate during configuration of the UAR scenario. Its purpose is to have the administrator check the completeness and accuracy of the generated requests with respect to the reviewers, prior to the generation of workflow tasks and notification emails. You can start the administrator review by following menu path CUP > Configuration > User Review > Request Review. The system displays to the administrator the list of all requests generated for the current UAR cycle. He can take action on each request in one of the following ways (Figure 3):
Figure 4
Administrator Review – Cancellation of requests
Figure 5
Generation of Workflow Tasks
The administrator schedules the task UAR Review Update Workflow as a background job in CUP. The system sends email notifications to the reviewers with the next execution of the periodic Email Dispatcher job in CUP.
Review Stage
The requests are first sent to the reviewers. You can provide detailed instructions for reviewers to supplement the content of the notification emails. The level of instruction for the approval of periodic access reviews might be more extensive because it is an infrequent process and may involve reviewers who do not perform routine approval of requests to create or change accounts. The Instructions area of the UAR requests is an HTML viewer. An example of a UAR request with an HTML page provided in the request is shown in Figure 6.
Figure 6
During configuration you can select whether the reviewers are the managers of the users or the role owners. Managers have the additional option to reject users for whom they don't feel responsible (Figure 7). They can mark the users in the User pane for rejection, select one of the preconfigured rejection reasons, and provide a comment, as shown in Figure 8. These users then enter the Management of Rejected Users process step.
Figure 7
Figure 8
All reviewers can find multiple line items per request (Figure 9) in the User Access tab of each request (Figure 6). The number of line items per request is configurable. Each line item represents a role assigned to a particular user in a particular system and can be marked for approval or removal by the reviewer. The role name is displayed as a hyperlink that you can use to view the details of the role. Next to the role name is a role usage counter. It tells the reviewer how often transactions from the role were executed by the user during the review period. This information facilitates decision making for the reviewer considerably. The line items in a request can belong to multiple users and multiple systems. A reviewer can receive multiple requests including all user-to-role assignments within the responsibility of the reviewer.
Figure 9
Approval and removal of roles from users supported by role usage information
The reviewer may choose to save the request multiple times to ensure work is saved in the request. The request is not forwarded to the next workflow stage until the reviewer completes all line items of the request and clicks the Submit button.
Note
This article can only provide an overview of the required configuration steps, but I highlight the steps and options that are specific to the UAR scenario. For more details, refer to the SAP BusinessObjects Access Control 5.3 Configuration Guide available at http://service.sap.com/instguides and to the guide Access Control 5.3 – User Access Review, which you can download from the SAP Community Network: https://sdn.sap.com/irj/scn/articles-grc-all.
You can configure each stage to display in requests only the roles previously marked for removal, to focus the attention of the additional approvers on these roles only. Another configuration option is to allow or disallow changes to the request content. If changes aren't allowed for a stage, then the buttons Approve and Propose Removal aren't available to the approvers in this stage. If changes to the request content aren't allowed, approvers can only suggest changes to the request content via a comment and forward the request to the reviewer in the previous stage (Figure 10). The reviewer would then take the decision, change the request content accordingly, and resubmit the request. If the stage configuration allows changes, approvers can turn approvals into removals and vice versa before they submit the request.
Figure 10
Automatic De-provisioning
You can define whether roles approved for removal are de-provisioned from the user manually or automatically. The configuration setting for auto-provisioning is a global setting for all request types that you can configure individually for each system connected to CUP via an RTA. See the SAP BusinessObjects Access Control 5.3 Configuration Guide for more instructions on configuring auto-provisioning. If you opt for manual de-provisioning, then a security stage is mandatory. Security receives the requests and manually removes the roles as indicated in the target systems before it submits the request to close it.
Figure 12
The status column contains the current status of each user. The following statuses are possible:
• New: These are requests submitted by the reviewer.
• To Generate: The user is marked for regeneration, but the generation background job has not started. You can click Cancel Generation to cancel the request generation.
• In Process: The background generation job has started but has not yet completed. Requests with this status cannot be cancelled, because the background job has started.
• Error: The generation background job has encountered an error.
• Completed: The generation background job has completed. The new request number is updated in the New Request column.
The administrator selects the users for whom he wants to generate new requests and clicks the Generate Requests button (Figure 12). This only marks the users. For the actual request generation, the administrator has to schedule the task UAR Review Process Rejected as a background job in CUP. The new requests then re-enter the administrator review process step before the corresponding workflow tasks are generated and sent to the correct managers for review.
Figure 13
The UAR history report shows the approval decisions taken for each item in UAR requests. This report is helpful after a portion of the review process or the entire review process is complete. It displays the actions indicated by the approvers for each line item representing a user-role assignment in a specific system (Figure 14). These actions can be Approved, Removal, or Rejection; the latter refers to rejected users.
Figure 14
You can view the UAR audit trail of a particular request to see the detailed activity during the lifetime of the request. Navigate to My Work > Request Audit Trail and enter your selection criteria for the request you are searching for. The audit trail shows the history of the request from creation to closure (Figure 15). You can print or download it and send it to internal or external auditors.
supported by an RTA or from a spreadsheet file. Ensure that each role is assigned a role owner if role owners act as reviewers or as approvers in an additional workflow stage during your UAR.
• Security lead: If you plan to involve your security team in the UAR workflow, maintain your security lead information by following menu path CUP > Configuration > Approvers > Security Lead.
• SMTP server: Sending notifications and reminders by email to users, reviewers, and approvers requires the configuration of an SMTP server. Follow menu path CUP > Configuration > Workflow > SMTP Server. Also check whether the Email Dispatcher and Email Reminder tasks are scheduled in CUP as recurring background jobs. Otherwise, email notifications won't be sent out.
• Number range: Ensure there is an active number range in CUP. The number range applies to all CUP requests and is not specific to any request type. Follow Configuration > Number Ranges to maintain number ranges.
• Connectors: Make sure that connectors (all with the same name) have been created in CUP, RAR, and ERM for each back-end system in scope for UAR. This is required for the generation of role usage information.
• Auto-provisioning: If you want the roles marked for removal by the approvers to be de-provisioned automatically from the back-end systems, then you need to configure auto-provisioning. You can do this by following menu path CUP > Configuration > Workflow > Auto Provisioning, choosing either globally in the Global tab or per system in the By System tab if you want to activate auto-provisioning only for a subset of your systems.
• UME security: With a later Support Package, you can assign to administrators and reviewers new UME actions for rejecting and managing the rejected users as well as for accessing the UAR reports. These actions are provided in the initial data files.
Workflow
A workflow in CUP always consists of an initiator, one or multiple stages, and a path linking the sequence of stages together. This allows for a very flexible configuration of UAR workflows according to your organization's requirements. For this reason the example I'll present is a very common one, but not the only way of doing it. The workflow has the following features:
• The first stage of the workflow is the review stage
• If the reviewer marks line items in a request for removal, then the request is sent to a security stage
• If all line items of a given request are approved, then the request is closed without being sent to the security stage
• The security administrator sees all line items of the request, not only those marked for removal
• The security administrator has permission to change the request content in terms of approvals and removals
• After the security administrator submits the request, de-provisioning of the marked roles happens automatically
To implement this workflow, you have to define the following elements:
• Initiator
• Review stage
• Security stage
• Primary path containing the review stage
• Detour path containing the security stage
• Detour linking the two paths together
Follow menu path CUP > Configuration > Workflow > Initiator to define an initiator. Make sure that you select User Access Review as the workflow type first. You'll need to select this workflow type for all other workflow elements such as stages, paths, and detours. For this example, it is sufficient to add the attribute Request Type with value User Access Review to the initiator. However, for the workflow type User Access Review, you also have the attributes Application and UAR Review Role available to build more complex Boolean conditions to support multiple workflow paths in parallel for your UAR scenario.
Follow menu path CUP > Configuration > Workflow > Stage to define the review stage. Select Reviewer as the approver determinator. You can define a request wait time and an escalation configuration, which defines which type of escalation action should be taken if the UAR request isn't submitted in this stage within the request wait time. The following options are available:
• Forward to next stage
• Forward to administrator
• Deactivate/Forward to next stage: The role assignments for the users on the request are deactivated with the validity date set to the current date, and the request is forwarded to the next stage
• Deactivate/Lock, Forward To Next Stage: The users on the request are locked in addition to the measures taken in the previous option
• Lock, Forward To Next Stage: The users on the request are only locked, and the request is forwarded to the next stage
Then, configure the notification options as for any other stage in CUP. In the Additional Configuration pane, you can configure a number of parameters (Figure 17). Some of them are of specific interest for the UAR workflow:
• Change Request Content: Controls whether the approver is permitted to change the request content in terms of approval or removal of the line items representing role-to-user assignments
• Reject Users: The ability to reject users is required in the reviewer stage if the reviewers were configured to be the users' managers
• Approval Type: Determines whether all line items of the request are visible to the approver of this stage or only the items marked for removal
Figure 17
You can define the security stage in the same way as the review stage. Select Security as the approver determinator. Then apply the same Additional Configuration settings as for the review stage, with the exception of Reject Users, which is set to No (Figure 17). Follow CUP > Configuration > Workflow > Path to define the primary path, including the review stage (Figure 18). Select the initiator and the review stage previously created and check the Active check box.
Figure 18
Create the primary path for the UAR workflow containing the review stage
Because I only want those requests that contain line items for removal to be sent through the workflow to the security stage, I need to use the more advanced Detour feature in CUP. Detours are standalone workflows that are engaged from a primary workflow if certain conditions are encountered at a
particular stage of the primary workflow. For this reason, I need to create a second path that has no initiator included, but has the detour flag checked and the security stage selected as its single stage. Then, follow menu path CUP > Configuration > Workflow > Detour/Fork and make the selections shown in Figure 19.
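The routing rules of the workflow described above (review stage, detour to a security stage only when something is marked for removal, the Change Request Content and Approval Type stage parameters, the escalation options, and automatic versus manual de-provisioning) are compact enough to model as a small state machine. The following Python block is an added example of that model; it is not CUP's workflow engine or any SAP code. `StageConfig`, `submit_review`, `submit_security`, `escalate`, the escalation option names, and the sample request are assumptions made for the example, and the structures deliberately mirror the hypothetical `LineItem` used earlier in this page's first example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

APPROVE, REMOVE = "approve", "remove"


@dataclass
class LineItem:
    user: str
    role: str
    system: str
    decision: Optional[str] = None      # None until the reviewer marks the item


@dataclass
class StageConfig:
    """Hypothetical model of a CUP stage and its Additional Configuration."""
    name: str
    approver_determinator: str          # "Reviewer" or "Security"
    change_request_content: bool        # Approve / Propose Removal buttons available?
    reject_users: bool                  # managers may reject users they are not responsible for
    approval_type: str                  # "all" items visible, or "removal_only"
    wait_days: int                      # request wait time before escalation
    escalation: str                     # key of ESCALATIONS


@dataclass
class UarRequest:
    reviewer: str
    items: List[LineItem]
    stage: str = "review"
    comments: List[str] = field(default_factory=list)


# escalation option -> (deactivate role assignments?, lock users?, where the request goes)
ESCALATIONS = {
    "Forward to next stage": (False, False, "next"),
    "Forward to administrator": (False, False, "administrator"),
    "Deactivate/Forward to next stage": (True, False, "next"),
    "Deactivate/Lock, Forward to next stage": (True, True, "next"),
    "Lock, Forward to next stage": (False, True, "next"),
}

REVIEW_STAGE = StageConfig("review", "Reviewer", True, True, "all", 14,
                           "Deactivate/Lock, Forward to next stage")
SECURITY_STAGE = StageConfig("security", "Security", True, False, "all", 7,
                             "Forward to administrator")


def submit_review(req: UarRequest) -> str:
    """Reviewer clicks Submit. The request takes the security detour if any item is
    marked for removal; if everything is approved it is closed without a security stage."""
    if any(i.decision is None for i in req.items):
        raise ValueError("Submit is only possible once all line items are completed")
    req.stage = "security" if any(i.decision == REMOVE for i in req.items) else "closed"
    return req.stage


def visible_items(req: UarRequest, stage: StageConfig) -> List[LineItem]:
    """Approval Type decides whether an approver sees all items or only the removals."""
    if stage.approval_type == "all":
        return list(req.items)
    return [i for i in req.items if i.decision == REMOVE]


def submit_security(req: UarRequest, stage: StageConfig,
                    changes: Dict[Tuple[str, str, str], str],
                    comment: str = "", auto_provisioning: bool = True):
    """Security approver submits. changes maps (user, role, system) -> new decision.
    Returns the assignments to de-provision automatically; empty when provisioning is
    manual or when the request goes back because changes are not permitted here."""
    if changes and not stage.change_request_content:
        req.comments.append(comment or "security proposes changes; please revise")
        req.stage = "review"            # back to the reviewer, who decides and resubmits
        return []
    for item in req.items:
        new = changes.get((item.user, item.role, item.system))
        if new is not None:
            item.decision = new         # approval turned into removal or vice versa
    req.stage = "closed"
    removals = [(i.user, i.role, i.system) for i in req.items if i.decision == REMOVE]
    return removals if auto_provisioning else []   # manual: security removes them itself


def escalate(req: UarRequest, stage: StageConfig, today: date, next_stage: str = "security"):
    """Request wait time expired without Submit: apply the stage's escalation option and
    return the actions taken on the back-end assignments and users."""
    deactivate, lock, forward = ESCALATIONS[stage.escalation]
    actions = []
    if deactivate:      # validity end date set to today for every assignment on the request
        actions += [("deactivate", i.user, i.role, i.system, today) for i in req.items]
    if lock:
        actions += [("lock", u) for u in sorted({i.user for i in req.items})]
    req.stage = next_stage if forward == "next" else forward
    return actions


def new_request() -> UarRequest:
    """Constructed sample request: one manager, two users, three assignments."""
    return UarRequest("mgr_finance", [LineItem("jdoe", "Z_AP_CLERK", "ERP_PRD"),
                                      LineItem("jdoe", "Z_AP_MANAGER", "ERP_PRD"),
                                      LineItem("asmith", "Z_AP_CLERK", "ERP_PRD")])
```

Two points the model makes visible that the configuration screens do not: the Deactivate/Lock escalation options act on every assignment and user in an unanswered request, so a reviewer who ignores a large request can cause a broad outage, which argues for a reminder schedule and a reasonable wait time; and with Change Request Content set to No the security stage can only send the request back, so the reviewer's decision remains the decision of record.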
Detour definition
Figure 19
Rejection Reasons
Managers acting as reviewers in the review stage need to select a reason from a drop-down list when rejecting users. These reasons have to be uploaded in the menu path CUP > Configuration > User Review > Reason for Rejection. You can download the required spreadsheet template from there, fill it with data, and then upload it again (Figure 20).
Uploading reasons for rejection
Figure 20
Coordinators
You identify a coordinator for each reviewer, regardless of whether the reviewer is a user's manager or a role owner. SAP BusinessObjects Access Control uses the coordinator information to generate reports that you can use while managing the review process. If you are not using Administrator Review, then you must have a coordinator associated with the reviewer to get a UAR request generated. You associate coordinators with reviewers in menu path CUP > Configuration > User Review > Coordinators. You have to click Search before you reach the maintenance screen (Figure 21). You enter this data either manually, or you download the template, maintain the data in the spreadsheet, and upload it again when completed.
Figure 21
Frank Rambo, Ph.D., is director of the SAP GRC Regional Implementation Group (RIG) in the EMEA region. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security, identity management, and the SAP NetWeaver Portal. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. Frank lives in Hamburg, Germany. You may reach him at frank.rambo@sap.com.