Scribd Logo
Upload

Welcome to Scribd!

  • Segregation of Duties Review (SOD Review) Description and Workflow Configuration

    Uploaded by

    Douglas Cruz
    1K views26 pages
    SAP GRC Access Control 10.0 - SOD Review process

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    SAP GRC Access Control 10.0 - SOD Review process

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    1K views26 pages

    Segregation of Duties Review (SOD Review) Description and Workflow Configuration

    Uploaded by

    Douglas Cruz
    SAP GRC Access Control 10.0 - SOD Review process

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 26

    GettingStarted Newsletters

    Welcome,Guest

    Login

    Register

    Store

    SearchtheCommunity

    Products

    Services&Support

    AboutSCN

    Downloads

    Industries

    Training&Education

    Partnership

    DeveloperCenter

    LinesofBusiness

    UniversityAlliances

    Events&Webinars

    Innovation

    Governance,RiskandCompliance / / AccessRequest(ARQ)

    SegregationofDutiesReview(SODReview)DescriptionandWorkflowConfiguration
    AddedbyShailyKulshreshtha,lasteditedbyShailyKulshreshthaonNov28,2014

    SegregationofDutiesReview(SODReview)
    SegregationofDutiesReviewisaprocesswherethesystemchecksperiodicallyforanyriskandviolationsassociatedwithauserorfunctions.Thisfunctionalitycanbeusedduringtheinitialcleanupof
    riskviolationsaswellasalongtermstrategytoreviewandaffirmpreviousMitigationassignments.
    WhenSODreviewisperformed,itgeneratesrequestsautomatically,basedonorganizationsinternalpolicy.SODreviewprovidesWorkflowBasedreviewandapprovalprocess.

    Purpose
    ThisdocumentwillexplaincompetefunctionalityofSODreview.

    SODReviewOverview
    KeyfeatureofSOSReview:
    DecentralizedreviewofSegregationofDutiesviolation.
    WorkflowrequestforAccessReviewandapproval
    ReaffirmationofMitigationControlassignment
    AudittrailandReportforAudits

    SODReviewProcess
    ThereisabackgroundjobwhichgeneratesSODReviewrequest.
    ThesystemsendsSODreviewnotificationtoreviewers.
    Thereviewerreviewtherequestandperformthefollowingoption.
    RejectRequestItems
    MitigateRiskbyassigningMitigationControl.
    RemoveAccessforitemsthatarecreatingviolations.
    ThereisonemoreoptionalstepwherewecaninvolveAdminforAdminreviewbeforesendingrequesttoreviewers

    SODReviewProcessExplanation
    AdminReview.
    ThereisanoptionforAdminReviewwhichprovidesadministratortovalidaterequestdataafterrequestaregenerated(bySODreviewjob)butbeforegeneratingWorkflowtask(butpriorSOD
    ReviewupdateWorkflowjob).IfanyreviewerinformationismissionorneedtobemodifythenAdmincandosobeforegeneratingworkflow,orcanalsodeleterequestsifrequired
    ReviewStage
    WecanspecifywhetherReviewerstageisaddressedbyusersManagerorRoleOwner.
    SecurityStage:WecanalsoincludeSecuritystageifrequired.

    WorkflowStageConfigurations
    AfterdecidingwhichstagetoincludeintheSODreviewworkflow,weneedtodeterminethespecificbehaviorforeachstagetoreflectthereviewprocess.Like
    EmailNotification
    Firstofallweneedtodeterminethecontentoftheemailnotificationtobesendtoapproverofeachstage.Recipientalsoneedstobedetermined.
    Reminder
    WecanalsosetEmailreminderinthiscase.Wecanspecifytheintervalofremindernotification.
    Escalation
    YoucanspecifyEscalationoneachstagebasedontimespentinaparticularstage.IfaReviewerdoesnotcompletehisreviewwithinthetimespecifiedinthedateparameterdefinedinconfiguration,
    thentherequestwillbeescalated.TheAuditlogwillshowthisescalation.Wecanalsospecifywhetherescalationautomaticallyremovestheaccessthatisnotapprovedbyacertaindate.

    RolesinSODReview
    ThefollowingrolecanappearinSODReviewRequest

    Administrator
    AdministratorsperformSoDReviewspecificadministrativetaskssuchasperforminganAdminReviewbeforegeneratingaworkflowfortherequest
    Reviewer
    ReviewersareapproversattheReviewerstage.AReviewercanbeaUsersManagerortheRiskOwner
    UsersManager
    UsersManageristhedirectmanagerofaparticularuser,asdefinedintheUserDetailsDataSource.
    RiskOwner
    RiskOwneristheownerspecifiedinyourRiskAnalysisandRemediation(RAR)masterdata.
    Coordinator
    CoordinatorsareusersassignedtooneormoreReviewers.CoordinatorsmonitortheSoDReviewprocessandcoordinateactivitiestoensurethattheprocessiscompletedinatimelymanner

    Prerequisites

    ThefollowingjobsshouldbeexecutedinthebelowsequencebeforerunningSODreviewJobs.

    RepositorysyncforUser,Role,Profile(SPRO>GRC>AccessControl>SynchronizationJobs>RepositorySync)
    BatchRiskAnalysisJob(SPRO>GRC>AccessControl>AccessRiskAnalysis>BatchRiskanalysis>ExecuteBatchRiskAnalysis)
    ActionUsageReport(SPRO>GRC>AccessControl>SynchronizationJobs>ActionUsageSync)
    RoleUsageSync(SPRO>GRC>AccessControl>SynchronizationJobs>RoleUsageSync)
    AlsomakesurethatRiskOwnersaremaintained.

    ConfigurationSettings
    ThissectionwillexplainsyouSODReviewConfigurationsettings

    IMGConfiguration
    BeforerunningSODreviewjobtherearesomeIMSsettingsthatneedstobedone
    GotoIMG>GRC>AccessControl.>MaintainConfigurationSettings>
    1. ForPARAMRiskAnalysis:SetParameter1027EnableOfflineRiskAnalysistoYES
    2. ForPARAMSODReview:SetthebelowParameters

    a. 2016RequestTypeforSOD:ChooseDefaultRequesttypeforSOD
    b. 2017DefaultPriorityforSOD:ChooseDefaultPriorityforSOD
    c. 2018WhoAreReviewers:ChooseRoleOwner/Managers
    d. 2019AdminReviewrequiredbeforesendingtasktoReviewer:ChooseYES/No
    e. 2020NumberofuniquelineitemsperSODrequest:Maximumvalueofthisparametercanbe9999.Beyond9999,therequestwillgetsplitandallitemswillbemovedtoanewrequest.
    ThisparameterisintroducedinGRC10.0SP17(SAPNote#1994429)
    f. 2021Isactualremovalofroleallowed:ChooseYes/No

    ManagingCoordinators
    GoToNWBC>AccessManagement>ComplianceCertificationReview>ManageCoordinators


    Screenwillopen.Nowselectanylineitemtochangeorcreateanewone.

    SpecifyingEscalations
    GoToSPRO>GRC>AccessControl>UserProvisioning>MaintainServiceLevelAgreement

    HereyoucancreateSLAforSODreviewprocess.YoucanspecifythisviatypeFixedbyDateorFixedbynumberofdaysandFormula.

    GeneratingdataforRequest

    ForgeneratingdataforSODreviewyouneedtoscheduleajobfromNWBC>AccessManagement>Scheduling>BackgroundScheduler

    YoucangiveJobNameandselectGeneratedataforAccessRequestSODReviewandclickonnext.
    AfterclickingonNextscreenyoucangivetheparametersforwhichyouwanttorunthisjob.

    Now,onclickingNextandthenFinishthejobwillbescheduled

    YoucancheckthisjobunderNWBC>AccessManagement>Scheduling>BackgroundJobs

    RequestReview
    ThisstepisonlyrequiredifyouhaveenabledAdminReviewoption.
    TheadministratorreviewstherequeststoensurecompletenessandaccuracyoftherequestinformationpriortosendingtoReviewers.
    GotoAccessManagement>ComplianceCertificationReview>RequestReview

    OntheRequestReviewscreen,searchfortheSoDReviewrequestsbyselectingtheSoDRiskReviewWorkflowandthenreviewthedatatoconfirmtheReviewerandCoordinatorinformationis
    accurate.

    Onthisscreenyoucanenterinformationaboutthereviewertotherequestsifnotavailable.
    AnAdministratorcanalsocanceltherequestifSoDReviewsarenotrequiredorifthereisincorrectdata.

    UpdateWorkflowJob
    ThisstepisonlyrequiredifyouhaveenabledAdminReviewandtheAdminReviewhasbeencompleted.
    ExecutetheSoDReviewUpdateWorkflowJobtopushtheworkflowtaskstotheReviewers.
    GotoAccessManagement>Scheduling>BackgroundScheduler.
    ClickBackgroundscheduler.
    TheScheduleAccessManagementScreenwillappear.
    ChooseCreatetocreateanewrequestforUpdateWorkflow.
    TheCreateSchedulescreenwillappear.
    EnterScheduleName.
    SelectScheduleActivityfromthedropdownlist.ForSoDRequests,selectUpdateWorkflowforSoDRequest.

    ChooseFinish.
    GotoRequestReview,andcheckthestatusoftherequestifithasbeencompleted.
    Aftercompletingalloftheabovementionedsteps,therequestswillnowcometotheReviewersWorkInboxtoworkonit.
    NowyoucanviewthatrequestintheWorkinbox.Onopeningtherequestitwilllookasbelow.

    SinceYESwasselectedforActualremovalofRolesduringtheconfigurationprocess,theACTUALREMOVALpushbuttonappearsonthescreen.IfNOwasselected,thenthePROPOSEREMOVAL
    pushbuttonappearsinstead.
    ByselectingRiskandthenchoosingtheActualRemovalpushbutton,youcanremovetheactualroleassociatedwiththisRisk.BychoosingtheProposeRemovalpushbuttonyoucanonlyproposethe
    removal,noactualremovalisdoneonanyroles.ChooseSubmittocompletetheReviewprocess.

    WorkflowConfiguration
    ToprocessSODreview,youneedtosettheworkflowsettingsfromMSMP.
    ProcessID:SAP_GRAC_SOD_RISK_REVIEW

    YoucanmaintainRuleatthe2ndstep.YoucanconfigureFunctionModulerules,BRFplusrules,ABAPclassbasedrules,andBRFplusflatrules.

    Therulescanbeoneofthefollowingtypes:
    InitiatorRule:Tocheckwhichpathyourrequestwilltake
    RoutingRule:Todirectyourrequesttotakeadetour
    AgentRule:Tocheckforagents(Reviewers)fortherequestinaparticularstage
    NotificationRule:Usedfornotificationpurposesonly
    Atthe3rdstepyoucandefineAgent
    Thepossibleagenttypesare:
    DirectlyMappedUsersAgroupofuserscreatedwithintheworkflowconfiguration
    PFCGRolesAlluserswhohavespecifiedPFCGroleassignments
    PFCGUserGroupAlluserswhoarepartofthespecifiedPFCGgroup
    GRCAPIRulesAllusersreturnedbytheconfiguredruleforagents

    Oncetheagentsaremaintained,choosetheNEXTpushbuttontomaintaintheVARIABLESANDTEMPLATES.
    Inthisscreen,youcanmaintaincustomnotificationtemplatesaswellastheirvariablesandreminders.

    Nextstepistomaintainpaths

    SelectapathandchoosetheADDorMODIFYpushbuttonstodefinethepathstages.
    IntheMaintainStagestable,choosetheMODIFYTASKSETTINGSbuttontochangethestagesettings.
    IntheApprovalTypecolumn,selectAllApproversorAnyOneApproverfromthedropdownlist.Thisdeterminesifallapproversoranyoneapproverisrequiredtoapprovethestage.
    IfyouchooseYesforEscalation,specifytheescalationsettingbyenteringtheidletimeinminutes.Idletimeistheamountoftimebywhich,ifthestageisnotapprovedorrejected,thetaskiseithersentto
    thespecifiedagentortheworkflowmovestothenextstage.

    ChoosetheNEXTpushbuttontogototheMaintainRouteMapppingscreen.Inthisstepyoucanmaintainroutemappingsbetweentheinitiatorrulesresultandtheactualpathfortheresult.

    NowGenerateMSMPversion

    CheckingSODReviewRequests
    Afterarequestisgenerated,itissenttothereviewersWorkInboxandcanbeaccessedbyperformingthefollowingsteps:

    YoucanalsosearchthisrequestunderSearchRequest>SelectProcessIDasSODRiskReviewWorkflow

    ManagingRejection
    ThelineitemsthatarerejectedbyanapprovercanbeaccessedandreworkedfromtheManagingRejectionsscreen.
    GoToAccessManagement>ComplianceCertificationReviews>ManageRejections.

    SelecttheProcessTypeandclickonSearch

    Youcanfindtherejectionsonthisscreen.

    RelatedDocuments
    TherearemanymajorSODreviewfixesafterSP14GRC10.0
    BelowaretheimportantSAPNoteregardingthis.

    1994429UAM:RunningBatchRiskAnalysisismandatoryforSODReviewRequestcreation
    2057848UAM:IncorrectvalueisdisplayedfortheVariableREQUESTER_NAMEintheSODNotifications
    2058766Removalofreviewernotpossiblefromrequestreviewer
    1888260UAM:IssueswithSODReviewrequest
    1973155ProvidingtablesortingoptioninSODReviewrequestandmitigationsnotsavedonsavingSODrequest

    Nolabels
    ContactUs
    Privacy

    SAPHelpPortal
    TermsofUse

    LegalDisclosure

    Copyright

    FollowSCN

    You might also like