Access Risk Analysis

VIRSA 4.0 ----- > Compliance Calibrator

GRC AC 5.3 ------ > Risk Analysis & Remediation
GRC AC 10, 10.1 ----- > Access Risk Analysis

Global Rule Set It is group of Risks faced by reputed

companies in the last 100 years and it has divided
process wise (Finance, HR, Sales)
Risk: Something which impacts your business Financial
or Reputational
Probability Chances of its occurance
Risk is not universal
Reliance Power
Maharashtra 5th Supplies power to 10000 industry
MP 10th
Gujarat 15th
Risk Remove or Avoid Risk Remediation
Risk Reduce its impact Risk Mitigation
Risk Identification:
To identify a Risk Experience Self or Others
SAP has studied famous companies in the world, domain
wise Banking, Automobile, Retail Gathered the risks

faced by this companies and that has been documented

Global Rule Set
Risk Types:
1)
2)
3)
4)

Low
Medium
High
Critical

SOD Risk Creation:

Ex,, Business Process ----- > BASIS
Functions --------- > GE_SEC : SU01, SU10, PFCG
GE_CLAD : SCC4, SCC5, SCCL
& SCC9

EX,,
User Client admin Role SCC4, SCC5, SCC7, SCC1
- Sec Admin role SU01, PFCG
Risk Analysis Report Formats:

Detail
Summary
Management Summary
Executive Summary

SOD at Action Level

SU01 Create User
SCC4 Create Client
SOD at Permission Level
Below access is not a risk
Su01 User Creation Access
Scc4 Display Client

SOD Risk:
M002 : Production order processing and confirming
production orders
Above risk is causing due to below 2 functions which are
conflicting in nature.
PP02 - Production order processing
PP01 - Confirming production orders
Action Level SOD Risk ----- > CO01 + CO11

Permission Level SOD risk ----- > AO1 With Activity 01

+ AO2 with activity 16
User
Role 1: CO01 ----- > AO1 with Activity 01
Role 2: CO11 ------- > AO2 with Activity 03

A Tcode will be part of one function only. Tcode cannot be

part of Multiple Functions.

Critical Action Risk:

Under BASIS Business process, creating a function with
critical Tcodes
GE_BS_CAF
SPRO
SE38
SCC5
SCC4

SM36
Critical Permission Risk:
Under BASIS business process, creating a function with
critical Auth Values
GE_BS_CPF
S_DEVELOP with Activity 01 or 02
S_TABU_CLI with ClientMaint value X
S_TABU_DIS with Activity: 01 or 02
S_USER_AGR with Activity 01 (create) or 02(change) or
22(assign)
S_CTS_ADMI
S_BATCH_ADMI

Risk Remediation:
It means removing risk by removing access.
How to remove access?
1)Remove role Single user
2)Remove Tcode from Role Multiple users

Risk Mitigation:
Reducing the probability or impact of the risk.

How? By monitoring mechanism

Mitigation Controls Specific to Business Process
Mitigation Approver Responsible for assigning
Mitigation Controls for Users and also approving changes
to Mitigation Control Definition
Mitigation Monitor Resposnisble for monitoring the
users who have risks

Normal User (access is needed on permanent basis)-----> Risk ----- > Risk Owner ------ > Mitigation Approver ------> Mitigation Monitor

FFID (Access is temporary) ---- > Risk ----- > FF ID

Controller

Mitigation Control:
Steps
1)Create user ids in SU01 for Mitigation Approver and
Monitors in the GRC system.
2)Define/Declare them in GRC system as Mitigation
Approver and Monitor in NWBC ----- > Set up ------ >
Access Control Owners
3)Create Root Org in SPRO ---- > GRC ----- > Shared
Master Data

4)Define OWNERS for the ORG

5)Create Mitigation Control NWBC ---- > SET UP ---- >
Mitigation Controls
BS_MIT1
BS_Risk1
BS_Risk2
BS_Risk3
BS_MIT2
BS_Risk4
BS_Risk5
BS_Risk6
FI_MIT1
FI_RISK1
FI_RISK2
FI_RSK3
FI_RISK4
Example created in the system:
BS_MIT1 (Mitigation Control)
GE_BS_R1(RISK)
BS_MIT2(Mitigation Control)
GE_BS_R2(RISK)
1)User has a risk
2)Risk report is sent to Risk owner or Mitigation
Approver

3)If they decide to mitigate, we need to link the risk

id with appropriate mitigation control.
4)If Mitigation control is not available for that
particular risk, its Security/GRC team duty to
create a Mitigation Control.
5)Ensure that every risk id is associated with some
Mitigation Control otherwise that risk cannot be
Mitigated

Risk Simulation:
Whenever User asks for extra access
Whenever role has to be modified (adding more
tcodes or authorization)
Risks from Simulation Only ?
Exclude Values ?

Role 1: SU01, PFCG

Role 2: SCC4, SCC5

User 1: Role 1 + Role 2

User Level risk analysis is the Preferable one.

What is difference between Offline Risk Analysis and

Online Risk Analysis?
Online Risk Analysis:
GRC pulls the data from backend ECE and run risk
analysis.
Accurate Data and updated
System performance would be affected
If RFC error is there, this fails
Offline Risk Analysis:

 GRC pulls the risk analysis data stored in Local GRC

Tables These tables get updated by BATCH RISK
ANALYSIS job.
It is not Accurate data and updated
System performance is not affected

Parameter ID : 1027 controls the enabling the Offline

Risk Analysis

What do you mean False Positives?

There is no risk ideally, but GRC system shows as a Risk.

Example,,
Finance SOD Risk
Action Level : Create Invoice (FB01) & Approve Invoice
(FBV0)
Permission Level: FB01 ---- >AO1 with Activity:01

FBV0 ----- > AO2 with Activity:16

User
Role1: FB01 --- > AO1 with Activity 01, Plant:100
Role 2: FBV0 ---- > AO2 with Activity 16, Plant: 200

How to avoid FALSE POSITIVES?

Org rules need to be defined
System becomes slow when running risk analysis as it
has to consider extra rules like Org Rules.