GR2 - Access Risk Management Process Diagram
© 2014 SAP AG. All rights reserved.

Purpose, Benefits, and Key Process Steps

Purpose

This scenario describes the collaboration between business users in the Access Risk Management process.

Benefits

• Real-time access risk analysis to monitor the latest user access risks
• Batch jobs scheduled to update the dashboards as business needs require
• A detected violation or risk triggers remediation (assigning a mitigation control, or removing the role) quickly and in a straightforward way
• Deep integration of the Segregation of Duties (SoD) review and the User Access Review (UAR)

Key Process Steps

• Regular access risk analysis and remediation
• Periodic access analysis and remediation: SoD review
• Periodic access analysis and remediation: UAR review


Required SAP Applications and Company Roles

Required SAP Applications

• SAP Access Control 10.1

Company Roles

• Compliance Officer
• Manager
• Risk Owner
• Role Owner
• Mitigating Control Owner
• Mitigation Control Monitor


Detailed Process Description

GR2 - Access Risk Management

Regular access risk analysis and remediation:

• Compliance Officer: Review High-level Access Violation Report
• Risk Owner: Perform Real-time Risk Analysis
• Perform Remediation Activities:
  • Risk Owner: Assign Existing Mitigation Control
  • Risk Owner: Assign Newly Created Mitigation Control:
    - Risk Owner: Create New Mitigation Control
    - Mitigation Control Owner: Approve New Mitigation Control
    - Risk Owner: Assign New Mitigation Control
  • Mitigation Control Owner: Review Mitigated User List
  • Remove Role via User Level Risk Violation Report:
    - Risk Owner: Create De-provision Request
    - Manager: Approve De-provision Request
    - Role Owner: Approve De-provision Request
• Compliance Officer: Review High-level Violation Report

Periodic access analysis and remediation:

• Segregation of Duties (SoD) Review:
  - Schedule SoD Review
  - Preview and Check SoD Review Request
  - Update Workflow Job
  - Review and Remediate SoD Issues
• User Access Review (UAR):
  - Schedule UAR
  - Preview and Check UAR Request
  - Update Workflow Job
  - Review and Remediate UAR Issues
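The user-level risk analysis, mitigation and role-removal steps above, as an added Python example that is not part of the SAP document and is not SAP Access Control's own engine: the risk, function, role and user identifiers, the control IDs and the dates are constructed sample data. A risk is modelled as a set of conflicting functions; a user violates it when the functions granted through all of their roles cover the whole set; a mitigation control only counts once the Mitigation Control Owner has approved it and while it is still valid; the remediation view lists the single-role removals that would clear each unmitigated violation, which is what the Risk Owner needs when creating a de-provision request.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: hypothetical risk, function, role and user IDs,
# not content shipped with SAP Access Control.
# An access risk is a set of conflicting functions; a user violates it when
# the functions granted through all of their roles cover the whole set.
RISKS = {
    "P001": {"description": "Maintain vendor master and run vendor payments",
             "functions": {"AP01", "AP02"}, "level": "High"},
    "F002": {"description": "Maintain GL accounts and post journal entries",
             "functions": {"GL01", "GL02"}, "level": "Medium"},
}
ROLE_FUNCTIONS = {
    "Z_AP_VENDOR_MAINT": {"AP01"},
    "Z_AP_PAYMENT_RUN": {"AP02"},
    "Z_GL_ACCOUNTANT": {"GL01", "GL02"},  # one role carries both sides of F002
    "Z_DISPLAY_ONLY": set(),
}
USER_ROLES = {
    "JSMITH": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"},  # cross-role conflict
    "AJONES": {"Z_GL_ACCOUNTANT"},                         # intra-role conflict
    "BLEE": {"Z_AP_VENDOR_MAINT", "Z_DISPLAY_ONLY"},       # one side only, no risk
}
TODAY = date(2014, 6, 1)  # constructed reference date for validity checks


@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    risk_id: str
    user: str
    valid_to: date
    approved: bool = False  # counts only after the Mitigation Control Owner approves


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    level: str
    roles: frozenset  # technical view: the roles granting the conflicting functions
    mitigated_by: Optional[str] = None  # control id, or None if unmitigated


# Constructed controls covering the three states that matter to the analysis.
SAMPLE_CONTROLS = {
    "pending": MitigationControl("MC-0001", "P001", "JSMITH", date(2014, 12, 31)),
    "expired": MitigationControl("MC-0002", "P001", "JSMITH", date(2014, 1, 31), approved=True),
    "approved": MitigationControl("MC-0003", "P001", "JSMITH", date(2014, 12, 31), approved=True),
}


def active_control(controls, user, risk_id, today):
    """Return an approved, unexpired control assigned to this user/risk, else None."""
    for c in controls:
        if c.user == user and c.risk_id == risk_id and c.approved and c.valid_to >= today:
            return c.control_id
    return None


def analyse(user_roles, role_functions, risks, controls, today):
    """User-level risk analysis: one Violation per (user, risk) whose functions are covered."""
    violations = []
    for user, roles in sorted(user_roles.items()):
        func_roles = {}  # function -> roles of this user that grant it
        for role in roles:
            for func in role_functions.get(role, ()):
                func_roles.setdefault(func, set()).add(role)
        for risk_id, risk in sorted(risks.items()):
            if not risk["functions"].issubset(func_roles):
                continue
            contributing = frozenset().union(*(func_roles[f] for f in risk["functions"]))
            violations.append(Violation(user, risk_id, risk["level"], contributing,
                                        active_control(controls, user, risk_id, today)))
    return violations


def remediation_view(violations, user_roles, role_functions, risks):
    """For each unmitigated violation, the single-role removals that would clear it."""
    options = {}
    for v in violations:
        if v.mitigated_by:
            continue
        fixes = []
        for role in sorted(v.roles):
            remaining = user_roles[v.user] - {role}
            remaining_funcs = set().union(*(role_functions.get(r, set()) for r in remaining))
            if not risks[v.risk_id]["functions"].issubset(remaining_funcs):
                fixes.append(role)
        options[(v.user, v.risk_id)] = fixes
    return options


def mitigated_users(violations):
    """The Mitigated Users list that the Mitigation Control Owner reviews."""
    return sorted((v.user, v.risk_id, v.mitigated_by) for v in violations if v.mitigated_by)


def deprovision(user_roles, user, role):
    """Apply an approved de-provision request: return the assignments without the role."""
    updated = {u: set(r) for u, r in user_roles.items()}
    updated[user].discard(role)
    return updated


if __name__ == "__main__":
    for v in analyse(USER_ROLES, ROLE_FUNCTIONS, RISKS, [], TODAY):
        print(v.user, v.risk_id, v.level, sorted(v.roles), v.mitigated_by)
    print(mitigated_users(analyse(USER_ROLES, ROLE_FUNCTIONS, RISKS,
                                  [SAMPLE_CONTROLS["approved"]], TODAY)))
    print(analyse(deprovision(USER_ROLES, "JSMITH", "Z_AP_PAYMENT_RUN"),
                  ROLE_FUNCTIONS, RISKS, [], TODAY))
```

Two points the process steps leave implicit show up in the output: a pending or expired control does not mitigate anything, so the user stays on the violation report until the control is approved and within its validity; and for AJONES the conflict lives inside a single role, so the remediation view offers only that one role, which means either role redesign or a mitigation control rather than a simple role removal.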

GR2 Access Risk Management (Regular Access Risk Analysis and Remediation)

Swimlane diagram. Lanes in SAP Access Control: Compliance Officer, Mitigating Control Owner, Risk Owner, Manager, Role Owner; separate lane: SAP ERP. Steps in sequence:

A. Compliance Officer: Reviewing High-Level Access Violation Reports
B. Risk Owner: Reviewing High-Level Access Violation Reports (Technical/Business/Remediation View)
C. Risk Owner: Remediation - Assign Existing Mitigation Control
D. Risk Owner: Remediation - Assign Newly Created Mitigation Control: Create New Mitigation Control
E. Mitigating Control Owner: Approve New Mitigation Control
F. Risk Owner: Assign Existing or Newly Created Mitigation Control
G. Mitigating Control Owner: Review Mitigated Users List
H. Risk Owner: Remediation - Remove Role via User Risk Violation Report: Create De-provision Request (via Remediation View)
I. Manager: Approve De-provision Request
J. Role Owner: Approve De-provision Request
1. SAP ERP (automatic step): Relevant Role Removed for User
K. Compliance Officer: Reviewing High-Level Violation Reports

GR2 Access Risk Management (Periodic Access Analysis and Remediation)

Swimlane diagram. Lanes in SAP Access Control: Compliance Officer, Reviewer (Risk Owner), Reviewer (Manager); separate lane: SAP ERP.

Periodic Access Risk Analysis and Remediation - SoD Review:

L. Compliance Officer: Scheduling SoD Review
M. Compliance Officer: Previewing and Checking Requests
N. Compliance Officer: Updating Workflow Job for SoD Review
O. Reviewer (Risk Owner): Reviewing and Remediating SoD Issues

Periodic Access Risk Analysis and Remediation - UAR Review:

P. Compliance Officer: Scheduling UAR Review
Q. Compliance Officer: Previewing and Checking Requests
R. Compliance Officer: Updating Workflow Job for UAR Review
S. Reviewer (Manager): Reviewing and Remediating UAR Issues
2. SAP ERP (automatic step): Relevant Role Removed for User

GR2 - Access Risk Management: Regular Access Risk Analysis and Remediation

Icon Legend (Regular Access Analysis and Remediation)

A. Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> Risk Violations
B. Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
C. Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
D. Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
E. Log on as MC Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
F. Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
G. Log on as MC Owner. SAP GRC AC NWBC: Access Management -> Mitigated Access -> Mitigated Users
H. Log on as Risk Owner. Must choose Remediation View. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
I. Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
J. Log on as Role Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
1. Automatic process step in SAP ERP (Relevant Role Removed for User); no log-on
K. Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> User Analysis

GR2 - Access Risk Management: Periodic Access Risk Analysis and Remediation

Icon Legend (Periodic Access Analysis and Remediation)

L. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
M. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review
N. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
O. Log on as Risk Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
P. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
Q. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review
R. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
S. Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
2. Automatic process step in SAP ERP (Relevant Role Removed for User); no log-on

GR2 - Access Risk Management

Icon Legend (E-mail notifications)

Email 1: The Mitigation Control Owner receives an e-mail that a new mitigation control request needs to be approved.
Email 2: The Manager receives an e-mail that a de-provision request needs to be approved or rejected after review.
Email 3: The Role Owner receives an e-mail that a de-provision request needs to be approved or rejected after review.
Email 4: The Risk Owner receives an e-mail notifying them of a risk review request.
Email 5: The Manager receives an e-mail notifying them of a user access review request.

Appendix

Process Diagram Legend

Lanes:
• User Role
• <name>* (* <name>: SAP System (PPMS name), or non-SAP System, or lane for steps outside software)

Process steps:
• Process Step Outside Software
• Optional Process Step Outside Software
• Automatic Process Step (numbered, e.g. 1)
• Optional Automatic Process Step
• Manual Process Step (lettered, e.g. A)
• Optional Manual Process Step
• Process Step (manual or automatic) (e.g. 1A)
• Optional Process Step (manual or automatic)
• Process Step Outside Scope Item Scope

Interfaces:
• User Interface (UI)
• Batch Script
• Interface (like A2A/B2B Message)

Connections:
• Sequence flow
• Data flow

Documents:
• Inline / Standalone Output Document
• Accounting Document

Links:
• Link to SAP Best Practice Processes or scope items
• Page Link
• (<BBID>) Link to SAP Best Practice Process
• Incoming Link
• Outgoing Link

Events:
• Timer Event
• Message

Gateways:
• XOR
• OR
• AND
• Complex


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG (or an SAP affiliate company) in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP AG or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP AG or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP AG or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP AG’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP AG or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

© 2014 SAP AG or an SAP affiliate company.  All rights reserved.