TRANSCRIPT
GRC Nordic SAP User Management webinar
Team today
Matti Halonen, Mikko Syrjänen
Manage and control users with wide access rights
We have divided the presentation into six blocks
Focus will be on available solutions
Personal experience, customer implementations
Several areas of expertise are not discussed today, but we hope to get your feedback!
Take home from this presentation: an understanding of the possibilities!
Wide Accesses
Governance
Processes
Monitoring
Review
To Do List
Definition and the issue
User categories: Business, IT, Externals, Emergency
Job role / position -> Access rights
Preventive strategy
Wide access rights: preventive strategy, detective strategy
Importance
“Do we have users in our system with extra wide accesses…?”
“Yes”
“Do we know who they are, and do we limit the number?”
“Erh…yes…we try”
“Do we know what they have done…?” “Theoretically speaking…yes”
“Theoretically speaking…?” “Actually, we have no idea…we do not monitor them at all….”
“How serious a problem is this…?” “Do not know really…potentially very serious”
Awareness, Risk, Probability
Description of how everything should work
• Wide access risk approach
• Users / accesses
• Process descriptions
• Access risk tools, details, procedures
• Technical approach
SAP Authorisation Concept
Processes, Monitoring, Review
• Approvals
• Strong prevention
• Enhanced user access review
• Review processes
• Monitoring approach
• Log vs. real time
• Solution
• Review responsibility
• Review completeness
Understanding the Audit
Real life comments…
Earlier we had no approach or monitoring solution for wide accesses. Eventually this led to a serious audit remark.
Now we have everything defined and auditors have approved our wide access monitoring/reviewing approach!
Basic processes
Process based on request – one time / emergency
Request -> Approval -> Provisioning -> Use -> Log -> Review
Permanent account
Pre-approved -> Provisioning -> Use -> Log -> Review
“Removal”
Use -> Log -> Review
Monitoring / Reviewing in SAP
When this is clearly something we should all do…why is it not done?
Issue #1: How to get the information – an additional solution is needed
Issue #2: How to review a high number of log entries
Monitoring in SAP: information challenge
User actions
Date, time, system, user, tcode, etc.
Table
Create, change, delete, etc.
Combined view: User mhalo MM01 167778890 ….
Chronological order, business content
What are the options ?
Option 1: SAP GRC Access Control Firefighter
Request / approval process
Logging of activities
Review process
• Proven and comprehensive tool
• 3-6 months to implement
• Combined with SoD management functionality
• Cost
• Does not solve the review problem
Option 2: GRCN Emergency User service
Request / approval process
Logging of activities
Automated review
• Proven / audited service
• 1 week to implement
• Follows monthly log review cycle with automation
How to review ? Competence issue
What to look for ?
Know your tcodes, know your tables
Who can read this ?
How to review ? Volume issue
nn-nnn users with wide access rights: Business, IT, Externals, Emergency
x users × logs per user = #### logs to review
Resistance: ### logs not reviewed
Automated review
Logging of activities -> Automated review
• No risk -> approved automatically
• Risk (e.g. monetary change) -> Manual review
75 % - 95 % auto approval rate
Improved interface
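As an added example (not part of the webinar and not GRC Nordic's or SAP's own code), the combined chronological view from the information-challenge slide and the automated no-risk / manual-review split above, in Python. The log records, field names and the MONETARY_TABLES risk list are constructed assumptions for illustration, not real SAP extracts or a real rule set.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (not real SAP data); field layout is an assumption.
USER_ACTIONS = [  # timestamp, system, user, tcode
    ("2024-03-01 09:00:00", "PRD", "mhalo", "MM01"),
    ("2024-03-01 09:05:00", "PRD", "mhalo", "FB01"),
    ("2024-03-01 09:10:00", "PRD", "mhalo", "SE16"),
]
TABLE_CHANGES = [  # timestamp, system, user, table, action
    ("2024-03-01 09:01:30", "PRD", "mhalo", "MARA", "Create"),
    ("2024-03-01 09:06:10", "PRD", "mhalo", "BSEG", "Change"),
    ("2024-03-01 09:11:00", "PRD", "mhalo", "ZCUST", "Delete"),
]
# Assumed rule set: changes to tables with monetary content go to a human reviewer.
MONETARY_TABLES = {"BSEG", "BKPF", "PAYR"}


@dataclass
class Entry:
    ts: datetime
    system: str
    user: str
    kind: str    # "tcode" (user action) or "table" (table change)
    detail: str  # tcode name, or "TABLE Action"


def combined_view(actions, changes):
    """Merge user actions and table changes into one chronological list per user and system."""
    entries = [Entry(datetime.fromisoformat(t), s, u, "tcode", tc) for t, s, u, tc in actions]
    entries += [Entry(datetime.fromisoformat(t), s, u, "table", f"{tb} {a}")
                for t, s, u, tb, a in changes]
    return sorted(entries, key=lambda e: (e.user, e.system, e.ts))


def needs_manual_review(entry):
    """Risk rule: a monetary table change or any delete is 'risk'; everything else is 'no risk'."""
    if entry.kind != "table":
        return False
    table, action = entry.detail.split()
    return table in MONETARY_TABLES or action == "Delete"


def triage(entries):
    """Split the combined view into auto-approved and manual-review buckets and report the auto rate."""
    manual = [e for e in entries if needs_manual_review(e)]
    auto = [e for e in entries if not needs_manual_review(e)]
    rate = len(auto) / len(entries) if entries else 0.0
    return auto, manual, rate
```

The auto-approval rate reported here is what the slide's 75 %-95 % figure refers to; the reviewer only sees the manual bucket, with the surrounding tcode entries as context.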
Demo
Our recommendation
Software: SAP GRC Firefighter + GRCN Automated FireFighter log analysis service
Service: GRCN Emergency User Service
To Do List
Define your approach
• Users / accesses
• Processes
• Auth concept
Select solution or service
Manage
• Implement
• Communicate
• Adapt when changes to the SAP landscape
• Monitor constantly