GR2 - Access Risk Management
Process Diagram
© 2015 SAP SE or an SAP affiliate company. All rights reserved. 2
Purpose, Benefits, and Key Process Steps
Purpose: This scenario describes effective collaboration between business users in the Access Risk Management process.
Benefits:
• Real-time access risk analysis to monitor the latest user access risks
• Batch jobs scheduled for dashboard updates per business needs
• Detected violations/risks trigger remediation actions (mitigation control, role removal) quickly and in a straightforward way
• Deep integration of Segregation of Duties (SoD) and User Access Review (UAR)
Key Process Steps:
• Regular access risk analysis and remediation
• Periodic access analysis and remediation: SoD review
• Periodic access analysis and remediation: UAR review
Required SAP Applications and Company Roles
Required SAP Applications
SAP Access Control 10.1
Company Roles
Compliance Officer
Manager
Risk Owner
Role Owner
Mitigation Control Owner
Mitigation Control Monitor
Detailed Process Description (1/2)
GR2 - Access Risk Management
Regular access risk analysis and remediation:
• Compliance Officer: Review High-level Access Violation Report
• Risk Owner: Perform Real-time Risk Analysis
• Perform Remediation Activities:
  • Risk Owner: Assign Existing Mitigation Control
  • Risk Owner: Assign Newly Created Mitigation Control:
    - Risk Owner: Create New Mitigation Control
    - Mitigation Control Owner: Approve New Mitigation Control
    - Risk Owner: Assign New Mitigation Control
  • Mitigation Control Owner: Review Mitigated User List
  • Remove Role via User Level Risk Violation Report:
    - Risk Owner: Create De-provision Request
    - Manager: Approve De-provision Request
Detailed Process Description (2/2)
• Perform Remediation Activities (continued):
    - Role Owner: Approve De-provision Request
• Compliance Officer: Review High-level Violation Report
Periodic access analysis and remediation:
• Segregation of Duties Review
  • Schedule Segregation of Duties (SoD) Review
  • Preview and Check SoD Review Request
  • Update Workflow Job
  • Review and Remediate SoD Issues
• User Access Review
  • Schedule User Access Review (UAR)
  • Preview and Check UAR Review Request
  • Update Workflow Job
  • Review and Remediate UAR Issues
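The regular analysis and remediation steps above come down to three operations: work out which risks a user's combined roles trigger, check whether a currently valid mitigating control covers each one, and clear the open violations either by assigning a control or by removing a role. The Python below is an added example written for this page to show that logic end to end; it is not SAP Access Control code and does not reproduce SAP's delivered rule set. The Z_* roles, transaction codes, risk IDs (R-AP-01, R-AP-02), users and control IDs (MC-017) are constructed sample data, and modelling a risk as two conflicting sets of transaction codes is a simplification of the real action- and permission-level rules.

```python
"""Added example, not SAP Access Control code: user-level Segregation of
Duties (SoD) analysis with the two remediation paths from the process above
(assign a mitigating control, or remove a role).  All data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Risk:
    risk_id: str
    function_a: FrozenSet[str]  # transaction codes of the first conflicting function
    function_b: FrozenSet[str]  # transaction codes of the second conflicting function


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    risk_id: str
    valid_from: date
    valid_to: date

    def covers(self, risk_id, as_of):
        # An expired or not-yet-valid control must not suppress a violation.
        return self.risk_id == risk_id and self.valid_from <= as_of <= self.valid_to


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    roles_a: FrozenSet[str]      # roles that grant function A
    roles_b: FrozenSet[str]      # roles that grant function B
    mitigated_by: Optional[str]  # control ID when a valid control is assigned

    @property
    def intra_role(self):
        # One role grants both functions: removing another role cannot fix it.
        return bool(self.roles_a & self.roles_b)


def roles_granting(user_roles, role_actions, function):
    return frozenset(r for r in user_roles if role_actions.get(r, frozenset()) & function)


def analyze_user(user, user_roles, role_actions, risks, mitigations, as_of):
    """Real-time user-level risk analysis: one Violation per triggered risk."""
    found = []
    for risk in risks:
        ra = roles_granting(user_roles, role_actions, risk.function_a)
        rb = roles_granting(user_roles, role_actions, risk.function_b)
        if ra and rb:  # the user can execute both conflicting functions
            control = next((m.control_id for m in mitigations.get(user, [])
                            if m.covers(risk.risk_id, as_of)), None)
            found.append(Violation(user, risk.risk_id, ra, rb, control))
    return found


def analyze_all(assignments, role_actions, risks, mitigations, as_of):
    return {u: analyze_user(u, roles, role_actions, risks, mitigations, as_of)
            for u, roles in sorted(assignments.items())}


def violation_report(results):
    """High-level dashboard view: (user, risk, status) rows."""
    return [(v.user, v.risk_id, "MITIGATED" if v.mitigated_by else "OPEN")
            for vs in results.values() for v in vs]


def remove_role(assignments, user, role):
    """Outcome of an approved de-provision request (input left unchanged)."""
    new = {u: set(r) for u, r in assignments.items()}
    new[user].discard(role)
    return new


def assign_mitigation(mitigations, user, control):
    """Outcome of an approved mitigating-control assignment (input left unchanged)."""
    new = {u: list(c) for u, c in mitigations.items()}
    new.setdefault(user, []).append(control)
    return new


# Constructed sample data; the Z_* roles and transaction codes are illustrative.
ROLE_ACTIONS = {
    "Z_AP_VENDOR_MAINT": frozenset({"FK01", "FK02"}),  # create/change vendor master
    "Z_AP_INVOICE": frozenset({"FB60", "MIRO"}),       # post vendor invoices
    "Z_AP_PAYMENT_RUN": frozenset({"F110"}),           # execute payment run
    "Z_AP_SUPERUSER": frozenset({"FK01", "F110"}),     # badly cut role: both functions
    "Z_AP_DISPLAY": frozenset({"FK03"}),               # display vendor only
}
RISKS = [
    Risk("R-AP-01", frozenset({"FK01", "FK02"}), frozenset({"FB60", "MIRO"})),  # vendor master + invoices
    Risk("R-AP-02", frozenset({"FK01", "FK02"}), frozenset({"F110"})),          # vendor master + payments
]
ASSIGNMENTS = {
    "jdoe": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE"},
    "asmith": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"},
    "bwong": {"Z_AP_SUPERUSER"},
    "clee": {"Z_AP_DISPLAY", "Z_AP_PAYMENT_RUN"},
}
MITIGATIONS = {"asmith": [MitigatingControl("MC-017", "R-AP-02", date(2015, 1, 1), date(2015, 12, 31))]}
AS_OF = date(2015, 6, 30)

if __name__ == "__main__":
    for row in violation_report(analyze_all(ASSIGNMENTS, ROLE_ACTIONS, RISKS, MITIGATIONS, AS_OF)):
        print(row)
```

Run as-is, the report lists jdoe (open), asmith (mitigated by MC-017) and bwong (open); clee only holds one side of each conflict and is clean. Re-running `analyze_all` with an as-of date in 2016 turns asmith's violation back to open because MC-017 has expired, which is why the Mitigation Control Owner's review of the mitigated users list matters as a recurring step. `remove_role` and `assign_mitigation` return new state rather than mutating the input, so a before/after comparison is possible, as the Risk Owner would see after the approved de-provision or control assignment. bwong shows the intra-role case: a single role grants both functions, so the role itself has to be redesigned rather than one of several roles removed.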
GR2 Access Risk Management (Regular Access Risk Analysis and Remediation 1/1)
[Process diagram. Lanes: SAP Access Control (Compliance Officer, Mitigation Control Owner, Risk Owner, Manager, Role Owner) and SAP ERP.]
Steps:
A  Reviewing High-Level Access Violation Reports (Compliance Officer)
B  Reviewing High-Level Access Violation Reports – Technical/Business/Remediation View (Risk Owner)
C  Remediation – Assign Existing Mitigation Control (Risk Owner)
D  Remediation – Assign Newly Created Mitigation Control: Create New Mitigation Control (Risk Owner)
E  Approve New Mitigation Control (Mitigation Control Owner)
F  Assign Existing or Newly Created Mitigation Control (Risk Owner)
G  Review Mitigated Users List (Mitigation Control Owner)
H  Remediation – Remove Role via User Risk Violation Report: Create De-provision Request via Remediation View (Risk Owner)
I  Approve De-provision Request (Manager)
J  Approve De-provision Request (Role Owner)
1  Relevant Role Removed for User (automatic step in SAP ERP)
K  Reviewing High-Level Violation Reports (Compliance Officer)
Email notifications 1 to 3 (see the Email legend) go to the Mitigation Control Owner, the Manager and the Role Owner when their approval step is pending.
GR2 Access Risk Management (Periodic Access Analysis and Remediation 1/1)
[Process diagram. Lanes: SAP Access Control (Compliance Officer, Reviewer (Risk Owner), Reviewer (Manager)) and SAP ERP.]
Periodic Access Risk Analysis and Remediation – SoD Review:
L  Scheduling SoD Review (Compliance Officer)
M  Previewing and Checking Requests (Compliance Officer)
N  Updating Workflow Job for SoD Review (Compliance Officer)
O  Reviewing and Remediating SoD Issues (Reviewer: Risk Owner)
Periodic Access Risk Analysis and Remediation – UAR Review:
P  Scheduling UAR Review (Compliance Officer)
Q  Previewing and Checking Requests (Compliance Officer)
R  Updating Workflow Job for UAR Review (Compliance Officer)
S  Reviewing and Remediating UAR Issues (Reviewer: Manager)
2  Relevant Role Removed for User (automatic step in SAP ERP, following the remediation in O and in S)
Email notifications 4 (Risk Owner) and 5 (Manager) go out when the review request reaches the reviewer's Work Inbox.
GR2 – Access Risk Management
Regular Access Risk Analysis and Remediation
Icon Legend: Regular Access Analysis and Remediation
Icon  Name / where the step is performed
A  Reviewing High-Level Access Violation Reports. Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> Risk Violations
B  Reviewing High-Level Access Violation Reports (Technical/Business/Remediation View). Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
C  Remediation – Assign Existing Mitigation Control. Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
D  Create New Mitigation Control. Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
E  Approve New Mitigation Control. Log on as MC Owner (Mitigation Control Owner). SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
F  Assign Existing or Newly Created Mitigation Control. Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
G  Review Mitigated Users List. Log on as MC Owner. SAP GRC AC NWBC: Access Management -> Mitigated Access -> Mitigated Users
H  Create De-provision Request (via Remediation View). Log on as Risk Owner; the Remediation View must be chosen. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level
I  Approve De-provision Request. Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
J  Approve De-provision Request. Log on as Role Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
1  Relevant Role Removed for User (automatic step in SAP ERP)
K  Reviewing High-Level Violation Reports. Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> User Analysis
GR2 – Access Risk Management
Periodic Access Risk Analysis and Remediation
Icon Legend: Periodic Access Analysis and Remediation
Icon  Name / where the step is performed
L  Scheduling SoD Review. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
M  Previewing and Checking Requests. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review
N  Updating Workflow Job for SoD Review. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
O  Reviewing and Remediating SoD Issues. Log on as Risk Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
P  Scheduling UAR Review. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
Q  Previewing and Checking Requests. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review
R  Updating Workflow Job for UAR Review. Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler
S  Reviewing and Remediating UAR Issues. Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox
2  Relevant Role Removed for User (automatic step in SAP ERP)
GR2 - Access Risk Management
Icon Legend: Email notifications
Icon  Name
Email 1  Mitigation Control Owner receives an email that a new mitigation control request needs to be approved.
Email 2  Manager receives an email that a de-provision request needs to be approved or rejected after review.
Email 3  Role Owner receives an email that a de-provision request needs to be approved or rejected after review.
Email 4  Risk Owner receives an email notifying them of a risk review request.
Email 5  Manager receives an email notifying them of a user access review request.
Appendix
Process Diagram Legend
Lanes: User Role; <name>* (* <name>: SAP System (PPMS name), or non-SAP System, or lane for steps outside software); Process Step Outside Software; Optional Process Step Outside Software
Process steps: Automatic Process Step (1); Optional Automatic Process Step (1); Manual Process Step (A); Optional Manual Process Step (A); Process Step, manual or automatic (1A); Optional Process Step, manual or automatic (1A); Process Step Outside Scope Item Scope (A)
Interfaces: User Interface (UI); Batch Script; Interface (like A2A/B2B Message)
Connections: Sequence flow; Data flow
Documents: Inline / Standalone Output Document (for example an Accounting Document)
Links: Link to SAP Best Practice Processes or scope items; Page Link; (<BBID>) Link to SAP Best Practice Process; Incoming Link; Outgoing Link
Events: Timer Event; Message
Gateways: XOR; OR; AND; Complex
Thank you
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an
SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE
(or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional
trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind,
and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or
SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated
companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment,
promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties
that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking
statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.