September, 2009
Regional Implementation Group
Document Version 2.0
SAP BusinessObjects Risk Management 3.0
Security Concepts
Intended Audience and Purpose
© SAP 2008 / Page 2
This document is intended for use by Technical Consultants, Solution Consultants and System Administrators. Its purpose is to give a general overview of the various roles in the frontend, the backend and the application, showing how they interact with each other to enable employees to perform their daily duties and to form security for the Risk Management application.
Roles in Risk Management 3.0
Risk Management 3.0 has three places where roles are defined to form the
authorizations necessary for the users to perform their functions.
The Back-end
The back-end roles enable the user to perform basic tasks in the Portal front-end. The back-end roles also allow power users to perform any configuration changes needed. The back-end roles are defined in the ABAP back-end system.
The Front-end
As with all applications that use the Portal, there needs to be a user created on the Portal and this user needs to have a role assigned to them. The Front-end user ID and Back-end user IDs must be identical unless the UME is shared (in which case they are identical by nature).
The Application
A new concept for Risk Management is the introduction of the application role. This role is defined on the organization structure or on the Risk or Activity itself and controls what the users can and cannot see in the application. This is done in the application on the Portal.
Back-end: ABAP Specific Roles
The following roles must be used for every business user. Without them, the users will see a basic menu structure in the Portal and nothing more:
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
Back-end: Other ABAP Roles
SAP_GRC_FN_ALL
This is the power user role. The role can access both the front end and the back end. It does not use entity-level security and therefore bypasses the authorizations from the SAP_GRC_FN_BUSINESS_USER role.
SAP_GRC_FN_DISPLAY
This role is used for entity-level authorization to grant display access for all entities without a role assignment on the org. structure.
SAP_GRC_RM_CUSTOMIZING
This role can access the NetWeaver ABAP Server. It contains all authorizations necessary to perform the customizing settings for the application.
Front-end: Portal Specific Role
The following role must be used for every Portal user. Without it, there will be nothing for the users to see in the Portal, not even a menu.
GRC Risk Management - pcd:portal_content/com.sap.pct/com.sap.grc.rm.Enterprise_Risk_Management/com.sap.grc.rm.roles/com.sap.grc.rm.Role_All
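As an added illustration (not SAP code and not part of the original deck), the following Python script checks the minimum setup the preceding slides require for every business user: both mandatory ABAP back-end roles, the Portal role, and identical user IDs in the back-end and the Portal unless the UME is shared. It also flags holders of SAP_GRC_FN_ALL, since that role bypasses entity-level authorizations. The user records are constructed sample data, and the function name and data layout are assumptions rather than any SAP API.

```python
# Added example, not SAP code: audit the minimum role setup this deck requires
# for every Risk Management 3.0 business user.

REQUIRED_BACKEND_ROLES = {"SAP_GRC_FN_BASE", "SAP_GRC_FN_BUSINESS_USER"}
POWER_USER_ROLE = "SAP_GRC_FN_ALL"  # bypasses entity-level security (see deck)
REQUIRED_PORTAL_ROLE = (
    "pcd:portal_content/com.sap.pct/com.sap.grc.rm.Enterprise_Risk_Management"
    "/com.sap.grc.rm.roles/com.sap.grc.rm.Role_All"
)

# Constructed sample data (hypothetical exports of role assignments):
# ABAP back-end user ID -> back-end roles, Portal user ID -> Portal roles.
BACKEND_ROLES = {
    "JSMITH": {"SAP_GRC_FN_BASE", "SAP_GRC_FN_BUSINESS_USER"},
    "AKHAN": {"SAP_GRC_FN_BASE"},                       # missing BUSINESS_USER
    "POWERADMIN": {"SAP_GRC_FN_BASE", "SAP_GRC_FN_BUSINESS_USER", "SAP_GRC_FN_ALL"},
    "MLEE": {"SAP_GRC_FN_BASE", "SAP_GRC_FN_BUSINESS_USER"},
    "TWATSON": {"SAP_GRC_FN_BASE", "SAP_GRC_FN_BUSINESS_USER"},
}
PORTAL_ROLES = {
    "JSMITH": {REQUIRED_PORTAL_ROLE},
    "AKHAN": {REQUIRED_PORTAL_ROLE},
    "POWERADMIN": {REQUIRED_PORTAL_ROLE},
    "M.LEE": {REQUIRED_PORTAL_ROLE},                    # ID differs from back-end "MLEE"
    "TWATSON": set(),                                   # Portal user without the role
}


def audit_user_access(backend, portal, ume_shared=False):
    """Return {user_id: [findings]} for users whose setup deviates from the deck.

    When the UME is not shared the two IDs must be identical, so a user present
    in only one of the two systems is reported. With a shared UME the IDs are
    the same by nature, so that check is skipped.
    """
    findings = {}
    for user in sorted(set(backend) | set(portal)):
        issues = []
        be_roles = backend.get(user, set())
        pr_roles = portal.get(user, set())
        if not ume_shared and (user not in backend or user not in portal):
            issues.append("user ID not present in both back-end and Portal")
        if user in backend:
            missing = REQUIRED_BACKEND_ROLES - be_roles
            if missing:
                issues.append("missing back-end roles: " + ", ".join(sorted(missing)))
            if POWER_USER_ROLE in be_roles:
                issues.append(f"power user: {POWER_USER_ROLE} bypasses entity-level authorizations")
        if user in portal and REQUIRED_PORTAL_ROLE not in pr_roles:
            issues.append("missing Portal role GRC Risk Management (Role_All)")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_user_access(BACKEND_ROLES, PORTAL_ROLES).items():
        print(user, "->", "; ".join(issues))
```

Run with real data by replacing the two dictionaries with exports from the back-end (for example a user-to-role list) and from the Portal UME; pass ume_shared=True when both systems use the same UME so the ID comparison is skipped.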
Front-end: Portal Content Permissions
Content Administration -> Portal Content -> Portal Content
Right click on Enterprise Risk Management
Open -> Permissions
The User or Group should be assigned no administrator rights (i.e. "none") and the "End User" flag should be set.
Once the User has been maintained here, they will have the ability to access the Portal content.
Users have to be given permission to view the Portal content. This is a security feature at the Portal level.
Application Specific Roles
The Application Roles are created using transaction PFCG in the ABAP Back-end. Their usage is defined in the IMG and assigned in the application.
Application Roles - Definition
This is done in the IMG by the implementation team in the Back-end system. The path for this transaction is: GRC Risk Management -> General Settings -> Maintain Entity Role Assignment
This transaction defines where the application roles appear in the Risk Management application.
Application Roles - Assignment
This is done by the Business Users on the Front-end in the application itself. Roles can be assigned to users on the Organization Structure or on the Risk / Activity / Opportunity.
Users assigned to roles on the Org. Structure are able to see the node they have been assigned to and perform the tasks associated with the roles at that node. They are also able to display the nodes above the one they are assigned to.
Users not defined on the Org. Structure are not entitled to view the Org. Structure, but are able to view Risks, Opportunities or Activities they are assigned to.
Application Specific Roles: Definition
Corporate roles are defined at the root node and roles assigned to users here are valid through the whole org structure. These roles do not appear in lower level nodes.
Orgunit roles appear in the nodes below the root node. Roles assigned to users here are valid for that node and, as of SP04, subsequent lower nodes.
The Activity, Opp and Risk roles are not assigned on the Organization Structure, but on the Activity, Opportunity and Risk respectively.
Setting the 'Unique' flag restricts the role to a single user per entity. This means, for example, that if the flag was set for 'Risk Owner', each risk has only one 'Risk Owner'. Of course, there are as many risk owners as there are risks.
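The visibility rules on the last two slides (org-structure assignment shows the assigned node and the nodes above it; corporate roles cover the whole tree; orgunit roles also cover lower nodes as of SP04; users without an org-structure assignment see only the entities they are assigned to; the 'Unique' flag allows one holder per entity) are modelled below as an added Python example. This is not SAP code and not the product's implementation; the org tree, the user IDs and the risk are constructed sample data, and the split of the delivered roles into corporate and orgunit roles is an assumption, since the deck names the two kinds but not which role belongs to which.

```python
# Added example, not SAP code: a model of the application-role visibility rules
# described on the preceding slides (org-structure roles, entity roles, 'Unique' flag).
from dataclasses import dataclass, field

# Assumed split of the delivered roles into the two org-structure role kinds;
# the deck distinguishes the kinds but does not say which role is which.
CORPORATE_ROLES = {"CEO / CFO", "Central Risk Manager", "Internal Auditor"}
ORGUNIT_ROLES = {"Organization Owner", "Unit Risk Manager"}


@dataclass
class OrgNode:
    name: str
    parent: "OrgNode | None" = None
    children: list = field(default_factory=list)
    assignments: dict = field(default_factory=dict)  # role -> set of user IDs

    def add_child(self, name):
        child = OrgNode(name, parent=self)
        self.children.append(child)
        return child

    def ancestors(self):
        out, node = [], self.parent
        while node is not None:
            out.append(node)
            node = node.parent
        return out

    def descendants(self):
        out = []
        for child in self.children:
            out.append(child)
            out.extend(child.descendants())
        return out


def assign_org_role(node, role, user):
    """Corporate roles live only at the root node; orgunit roles only below it."""
    if role in CORPORATE_ROLES and node.parent is not None:
        raise ValueError(f"{role} is a corporate role and is only assigned at the root")
    if role in ORGUNIT_ROLES and node.parent is None:
        raise ValueError(f"{role} is an orgunit role and is not assigned at the root")
    node.assignments.setdefault(role, set()).add(user)


def visible_nodes(root, user, sp04=True):
    """Names of org nodes the user may display: the assigned node plus every node
    above it; the whole tree for a corporate role; and, as of SP04, the nodes below
    an orgunit-role assignment. A user with no org-structure assignment sees none."""
    visible = set()
    for node in [root] + root.descendants():
        roles = {r for r, users in node.assignments.items() if user in users}
        if not roles:
            continue
        visible.add(node.name)
        visible.update(a.name for a in node.ancestors())
        if roles & CORPORATE_ROLES or (sp04 and roles & ORGUNIT_ROLES):
            visible.update(d.name for d in node.descendants())
    return visible


@dataclass
class Entity:
    kind: str  # "Risk", "Opportunity" or "Activity"
    name: str
    assignments: dict = field(default_factory=dict)  # role -> set of user IDs


def assign_entity_role(entity, role, user, unique_roles=frozenset()):
    """Entity roles are assigned on the Risk/Opportunity/Activity itself; a role
    with the 'Unique' flag may be held by only one user per entity."""
    holders = entity.assignments.setdefault(role, set())
    if role in unique_roles and holders and user not in holders:
        raise ValueError(f"{role} is unique on {entity.kind} '{entity.name}'")
    holders.add(user)


def visible_entities(user, entities):
    """Entities a user can view even without any org-structure assignment."""
    return {e.name for e in entities if any(user in h for h in e.assignments.values())}


# Constructed sample data: a small org tree and one risk.
CORP = OrgNode("Corporate")
EMEA = CORP.add_child("EMEA")
GERMANY = EMEA.add_child("Germany")
APJ = CORP.add_child("APJ")
assign_org_role(CORP, "Central Risk Manager", "CRM01")
assign_org_role(EMEA, "Unit Risk Manager", "URM_EMEA")
assign_org_role(GERMANY, "Organization Owner", "OWNER_DE")
FX_RISK = Entity("Risk", "FX exposure")
assign_entity_role(FX_RISK, "Risk Owner", "ROWNER1", unique_roles={"Risk Owner"})

if __name__ == "__main__":
    for uid in ("CRM01", "URM_EMEA", "OWNER_DE", "ROWNER1"):
        print(uid, sorted(visible_nodes(CORP, uid)), sorted(visible_entities(uid, [FX_RISK])))
```

With the sample tree, URM_EMEA sees EMEA, Corporate above it and Germany below it; passing sp04=False drops Germany, which reproduces the pre-SP04 behaviour the slide mentions. ROWNER1 has no org-structure assignment and so gets an empty node set while still seeing the risk assigned to them.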
Application Specific Roles: Assignment
Certain roles are defined on the Organization Structure. Others are defined on the Risk / Opportunity / Activity.
Portal Navigation: What can users see?
1 – Navigation Menu: always visible (determined by Portal role)
2 – Work Centers: always visible (determined by Portal role)
3 – Menu Groups: visible depending on the Application Role assigned to the user and the back-end role SAP_GRC_FN_BASE
4 – Menu Items: visible depending on the Application Role assigned to the user and the back-end role SAP_GRC_FN_BASE
Note – The Menu Groups and Menu Items are configurable in the IMG.
What Users Can Do
The following slides illustrate what functions users can perform with the various application roles delivered with Risk Management 3.0.
The following slides show the standard delivered functions of each role. These roles can be customized to reflect customers' interpretations of each role.
Risk Owner, Activity Owner and Opportunity Owner have been grouped together as they are very similar in nature.
Note
These slides do not show what the user can and cannot do within the transactions, just which transactions they have access to.
Note 1356150 needs to be applied in order for the roles to behave as described in this document.
What Users Can Do: My Home
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Work Inbox
Analytics Dashboard
Top Risks
Propose Risk
Report Incident
Search Documents
CRM – Central Risk Manager
URM – Unit Risk Manager
Auditor – Internal Auditor
What Users Can Do: Risk Structure
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Organizations
Risk Classification
Consistency Check
Activity Hierarchy
Opportunity Classification
Objectives Hierarchy
What Users Can Do: Risk Assessment
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Risk and Opportunity Management
Response and Enhancement Plan Management
Incident Management
Top Risks
Incident Report
Scenario Analysis
Scenario Analysis using Monte Carlo
Activity Management
Questions Library
Survey Library
Survey Results
What Users Can Do: Risk Monitoring
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Key Risk Indicator Template
Key Risk Indicator Implementation
Planner
What Users Can Do: User Access
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Mass Role Assignment for Risks, Opportunities and Activities
Mass Role Assignment for Orgunits
Replacement / Removal
Central Delegation
Own Delegation
What Users Can Do: Reporting
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Risk Reporting
Risks per Risk Category
Risks per Activity Category
Risks per Objective
Risks per Organizational Unit
Top Risks
Risk Impact Details
Risk Mitigation Details
Risk Summary
What Users Can Do: Reporting II
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Opportunity Reports
Opportunity per Opportunity Category
Opportunity Benefit
Opportunities & Enhancement Plans
Audit and Analysis
Activity History
Risk History
Influence Factors
Incident Management
Incident Overview
What Users Can Do: Reporting III
What Users Can Do: Reporting IV
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Authorization Reports
User Authorization Analysis
Entity Authorization Analysis
Role Authorization Analysis
Object Authorization Analysis
Key Risk Indicator
KRI for Risk
KRI History
Print Reports
Print Reports
What Users Can Do: Reporting V
Roles compared: CRM, URM, Auditor, Organization Owner, CEO / CFO, System Admin, Risk Owner, Activity Owner, Opportunity Owner
Menu items:
Dashboards
Heatmap
Overview
Contact and more Information
Regional Implementation Group
SAP BusinessObjects Governance, Risk, and Compliance Solutions
SDN/BPX: https://www.sdn.sap.com/irj/bpx/grc
Email: [email protected]
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2009 SAP AG
All Rights Reserved