SONY PICTURES ENTERTAINMENT
SAP GRC UAM Approver guide
Information Technology, User Access Management
SAP GRC 10
Integrated approach to SAP Security
Document History
Rev No. | Description | By | Date | Approved By
1.0 | Draft version | Karolina Drzewiecka, Rafał Storta | 05/28/2014 | Beata Okaj
2.0 | Input from Beata Okaj | Filip Nowak | 06/12/2014 | Beata Okaj
Contents
1. UAM Terminology
2. Notifications
3. Logon to the NetWeaver Business Client (NWBC)
4. Opening request from e-mail notification
5. Request view
6. Make decisions on access request
6.1. Changing approval status for request and roles
6.2. Add new roles to the request
6.3. Performing risk analysis
6.4. Forwarding request
6.5. User details
6.6. Audit log
6.7. Comments
6.8. Attachments
7. Delegating authority
8. Typical questions
9. User interface elements
10. Appendix
1. UAM Terminology
UAM – User Access Management process. The objective of the process is to grant new, extend or remove user access in SAP systems in a controlled way, ensuring all compliance and security requirements are met.
ARM – Access Request Management (ARM), the module of Access Control that automates and documents the user access management process. The solution provides a workflow-based review and approval process.
Access requestor – person who initiates the User Access Management process by creating a user access request directly in SAP GRC.
Administrator – person who maintains the configuration of UAM and performs maintenance activities. The administrator can perform UAM-specific tasks, such as cancelling UAM requests.
User direct supervisor – person who executes the first level of the User Access Management process by making a decision on the user access request directly in SAP GRC.
Role owner – person who executes the second level of the User Access Management process by approving the user access request for each corresponding role directly in SAP GRC.
Compliance SoD champion – person who supports the User Access Management process from the Segregation of Duties (SoD) risk perspective. This role actively participates in approving an access request when a new SoD risk is identified during the access request process.
NWBC – NetWeaver Business Client (accessible via an Internet browser or the dedicated NWBC software client) is a user interface client that offers a single point of entry to SAP applications, in particular harmonized access to existing SAP GUI transactions and to newly developed applications based on Web Dynpro.
2. Notifications
The ARM application sends eight types of notifications:
When a request is submitted,
When an approver receives a new UAM request,
When an approver receives a request forwarded with user(s) from another approver,
When a request returns from a forward (forwarding with return),
When a request is approved at a specified stage,
When an approver receives a reminder after a long time without a decision on a UAM request,
When a request is escalated,
When a request is closed.
E-mail notifications contain useful links for the reviewer:
Direct link to the request,
Direct link to the SAP GRC application,
Direct link to the training materials for User Access Management.
3. Logon to the NetWeaver Business Client (NWBC)
Logon using web interface
Open the direct link to the GRC Production environment (GPR) in your web browser (Mozilla Firefox is recommended): https://sppgrc01.spe.sony.com:8081/nwbc
Enter your user name and password, and choose Log On.
Logon using NetWeaver Business Client
Log in to the selected system in the NetWeaver Business Client.
Logon using SAP GUI
Log in to the ABAP GRC 10 production client and enter your username and password. If you are missing SAP GUI logon data, contact the SAP Security team.
Next, to work with SAP GRC ARM data, enter NWBC in the transaction field and click the System OK icon. To open a request, go to the My Home tab, open the Work Inbox and click on the request subject.
4. Opening request from e-mail notification
To open a request from an e-mail notification, click the direct link to the request.
In the next step you will be asked to log in to the system using your SAP username and password.
The request is displayed automatically after login.
5. Request view
An access request consists of a header with general request information and six tabs:
User Access - information on line items (the requested roles),
Risk Violations - information on risks arising from the roles in the access request,
Users - users for whom the request is created,
Audit Log - detailed history of the request,
Comments - comments added to the request,
Attachments - files attached to the request.
Roles (line items) used in the access request are described in the User Access tab by the following attributes:
Approval status - approve or remove on the selected stage in the approval path,
Assignment - name of the role in the access request,
System - system in which the role will be assigned,
Risk violation - result of risk analysis,
Role type,
Requested role validity,
Role owner,
Comments,
Provisioning action - determines whether the role will be assigned, removed or retained.
6. Make decisions on access request
The user can make various decisions on the request:
Approve the selected role by clicking the Approve button,
Reject the selected role by clicking the Reject button,
Approve all decisions contained in the User Access tab by clicking the Submit button,
Reject the whole request by clicking the action button and selecting the Reject action,
Forward the request by clicking the action button and selecting the Forward Request action,
Show all roles currently assigned to the user by clicking the corresponding button,
Add a new role using the Add button,
IMPORTANT: Only the user's direct supervisor can add or remove roles in the request.
Remove a role from the request by clicking the Remove button,
IMPORTANT: Only roles added by the supervisor can be removed from the request.
Perform risk analysis by clicking the Risk Analysis button.
6.1. Changing approval status for request and roles
The approver can change the approval status of selected roles. Every role can be approved or rejected. To change the approval status, select the role and click the Approve or Reject button in the User Access tab. The decision can also be made by selecting the appropriate action from the drop-down list in the Approval Status column. The selected decisions are confirmed by clicking the Submit button. The user can also reject the whole request using the action button and selecting the Reject option. Role details can be checked by clicking on the role name.
In a new window the system displays detailed information on the selected role.
The list of transactions contained in the role can be found in the Actions tab.
6.2. Add new roles to the request
The user's direct supervisor can add roles to the request. To add new roles:
Click the Add button and select the Roles option; a new selection window pops up on the screen.
IMPORTANT: Only the user's direct supervisor can add or remove roles in the request.
Role search criteria can be adjusted to your needs. For each role search you can extend (using the plus button) or limit (using the minus button) the search criteria. To see the list of available search criteria, click on the first drop-down field and select the appropriate filter.
Click the Search button. The system provides the list of all roles matching the selected criteria.
Using the role selection buttons you can select one, all or multiple roles (using CTRL + mouse click).
Role selection buttons:
Single
All
Click the OK button to add the selected roles to the request.
Added roles can be removed with the Remove button.
IMPORTANT: Only roles added by the supervisor can be removed from the request.
6.3. Performing risk analysis
The approver can perform risk analysis to check how the requested roles will impact the user's access. Running risk analysis is an optional step for request approval, with one exception:
IMPORTANT: Risk analysis is mandatory whenever new roles are added to the request. After the analysis, roles causing a risk are flagged red in the User Access tab. If you need additional input to find out which transactions are causing the conflict, you can also contact the SAP Security team.
To run Risk Analysis:
Select System: RPR500 – SAP ECC production system
Select Result Options:
Executive summary – lists the SoD risks (recommended)
Management summary – lists the SoD risks and the affected users
Summary – also shows the transaction codes involved in each risk
Detail – the most detailed option; shows which SAP roles are causing the conflict
Click the Run button to see whether any SoD risks exist.
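The following added example is not SAP GRC code and is not part of the original guide; it models what the four result options above present, so an approver can see why the same request can be clean for one user and conflicting for another. It simulates the request by combining the user's existing roles with the requested ones, evaluates each SoD risk as a pair of conflicting business functions, and then projects the resulting violations at the executive summary, management summary, summary and detail levels. The risk IDs, function names, role names and transaction codes are constructed for illustration; the real GRC rule set and the role master data of RPR500 differ.

```python
"""Illustrative segregation-of-duties (SoD) risk analysis.

Added example, not SAP GRC code. Risk IDs, functions, roles and tcodes below
are constructed for illustration; RPR500 is used only as a system label.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed rule set: a function is the set of transaction codes that can
# perform it; a risk is a pair of functions one person must not hold together.
FUNCTIONS = {
    "AP01_MaintainVendor": {"XK01", "XK02", "FK01"},
    "AP02_PostVendorInvoice": {"FB60", "MIRO"},
    "AP03_ReleasePayment": {"F110"},
}
RISKS = {
    "R001": ("AP01_MaintainVendor", "AP02_PostVendorInvoice"),
    "R002": ("AP02_PostVendorInvoice", "AP03_ReleasePayment"),
}
# Constructed role master data for system RPR500: role -> tcodes it grants.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "ME21N"},
    "Z_AP_INVOICE": {"FB60", "MIRO"},
    "Z_AP_PAYMENT": {"F110", "FBL1N"},
    "Z_DISPLAY_ONLY": {"FBL1N", "XK03"},
}


@dataclass(frozen=True)
class Violation:
    risk_id: str
    user: str
    function: str
    tcode: str
    role: str


def analyze(user, requested_roles, existing_roles=()):
    """Return the SoD violations the user would have after the request.

    The analysis is a simulation: existing assignments and requested roles are
    combined, because a requested role is only a conflict in combination with
    what the user already holds. A risk fires when the combined tcodes cover
    at least one tcode of *each* function in that risk.
    """
    combined = tuple(existing_roles) + tuple(requested_roles)
    tcode_sources = defaultdict(set)  # tcode -> roles granting it
    for role in combined:
        for tcode in ROLES[role]:
            tcode_sources[tcode].add(role)
    held = set(tcode_sources)

    violations = []
    for risk_id, funcs in RISKS.items():
        hits = {f: FUNCTIONS[f] & held for f in funcs}
        if not all(hits.values()):  # some function is not reachable: no risk
            continue
        for func, tcodes in hits.items():
            for tcode in sorted(tcodes):
                for role in sorted(tcode_sources[tcode]):
                    violations.append(Violation(risk_id, user, func, tcode, role))
    return violations


# Projections matching the four result options of the guide.
def executive_summary(violations):
    return sorted({v.risk_id for v in violations})


def management_summary(violations):
    return sorted({(v.risk_id, v.user) for v in violations})


def summary(violations):
    return sorted({(v.risk_id, v.function, v.tcode) for v in violations})


def detail(violations):
    return sorted({(v.risk_id, v.function, v.tcode, v.role) for v in violations})


def conflicting_roles(violations):
    """Roles that would be flagged red in the request's User Access tab."""
    return sorted({v.role for v in violations})


if __name__ == "__main__":
    # Constructed request: jdoe already holds a display role and asks for
    # vendor maintenance plus invoice posting -> R001 fires.
    found = analyze("jdoe", ["Z_AP_VENDOR_MAINT", "Z_AP_INVOICE"], ["Z_DISPLAY_ONLY"])
    print("Executive summary:", executive_summary(found))
    print("Detail:", detail(found))
    # Same requested role, different existing access -> different outcome.
    print(executive_summary(analyze("asmith", ["Z_AP_PAYMENT"], ["Z_AP_INVOICE"])))
```

The last call is the case an approver most often misjudges: Z_AP_PAYMENT is harmless on its own, but for a user who already posts invoices it completes risk R002, which is why the analysis has to run against the user's existing assignments rather than the requested roles in isolation.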
Risk Analysis - Executive Summary view
Risk Analysis - Management summary view
Risk Analysis - Summary view
Risk Analysis - Detail view
IMPORTANT: If you need additional input to find out which transactions/authorization are causing conflict, you can also contact SAP Security team.
6.4. Forwarding request
The user can forward a request to another approver for a decision. To forward a request, click the action button and select the Forward Request option. After choosing the alternative approver, the application offers two types of forwarding:
Forwarding with return (check box selected),
Forwarding without return (check box not selected).
Forward with return sends the request to the second approver for a draft decision; afterwards it is forwarded back to the first approver. The final decision is always taken by the first approver, regardless of the decision of the second approver, which is supporting information only.
Forward without return sends the request to the second approver. The decision of the second approver is final.
6.5. User details
The User Details tab provides detailed information on the user for whom the request is created. The tab is divided into 5 areas:
Personal section provides general information on the selected user,
Communication section provides the user's contact data,
Organization data provides basic HR data such as manager or personnel number,
Location section provides information on the place where the user is working,
Company section provides information on the user's company and function.
IMPORTANT: User details are imported via LDAP from the HR system. If they are incorrect or incomplete, raise an IDM incident with the Global Service Desk.
6.6. Audit log
The Audit Log tab contains the full request history. It shows, for example, the approval path, current and previous approvers, forwards, role master data and administrative tasks executed on the request.
6.7. Comments
The Comments tab allows you to provide additional information on the request.
6.8. Attachments
The Attachments tab allows you to preview previously added attachments and add new ones.
The approver can add files or links to the request. To add an attachment:
Go to the Attachments tab,
Press the Add button to add an attachment to the request,
Choose Add file or Add link,
Add the link or file,
Press the OK button to insert the attachment in the request.
IMPORTANT: When SoD risks are identified, the SoD compensating control worksheet (see Appendix) must be attached to the request by the supervisor to facilitate the Compliance review of the request. The document is stored on the dedicated GRC training page: link
Attachment tab consists of following elements:
7. Delegating authority
An approver can delegate the authority to approve requests to another user. To delegate authority:
Go to My Home, Approver Delegation,
Click the Create button,
Select the user to whom you will be delegating requests,
Enter the delegation validity period and status.
IMPORTANT: The selected user will have access to all requests in the approver's Work Inbox for the whole validity period, so keep the delegation as short as needed.
8. Typical questions
Question: What steps should I take as supervisor if a request was submitted with SoD violations?
Action: 1. Establish which transactions the user actually needs. 2. Check whether the role with SoD violations can be rejected or replaced with a role without SoD violations. 3. If the risk cannot be mitigated, attach the SoD compensating control worksheet document and submit the request. It will be routed to the SoD compliance team.
See: Performing risk analysis; Attachments
Question: I have received a request in the supervisor stage, but I am not the supervisor of the user in the request. What should I do?
Action: A supervisor should not approve requests for users he does not know. A request with an incorrect approver should be rejected with an appropriate comment.
See: Changing approval status for request and roles; Comments
Question: How do I check which transactions are in a requested role?
Action: Clicking on the role name in the request opens a new window with role details. The transactions can be found in the Actions tab of this window.
See: Changing approval status for request and roles
Question: How much time do I have to make decisions on the request?
Action: The approver has 14 days to make decisions on the request. The due date is displayed in the request header. If no decision is made within 14 days, the request is escalated to the ARM administrator.
Question: I will not have access to a computer for a longer time. What should I do?
Action: When a user knows that he will be offline for a longer time, he is required to delegate the authority to approve requests to another user.
See: Delegating authority
Question: Where is the SOD Compensating Control Work Sheet document stored?
Action: See the hyperlink to the GRC main training page: link
9. User interface elements
Filtering
Query results can be filtered.
Sorting
A column can be sorted in ascending or descending order by clicking the column name.
Active Query
Check that the entered information is displayed. If the information is not displayed, click Refresh at the bottom of the query.
Hide and Rearrange Columns
Columns can be hidden and their sequence changed. To change the presentation, click on Settings.
To hide, display or change the order of the columns, select the name of the header and then use the appropriate button.
The Sorting, Calculation, Filter, Display and Print settings can be maintained and saved as a user-specific view.
10. Appendix
Sony SOD Compensating Control Work Sheet
Document Purpose: This worksheet documents management's reliance on compensating internal controls where conflicts have been identified and either cannot or will not be remediated.
SPE Division:
Location:
Business Process:
Application(s):
User(s):
Duration:
Conflict Matrix
SOD Conflict #1: Risk Statement | Functions | Tcodes
SOD Conflict #2: Risk Statement | Functions | Tcodes
SOD Conflict #3: Risk Statement | Functions | Tcodes
Compensating Controls
ID | Control Name | Control Description | Frequency | Management Assertions | Who Performs Control
1 | | | | |
2 | | | | |
3 | | | | |
Sign-Off
Prepared By: Date:
Reviewed By: Date:
Reference(s):