

SONY PICTURES ENTERTAINMENT

SAP GRC UAM Approver guide

Information Technology
User Access Management

SAP GRC 10

SAP GRC UAM Approver guide

Integrated approach to SAP Security


Document History

Rev No.   Description              By                                   Date         Approved By
1.0       Draft version            Karolina Drzewiecka, Rafał Storta    05/28/2014   Beata Okaj
2.0       Input from Beata Okaj    Filip Nowak                          06/12/2014   Beata Okaj


Contents

1. UAM Terminology ........................................ 4
2. Notifications .......................................... 5
3. Logon to the NetWeaver Business Client (NWBC) .......... 9
4. Opening request from e-mail notification ............... 12
5. Request view ........................................... 13
6. Make decisions on access request ....................... 15
   6.1. Changing approval status for request and roles .... 15
   6.2. Add new roles to the request ...................... 17
   6.3. Performing risk analysis .......................... 18
   6.4. Forwarding request ................................ 21
   6.5. User details ...................................... 22
   6.6. Audit log ......................................... 23
   6.7. Comments .......................................... 24
   6.8. Attachments ....................................... 25
7. Delegating authority ................................... 27
8. Typical questions ...................................... 28
9. User interface elements ................................ 29
10. Appendix .............................................. 32


1. UAM Terminology

UAM – User Access Management process. The objective of the process is to grant new, extend or remove user access in SAP systems in a controlled way, ensuring all compliance and security requirements are met.

ARM – The Access Request Management (ARM) module of Access Control automates and documents the user access management process. The solution provides a workflow-based review and approval process.

Access requestor – person who initiates the User Access Management process by creating a user access request directly in SAP GRC.

Administrator – person who maintains the configuration of UAM and performs maintenance activities. The Administrator can perform UAM-specific tasks, such as cancelling UAM requests.

User direct supervisor – person who executes the first level of the User Access Management process by making a decision on the user access request directly in SAP GRC.

Role owner – person who executes the second level of the User Access Management process by approving the user access request for each corresponding role directly in SAP GRC.

Compliance SoD champion – person who supports the User Access Management process from the Segregation of Duties (SoD) risk perspective. This role actively participates in approving an access request when a new SoD risk is identified during the course of the access requesting process.

NWBC – NetWeaver Business Client (accessible via Internet browser or the dedicated NWBC software client) is a User Interface client that offers a single point of entry to SAP applications, in particular harmonized access to existing SAP GUI transactions and newly developed applications based on Web Dynpro.


2. Notifications

The ARM application sends eight types of notifications:

- When a request is submitted,
- When an approver receives a new UAM request,
- When an approver receives a forward with user(s) from another approver,
- When a request returns from a forward (forwarding with return),
- When a request is approved at a specified stage,
- When an approver receives a reminder after a long time without a decision on a UAM request,
- When a request is escalated,
- When a request is closed.

E-mail notifications contain useful links for the Reviewer:

- Direct link to the request,
- Direct link to the SAP GRC application,
- Direct link to the training materials for User Access Management.


3. Logon to the NetWeaver Business Client (NWBC)

Logon using web interface

Use the direct link to the GRC Production environment (GPR) in the IE web browser (Mozilla Firefox is recommended): https://sppgrc01.spe.sony.com:8081/nwbc

Enter your user name and password, and choose Log On.

Logon using NetWeaver Business Client

Log in to the selected system in the NetWeaver Business Client.

Logon using SAP GUI

Log in to the ABAP GRC 10 production client and enter your Username and Password. If you are missing SAP GUI logon data, please contact the SAP Security team.

Next, to work with SAP GRC ARM data, enter NWBC in the transaction field, then click the System OK icon. To open the request, go to the My Home tab, open the Work Inbox and click on the request subject.


4. Opening request from e-mail notification

To open a request from an e-mail notification, the user must click on the direct link to the request.

In the next step the user will be asked to log in to the system using the SAP username and password.

The request will be displayed automatically after login.


5. Request view

An access request consists of a header with general request information and six tabs:

- User access - information on line items,
- Risk Violations - information on risks arising from the roles in the access request,
- Users - users for whom the request is created,
- Audit log - detailed information on the request,
- Comments - comments added to the request,
- Attachments - files attached to the request.


Roles (line items) used in the access request are described in the User Access tab by the following attributes:

- Approval status - approve or remove on the selected stage in the approval path,
- Assignment - name of the role in the access request,
- System - system in which the role will be assigned,
- Risk violation - result of risk analysis,
- Role type,
- Requested role validity,
- Role owner,
- Comments,
- Provisioning actions - determines if the role will be assigned, removed or retained.


6. Make decisions on access request

The user can make various decisions on the request using the buttons in the request screen:

- Approve the selected role,
- Reject the selected role,
- Approve all decisions contained in the User Access tab,
- Reject the whole request by selecting the Reject action,
- Forward the request by selecting the Forward Request action,
- Show all roles currently assigned to the user,
- Add a new role.
  IMPORTANT: Only the user's direct supervisor can add or remove roles to the request.
- Remove a role from the request.
  IMPORTANT: Only roles added by the supervisor can be removed from the request.
- Perform risk analysis.

6.1. Changing approval status for request and roles

The approver has the ability to change the approval status for selected roles. Every role can be approved or rejected. To change the approval status, select the role and click the approve or reject button in the User Access tab to make the decision. The decision can also be made by selecting the appropriate action from the drop-down list located in the Approval Status column. Selected decisions are confirmed by clicking on the corresponding button. The user can also reject the whole request using the corresponding button and selecting the Reject option. The user has the possibility to check role details by clicking on the role name.


In a new window the system will display detailed information on the selected roles.

The list of transactions contained in the role can be found in the Actions tab.


6.2. Add new roles to the request

The user's direct supervisor has the ability to add roles to the request. To add new roles:

- Click on the corresponding button and select the Roles option; a new selection window will pop up on the screen.
  IMPORTANT: Only the user's direct supervisor can add or remove roles to the request.
- Role search criteria can be adjusted to your needs. For each role search you can extend (using the add button) or limit (using the remove button) the search criteria. To see the list of available search criteria, click on the first drop-down field and select the appropriate filter.
- Click on the search button. The system will provide a list of all roles available for the selected criteria.
- Using the role selection buttons you can select one, all or multiple roles (using CTRL + mouse click).

Role selection buttons:

- Single

- All


- Click on the corresponding button to add the selected roles to the request.

Added roles can be removed with the corresponding button.

IMPORTANT: Only roles added by the supervisor can be removed from the request.

6.3. Performing risk analysis

The approver has the possibility to perform risk analysis to check how new roles will impact the user's access. Executing risk analysis is an optional step for request approval.

IMPORTANT: Performing risk analysis is mandatory when new roles are added to the request. After risk analysis, the roles causing risk will be highlighted in red on the role tab; if you need additional input to find out which transactions are causing the conflict, you can also contact the SAP Security team.

To run Risk Analysis:

- Select System: RPR500 – SAP ECC production system
- Select Result Options:
  - Executive summary – lists the SoD risks (recommended)
  - Management summary – lists the SoD risks and users
  - Summary – provides information about transaction codes
  - Detail – the most detailed result option; provides information about the SAP roles which are causing the conflict
- Click on the run button to see if any SoD risks exist.


Risk Analysis - Executive Summary view

IMPORTANT: If you need additional input to find out which transactions are causing the conflict, you can also contact the SAP Security team.


Risk Analysis - Management summary view

Risk Analysis - Summary view



Risk Analysis - Detail view

IMPORTANT: If you need additional input to find out which transactions/authorizations are causing the conflict, you can also contact the SAP Security team.
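As an added illustration of what the four result options report (this is not code from the guide or from SAP GRC), the Python below simulates a user's access after provisioning, the existing roles plus the roles requested, and evaluates a small SoD rule set against it. The role contents, the function catalogue, the rule set and the user are constructed sample data; the only things taken from the guide are the four reporting levels and the idea that roles causing a risk are flagged on the User Access tab.

```python
"""Segregation-of-duties (SoD) risk analysis over an access request.

Added illustration, not code from the guide or from SAP GRC. The role
contents, function catalogue and rule set below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed role master data: role name -> transaction codes it grants.
ROLE_TCODES = {
    "Z_VENDOR_MASTER": {"XK01", "XK02"},   # maintain vendor master
    "Z_AP_INVOICE": {"FB60", "MIRO"},      # post vendor invoices
    "Z_AP_DISPLAY": {"FBL1N", "XK03"},     # display only, no SoD function
    "Z_PAYMENT_RUN": {"F110"},             # execute payment run
}

# Constructed function catalogue: business function -> tcodes that perform it.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02"},
    "INVOICE_POST": {"FB60", "MIRO"},
    "PAYMENT_EXECUTE": {"F110"},
}

# Constructed SoD rule set: risk id -> (risk statement, conflicting function pair).
SOD_RULES = {
    "RISK-01": ("Maintain vendor master and post invoices to it",
                ("VENDOR_MAINTAIN", "INVOICE_POST")),
    "RISK-02": ("Post invoices and release their payment",
                ("INVOICE_POST", "PAYMENT_EXECUTE")),
}


@dataclass
class Violation:
    risk_id: str
    statement: str
    user: str
    evidence: dict   # function -> {tcode: set of roles granting that tcode}


def tcode_index(roles):
    """Map each tcode to the roles (existing plus requested) that grant it."""
    index = {}
    for role in roles:
        for tcode in ROLE_TCODES.get(role, ()):
            index.setdefault(tcode, set()).add(role)
    return index


def analyze(user, existing_roles, requested_roles):
    """Simulate the user's access after provisioning and evaluate every rule.
    A rule fires only when both conflicting functions are reachable."""
    index = tcode_index(set(existing_roles) | set(requested_roles))
    violations = []
    for risk_id, (statement, pair) in SOD_RULES.items():
        hits = {}
        for func in pair:
            granted = {t: index[t] for t in FUNCTIONS[func] if t in index}
            if granted:
                hits[func] = granted
        if len(hits) == len(pair):
            violations.append(Violation(risk_id, statement, user, hits))
    return violations


def report(violations, option="executive"):
    """Render the result at the four levels the guide lists."""
    lines = []
    for v in violations:
        if option == "executive":            # risks only
            lines.append(f"{v.risk_id}: {v.statement}")
        elif option == "management":         # risks and users
            lines.append(f"{v.risk_id}: {v.statement} [user {v.user}]")
        elif option == "summary":            # transaction codes involved
            tcodes = sorted(t for g in v.evidence.values() for t in g)
            lines.append(f"{v.risk_id}: tcodes {', '.join(tcodes)}")
        elif option == "detail":             # roles causing the conflict
            for func, granted in v.evidence.items():
                for tcode, roles in sorted(granted.items()):
                    lines.append(f"{v.risk_id}: {func} via {tcode} "
                                 f"from {', '.join(sorted(roles))}")
        else:
            raise ValueError(f"unknown result option {option!r}")
    return lines


def roles_causing_risk(violations):
    """Roles the User Access tab would flag in red after the analysis."""
    return {role for v in violations for g in v.evidence.values()
            for roles in g.values() for role in roles}


if __name__ == "__main__":
    # Constructed request: user holds display + vendor maintenance, asks for invoice posting.
    found = analyze("JDOE", ["Z_AP_DISPLAY", "Z_VENDOR_MASTER"], ["Z_AP_INVOICE"])
    for opt in ("executive", "management", "summary", "detail"):
        print(f"--- {opt} ---")
        print("\n".join(report(found, opt)) or "no SoD risks")
    print("roles causing risk:", sorted(roles_causing_risk(found)))
```

The point the model makes is the one behind the mandatory analysis after adding roles: the requested role `Z_AP_INVOICE` is harmless on its own, and the risk only appears in combination with the `Z_VENDOR_MASTER` role the user already holds, which is why the analysis must run over existing plus requested access rather than over the request alone.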

6.4. Forwarding request

The user has the ability to forward the request to another approver for making a decision. To forward the request, click on the corresponding button and select the Forward Request option. After choosing the alternative approver, the application proposes two types of forwarding:

- Forwarding with return (check box selected),
- Forwarding without return (check box not selected).


Forward with return sends the user to a second approver for a draft decision to be made; after this the user is forwarded back to the first approver. The final decision is always taken by the first approver, regardless of the decision of the second, which is supporting information only.

Forward without return sends the user to a second approver. The decision of the second approver is final.

6.5. User details

The User Details tab provides information on the user for whom the request is submitted.


The User Details tab provides detailed information on the user for whom the request is created. The tab is divided into 5 areas:

- Personal section provides general information on the selected user,
- Communication section provides the user's contact data,
- Organization data provides the user's basic HR data such as manager or personnel number,
- Location section provides information on the place where the user is working,
- Company section provides information on the user's company and function.

IMPORTANT: User Details are imported via LDAP from the HR system. If they are incorrect or incomplete you can raise an IDM incident in the Global Service Desk.

6.6. Audit log

The Audit log tab contains the full request history. It presents, for example: the approval path, current and previous approvers, forwards, roles master data and administrative tasks executed on the request.


6.7. Comments

The Comments tab gives the ability to provide additional information on the request.


6.8. Attachments

The Attachments tab gives the possibility to preview previously added attachments and add new ones. The approver has the possibility to add files or links to the request. To add an attachment:

- Go to the Attachment tab,
- Press the corresponding button to add an attachment to the request,
- Choose Add file or Add link,
- Add the link or file,
- Press the corresponding button to insert the attachment in the request.

IMPORTANT: When SoD risks are identified, the SoD compensating control worksheet (see: Appendix) needs to be attached by the supervisor to the request to facilitate the Compliance request review. The document is stored on the dedicated GRC training page: link


The Attachment tab consists of the following elements:


7. Delegating authority

The approver can delegate his authority to approve requests to another user. To delegate authority:

- Go to My Home > Approver Delegation,
- Click on the corresponding button,
- Select the user to whom you will be delegating requests,
- Enter the delegation validity and status.

IMPORTANT: The selected user will have access to all requests in the approver's Work Inbox.


8. Typical questions

Question: What steps should I take as supervisor if a request was submitted with SoD violations?
Action:
1. Ensure what transactions are needed by the user.
2. Check if there is a possibility to reject the role with SoD violations or replace it with a role without SoD violations.
3. If the risk cannot be mitigated, attach the SoD compensating control worksheet document and submit the request. It will be routed to the SoD compliance team.
Section link: Performing risk analysis; Attachments

Question: I have received a request in the supervisor stage. I'm not the supervisor of the user in the request. What should I do?
Action: A supervisor should not approve requests for users that he doesn't know. A request with an incorrect approver should be rejected with an appropriate comment.
Section link: Changing approval status for request and roles; Comments

Question: How can I check which transactions are in the requested role?
Action: Clicking on the role name in the request will open a new window with the role details. Transactions can be found in the Actions tab of this window.
Section link: Changing approval status for request and roles

Question: How much time do I have to make decisions on the request?
Action: The approver has 14 days for making decisions on the request. The due date is displayed in the request header. If no decision is made within 14 days, the request will be escalated to the ARM administrator.

Question: I will not have access to a computer for a longer time. What should I do?
Action: When a user knows that he will be offline for a longer time, it is required to delegate the authority to approve requests to another user.
Section link: Delegating authority

Question: Where is the SOD Compensating Control Work Sheet document stored?
Action: See the hyperlink to the GRC main training page: link
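To make the routing rules of sections 6.4 and 7 and the 14-day due date above concrete, here is an added in-memory model (not code from the guide or from SAP GRC): a request moves between approvers through forwarding with or without return, a delegate may act on the delegating approver's inbox only inside the delegation's validity window, and an undecided request is escalated to the ARM administrator once its due date has passed. All approver names, role names, dates and the administrator account name are constructed.

```python
"""In-memory model of ARM request routing: forwarding with and without
return, approver delegation, and the 14-day due date with escalation.
Added illustration, not code from the guide or from SAP GRC; all names,
dates and roles are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

DECISION_DAYS = 14        # due date stated in the guide
ARM_ADMIN = "ARM_ADMIN"   # constructed account for the ARM administrator

@dataclass
class Delegation:
    delegate: str
    valid_from: date
    valid_to: date
    active: bool = True   # the "status" entered when delegating

@dataclass
class Request:
    req_id: str
    approver: str                     # who the current stage sits with
    submitted: date
    roles: dict                       # role -> "pending" | "approved" | "rejected"
    return_to: Optional[str] = None   # first approver while forwarded with return
    draft: dict = field(default_factory=dict)  # second approver's supporting decisions
    status: str = "open"

    @property
    def due(self):
        return self.submitted + timedelta(days=DECISION_DAYS)

DELEGATIONS = {}   # approver -> Delegation; the delegate sees that approver's whole inbox

def delegate(approver, to, valid_from, valid_to):
    DELEGATIONS[approver] = Delegation(to, valid_from, valid_to)

def may_act(req, actor, today):
    """The assigned approver, or a delegate whose delegation is valid today, may act."""
    if actor == req.approver:
        return True
    d = DELEGATIONS.get(req.approver)
    return (d is not None and d.active and d.delegate == actor
            and d.valid_from <= today <= d.valid_to)

def forward(req, actor, to, today, with_return):
    if not may_act(req, actor, today):
        raise PermissionError(f"{actor} may not act on {req.req_id}")
    req.return_to = req.approver if with_return else None
    req.approver = to

def decide(req, actor, today, decisions):
    """Record per-role decisions. During a forward with return they are only a
    draft and the request goes back to the first approver; otherwise they bind."""
    if not may_act(req, actor, today):
        raise PermissionError(f"{actor} may not act on {req.req_id}")
    if req.return_to is not None:
        req.draft = dict(decisions)
        req.approver, req.return_to = req.return_to, None
        return req.status
    req.roles.update(decisions)
    if all(s != "pending" for s in req.roles.values()):
        req.status = "closed"
    return req.status

def escalate_if_overdue(req, today):
    """Past the due date an open request is escalated to the ARM administrator."""
    if req.status == "open" and today > req.due:
        req.approver, req.return_to = ARM_ADMIN, None
        req.status = "escalated"
    return req.status

def demo():
    """Constructed walk-through; returns the observable outcomes."""
    d = date(2014, 6, 1)
    r1 = Request("REQ-1", "SUP1", d, {"Z_ROLE_A": "pending"})   # forward with return
    forward(r1, "SUP1", "SUP2", d, with_return=True)
    decide(r1, "SUP2", d, {"Z_ROLE_A": "approved"})             # advisory only
    decide(r1, "SUP1", d, {"Z_ROLE_A": "rejected"})             # first approver decides
    r2 = Request("REQ-2", "SUP1", d, {"Z_ROLE_B": "pending"})   # forward without return
    forward(r2, "SUP1", "SUP2", d, with_return=False)
    decide(r2, "SUP2", d, {"Z_ROLE_B": "approved"})             # final
    r3 = Request("REQ-3", "SUP1", d, {"Z_ROLE_C": "pending"})   # delegation window
    delegate("SUP1", "DEL1", d, d + timedelta(days=30))
    r4 = Request("REQ-4", "SUP1", d, {"Z_ROLE_D": "pending"})   # nobody decides
    return {
        "r1_draft": r1.draft["Z_ROLE_A"], "r1_final": r1.roles["Z_ROLE_A"],
        "r1_status": r1.status, "r2_final": r2.roles["Z_ROLE_B"], "r2_status": r2.status,
        "delegate_in_window": may_act(r3, "DEL1", d + timedelta(days=10)),
        "delegate_expired": may_act(r3, "DEL1", d + timedelta(days=40)),
        "stranger": may_act(r3, "OTHER", d),
        "on_due_date": escalate_if_overdue(r4, r4.due),
        "after_due_date": escalate_if_overdue(r4, r4.due + timedelta(days=1)),
        "escalated_to": r4.approver,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points mirror the guide's warnings: `may_act` grants a delegate the whole inbox of the delegating approver, which is exactly why the guide flags delegation as IMPORTANT, and the forward-with-return branch of `decide` never writes the second approver's decision into the roles, so the first approver's later decision is the only binding one.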


9. User interface elements

Filtering

Query results can be filtered.



Sorting

The column can be sorted in ascending or descending order by clicking the column name.

Active Query

Check if the entered information is displayed. If the information does not display, click Refresh at the bottom of the query.



Hide and Rearrange Columns

Columns can be hidden and the sequence can be changed. To change the presentation, click on Settings.

To hide, display or change the order of the columns, select the name of the header, and then use the appropriate button.

The Sorting, Calculation, Filter, Display, and Print Settings can be maintained and saved as user specific view.



10. Appendix

Sony SOD Compensating Control Work Sheet

Document Purpose: This worksheet will document management's reliance on compensating internal controls where conflicts have been identified and either cannot or will not be remediated.

SPE Division:
Location:
Business Process:
Application(s):
User(s):
Duration:

Conflict Matrix

SOD Conflict #1:   Risk Statement   Functions   Tcodes
SOD Conflict #2:   Risk Statement   Functions   Tcodes
SOD Conflict #3:   Risk Statement   Functions   Tcodes

Compensating Controls


ID   Control Name   Control Description   Frequency   Management Assertions   Who Performs Control
1
2
3

Sign-Off

Prepared By:          Date:
Reviewed By:          Date:
Reference(s):