Complex ERP systems are potentially susceptible to segregation of duties (SoD) issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users can be counterchecked against the real usage of SAP®
Profiling for SAP® Compliance Management Access Control and Segregation of Duties
Understand, Optimize and Control your Business and IT
Understand · Improve · Control
SAP® Services Partner delivering expertise for SAP® Solution Manager and SAP
NetWeaver® technologies with ASAP, Run SAP and BPM methodologies
Subject Matter
Page 2
Profiling for SAP supporting Security Compliance for SAP®
1. Profiling for SAP® Application
2. Access Management and Segregation of Duties
3. Project Support for SAP Blueprints
4. Optimization of Authorizations
Profiling for SAP for Compliance and Access Control
Page 3
“Profiling your SAP® Solution delivers our Clients all needed insights to understand, improve and control their Business and complex SAP® Landscapes.”
Heinz-Jürgen Scherer, CEO TransWare AG
Understand · Improve · Control
PROFILING FOR SAP APPLICATION
Standard application with tight SAP® integration, high automation
and flexible configuration
Page 4
SoD Analysis and the Process for Compliance
Page 5
1. Extract (Profiler into BI DB): Authorizations; Usage (Transactions, Reports, RFC Calls)
2. Define (Risk Rules): Critical activity groups; Activities conflict matrix; Predefined set of Risk Rules
3. Analyze (Analyzer producing Reports and Dashboards for Auditors and IT Security): Analytic reports and dashboards; Conflicts and potential conflicts of Accounts and/or Roles, Profiles
Profiling for SAP Product Components
Page 6
Profiling for SAP application customizing for SoD (configuration)
Definition of task groups: each specifies a set of tasks with identifiers
Assignment of critical transactions to task groups
Risk rules combining task groups with financial risk values
Includes best practice for configuration settings
Analytic Reports (examples)
Charts plotting risks and SoD issues per e.g. SAP module
Role Compliance Check: identifies roles that have SoD conflicts based upon the underlying transactions
User Compliance Check: identifies SoD conflicts in a user’s profile
SAP Solution Manager integration (optional)
Profiling for SAP® featuring SAP Compliance Management
Page 7
TransWare’s reengineering and optimization solution for SAP® delivers compliance and performance assessment and process analysis on any SAP® system or SAP® Industry Solution. It highlights process risks in a system review and leads to shorter project times with corresponding cost reduction.
The solution reveals the quality of the implementation by analyzing transaction logs, document types, user authorizations with roles and profiles, SAP® HR info types, SAP® customizing and object modifications, and other configuration items. It shows the overall picture of customizing and utilization of the current SAP® system with business-related KPIs.
Complex ERP systems are potentially susceptible to segregation of duties (SoD) issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users can be counterchecked against the real usage of SAP®. Results can be reported per job role, so you know what each role entails in terms of process activities, SAP® business blueprint process steps, SAP® roles and transactions.
Technical, Functional and Processual Analysis and Optimization of SAP
Access Control and Segregation of Duty
Profiling for SAP® smartly supports the Transition Phase from the As-Is Landscape into an optimized To-Be SAP® Landscape
Page 8
Diagram: As-Is Landscape → Transition → Optimized To-Be Landscape. Understand: Technical Analysis, Functional Analysis, Processual Analysis. Optimize: Business Reengineering, Process Management. Control: Compliance Management. Methodologies: ASAP Project Methodology, Run SAP Process IT Support.
Profiling for SAP® SoD Compliance is based on the technical, functional and processual analysis tool components.
ACCESS MANAGEMENT AND SEGREGATION OF DUTIES
Introduction of a cost-efficient compliance management
Page 9
Increased Focus on Security and Control
Page 10
Corporate scandals and fraud (Enron, Barings Bank, WorldCom, ...)
Security breaches (UCs, BC, Stanford, ...)
Regulatory Compliance
• Sarbanes-Oxley (SOX, EuroSOX)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Information Security Management Act of 2002 (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Joint Commission (TJC)
Security Risks, Security Compliance and Internal Controls
Page 11
Access Control
Do some users have too much access?
Sufficient access restrictions to private information?
Control for Segregation of Duties (SoD)
Every time a user is added, ensure his rights are not in conflict with SoD risk rules
When a user's profile is amended, the change must not cause any SoD conflict
Review the company's SoD requirements on a periodic basis
“Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives.”
(From MIT’s Guidelines For Financial Review and Control)
Callouts: Who has access to sensitive transactions? Are there any SoD violations?
Profiling for SAP® and SAP® Authorizations
Page 12
Profiling for SAP combines information from different data sources like SAP usage, user authorization and SoD configuration with BI-based reporting for a comprehensive security analysis.
Actions are subject to authorization checks that are performed before the start of a program or table maintenance and are mandatory for the SAP applications:
· Starting SAP transactions (authorization object S_TCODE)
· Starting reports (authorization object S_PROGRAM)
· Calling RFC function modules (authorization object S_RFC)
· Table maintenance with generic tools (authorization object S_TABU_DIS)
Profiling for SAP® Compliance Management
Page 13
Reduce time and efforts when providing ongoing information to internal and external auditors
Remove access or assign mitigating controls
Used during implementation of new SAP modules and processes or when optimizing SAP systems
Monitoring transaction and data access based on an SAP background job for 24/7 security and compliance control
Optionally runs on a central SAP Solution Manager to manage complex SAP landscapes as a non-invasive solution
Web-based BI solution based on a Business Warehouse for Compliance Management
A Software Solution for SAP Project and Compliance Process Support
Profiling for SAP® Compliance Application
Page 14
Useful during all phases of the deployment lifecycle
Design – Identify roles, build composite roles based upon team requirements
Implementation – Test and verify SoD compliance of roles
Production – Ensure compliance of existing users and roles
Tight integration within SAP to manage complex SAP landscapes and to leverage SAP standards
Applicable to SAP’s ERP, CRM, SCM and other ECC-based products
Web-based, non-invasive product that requires no deployment on SAP production systems
A solution for compliance management based on standard software
Profiling is a configurable custom application with integration into SAP that ensures all users’ authorizations are compliant with the company’s compliance rules
Set of Risk Rules based on SoD conflicts and critical actions
Page 15
Set of Risk Rules for different business domains like FI-GL, MM, SAP Basis, CRM, etc.
Define SoD rules and critical actions and add standard or custom transactions to the rule set
Define rules on Functional, Transactional or the most detailed Authorization-Object level
Define critical rules with high financial risks or potential security risks
Modify predefined configuration with a set of rules for SoD best practice
Diagram: Risk Rule Set = SoD Rules (Function and Transaction, Authorization Object) + Critical Actions (Function, Transaction, Authorization Object); each rule is defined at Function, Transaction or Authorization-Object level.
Procedure for the Definition of SoD Risk Rules on a Functional Level
Page 16
1. Define SoD Functions (logical group of tasks)
Example:
Function A: Process Sales Order
Function B: Maintain credit master data
2. Assign Transactions to SoD Functions
Example:
Function A – V-01, VA01, VA02, …
Function B – FD24, FD32, FD37, …
3. Define and Characterize the SoD Functions with Risk Rules
Define a conflict: Function A & Function B
Characterize the conflict with financial risk indicators:
• High, Medium, Low
Exclude rules from the predefined configuration as N/A for your organization with a description
Diagram: Define Functions → Assign Transactions → Define Conflicts and Risks
Examples for SoD Activities and Transaction Groups
Page 17
Description of Task Groups                          SAP Transactions
Group A: Process sales orders
  Create sales order                                V-01
  Create sales order                                VA01
  Change sales order                                VA02
Group B: Maintain credit master data
  Credit limit changes                              FD24
  Change customer credit management                 FD32
  Credit management mass change                     FD37
  Credit management mass change                     F.34
  Customers: Reset credit limit                     F.28
  Credit Limit Data mass change                     S_ALR_87009999
  Reset Credit Limit for Customers                  S_ALR_87012220
SoD Conflict Matrix
Page 18
Function AND Separated Function | Potential Risk | Risk Level (X, M, H)
Maintain credit master data AND Process sales orders | User can increase a customer credit limit and then process sales orders for that customer, leading to irrecoverable debt. | M
Maintain contract/scheduling agreement AND Process sales orders | User can create a fictitious contract and then create sales orders against that contract. | M
Customer master data maintenance AND Process sales orders | User can create a fictitious customer and create orders for delivery to them, thereby misappropriating goods. | M
Process sales orders AND Process outbound deliveries | User can create/change sales orders and deliveries to hide the misappropriation of goods. | H
Process sales orders AND Maintain sales deal | User can create sales orders and maintain pricing, therefore overcharging customers or giving them unauthorized discounts. | M
Critical Transactions and assigned Risks
Page 19
Transaction   Description                          Risk
FI12          Change House Banks/Bank Accounts     Financial Risk
PA30          Maintain HR Master Data              Access HR data
SCCL          Local Client Copy                    System stability & integrity at risk
SE11          Data Dictionary Maintenance          System stability & integrity at risk
PFCG          Role Maintenance                     Security Risk
SM49          Execute OS commands                  System stability at risk
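As an added worked example (not TransWare's or SAP's own code) of the procedure on Pages 16 to 19, the following Python models the task groups, the conflict matrix and the critical transactions above, matches them against S_TCODE authorization values (including the ‘*’ wildcard of Page 29) and against recorded usage, and separates actual from potential conflicts; the T-codes assumed for “Process outbound deliveries” and the sample accounts are constructed.

```python
"""Risk-rule check over SAP transaction codes, added here to illustrate the
procedure on Pages 16 to 19 (not TransWare's or SAP's own code): SoD functions
built from T-codes, conflict rules with a risk level, critical single actions,
and the countercheck of S_TCODE authorizations against real usage."""
from fnmatch import fnmatchcase

# Steps 1 and 2: SoD functions and the transactions assigned to them (Page 17).
# "Process outbound deliveries" appears in the matrix without T-codes; the
# VL01N/VL02N assignment is a constructed assumption.
FUNCTIONS = {
    "Process sales orders": {"V-01", "VA01", "VA02"},
    "Maintain credit master data": {"FD24", "FD32", "FD37", "F.34", "F.28",
                                    "S_ALR_87009999", "S_ALR_87012220"},
    "Process outbound deliveries": {"VL01N", "VL02N"},
}
# Step 3: conflicting function pairs with risk level X/M/H (Page 18).
SOD_RULES = [
    ("Maintain credit master data", "Process sales orders", "M"),
    ("Process sales orders", "Process outbound deliveries", "H"),
]
# Critical single transactions (Page 19); one T-code alone is a finding.
CRITICAL_TCODES = {"FI12": "Financial Risk", "PA30": "Access HR data",
                   "PFCG": "Security Risk", "SM49": "System stability at risk"}
RISK_ORDER = {"X": 0, "M": 1, "H": 2}

def tcode_authorized(tcode, s_tcode_values):
    """S_TCODE field TCD: '*' alone grants every T-code, 'VA*' a prefix range."""
    return any(fnmatchcase(tcode, v) for v in s_tcode_values)

def authorized_functions(s_tcode_values):
    """Functions a user could exercise with the S_TCODE values in their profiles."""
    return {f for f, txs in FUNCTIONS.items()
            if any(tcode_authorized(t, s_tcode_values) for t in txs)}

def used_functions(usage_log):
    """Functions actually exercised; usage_log is the list of executed T-codes."""
    executed = set(usage_log)
    return {f for f, txs in FUNCTIONS.items() if txs & executed}

def sod_conflicts(s_tcode_values, usage_log):
    """Tuples (function_a, function_b, risk, status), highest risk first.
    'actual' = both functions were executed, 'potential' = only authorized.
    The rule is breached either way; the status orders the remediation queue."""
    auth, used = authorized_functions(s_tcode_values), used_functions(usage_log)
    found = [(a, b, risk, "actual" if {a, b} <= used else "potential")
             for a, b, risk in SOD_RULES if a in auth and b in auth]
    return sorted(found, key=lambda c: -RISK_ORDER[c[2]])

def critical_actions(s_tcode_values):
    """Critical transactions the user may start, with the assigned risk text."""
    return {t: r for t, r in CRITICAL_TCODES.items()
            if tcode_authorized(t, s_tcode_values)}

def needless_functions(s_tcode_values, usage_log):
    """Authorized but never used: removal candidates (Page 37, needless access)."""
    return authorized_functions(s_tcode_values) - used_functions(usage_log)

# Constructed sample accounts (S_TCODE values, executed T-codes), not deck data.
SAMPLE = {
    "BASIS_ADMIN": (["*"], ["SM49", "SE11"]),            # '*' = ALL, as on Page 29
    "SALES_CLERK": (["VA*", "V-01", "FD32"], ["VA01", "VA02", "FD32"]),
    "PICKER": (["VL*"], ["VL01N"]),
}
```

Running sod_conflicts, critical_actions and needless_functions over SAMPLE flags BASIS_ADMIN with two potential conflicts (H first), all four critical actions and three unused functions, SALES_CLERK with one actual medium-risk credit/sales conflict, and PICKER with nothing.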
Excel to define Risk-Rules for Business-Domains
Page 20
SOD RULES
Configuration of Rules
Page 21
SoD Rules on Functional Level
Page 22
SoD Conflict Matrix on Functional Level
Page 23
X=Financial Risk Exists, M = Medium Risk, H = High Risk
Critical Combinations on Functional Level with Details
Page 24
SAP CONFIGURATION
SoD Rules and SAP® Authorizations
Page 25
Roles & Profiles with SoD Transactions included
Page 26
Shows Transactions used for SoD rules assigned to Authorization Objects
Identify all Authorizations Objects with potential risks.
SoD Conflicts with Risks for specific Composite-Roles
Page 27
Also available for specific Single-Roles and Profiles
CUSTOMIZED RISKS IN SAP
Standard or customized profiles and user assignment
Page 28
Potential Risks with Accounts customized in SAP
Page 29
X=Financial Risk Exists, M = Medium Risk, H = High Risk
ALL = ‘*’ in Authorization
16 Conflicts for 21 Accounts
At least one high financial risk in 485 conflicts for 3 users
Actual Risks in Execution of SAP
Page 30
SAP USAGE
SAP Objects, Usage and Authorizations
Page 31
SAP Modules, used Transactions and Authorizations
Page 32
Accounts, Authorizations and Transaction Usage
Page 33
…and many more analytic reports
Page 34
Benefits
Page 35
Using the same kind of tools used by chartered accountants reduces service costs for external audit and advisory
Reduction of project efforts and establishment of SoD-compliant authorizations from the start
Fully automated SoD analysis reduces TCO for the ongoing security control process
Auditors and IT security staff work on functional level even for complex authorization scenarios
Avoidance of manual analysis and false positive assessments
Flexible configuration includes custom “Z” transactions or external applications like Portals using BAPI or direct RFC calls
Easy identification of users with access to sensitive data by internal security teams lowers costs of the compliance process
OPTIMIZATION OF AUTHORIZATIONS
Slimline authorization management of complex SAP®
landscapes
Page 36
Slimline your SAP® Authorization Management
Page 37
Identify needless access rights by SAP Modules, Accounts, Transactions, …
Optimize your custom roles by identifying critical roles and access overlap
Set up segregation of duties by best practice and company compliance
Example Report: callout “Assigned Role not relevant for execution of the custom ‘Y’ transaction YXPROC”
Benefits
Page 38
Efficient establishment of a tradeoff between Business Requirements and Company Compliance
Substantial reduction of project efforts in company compliance initiatives
Simplification of information access to complex SAP data for company auditors reduces costs for the compliance process
Uniform use of tools by chartered accountants reduces external audit and advisory services costs
Allows the handling of complex SAP landscapes with automatic data retrieval and cross-SAP-system analytics
Automatic monitoring of changes of user authorizations given by organizational requirements lowers costs for audits and security control
PROJECT SUPPORT FOR SAP BLUEPRINTS
Being compliant from the beginning
Page 39
Blueprinting with ASAP and SAP Solution Manager
Page 40
SAP® Solution Manager (SSM) is the SAP® tool that supports the plan, build and run aspects of ERP solutions based on SAP® NetWeaver and covers all needs for ITIL-compliant application lifecycle management (ALM). SAP® describes ALM by the Run SAP® operational support methodology and the Accelerated SAP® (ASAP) project methodology. SSM serves as an interface between technology and business processes.
For SAP solution development like upgrades or implementations, the SAP solution is consistently documented in SSM by the Blueprint, which describes the business processes and the resulting system configuration. An important part of SAP solution development is the configuration of organizational structures and optimized business and security compliance requirements.
Profiling for SAP® supports this aspect of SAP ALM to lower development and maintenance costs and improve process and compliance quality.
SAP Blueprint Procedure for Compliant Authorizations
Page 41
Support ASAP methodology and SAP Solution Manager projects
Define your functional Task Groups in SAP Solution Manager as Jobs or Org.-Units as End-User-Roles
Set up the Blueprint Process Structure by Business Process Management methodology, including organizational assignments to End-User-Roles
Assign Transactions manually or use predefined Reference Models with T-Codes assigned, like the SAP Business Process Repository (BPR)
Run Reports to analyze organizational Access Requirements
Automatically identify the right standard SAP roles or profiles (where supported)
Customize Roles (PFCG) and assign users
Run analytic reports for SoD compliance and risk control
Diagram: Define Blueprint → Analyze Access Requirements → Define Roles and User Access
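The Analyze Access Requirements step above, as an added illustration (not TransWare's code): from an exported Blueprint structure (process steps with assigned T-codes and End-User-Roles, as on Pages 42 and 43) derive each End-User-Role's required T-codes, the cross-reference from T-code to roles, the access overlap between roles, and the entries of a built PFCG role that no blueprint step needs; the blueprint rows and role names are constructed samples.

```python
"""Deriving End-User-Role access requirements from an exported SAP Blueprint
structure, added here to illustrate Pages 41 to 43 (not TransWare's code).
Blueprint content and role assignments are constructed samples."""
from itertools import combinations

# Exported blueprint rows: scenario, process, process step, T-codes assigned to
# the step, and the End-User-Roles (jobs / org units) assigned to the step.
BLUEPRINT = [
    ("Order to Cash", "Sales Order Processing", "Create sales order",
     {"VA01"}, {"Sales Clerk"}),
    ("Order to Cash", "Sales Order Processing", "Change sales order",
     {"VA02"}, {"Sales Clerk"}),
    ("Order to Cash", "Credit Management", "Change credit limit",
     {"FD32"}, {"Credit Controller"}),
    ("Order to Cash", "Delivery", "Create outbound delivery",
     {"VL01N"}, {"Warehouse Clerk"}),
    ("Order to Cash", "Delivery", "Change outbound delivery",
     {"VL02N"}, {"Warehouse Clerk", "Sales Clerk"}),
]

def access_requirements(blueprint):
    """End-User-Role -> T-codes its process steps need: the functional access
    requirement from which a technical PFCG role is built later."""
    req = {}
    for _, _, _, tcodes, roles in blueprint:
        for role in roles:
            req.setdefault(role, set()).update(tcodes)
    return req

def cross_reference(blueprint):
    """T-code -> End-User-Roles whose process steps use it (Page 43)."""
    xref = {}
    for _, _, _, tcodes, roles in blueprint:
        for tcode in tcodes:
            xref.setdefault(tcode, set()).update(roles)
    return xref

def access_overlap(blueprint):
    """Role pairs sharing T-codes: candidates for a common single role, or for
    review when the shared step should actually be separated between them."""
    req = access_requirements(blueprint)
    return {(a, b): req[a] & req[b]
            for a, b in combinations(sorted(req), 2) if req[a] & req[b]}

def needless_in_role(role_tcodes, blueprint, role):
    """T-codes of a built PFCG role that no blueprint step of that role needs."""
    return set(role_tcodes) - access_requirements(blueprint).get(role, set())
```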
SAP Solution Manager for SAP Blueprints
Page 42
Optimized user authorizations from project start-up
Diagram: SAP Blueprint with Masterdata, Org.-Unit Data, Scenarios, Processes, Process-Steps, Transactions and Documentation; Process-Steps with Assigned Transactions; Assign End-User-Roles to Process-Steps, Master-Data or Organizational-Unit Data
SAP Solution Manager for SAP Blueprints
Page 43
Export the Blueprint structure for analytic reporting
Diagram: SAP Blueprint Structure (SAP Project) with Assigned Users, Jobs, Org.-Units; Cross-Reference between Objects (T-Code, Forms, Reports etc.) and End-User-Roles
Benefits
Page 44
Support of SAP Solution Manager improves the SAP Blueprint business process definition in terms of Compliance and Risk Management
Synchronize organizational structures, functional access requirements, business processes and access control for slimline, fine-tuned and fully SoD-compliant SAP authorizations
Leverage SAP tools, methodologies and best practice by a tight SAP integration with a BI-based solution that reduces SAP® project planning and implementation efforts
Reduce SAP maintenance efforts by consistent business process and security control documentation
Ensure compliance through SAP improvements like ERP Enhancement Packages and organizational changes
Define authorizations on functional level and support setup of technical roles and profiles.
Solutions by TransWare
Page 45
TransWare Software Solutions AG
Fritz-Wunderlich-Str. 49
66869 Kusel
Germany
Phone: +49-(0)6381-916-0
Email: info@transware.de
Web: www.transware.de
All product, service and company names mentioned herein are for identification purposes only and may be
trademarks or registered trademarks of their respective owners