7/26/2019 SAP Roles and Authorizations
http://slidepdf.com/reader/full/sap-roles-and-authorizations 1/98
SAP Authorizations and GRC
By: Ravi B Hemanth
Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Objectives
- Learn how a role is built up in SAP, what role-based access is and why it is important.
- Understand why security and Segregation of Duties (SoD) is important in SAP.
- Understand the business value and usage of the applications in the SAP GRC Access Control Suite.

Why is security important in SAP?
- Data theft and espionage is a growing crime; several examples where millions have been lost in damages.
- Intruders target user profiles with extended authorizations.
- Long-term damages include financial damages, image loss, declined stock, law suits and compliance violations.

Figures
- U.S. fraud costs were $52.6 billion in 2005
- Intellectual property theft costs U.S. companies between $200 billion and $250 billion a year in sales

Famous scandals
- WorldCom: Lost $127 billion in market value. 24 000 people lost their jobs. Share value $62 to $0.20 in less than 3 years.
- Enron: Lost $19 billion in market value. 5500 people lost their jobs.

Who are they?
Paul Sarbanes, Michael Oxley

Sarbanes-Oxley (SOX)
- In 2001/2002 large US companies like Enron or WorldCom went bankrupt.
- Their management had hidden and changed financial data and betrayed investors.
- In 2002 the Sarbanes-Oxley Act was made law to establish better controlling and accounting transparency.
- The strongest focus is on Internal Controls.

Why SOX?
- All companies that are registered on the NYSE/NASDAQ stock market must be compliant with SOX.
- Massive impact for large enterprises who had to take measures to ensure internal control.
- SOX has generated thousands and thousands of hours of consultant work. There will be a similar law within the EU: "Euro SOX".

Segregation of Duties
Definition:
"Key duties and responsibilities in authorizing, processing, recording and reviewing official business transactions must be separated among individuals to reduce the risk of error or fraud".
Applied on our client:
"One person should not control all stages of a process, a situation in which error or irregularities could occur without detection".

SAP Security Concept for Roles and Authorizations

SAP example
[Diagram: SAP modules Production Planning, Materials Management, Finance and Controlling, Sales and Distribution, Human Resources; user Mr. Smith]
As a Financial Accountant, Mr. Smith probably has job duties that involve accessing components of the Finance and Controlling module (FI/CO).

Transactions
- A user performs tasks in SAP by entering transaction codes.
- A transaction code is a command that takes the user to a certain program in the SAP system.
- The term "transaction" is usually used to refer to the program that is run when the corresponding transaction code has been entered.
- For example, the user enters the transaction code FB02 to run the transaction/program that is used to change documents in the general ledger.

Example: FB02
[Figures: FB02]

SAP Security model overview
[Diagram labels: User Master Record, Authorization, Authorization field, Authorization Object, Simple Profile, Composite Profile, Authorization Profiles]

User Master Record
Example of a User Master Record:
- User Name
- Initial Password
- User Group
- User Type
- Valid Dates
- Authorization Profiles

Profiles
[Diagram labels: Composite Profile; Simple Profile B; Allow Change access to documents; Allow Display access to documents; Simple Profile A]

Authorization Object
[Figure: Authorization Object]

Authorization field
[Diagram labels: Authorization field, Data Dictionary, Data Element, Authorization Object]

Authorizations
[Diagram labels: Authorization, Authorization fields, Authorization Object; EXAMPLE: S_TCODE; EXAMPLE: TCD; EXAMPLE: FB02; EXAMPLE: FB03]

Object     Field name   Value
S_TCODE    TCD          FB02
S_TCODE    TCD          FB03

Auth. object check under transactions
[Diagram labels: Transaction, Object, Activity (Maintain, Display), Company Code, Company Code value]

[Figure: FB02]

Authorization check
ABAP/4 Code:

    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD s_bukrs     " company code being accessed
      ID 'ACTVT' FIELD '02'.       " activity 02 = change
    IF sy-subrc <> 0.              " no matching authorization
      MESSAGE E002(I) WITH text-200 s_bukrs.
    ENDIF.

[Callout on the code: Authorization Object]

ST01: Trace Display

SAP Access: Role concept
- Historically, users were given SAP access by direct assignment of Profiles, but to facilitate a more business-oriented access management, the role layer was added.
- Roles were added as an additional abstraction level, in order to facilitate authorization design.
- Compare to object-oriented programming instead of programming in machine language.

Access Hierarchy
[Diagram: User -> Composite role -> Single role -> Profile -> Authorization object -> Field -> Value]
Legend:
- U = User
- C = Composite role
- S = Single role
- P = Profile
- A = Authorization object
- F = Field
- V = Value
Example labels in the diagram: MR. SMITH (user); FINANCIAL ACCOUNTANT; GENERAL LEDGER JOURNALS MAINTAIN; S_TCODE; TCD; FB02, FB03

Profiles
- Single roles hold a 1:1 mapping towards Profiles.
[Diagram: User (MR. SMITH) -> Composite role (FINANCIAL ACCOUNTANT) -> Single role (GENERAL LEDGER JOURNALS MAINTAIN) -> Profile]

Single roles
- A Single Role corresponds to a job task in the system, for example General Ledger Journals Maintain.
[Diagram: User (MR. SMITH) -> Composite role (FINANCIAL ACCOUNTANT) -> Single role (GENERAL LEDGER JOURNALS MAINTAIN)]

Composite roles
- A Composite Role corresponds to a job role in reality, for example Financial Accountant.
- All users in the SAP systems have at least one and usually several Composite Roles assigned to them.
- A Composite Role is a predefined collection of Single Roles that have a relation to each other, and that together give the necessary access for the user to fulfil a certain job role.
[Diagram: User (MR. SMITH) -> Composite role FINANCIAL ACCOUNTANT (TECHNICAL NAME: RMUS_0_CCC0_FIN:003)]
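
The hierarchy and the authorization check described above, modelled as an added example (not code from the original slides or from SAP). The company codes 1000 and 2000 are constructed, and running the S_TCODE check and then the F_BKPF_BUK check in sequence for FB02/FB03 is a modelling assumption. It shows that one single authorization must cover every checked field; values are not combined across authorizations.

```python
from dataclasses import dataclass, field


@dataclass
class Authorization:
    obj: str       # authorization object, e.g. "S_TCODE"
    values: dict   # field name -> list of allowed values ("*" = wildcard)


@dataclass
class Profile:
    authorizations: list


@dataclass
class SingleRole:          # a job task; maps 1:1 to a profile
    name: str
    profile: Profile


@dataclass
class CompositeRole:       # a job role; a collection of single roles
    name: str
    single_roles: list


@dataclass
class User:
    name: str
    composite_roles: list = field(default_factory=list)

    def authorizations(self):
        """Walk user -> composite role -> single role -> profile."""
        for composite in self.composite_roles:
            for single in composite.single_roles:
                yield from single.profile.authorizations


def value_matches(allowed: str, wanted: str) -> bool:
    """'*' allows everything, 'FB*' allows a prefix, otherwise exact match."""
    if allowed.endswith("*"):
        return wanted.startswith(allowed[:-1])
    return allowed == wanted


def authority_check(user: User, obj: str, **wanted) -> bool:
    """True corresponds to sy-subrc = 0 after AUTHORITY-CHECK.

    The check passes only if ONE authorization of the object covers
    ALL requested field values.
    """
    for auth in user.authorizations():
        if auth.obj != obj:
            continue
        if all(
            any(value_matches(a, w) for a in auth.values.get(fname, []))
            for fname, w in wanted.items()
        ):
            return True
    return False


def can_run(user: User, tcode: str, bukrs: str, actvt: str) -> bool:
    """Transaction start check, then the document check from the ABAP slide."""
    return authority_check(user, "S_TCODE", TCD=tcode) and authority_check(
        user, "F_BKPF_BUK", BUKRS=bukrs, ACTVT=actvt
    )


def build_mr_smith() -> User:
    """Mr. Smith as on the slides; company codes are constructed."""
    gl_maintain = SingleRole(
        "GENERAL LEDGER JOURNALS MAINTAIN",
        Profile([
            Authorization("S_TCODE", {"TCD": ["FB02", "FB03"]}),
            # change (02) and display (03) in company code 1000
            Authorization("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["02", "03"]}),
            # display only in company code 2000
            Authorization("F_BKPF_BUK", {"BUKRS": ["2000"], "ACTVT": ["03"]}),
        ]),
    )
    return User("MR. SMITH", [CompositeRole("FINANCIAL ACCOUNTANT", [gl_maintain])])


if __name__ == "__main__":
    smith = build_mr_smith()
    for tcode, bukrs, actvt in [
        ("FB02", "1000", "02"),
        ("FB02", "2000", "02"),
        ("FB03", "2000", "03"),
        ("FB01", "1000", "02"),
    ]:
        print(tcode, bukrs, actvt, can_run(smith, tcode, bukrs, actvt))
```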

PFCG: Role Maintenance
[Figure caption: The technical name for Financial Accountant.]

Single roles
[Figure: Single roles]

Display Authorization Data
[Figures: Display Authorization objects and values]

Summary
- User master records, profiles, transactions, objects etc.: generic technical design in all SAP systems.
- Composite role/Single role concept: built-in possibilities in SAP that is used as best practice.
- How can the role concept be used to perform Segregation of duties? To be SOX compliant?

Sarbanes-Oxley (SOX) compliance and Segregation of Duties (SoD)

Sarbanes-Oxley and Segregation of Duties
- The Sarbanes-Oxley act (SOX) is intended to ensure the correctness of US companies' accounting
- One effect of SOX is referred to as the Segregation of Duties (SoD) directive
- The SoD directive stipulates that no person must control several key steps in a connected process
[Diagram labels: Approve Purchase Order, Receive Goods, Clear Vendor, Enter Goods Receipt; Authorization, Custody, Record, Control]

What is the impact of SOX and SoD on Roles and Authorizations in SAP?

Access Control Systems

Mandatory Access Control (MAC)
- Access objects and users classified on a linear security scale (e.g. Level 1, Level 2, ...)
- If the user's security permission "level" exceeds that of the object's, the user is granted access to that object

Discretionary Access Control (DAC)
- Each user is able to pass on the permissions he or she has to other users
- A user is given access to an object if he or she has been given access to it by another user
- There is commonly one user with irrevocable access to all access objects (e.g. root, administrator, ...)

Role Based Access Control (RBAC)
- Access is granted by assigning each user one or more access roles
- Each user is given access to the objects that his or her roles specify
- A user may be given access either by new roles or by changing a role that the user already has
- High versatility, low maintenance

Role Based Access
Role Architecture
- A library of roles must be built and maintained
- Principles must be established and followed for the role library to remain consistent
Role Provisioning
- Provisioning is the process by which users are given new roles
- Slow provisioning costs money in lost productivity
[Diagram label: SOX directives]

Role Architecture

Role Architecture
[Diagram: one Access Role holding the permissions Enter Goods Receipt and Clear Vendor]
- No role must contain internal SoD risks
  - Control over several steps in a process would mean that no user could have this role

Role Architecture
Role Based Access Design Principles
- Each access role mapped to a job role
- Global template roles define action level security: "what"
- Locally derived roles define data level security: "where"

Access Roles vs. Job Roles

Role Architecture
- An access role is a role defined in the system; a job role is a real-world role
  - An access role contains all permissions needed to perform the tasks needed to complete the job role
  - Permissions = Actions + Data Access
- Benefit: Access roles are free from internal SoD risks, as long as job roles are
[Diagram: User (e.g. a financial accountant) -> Access role Financial Accountant -> Permissions, e.g. change G/L document, post G/L document]
[Diagram: User (e.g. a sales assistant) -> Access role Sales Assistant -> Permissions, e.g. create sales orders, change sales orders]

Role Architecture
- Action level security?
- Data level security?

Role Architecture
[Diagram: Access role template Financial Accountant; Permissions: TCODE: FB]
- Action level security defines access to activities
  - In SAP, action level security can be thought of as access to transactions
- Action level security is specified on a global level
  - A financial accountant has the same access irrespective of which country he or she works in

Data level security

Role Architecture
- Data level security defines access to data
  - Access to display/maintain certain company codes, sales organizations, plants, etc.
- Locally derived roles define data access

Global Template Role, e.g. Financial Accountant - Template
  TCODE: FB
  ACTVT: *
  BUKRS: *
Local Role, e.g. Financial Accountant - Sweden
  TCODE: FB
  ACTVT:
  BUKRS: 0
Local Role, e.g. Financial Accountant - China
  TCODE: FB
  ACTVT:
  BUKRS: 10

Role Provisioning

Role Provisioning
- No person must be given roles that give access to several steps in a connected process
- Segregation is possible by process or geography
[Diagram: Mr. Smith with the access roles Financial Accountant Sweden, Billing Administrator Sweden, Security Advisor Sweden and Billing Administrator Norway; combinations marked "OK" (process separation), "OK" (geographic separation) and "SoD Risk"]

Role Provisioning
Traditional
- User admin team grants access based on line manager demands
- Access applied for on an as-needed basis
- User admin team responsible for security while business is trying to operate
Role Based Access
- Role provisioning flow controlled entirely by business
- Access applied for on a job role basis
- Business is responsible for maintaining security and operational effectiveness

Role provisioning process

Role Provisioning
- Role provisioning flow controlled entirely by business
- Business is responsible for maintaining both security and operational effectiveness
- Access applied for on a job role basis
[Diagram steps: Application; Business approval; Security approval; Assignment]
7/26/2019 SAP Roles and Authorizations
http://slidepdf.com/reader/full/sap-roles-and-authorizations 56/98
?0 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions imited 2010! "ll rights reser#ed$ also regarding
an% disposal$ e&ploitation$ reproduction$ editing$ distribution$ as 'ell as in the e#ent o( applications (or industrial propert% rights!
g
6h% is a business appro#al needed7
Role )ro#isioning
7/26/2019 SAP Roles and Authorizations
http://slidepdf.com/reader/full/sap-roles-and-authorizations 57/98
?1 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions imited 2010! "ll rights reser#ed$ also regarding
an% disposal$ e&ploitation$ reproduction$ editing$ distribution$ as 'ell as in the e#ent o( applications (or industrial propert% rights!
g
Business approval
SOX requires that a valid business reason for the order must exist
Verify that the requested role matches actual personal identity and job role
Verify that the end-user has a need to know of the information that will be available via the role
Security approval
Security approval
The security approval checks that no SoD risks appear for the user
Verify that no SoD risks appear for the user
Verify that user is not given access to unnecessary critical actions (create users, change roles, etc.)
Verify that user is not given access to display sensitive data (financial statements etc.)
SOX Audits
What SoD risks do you have?
Do you have proof that all access is properly authorized?
How do you ensure the consistency of your roles?
How are sensitive activities monitored?
SAP GRC Suite
VIRSA systems
In April 2006, SAP bought VIRSA systems and started transforming the VIRSA suite into SAP GRC
VIRSA stands for "Versatile Innovative Risk and Security Administration"
US company, founded in 1996
Today more than one million end users are subject to compliance at more than 170 customers worldwide
Major references (Vodafone, IBM, Unilever, Panasonic, BASF, Boeing, Burger King, Sony, Nortel, Siemens, Gillette)
Virsa provides the only solutions that monitor and enforce business controls in real time across enterprise systems
Virsa is the global leader in cross-enterprise compliance solutions
The company is privately funded with venture investment from SAP Ventures, Kleiner Perkins Caufield & Byers, and Lightspeed Venture Partners.
SAP GRC Suite overview
[Diagram: SAP GRC Suite overview. Labels: Access Enforcer, SAP Compliance Calibrator, Access in FireFighter, FireFighter logs, Role Expert, "connection is possible", Online ordering tool]
[Diagram: SAP GRC Suite components. Labels in order of appearance: Fail-safe risk prevention; Access Enforcer; SoD analysis, critical transaction monitoring, & preventive simulation; SAP Compliance Calibrator by Virsa Systems; Role management; Role Expert; Superuser access control; Firefighter; Provisioning; Risk Terminator; Cross Enterprise Risk Management; Enterprise Portals Risk Manager]
Compliance Calibrator
Part of the SAP GRC Suite
Core application of the suite
Uses the ERP Risk Framework (within "Rule Architect") for SoD risk analysis of users
SAPgui based (4.0, current version)
Web based NetWeaver (5.2, release 3 2007)
Source of ERP risk framework used for all SoD analysis
Is used to monitor users, roles, risks and mitigation controls
Compliance Calibrator increases visibility regarding SoD and assists in managing risks and users
Risk Definition
Rule Architect
Selection Screen (Cockpit)
[Diagram: User Analysis. Labels: two risk definitions; Function A, Function B, Function C, each with a list of transactions; two users; outcomes "Risk" and "No risk"]
Risk Report
Access Enforcer
Access Enforcer: Purpose
Used primarily to perform segregation of duty (SoD) analysis before roles are approved and allocated to users.
Reduction of lead-times for roles allocation leads to significant business improvements. The user administration will be fully automated.
The tool will enforce the role approval process and ensure that SoD checks are performed and that potential risks are mitigated, all prior to role allocation.
Access Enforcer: Business value
Facilitate the SOX compliance from an SAP security perspective.
Increase the accuracy of SAP user authorizations and adhere to the GAC principles.
Reduce maintenance costs for the SAP user administration.
Reduced lead-times for roles allocation lead to significant business improvements.
Reduce security audit costs for SAP environments.
Access Enforcer: User administration process
The purpose of a User Administration Process is to assign/remove roles from SAP user accounts.
An online ordering tool and Access Enforcer ensure that the proper approval for every request is done and that all assigned roles are compliant with the security policy.
Access Enforcer: Order process
All orders for access to IT applications are managed via a tool for ordering online.
Access Enforcer: Requests for approval
The first approver in the workflow receives the requests that were ordered in the online ordering tool.
Access Enforcer: Roles included in the order
Access Enforcer: Risk Analysis
When the approver clicks Risk Analysis, Access Enforcer runs an analysis on the user's current roles in combination with the new roles that were ordered.
In fact, Access Enforcer makes a call to Compliance Calibrator, where the SoD risk framework is stored.
Compliance Calibrator runs the analysis and returns the result.
Access Enforcer: Risk Analysis result
The risks are listed with a Risk ID, Risk Description and Status.
SoD risk: FB01 and ME21
Access Enforcer: Risk simulation
Now we can uncheck Financial Accountant and simulate the risks without that role.
Access Enforcer: Risk Analysis result
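
The risk analysis and simulation steps described on the Access Enforcer slides, sketched as an added Python example (not code from the deck or from SAP). Only FB01, ME21 and the role name Financial Accountant appear on the slides; the function names, the other roles, the risk ID and the ZREP1 transaction are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed rule set. Only FB01, ME21 and the role name "Financial Accountant"
# appear on the slides; all other names below are assumptions for illustration.
FUNCTIONS = {                      # function -> transactions that perform it
    "POST_DOCUMENT": {"FB01"},
    "CREATE_PURCHASE_ORDER": {"ME21"},
}

ROLES = {                          # role -> transactions it grants
    "Financial Accountant": {"FB01", "ZREP1"},
    "Purchaser": {"ME21"},
    "Report Viewer": {"ZREP1"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple               # holding ALL of these functions is the risk


RISKS = [
    Risk("R001", "Create purchase order and post accounting document",
         ("CREATE_PURCHASE_ORDER", "POST_DOCUMENT")),
]


def transactions_for(roles):
    """Union of the transactions granted by a collection of role names."""
    unknown = set(roles) - set(ROLES)
    if unknown:
        raise KeyError(f"undefined roles: {sorted(unknown)}")
    return set().union(*(ROLES[r] for r in roles))


def analyze(current_roles, requested_roles=()):
    """SoD findings for the user's current roles combined with the order."""
    roles = set(current_roles) | set(requested_roles)
    held = transactions_for(roles)
    findings = []
    for risk in RISKS:
        # For each function in the risk, which of its transactions are held?
        hits = [FUNCTIONS[f] & held for f in risk.functions]
        if all(hits):              # every function is covered -> conflict
            conflicting = set().union(*hits)
            findings.append({
                "risk_id": risk.risk_id,
                "description": risk.description,
                "transactions": sorted(conflicting),
                "roles": sorted(r for r in roles if ROLES[r] & conflicting),
            })
    return findings


def simulate_without(current_roles, requested_roles, unchecked):
    """Re-run the analysis with some of the ordered roles unchecked."""
    kept = [r for r in requested_roles if r not in set(unchecked)]
    return analyze(current_roles, kept)


if __name__ == "__main__":
    current, order = ["Purchaser"], ["Financial Accountant", "Report Viewer"]
    for finding in analyze(current, order):
        print(finding["risk_id"], finding["transactions"], finding["roles"])
    print(simulate_without(current, order, ["Financial Accountant"]))
```
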
Role Expert
First approval step finished
What is Role Expert?
Tool for documenting roles and authorizations.
Web based application.
Automates creation and management of role definitions.
RE enforces (Swedish: upprätthåller, genomdriver) best practice to ensure that role definitions, development, testing and maintenance is consistent through the implementation.
Role Expert functionality
Track progress during role implementation.
Monitor the overall quality of the implementation.
Perform risk analysis at role design time.
Set up a workflow for role approval.
Provide an audit trail for all role modifications.
Maintain roles after they are generated to keep role information current.
Role Expert: Search screen
Enter M'SG. Technical name for single roles in the system called M'S&.
Role Expert: Search results
Role Expert: Role definition
Role Expert: Add transactions
Role Expert: Company mapping
FireFighter
Summary
SAP uses a complex structure to manage authorizations:
  Fields
  Objects
  Profiles
  Roles
The Sarbanes-Oxley act (SOX) imposes requirements on companies' management of roles and authorizations:
  Segregation of Duties (SoD)
  Business approvals
  Audit trails
Role Based Access (RBAC) is required to fulfil the roles and authorization requirements of large organizations:
  Globally governed role architecture
  Business controlled role
To manage compliance SAP offers the GRC Suite:
  Compliance Calibrator (SoD)
  Access Enforcer (Role provisioning)
  FireFighter (Critical access)
  Role Expert (Role architecture)