Expert Guidelines for Implementing and Integrating the Four Components of SAP BusinessObjects Access Control
© 2012 Wellesley Information Services. All rights reserved.
Simon Persin, Turnkey Consulting
In This Session ...
• Understand the main purpose of the individual components in the SAP BusinessObjects Access Control suite
• Look at the integration points between the SAP BusinessObjects Access Control components
• Put SAP BusinessObjects Access Control in the context of your wider application architecture
• Understand the benefits of using ARA in conjunction with ARM, EAM, and BRM to ensure that your organisation “stays clean”
• Investigate the wider use of EAM in a business environment
SAP BusinessObjects Access Control as an integrated tool for operational use
What We’ll Cover …
• SAP BusinessObjects GRC application components in isolation
• Integration of the SAP BusinessObjects GRC ARM and EAM components
• The integrated role of ARA
• Beyond SAP BusinessObjects Access Control
• Wrap-up
Access Control Terminology

VIRSA (2005)          | GRC 5.3 (2008)                          | GRC 10.0 (2011)
Compliance Calibrator | Risk Analysis & Remediation (RAR)       | Access Risk Analysis (ARA)
Firefighter           | Superuser Privilege Management (SPM)    | Emergency Access Management (EAM)
Access Enforcer       | Compliant User Provisioning (CUP)       | Access Request Management (ARM)
Role Expert           | Enterprise Role Management (ERM)        | Business Role Management (BRM)
ARA — Access Risk Analysis Overview
• Segregation of Duties management tool
  - Contains the rulebook for your organisation
  - Able to run analytical reports to identify conflicts
• Remediation and mitigation support
  - Simulation of risk remediation
  - Record of mitigation controls
  - Assignment of mitigations to users, roles, or risks
ARM — Access Request Management Overview
• Workflow engine
  - Allows administrators throughout the organization to be involved with user provisioning
  - Able to streamline the user administration processes
  - Assists in standardization of the provisioning processes (“hire to retire”)
[Diagram: Request generated > Management approval > Automated provisioning. The workflow path determines the approvers; approval is via email links.]
BRM — Business Role Management Overview
• Development engine for roles and authorisations
  - Allows administrators throughout the organization to be involved with role build processes
  - Assists in standardization of role build: defined naming convention, standard process and methodology, single repository of role documentation

EAM — Emergency Access Management Overview
• The use of superusers in SAP ERP
  - Provides access to authorisations outside of normal business roles
  - Pre-approval of superuser access for use in emergency scenarios
  - Automated log reporting and monitoring ensures compliant use of elevated access
Integration Diagram
[Diagram: ARM, ARA, EAM, BRM and RT (Risk Terminator) shown as connected components]

Integration Points Summary

Primary | Secondary | Integration Description
ARM     | ARA       | Risk analysis of requests for user access at the point of provisioning
ARA     | ARM       | Change management for approval of risks and mitigations
ARM     | BRM       | Get newly created roles for use in user provisioning
BRM     | ARM       | Initiate approval workflow for role development
BRM     | ARA       | Risk analysis of role and authorisation changes
RT      | ARA       | Risk analysis of role and authorisation changes via PFCG/SU01 directly in the ERP system
EAM     | ARA       | Check for critical transactions as defined in the ARA rules
ARM     | EAM       | Use ARM to request the assignment of EAM superusers
Integration Challenges in Previous GRC Versions
• Each component accessed separately
• Reliance on Web services to connect the applications
• Detailed configuration required to integrate
• Different programming languages between applications
  - Java and Web Dynpro ABAP
• Connectors defined in multiple places
  - Connectors’ names must be identical in each application for them to be identified as the same system

Integration in SAP BusinessObjects GRC 10.0
• Single enterprise GRC system based in ABAP
• Connectors defined centrally using Remote Function Calls (RFCs)
  - Assigned to each module as an “integration scenario”
• Single user interface using SAP NetWeaver® Business Client (NWBC)
• Shared data elements simplify the integration of the applications
• Central configuration of all modules makes integration straightforward
  - No need for inter-application Web services
  - A more stable connection reduces connectivity failures
Connectors as Integration Scenarios
Integration of ARM and EAM
• Use ARM to request EAM superusers
  - Standardize the full user provisioning process, including superuser requests
  - Full end-to-end audit trail for superuser requests
  - Use EAM configuration for ARM approval
Use the ARM configuration settings delivered as standard to simplify the implementation

ARM to EAM Configuration — Request Types
• The Superuser Access request type is delivered as standard with GRC AC 10.0
• The Superuser Access action allows for synchronisation into EAM
EAM Workflow Configuration via ARM
• Two different MSMP processes are applicable to EAM
  - Access Request Approval: manages the approval and assignment of superuser access
  - Firefighter Log Report Review: manages the review and approval of the access used
Use the ARM configuration settings delivered as standard to simplify the implementation

MSMP Standard EAM Agent Rules — Access Request
• The MSMP Access Request Approval workflow contains standard agents
  - Firefighter owners are available as standard for use within Access Requests
MSMP Standard EAM Agent Rules — Log Review
• The MSMP Firefighter Log Report Review workflow contains standard agents
  - Firefighter controllers are available as standard for use within the workflow
  - The Escalation Manager is also available for use in log review

Requesting Superuser Access
• Request access to a superuser account using the same form as a standard user access request
  - Configurable approval mechanism, like any other access request process
EAM Automated Assignment
• Once approved, the access is provisioned to the Firefighter user
• The Access Request reference is quoted in the FFID description
  - Allows for centralised audit logging of the approval and the assignment
Following approval in ARM, access is automatically provisioned into EAM

Automated Firefighter Assignment
The Integrated Role of ARA
• In isolation, ARA is treated as the abstract rulebook for the organisation
• Integrating ARA with the other GRC components allows more interaction with the tool
• Allows greater consistency of the risks and rules
• Single location for risk definition, yet multiple access points to it
[Diagram: ARA at the centre, linked to ARM, EAM and BRM]
The Integrated Role of ARA (cont.)
• ARA in EAM
• ARA in ARM
• ARA in BRM
Integration of ARA and EAM
• Use ARA as the definition of critical access for EAM superusers
  - Streamlined master data maintenance: no need to maintain a separate list of critical transactions in EAM
  - Now that EAM is located within GRC, there is no need to use Risk Terminator to connect EAM to ARA
  - Able to define a criticality level for Firefighter IDs
  - SoD checks on Firefighter IDs
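The log-review workflow and the critical-action check above come down to one job for the controller: take the firefighter session log, flag every transaction that the ARA critical-action rules list, and route the FFIDs with flagged activity to a reviewer. The Python below is an added example, not SAP code and not the delivered Firefighter log report: the log line format, the FFIDs, the user IDs and the critical transaction list are all constructed for illustration.

```python
"""Firefighter log review against ARA-style critical actions.

Added example (not SAP code). The log format, FFIDs, user IDs and the
critical-action list are constructed for illustration only.
"""
import re
from collections import defaultdict

# Critical actions, as an ARA critical-action rule would list them (constructed).
CRITICAL_ACTIONS = {
    "SU01": "User maintenance",
    "PFCG": "Role maintenance",
    "SE16": "Table browser",
    "SM30": "Table maintenance",
}

# Constructed firefighter session log: timestamp, FFID, firefighter user, transaction.
SAMPLE_LOG = """\
2012-03-01T08:02:11 FF_FIN_01   jdoe   FB03
2012-03-01T08:05:40 FF_FIN_01   jdoe   SE16
2012-03-01T08:09:02 FF_FIN_01   jdoe   SU01
2012-03-01T09:15:30 FF_BASIS_02 asmith SM30
2012-03-01T09:16:01 FF_BASIS_02 asmith SM37
2012-03-01T10:30:00 FF_HR_03    kclark PA20
2012-03-01T10:31:12 FF_HR_03    kclark PA30
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; a malformed line is an error, not silently dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, ffid, user, tcode = m.groups()
        entries.append({"ts": ts, "ffid": ffid, "user": user, "tcode": tcode})
    return entries


def review_report(entries, critical=CRITICAL_ACTIONS):
    """Per FFID: who used it, how many actions, and which critical actions need justification."""
    report = defaultdict(lambda: {"user": None, "total": 0, "critical": []})
    for e in entries:
        r = report[e["ffid"]]
        r["user"] = e["user"]
        r["total"] += 1
        if e["tcode"] in critical:
            r["critical"].append((e["ts"], e["tcode"], critical[e["tcode"]]))
    return dict(report)


def needs_controller_review(report):
    """FFIDs whose session touched a critical action; sessions without one can be closed on sight."""
    return sorted(ffid for ffid, r in report.items() if r["critical"])


if __name__ == "__main__":
    rep = review_report(parse_log(SAMPLE_LOG))
    for ffid in needs_controller_review(rep):
        print(ffid, rep[ffid]["user"], [c[1] for c in rep[ffid]["critical"]])
```

The point of keeping the critical list outside the review code is the same one the slide makes: when the list lives in ARA, the log review and the risk analysis cannot drift apart. A line that does not parse raises rather than being skipped, because a log review that silently ignores malformed lines is exactly what an attacker with superuser access would hope for.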
Integration of ARA and ARM
• Use ARA as the rulebook for assessing ARM requests
  - Part of the “stay clean” phase of implementation
  - Use ARA to ensure that requests continue to drive compliance
  - Risk analysis at the request submission/approval stages
  - Assign mitigation controls at the point of user assignment
  - Use ARM to manage the approval of changes to risks and mitigations in ARA
Request Types in ARM
• Ensure that the relevant request types are activated in the ARM Request Type configuration node

Automated Risk Analysis
• Risk analysis can be triggered automatically upon request submission
  - Parameter 1071
  - Will only run against the default rule set and the default report type, so risks maintained in a non-default rule set are not evaluated at submission
• Use MSMP stage configuration and parameter 1072 to control approval behaviours
Risk Analysis in Workflow
If you have multiple stages, make sure you consider where risk analysis will actually add value

Risk Analysis in Access Requests
• The risk analysis results are summarised on the User Access tab within access requests
  - This improves usability, as risk analysis is integrated into the processes
  - Seamless to users, as all activities are centralised into a single screen
Risk Analysis in ARM
• Details of the risk analysis results are available on the Risk Violations tab
• Able to mitigate directly within the access request process

MSMP to Manage ARA Changes
• You can trigger workflow from ARA using the SAP BusinessObjects Access Control configuration settings
  - Ensures that all changes are subsequently approved
• Set the configuration parameters
  - SPRO > Governance, Risk and Compliance > Access Control > Maintain Configuration Settings
  - Parameter IDs 1035, 1062, 1063, and 1064
MSMP to Manage ARA Changes (cont.)
• Configure workflow behaviour using the standard process IDs
  - SAP_GRAC_CONTROL_ASGN
  - SAP_GRAC_CONTROL_MAINT
  - SAP_GRAC_RISK_APPR
  - SAP_GRAC_FUNC_APPR
This will be dependent on there being a relevant ARM workflow path configured
Integration of ARA and BRM
• Use ARA as the rulebook for assessing BRM developments
  - Part of the “stay clean” phase of implementation
  - Use ARA to ensure that role or authorisation changes continue to drive compliance
  - Risk analysis at the point of development/generation
  - Assign mitigation controls to roles/profiles at the point of creation

BRM Risk Analysis Configuration
• Configure the required risk analysis settings in the standard configuration settings
  - Parameter 3011: this will trigger the analysis on role development
• Or use Risk Terminator from your development system
• Use the simulation functionality to identify the upfront impact of a role change on risk profiles
Consider amending your landscape to connect GRC Production to the target system's development environment for role-based risk analysis
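The ARA overview, the ARA/ARM section and the ARA/BRM section above all rely on one mechanism: a risk is a pair of conflicting functions, each function is a set of actions (transaction codes), and an analysis asks whether the actions a user holds (at provisioning time) or a single role grants (at build time) enable both halves of a risk. The Python below is an added example, not SAP code and not the ARA engine: the functions, risks, roles, users and mitigating-control IDs are constructed sample data, and the can_approve gate is an assumption about what an approval stage configured to block on unmitigated risks does, not a description of the options behind parameter 1072.

```python
"""Toy segregation-of-duties engine in the shape of an ARA rule set.

Added example, not SAP code. Every transaction code, function, risk, role,
user and control ID below is constructed sample data.
"""
from dataclasses import dataclass, field

# A function is a named set of actions (transaction codes). Constructed.
FUNCTIONS = {
    "AP01": {"FK01", "FK02", "XK01"},    # maintain vendor master data
    "AP02": {"F-53", "F110"},            # post vendor payments
    "PR01": {"ME21N", "ME22N"},          # create / change purchase orders
    "PR02": {"MIGO"},                    # post goods receipt
}
# A risk is two functions one person must not hold together, plus a level.
RISKS = {
    "P001": ("AP01", "AP02", "High"),    # maintain vendor AND pay vendor
    "P002": ("PR01", "PR02", "Medium"),  # order goods AND receive goods
}
# Role -> transaction codes it grants. Constructed.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_PURCHASER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_PROCURE_TO_PAY_ALL": {"ME21N", "MIGO", "F110"},
}


def actions_for(roles):
    """Union of the transaction codes granted by a set of roles."""
    acts = set()
    for r in roles:
        acts |= ROLES[r]
    return acts


def analyse_actions(actions):
    """Return {risk_id: level} for every risk whose two functions are both enabled."""
    hits = {}
    for rid, (f1, f2, level) in RISKS.items():
        if actions & FUNCTIONS[f1] and actions & FUNCTIONS[f2]:
            hits[rid] = level
    return hits


def analyse_role(role):
    """BRM-style check at build time: does one role violate a risk on its own?"""
    return analyse_actions(ROLES[role])


def analyse_user(roles):
    """User-level check across everything the user already holds."""
    return analyse_actions(actions_for(roles))


def simulate_request(existing_roles, requested_roles):
    """ARM-style check at submission: which violations would this request add?"""
    before = analyse_user(existing_roles)
    after = analyse_user(set(existing_roles) | set(requested_roles))
    return {rid: lvl for rid, lvl in after.items() if rid not in before}


@dataclass
class Mitigations:
    """Mitigating controls assigned per user and risk (constructed control IDs)."""
    by_user: dict = field(default_factory=dict)

    def assign(self, control_id, risk_id, user):
        self.by_user.setdefault(user, {})[risk_id] = control_id

    def unmitigated(self, user, violations):
        return {rid for rid in violations if rid not in self.by_user.get(user, {})}


def can_approve(user, existing_roles, requested_roles, mitigations):
    """Assumed approval gate: no approval while the request adds an unmitigated risk."""
    new = simulate_request(existing_roles, requested_roles)
    open_risks = mitigations.unmitigated(user, new)
    return len(open_risks) == 0, sorted(open_risks)


if __name__ == "__main__":
    m = Mitigations()
    print(analyse_role("Z_PROCURE_TO_PAY_ALL"))
    print(can_approve("jdoe", {"Z_PURCHASER"}, {"Z_WAREHOUSE"}, m))
    m.assign("MC-042", "P002", "jdoe")
    print(can_approve("jdoe", {"Z_PURCHASER"}, {"Z_WAREHOUSE"}, m))
```

Two behaviours worth noticing. simulate_request only reports violations the request introduces; a user who already carries a conflict is not re-flagged for it, which is the difference between the "stay clean" request check and the one-off clean-up analysis. And the role-level check catches Z_PROCURE_TO_PAY_ALL before it is ever assigned, which is the argument the slides make for running ARA against BRM development rather than only against users.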
Integrated Risk Analysis
• Able to access risk analysis and mitigation functionality directly from the Business Role Management screens

BRM and ARM Integration
• ARM as the workflow engine for role and profile developments
  - Configure workflow approval paths for role development
• BRM as the repository for role and profile information
  - Synchronise roles into ARM for use in requests
MSMP to Manage BRM Changes
• Define Approval as a step in the methodology
  - Allows for connection into ARM
• Configure workflow behaviour using the standard process ID SAP_GRAC_ROLE_APPR

Initiate Approval from BRM
• Use the approval function to trigger MSMP workflow for role changes
Approving Role Changes in ARM
• The role content approver can then approve or reject the proposed changes to the roles via workflow
Access Control into Enterprise GRC
• The SAP BusinessObjects GRC 10.0 architecture allows Access Control, Process Control, and Risk Management to share the same system
• Able to share master data elements
  - Shared risk organization hierarchy
  - Shared mitigating controls
  - Standard data source structure for use in Process Control

Connecting to LDAP
• Using standard SAP ABAP technology, you can connect to LDAP systems to act as a data source or as a full provisioning system
• Configure the connector in the normal manner
  - Use SM59 to create the RFC destination (TCP/IP)
  - Store the Registered Server Program under the same name as the RFC destination in the services file
  - Configure it as a connector in SPRO > GRC > Common Component Settings > Integration Framework
  - Configure the connection in transaction LDAP
Connecting to LDAP (cont.)
• Configure the data source configuration, and assign field mappings to use it for user search and detail lookup only
• For provisioning, you need to configure and assign the appropriate integration scenarios
  - SPRO > GRC > Access Controls > Common Component Settings > Maintain Connector Settings
• Also able to use standard SAP protocols to configure single sign-on and encryption between the applications
  - SAP logon tickets (single sign-on)
  - STRUST and SAPCRYPTOLIB (certificate management and encryption)

Connecting to SAP IDM
• Configure the connector and assign the attributes for Web services
• Configure and activate the standard Web services for IDM actions
  - Available in SPRO > GRC > Common Component Settings > Integration Framework > Event-Based Monitoring > Release/Test Web Service
• Inbound and outbound Web services allow you to choose which application is the master
• Able to integrate the schema using synchronization jobs back into SAP BusinessObjects Access Control
  - SPRO > GRC > Access Controls > Synchronization Jobs > Fetch IDM Schema
What We’ll Cover …
• SAP BusinessObjects GRC application components in isolation
• Integration of the SAP BusinessObjects GRC ARM and EAM components
• The integrated role of ARA
• Beyond SAP BusinessObjects Access Control
• Wrap-up
Additional Resources
• http://scn.sap.com/docs/DOC-8562
SAP Community Network, SAP BusinessObjects Access Control 10.0 (SAP AG, April 2011).
• www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60e7bc69-0bbc-2e10-bf82-9a66c5279574
Ankur Baishya, “SAP BusinessObjects GRC 10.0 Integration Guide – Access Control 10.0 and NetWeaver Identity Management” (SAP Community Network, September 2011).
• www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90871971-2dc0-2e10-93a0-9e3c156707ef?QuickLink=index&overridelayout=true&52235392344456
Ankur Baishya, “SAP BusinessObjects GRC 10.0 Integration Guide – Access & Process Control 10.0” (SAP AG, August 2011).
• http://wiki.sdn.sap.com/wiki/display/BPX/Governance%2C+Risk%2C+and+Compliance+%28GRC%29+How-To+Guides
Governance, Risk, and Compliance (GRC) How-To Guides
7 Key Points to Take Home
• Understand the purpose of the four main SAP BusinessObjects Access Control components
• Understand the potential integration points for the GRC components
• Use ARM to provision superusers
• Understand the configuration settings for connecting ARA to ARM
• Understand how to connect ARA to BRM
• Understand how to maintain the connection from ARA to EAM
• Understand the wider context for SAP BusinessObjects Access Control
Your Turn!
How to contact me: Simon Persin
Continue the conversation! Post your questions in the Compliance Forum on Insider Learning Network*
*bit.ly/GRCForum
Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2012 Wellesley Information Services. All rights reserved.