Profiling for SAP - Compliance Management, Access Control and Segregation of Duties

Profiling for SAP® Compliance Management Access Control and Segregation of Duties

Understand, Optimize and Control your Business and IT

Understand

ImproveControl

SAP® Services Partner delivering expertise for SAP® Solution Manager and SAP

NetWeaver® technologies with ASAP, Run SAP and BPM methodologies

Subject Matter

Page 2

Access Management and Segregation of Duties

Project Support for SAP Blueprints

2

3

4

Optimization of Authorizations

Profiling for SAP supporting Security Compliance for SAP®

Profiling for SAP® Application1



Profiling for SAP for Compliance and Access Control

Page 3

“Profiling your SAP® Solution delivers our Clients all needed insights to understand, improve and control their Business and complex SAP® Landscapes.”

Heinz-Jürgen Scherer, CEO TransWare AG

Understand

ImproveControl



PROFILING FOR SAP APPLICATION

Standard application with tight SAP® integration, high automation

and flexible configuration

Page 4



SoD Analysis and the Process for Compliance

Page 5

1. Extract 2. Define 3. Analyze

Profiler BI DB AnalyzerReports

Dashboards

Authorizations

Usage (Transactions,

Reports, RFC Calls)

Define Risk Rules

Critical activity groups

Activities conflict matrix

Auditors, IT Security

Analytic reports and

dashboards

Conflicts and potential

conflicts of Accounts

and/or Roles, Profiles

Predefined set of Risk Rules



Profiling for SAP Product Components

Page 6

Profiling for SAP application customizing for SoD (configuration)

Definition of Task groups, specifies a set of tasks with identifiers

Assignments of critical transactions to task groups

Risk rules combining Task Groups with Financial Risk Values

Includes best practice for configuration settings

Analytic Reports (examples)

Charts plotting risks and SoD issues per e.g. SAP module

Role Compliance Check: Identifies roles that have SoD conflicts based upon the

underlying transactions

User Compliance Check: Identifies SoD conflicts in user’s profile

SAP Solution Manager integration (optional)



Profiling for SAP® featuring SAP Compliance Management

Page 7

TransWare’s reengineering and optimization solution for SAP®, compliance and

performance assessment and process analysis on any SAP® system or SAP®

Industry Solution highlights process risks in a system review and will lead to

minimized project times with corresponding cost reduction.

The solution reveals the quality of the implementation by analyzing transaction logs,

document types, user authorizations with roles and profiles, SAP® HR info types,

SAP® customizing and object modifications and other configuration items.

It shows the overall picture of customizing and utilization of the current SAP® system

with business related KPIs.

Complex ERP systems are potentially susceptible to segregation of duties (SoD)

issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users

can be counterchecked against the real usage of SAP®. Reporting of the results can

be done per job role, so you know what each role entails in terms of process

activities, SAP® business blueprint process steps, SAP® roles and transactions.

Technical, Functional and Processual Analysis and Optimization of SAP



Access Control and Segregation of Duty

To-Be Transition Optimize LandscapeAs-Is Landscape

Profiling for SAP® smartly supports the Transition Phase from As-Is into an optimized SAP® Landscape

Page 8

Technical

AnalysisFunctional

Analysis

Processual

Analysis

Business

Reengineering

Understand

Process

Management

Optimize

Compliance

Management

Control

ASAP

Project Methodology

Run SAP

Process IT Support

Run SAP

Process IT Support

Profiling for SAP® SoD Compliance is based on the technical, functional

and processual analysis tool components.

Profiling for SAP® SoD Compliance



ACCESS MANAGEMENT AND SEGREGATION OF DUTIES

Introduction of an cost efficient compliance management

Page 9



Increased Focus on Security and Control

Page 10

Corporate scandals and fraud (Enron, Barings Bank, WorldCom, ...)

Security breaches (UCs, BC, Stanford, ...)

Regulatory Compliance

• Sarbanes-Oxley (SOX, EuroSOX)

• Family Educational Rights and Privacy Act (FERPA)

• Federal Information Security Management Act of 2002 (FISMA)

• Gramm-Leach-Bliley Act (GLBA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Joint Commission (TJC)



Security Risks, Security Compliance and Internal Controls

Page 11

Access Control

Do some users have too much access?

Sufficient access restrictions to private information?

Control for Segregation of Duties (SoD)

Every time a user is added ensure his rights are

not in conflict with SoD risk rules

A user's profile is amended and the change must

not cause any SoD conflict

Review of the company SoD requirements on a

periodic base

“Internal Controls are processes designed by management to provide reasonable

assurance that the Institute will achieve its objectives.”

(From MIT’s Guidelines For Financial Review and Control)

Who has access

to sensitive

transactions?

Are there any

SoD

violations?



Profiling for SAP® and SAP® Authorizations

Page 12

Profiling for SAP combines information from

different data sources like SAP usage, user

authorization and SoD configuration with BI

based reporting for a comprehensive security

analysis.

Actions are subject to authorization checks

that are performed before the start of a

program or table maintenance and mandatory

for the SAP applications :

· Starting SAP transactions

(authorization object S_TCODE)

· Starting reports

(authorization object S_PROGRAM)

· Calling RFC function modules

(authorization object S_RFC)

· Table maintenance with generic tools

(authorization object S_TABU_DIS)



Profiling for SAP® Compliance Management

Page 13

Reduce time and efforts when providing ongoing information to

internal and external auditors

Remove access or assign mitigating controls

Used during implementation of new SAP modules and processes or

optimizing SAP systems

Monitoring transaction and data access based on SAP background job

for 24/7 security and compliance control

Optionally runs on central SAP Solution Manager to manage complex

SAP landscapes as a non-invasive solution

Web based BI solution based on a Business Warehouse for

Compliance Management

A Software Solution for SAP Project and Compliance Process Support



Profiling for SAP® Compliance Application

Page 14

Useful during all phases of the deployment lifecycle

Design – Identify roles, build composite roles based upon team requirements

Implementation – Test and verify SoD compliance of roles

Production – Ensure compliance of existing users and roles

Tight integration within SAP to manage complex SAP Landscapes and

to leverage SAP standards

Applicable to SAP’s ERP, CRM, SCM and other ECC-based products

Web based product, non-invasive, non-deployment solution regarding

SAP production systems

A solution for compliance management based on standard software

Profiling is a configurable custom application with integration into SAP that

ensures all user’s authorizations are compliant with the company’s

compliance rules



Set of Risk Rules based on SoD conflicts and critical actions

Page 15

Set of Risk Rules for different business

domains like FI-GL, MM, SAP Basis,

CRM or etc.

Define SoD rules and critical actions

and add standard or custom

transactions to the rule set

Define rules on Functional,

Transactional or the most detailed

Authorization-Object level

Define critical rules with high financial

risks or potential security risks

Modify predefined configuration with a

set of rules for SoD best practice

Risk

Rules Set

SoD

Rule

Critical

Actions

Function

and

Transaction

Author.-

Object

Function

Transaction

Author.-

Object

Function

Transaction

Author.-

Object



Procedure for the Definition of SoD Risk Rules on a Functional Level

Page 16

1. Define SoD Functions (logical group of tasks)

Example:

Function A: – Process Sales Order

Function B: – Maintain credits master data

2. Assign Transactions to SoD Function

Example:

Function A – V-01, VA01, VA02, …

Function B – FD24, FD32, FD37, …

3. Define and Characterize the SoD Functions

with Risk Rules

Define a conflict: Function A & Group B

Characterize the conflict with financial risk indicators:

• High, Medium, Low

Exclude Rules from predefined configuration

as N/A for your organization with a description

Define

Functions

Assign

Transactions

Define Conflicts

and Risks



Examples for SoD Activities and Transaction Groups

Page 17

Description of Task Groups SAP Transactions

Group A: Process sales orders

Create sales order V-01

Create sales order VA01

Change sales order VA02

Group B: Maintain credit master data

Credit limit changes FD24

Change customer credit management FD32

Credit management mass change FD37

Credit management mass change F.34

Customers: Reset credit limit F.28

Credit Limit Data mass change S_ALR_87009999

Reset Credit Limit for Customers S_ALR_87012220



SoD Conflict Matrix

Page 18

FunctionSeparated Function

POTENTIAL RISKRISK LEVEL

(X, M, H)

Maintain credit master data

ANDProcess sales

orders

User can increase a customer credit limit and then process sales orders for that customer leading

to irrecoverable debt.

M

Maintain contract/scheduling agreement

ANDProcess sales

orders

User can create a fictitious contract and then create sales orders against that contract.

M

Customer master data

maintenanceAND

Process sales orders

User can create a fictitious customer and create orders for

delivery to them thereby misappropriating goods.

M


ANDProcess outbound

deliveries

User can create/change sales orders and deliveries to hide the

misappropriation of goods.H


ANDMaintain sales

deal

User can create sales orders and maintain pricing, therefore over-

charging customers or giving then unauthorized discounts.

M



Critical Transactions and assigned Risks

Page 19

Transaction Description Risk

FI12 Change House Banks/Bank Accounts Financial Risk

PA30 Maintain HR Master Data Access HR data

SCCL Local Client Copy System stability &

integrity at risk

SE11 Data Dictionary Maintenance System stability &

integrity at risk

PFCG Role Maintenance Security Risk

SM49 Execute OS commands System stability at risk



Excel to define Risk-Rules for Business-Domains

Page 20



SOD RULES

Configuration of Rules

Page 21



SoD Rules on Functional Level

Page 22



SoD Conflict Matrix on Functional Level

Page 23

X=Financial Risk Exists, M = Medium Risk, H = High Risk



Critical Combinations on Functional Level with Details

Page 24



SAP CONFIGURATION

SoD Rules and SAP® Authorizations

Page 25



Roles & Profiles with SoD Transactions included

Page 26

Shows Transactions used for SoD rules assigned to Authorization Objects

Identify all Authorizations Objects with potential risks.



SoD Conflicts with Risks for specific Composite-Roles

Page 27

Also available for specific Single-Roles and Profiles



CUSTOMIZED RISKS IN SAP

Standard or customized profiles and user assignment

Page 28



Potential Risks with Accounts customized in SAP

Page 29

X=Financial Risk Exists, M = Medium Risk, H = High Risk

ALL = ‘*’ in Authorization

16 Conflicts for 21 Accounts

At least one high financial risk in 485 conflicts for3 user



Actual Risks in Execution of SAP

Page 30



SAP USAGE

SAP Objects, Usage and Authorizations

Page 31



SAP Modules, used Transactions and Authoritations

Page 32



Accounts, Authorizations and Transaction Usage

Page 33



…and many analytic Reports more

Page 34



Benefits

Page 35

Using the same kind of tools used by chartered accountants reduces

service costs for external audit and advisory

Reduction of project efforts and establishment of SoD compliant

authorizations from the start

Fully automated SoD analysis reduces TCO for the ongoing security

control process

Auditors and IT security staff work on functional level even for complex

authorization scenarios

Avoidance of manual analysis and false positive assessments

Flexible configuration includes custom “Z” transactions or external

applications like Portals using BAPI or direct RFC calls

Easy identification of users with access to sensitive data by internal

security teams lowers costs of the compliance process



OPTIMIZATION OF AUTHORIZATIONS

Slimline authorization management of complex SAP®

landscapes

Page 36



Slimline your SAP® Authorization Management

Page 37

Assigned Role not

relevant for execution

of the custom “Y”

YXPROC transaction

Identify needless access rights by SAP Modules, Accounts, Transactions, …

Optimize your custom roles by identifying critical roles and access overlap

Setup segregation of duties by best practice and company compliance

Example Report:



Benefits

Page 38

Efficient establishment of a tradeoff between Business Requirements and

Company Compliance

Substantial reduction of project efforts in company compliance initiatives

Simplification of information access to complex SAP data for company

auditors reduces costs for the compliance process

Uniformed use of tools by chartered accountants reduces external

audit and advisory services costs

Allows the handling of complex SAP landscapes with automatic data

retrieval and cross-SAP system analytics

Automatic monitoring of changes of user authorizations given by

organizational requirements lowers costs for audits and security control



PROJECT SUPPORT FOR SAP BLUEPRINTS

Being compliant from the beginning

Page 39



Blueprinting with ASAP and SAP Solution Manager

Page 40

SAP® Solution Manager (SSM) is the SAP® tool that supports the plan, build

and run aspects of ERP solutions based on SAP® NetWeaver and covers

all needs for ITIL-compliant application lifecycle management (ALM).

SAP® describes ALM by the Run SAP® operational support methodology and

the Accelerate SAP® (ASAP) project methodology. SSM serves as an

interface between technology and business processes.

For SAP solution development like upgrades or implementations, the SAP

solution is consistently documented in SSM by the Blueprint that describes

the business processes and the resulting system configuration.

An important part of the SAP solution development is the configuration of

organizational structures and optimized business and security compliance

requirements.

Profiling for SAP® supports this aspect of SAP ALM to lower development

and maintenance costs and improve process and compliance quality



SAP Blueprint Procedure for Compliant Authorizations

Page 41

Support ASAP methodology and SAP Solution Manager Projects

Define your functional Task Groups in SAP Solution

Manger as Jobs or Org.-Units as End-User-Roles

Setup the Blueprint Process Structure by Business

Process Management Methodology including

organizational assignments to End-User-Roles

Assign Transactions manually or use predefined

Reference Models with T-Codes assigned like the SAP

Business Process Repository (BPR )

Run Reports to analyze organizational Access

Requirements

Automatically identify standard SAP right roles or

profiles supported

Customize Roles (PCFG) and assign users

Run analytic reports for SoD compliance and risk

control

Define

Blueprint

Analyze Access

Requirements

Define Roles

and User Access



SAP Solution Manager for SAP Blueprints

Page 42

Optimized user authorizations from project start-up

Assign End-User-

Roles to Process-

Steps, Master-Data or

Organizational-Unit

Data

SAP Blueprint with Masterdata,

Org.-Unit Data, Scenarios,

Processes, Process-Steps,

Transactions and Documentation

Process-Steps with

Assigned Transactions



SAP Solution Manager for SAP Blueprints

Page 43

Export the Blueprint structure for analytic reporting

SAP Blueprint Structure (SAP Project) Assigned User, Jobs, Org.-Units

Cross-Reference

between Objects

(T-Code, Forms,

Reports etc) and

End-User-Roles



Benefits

Page 44

Support of SAP Solution Manager improves the SAP Blueprint

business process definition in terms of Compliance and Risk Management

Synchronize organizational structures, functional access requirements,

business processes and access control for slimline, fine tuned and fully

SoD compliant SAP authorizations

Leverage SAP tools, methodologies and best practice by a tight SAP

integration with a BI based solution that reduces SAP® project planning

and implementation efforts

Reduce SAP maintenance efforts by a consistent business process

and security control documentation

Ensure compliance through SAP improvements like ERP Enhancement

Packages and organizational changes

Define authorizations on functional level and support setup of technical

roles and profiles.



Solutions by TransWare

Page 45

TransWare Software Solutions AG

Fritz-Wunderlich-Str. 49

66869 Kusel

Germany

Phone: +49-(0)6381-916-0

Email: [email protected]

Web: www.transware.de

All product, service and company names mentioned herein are for identification purposes only and may be

trademarks or registered trademarks of their respective owners

http://www.transware.de/

Documents

Profiling for SAP - Compliance Management, Access Control and Segregation of Duties