GRC ONLINE TRAINING
Contents (section: topics):
- Introduction: Welcome; SAP Security Overview; SOX Overview; Access Control Solution Overview
- Compliance Calibrator Overview: Rules Architect; Risk Analysis & Informer; Mitigation Controls; Alerts; Compliance Configuration
- Firefighter Overview
- Access Enforcer Overview: Module Breakdown; Process Walkthrough
- Role Expert Overview: Module Breakdown
Example R/3 Role Design model
Business Processes: Process > Sub-Process > Activity > Workstep.
Security Design: Composite Role > Role > Transaction. A role performs one or more transactions; a transaction corresponds to one or more SAP worksteps.
Role Mapping: Job (the general category for jobs) > Position (performs one or more roles) > Employee; on the organizational side, Org Unit > Division.
SAP Security – The major elements of the SAP authorization concept
- Users
- Composite Profiles
- Simple Profiles
- Authorization Objects
- Authorizations
- Fields
- Values (Activities, Organizational elements)
- Transactions
SAP Security
To address this complexity and flexibility, SAP has developed a solution called the SAP GRC Access Controls Suite. We will walk through how Compliance Calibrator (CC) addresses some of these issues.
(Diagram mapping SAP authorization elements to Compliance Calibrator terms: Users -> User Profile; Composite Profile -> Composite Profile; Roles / Simple Profile -> Simple Profile; Authorization Objects and Restrictions -> Authorization Access Objects; Transactions -> Transactions.)
Securing Financial Applications Systems for SOX Compliance
SOX
The Sarbanes-Oxley Act of 2002, also called the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly known as SOX or Sarbox, was passed in response to major corporate scandals such as Enron.
Enron Corporation was an American energy company based in Houston, Texas. Enron figures in late 2001:
- Enron employed around 22,000 people (McLean & Elkind, 2003)
- Claimed revenues of $111 billion in 2000
- Fortune named Enron "America's Most Innovative Company" for six consecutive years
At the end of 2001:
- It was revealed that its reported financial condition was sustained substantially by institutionalized, systematic, and creatively planned accounting fraud
- Enron filed for bankruptcy protection in the Southern District of New York
Some interesting facts
Present access and authorizations approach
- IT does not own the responsibility for proper segregation of duties. IT cannot see the hurdles on the business side, as it lacks the collaboration tools and the language to work efficiently with the business owners.
- Line-of-business managers are responsible for SoD, but they lack the technical depth to manage user access, so they rely on IT.
- Internal auditors are trying desperately to stay on top of the SoD issue. However, with manually maintained spreadsheets listing the access and authorizations of all employees, contractors, partners and so on, they can only perform a very limited audit at a very high cost.
Sarbanes-Oxley and SAP - Top 7 Control Deficiencies in SAP
1. Segregation of Duties - segregation of duties is the most important point of control focus and the most common deficiency.
2. Inconsistent Business Process Procedures - business procedures not matching the actual process is another problem area in many SAP implementations.
3. Unsecured Customized Programs - many customized 'Z' or 'Y' transactions are built to suit the business process and left unsecured.
4. Unauthorized Access to SAP BASIS - many companies make the mistake of giving users in production access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54 etc. Such unrestricted access can lead to a potential control deficiency under Sarbanes-Oxley.
5. Unrestricted Posting Periods - allowing unrestricted access to open posting periods in SAP can result in unauthorized entries in previously open periods. This can become a severe control deficiency under SOX.
6. SAP Access for Terminated Employees - SAP access that has not been revoked for employees who have been terminated. This can potentially lead to a control deficiency.
7. Database and OS Hardening - the data in SAP sits in databases such as Oracle, and SAP itself runs on an operating system. If the databases and operating systems are not hardened, the whole SAP environment is put at risk.
GRC – Governance, Risk and Compliance
SAP Compliance Calibrator
Business Challenges
- Identifying risks arising through user access privileges.
- Knowing when users have executed transactions that constitute a risk.
- Developing solutions for risk management and control.
- Ensuring that mitigating controls exist for user access risks and are executed.
IT / Security Challenges
- Stopping risk from being introduced into the production system through change updates.
- Prohibiting and controlling access to critical basis, developer and sensitive business transactions.
IT Based Antifraud Controls - SOD & SAT
Segregation of duties in applications (SOD) -
The basic premise of segregation of duties is that users should not be in a position to initiate and authorize their own transactions.
Modern ERP applications such as SAP, Oracle Apps, JD Edwards and PeopleSoft can be configured based on roles.
Access to specific transactions in the system can be restricted based on user roles and profiles.
Segregation of duties in applications can act as a major antifraud control and lead to better SOX compliance.
Sensitive Access Controls (SAT) -
SATs coupled with SODs can act as the foundation for IT based antifraud controls.
The other important antifraud control is restricting user access to sensitive transactions in the system.
From an IT perspective users have access to a lot of information such as payroll data, balance sheet, profit and loss account etc.
This sensitive information can be misused. It is therefore important to restrict users' access to this sensitive information in applications.
MM SoD Conflicts – Sample data
SoD control (functions that should be segregated), risk level, and risk:
- Post Goods Receipt and Post Payments (H): A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check.
- Post Goods Receipt and Process Outgoing Payments (H): A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception.
- Post Goods Receipt and Process Inventory (H): A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception, or clear the inventory count to hide the deception.
- Post Goods Receipt and Process Inventory Documents (H): A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception, or clear the inventory count to hide the deception.
- Post Goods Receipt and Goods Issue (H): A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception. The vendor would be paid for the excess recorded receipt.
- Post Goods Receipt and Process Materials (H): A user could create or change a fictitious receipt and create/change a material document to hide the deception.
Compliance Calibrator Key Terms
- Business Process – used to classify risks, rules and rule sets by business function, e.g. Order to Cash, Purchase to Pay and Record to Report are all business processes. All risks and functions are assigned to a business process.
- Function – identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.
- Action – known as a transaction in SAP. To perform a function, more than one action may need to be performed.
- Permission – an authorization object (with its field values) in SAP; permissions form part of actions.
- Risks – identify potential problems your enterprise may encounter which could cause errors or irregularities within the system.
- Rule Sets – categorize and aggregate the rules generated from a risk. When you define a risk, you attribute one or more rule sets to that risk. Similar to a business process.
- SoD – Segregation of Duties: primary internal controls intended to prevent, or decrease the risk of, errors or regulatory irregularities, identify problems, and ensure corrective action is taken. This is achieved by assuring that no single individual has control over separate phases of a business transaction.
Definitions – Function, Business Process, Action, Permissions & Activities
(Screenshot of a function definition, annotated: 1. Function, 2. Business process, 3. Action, 4. Permissions, 5. Activities.)
Process Overview
SAP Compliance Calibrator
Role Maintenance (preventative): Request role change -> Analyse & approve change -> Role build -> Risk analysis -> Approve change -> Deploy change.
SAP CC is used to identify SOD conflicts before the change enters production. This allows control leads to reject the introduction of risk, or to assign / implement a mitigating control before the risk is apparent.
Note: Rules have to be pre-defined before Risk Analysis is performed.
User Provisioning (preventative): Request access -> Identify risks -> Business approval -> Update user -> Execute controls.
A deeper understanding of the risks inherent in the security design allows business approvers to make a proactive choice as to whether they allow a user to have an SOD risk or a critical transaction.
Security Controls (detective): Analyse SOD conflicts -> Analyse critical transaction usage -> Alert on SOD violations -> Alert on critical transactions.
SAP CC is used to execute security controls for periodic review and approval of SOD conflicts and critical transaction risks. Alert monitoring can also be used to notify business or control leads when a SOD violation occurs or a critical transaction is used.
Rules Architect – SOD risk
SAP Compliance Calibrator
Rules are created in Compliance Calibrator based on the "risks" you define.
Rules are logical constructions composed of a circumstance or condition and the appropriate response to that condition. This is commonly represented as an IF-THEN statement:
IF
  Employee X can Create a Vendor AND
  Employee X can Authorize Payment to a Vendor
THEN
  Employee X has been granted High Risk conflicting roles.
This is an example of a SOD risk.
(Diagram: Risks -> Compliance Calibrator -> Rules.)
Rules Architect – The Rules Library
SAP Compliance Calibrator
The core engine of SAP CC contains a rules library that maintains the risks for SOD conflicts. This library contains conflicting transactions, grouped into functions, including the object and activity settings, and runs to thousands of records.
For each identified risk the rules need to be configured so that the risk is properly recorded; in essence this means the removal of false positives. A false positive is identified when, at the object level, the potential risk is not realized, e.g. the activity permitted is read only.
Building rule sets
1. Set up functions (groups of activities that users perform to carry out their role) by mapping transaction activities.
2. Map two or more functions together to define a risk.
3. SAP CC creates rules based on the risks, which are used for risk analysis reporting and alert monitoring.
4. Business processes can also be defined and mapped to risks for ease of reporting, e.g. Finance Accounting.
5. Multiple rule sets can also be set up to act as reporting filters, for version control and for other uses.
Rules Architect – Key Drivers
SAP Compliance Calibrator
Building rule sets can be complex and time consuming. Typically three distinct roles and skill sets are involved.
Internal Controls Expert - provides information on SOD risks and criticality, and represents business (process) owners in decisions to mitigate or remove risks.
SAP Functional Expert - provides expertise on the business process configuration in SAP and knowledge of objects and activity values. Helps to set the configuration data for the rule set library. Helps identify false positives.
SAP CC Expert - provides knowledge of rule settings in SAP CC, performing mass upload changes and risk analysis.
(Diagram: Rules Generation at the centre, fed by the Internal Control Expert, the SAP Functional Expert and the SAP CC Expert.)
Risk Analysis
SAP Compliance Calibrator
Once the rule set has been defined and implemented, risk analysis can be performed to identify the SOD conflict and critical transaction risks in the staging and production systems.
Risk analysis can be performed at the user or role level. Risk analysis and remediation is most efficient when a structured authorizations concept is implemented that maps roles to jobs and people. In these circumstances remedial efforts correct risks for large groups of users at once.
Risk analysis can be performed:
1. During the project lifecycle, before users are allowed into the production system.
2. Before each change request for role maintenance is deployed to production.
3. Before provisioning exceptional roles to individual users.
4. To execute periodic security controls.
Risk Analysis – Types of risks
Segregation of Duties (SoD) risk
A combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability. That is to say, in the case of two conflicting actions an employee may have permission to perform one of these actions, but not both.
Critical Action risk
Certain actions are, by their nature, inherently risky. Any employee who has permission to perform one of these actions automatically poses a risk. Defining a critical action risk ensures that any employee assigned this permission is identified by the risk analysis process.
Critical Permission risk
Just as some individual actions can be critical, the same is true for some permissions. Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned an action that includes a potentially risky permission.
The severity of a risk can be categorized as:
- Low
- Medium
- High
- Critical
You use the risk level to categorize risks, and the rules they generate, by severity. What constitutes, for example, a critical risk is determined by your company policies.
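The three risk types above, together with the permission-level false-positive removal described under the rules library and the provisioning-time check listed under Risk Analysis, as an added worked example. This is not SAP code and not part of the original slides: it models a function as a set of transactions plus the authorization-object values that make them effective, evaluates SoD, critical-action and critical-permission risks against a set of roles (a user's assignment or a single role), and simulates a request. All function, risk, role and user names and the sample object values are constructed assumptions.

```python
"""Toy Compliance Calibrator-style risk analysis (added example, not SAP code).
All functions, risks, roles and users are constructed for illustration; a
permission is an (object, field, value) triple such as ("F_LFA1_APP", "ACTVT", "01")."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str, str]

@dataclass(frozen=True)
class Function:  # a task grouped for SoD purposes
    name: str
    actions: FrozenSet[str]             # transaction codes (CC "actions")
    permissions: FrozenSet[Permission]  # object values that make the action effective

@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str                                        # Low / Medium / High / Critical
    functions: Tuple[str, ...] = ()                   # SoD risk: conflicting functions
    critical_action: Optional[str] = None             # critical action risk
    critical_permission: Optional[Permission] = None  # critical permission risk

@dataclass(frozen=True)
class Role:
    name: str
    actions: FrozenSet[str]
    permissions: FrozenSet[Permission]

def effective_access(roles: List[Role]) -> Tuple[Set[str], Set[Permission]]:
    """Union of the actions and permissions granted by a set of roles."""
    actions: Set[str] = set()
    permissions: Set[Permission] = set()
    for role in roles:
        actions |= role.actions
        permissions |= role.permissions
    return actions, permissions

def performs(function: Function, actions: Set[str], permissions: Set[Permission],
             permission_level: bool) -> bool:
    """Action level: holding any of the function's transactions counts. Permission
    level: an effective object value is also required, which removes display-only
    false positives (the 'activity is read only' case)."""
    if not function.actions & actions:
        return False
    if not permission_level or not function.permissions:
        return True
    return bool(function.permissions & permissions)

def analyse(roles: List[Role], functions: Dict[str, Function], risks: List[Risk],
            permission_level: bool = True) -> List[Tuple[str, str]]:
    """(risk_id, level) for each rule violated by a user's roles or by a single role."""
    actions, permissions = effective_access(roles)
    held = {n for n, f in functions.items() if performs(f, actions, permissions, permission_level)}
    violations = []
    for risk in risks:
        if risk.functions:                        # SoD risk: all conflicting functions held
            hit = all(f in held for f in risk.functions)
        elif risk.critical_action is not None:    # critical action risk
            hit = risk.critical_action in actions
        else:                                     # critical permission risk
            hit = risk.critical_permission in permissions
        if hit:
            violations.append((risk.risk_id, risk.level))
    return violations

def simulate_request(current: List[Role], requested: List[Role], functions: Dict[str, Function],
                     risks: List[Risk]) -> List[Tuple[str, str]]:
    """Preventative check at provisioning time: risks the requested roles would add."""
    before = set(analyse(current, functions, risks))
    return [v for v in analyse(current + requested, functions, risks) if v not in before]

# Constructed sample rule set and role assignments (hypothetical names and values).
CREATE_CHANGE = frozenset({("F_LFA1_APP", "ACTVT", "01"), ("F_LFA1_APP", "ACTVT", "02")})
FUNCTIONS = {
    "AP01": Function("AP01", frozenset({"XK01", "XK02", "FK01", "FK02"}), CREATE_CHANGE),  # maintain vendor
    "AP02": Function("AP02", frozenset({"F110", "F-53"}), frozenset({("F_BKPF_BUK", "ACTVT", "01")})),  # pay vendor
}
RISKS = [
    Risk("P2P001", "High", functions=("AP01", "AP02")),   # create vendor AND pay vendor
    Risk("B001", "High", critical_action="SM59"),         # maintain RFC destinations
    Risk("B002", "Critical", critical_permission=("S_DEVELOP", "ACTVT", "02")),
]
ROLES = {
    "Z_AP_VENDOR_MAINT": Role("Z_AP_VENDOR_MAINT", frozenset({"XK01", "XK02"}), CREATE_CHANGE),
    # carries the XK02 transaction but only display (ACTVT 03): an action-level false positive
    "Z_AP_VENDOR_DISPLAY": Role("Z_AP_VENDOR_DISPLAY", frozenset({"XK02", "XK03"}),
                                frozenset({("F_LFA1_APP", "ACTVT", "03")})),
    "Z_AP_PAYMENTS": Role("Z_AP_PAYMENTS", frozenset({"F110", "F-53"}),
                          frozenset({("F_BKPF_BUK", "ACTVT", "01")})),
    "Z_BASIS_RFC": Role("Z_BASIS_RFC", frozenset({"SM59"}), frozenset({("S_RFC_ADM", "ACTVT", "03")})),
    "Z_DEV_DEBUG": Role("Z_DEV_DEBUG", frozenset({"SE38"}), frozenset({("S_DEVELOP", "ACTVT", "02")})),
}
USERS = {"ALICE": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
         "BOB": ["Z_AP_VENDOR_DISPLAY", "Z_AP_PAYMENTS"],
         "CAROL": ["Z_BASIS_RFC", "Z_DEV_DEBUG"]}

def user_roles(user_id: str) -> List[Role]:
    return [ROLES[r] for r in USERS[user_id]]

if __name__ == "__main__":
    for user in USERS:
        print(user, analyse(user_roles(user), FUNCTIONS, RISKS),
              "action-level only:", analyse(user_roles(user), FUNCTIONS, RISKS, permission_level=False))
    print("BOB + Z_AP_VENDOR_MAINT adds:",
          simulate_request(user_roles("BOB"), [ROLES["Z_AP_VENDOR_MAINT"]], FUNCTIONS, RISKS))
```

Run at permission level, BOB's display-only vendor role does not trigger P2P001 even though the role carries the XK02 transaction code; run at action level the same data produces exactly the false positive the rules-library work is meant to remove. simulate_request is the preventative check from the user provisioning flow: it reports only the risks the requested roles would add, which is what a business approver needs in order to accept, mitigate or reject.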
Informer
Informer allows an appropriately authorized user to access specific reports. In addition to the default report formats, there are specific user-selected focus areas available on many of the reports.
Informer tab report types include:
- Management View - can view reports of the following types: "Risk Violations", "Users Analysis", "Role Analysis", "Comparisons", "Alerts", "Rules Library", "Controls Library".
- Risk Analysis - performed to see if any user, role, HR object or organization has access to two or more conflicting actions.
- Audit Reports - provides report headings covering different aspects of the enterprise. Each Audit Report menu item contains links to reports that may be modified by the user to fit the needs requested.
- Security Reports - provides an access point for reports on every aspect of product and enterprise security compliance issues.
- Background Job - allows SoD conflicts to be analyzed for a large number of users, roles, HR objects or organizations.
Informer
Compliance Calibrator provides interactive visual analysis in the form of bar charts, pie charts and line charts. By clicking on a chart area, detailed statistics are accessed.
Informer
SAP Compliance Calibrator
You can generate reports for users, user groups, roles, profiles, HR objects and organizational levels.
Mitigation Control
Mitigation Controls - rather than remove the cause of the risk, you may want to control certain risk violations that you want to remain available to specific users, roles, or profiles.
Monitor ID - the ID of the user who is assigned as a Monitor and to whom the specific controls are assigned.
Where risks are accepted in the system, a mitigating control should be implemented and executed. An example is a supervisory review and sign-off.
SAP CC gives you the functionality to document the mitigating controls for each risk. Once documented and assigned to a Monitor, the tool can be used to track execution of the control or non-compliance.
Many clients will have separate cross-enterprise process controls software, and we suggest three options for implementation:
1) Simplest option: identify the risk as controlled. The risk is removed from risk reporting (but the tool then holds no record of the control or of its execution).
2) Associate the risk with a mitigating control held in an alternate repository, e.g. process control software.
3) Fully document the mitigating control within SAP Compliance Calibrator.
A choice also exists on who to give responsibility for maintaining data in the SAP CC tool. This can be centralized in IT or Controls, or fully distributed to the business.
The Controls Library option lists all the existing mitigation controls (active/inactive). The Controls Library displays the controls by risk level, sorted by:
- Risk
- Risk Level (Low, Medium, High)
- Business Unit
- Monitor
- User, Role, Profile, or HR Object
Alerts Monitor
Compliance Calibrator includes functionality which can alert business and controls leads by email when a critical or conflicting action is executed.
Alerts are available within the following risk areas:
- Conflicting and Critical Actions - when a user performs both transactions in an SOD rule or uses a critical transaction.
- Mitigation monitoring - if a Monitor does not execute a control at the specified frequency, an alert is generated, sent to the Monitor and visible to the control leads.
- Cleared alerts - when an alert message has been delivered and cleared. Cleared alerts remain as an archived record and can still be tracked and monitored.
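The three alert areas above as an added example, not SAP code and not from the original slides: a detective check over a constructed transaction usage log that fires only when one user has executed both sides of an SoD rule, a critical-transaction alert, the mitigation-monitoring check against each control's required frequency, and an alert store in which cleared alerts stay archived. The log format (a plain "date time user tcode" line, not SAP's STAD or audit-log format), the rule and control IDs, the user and monitor names and the 14-day pairing window are all assumptions.

```python
"""Alert monitor over executed transactions and mitigating-control execution
(added example, not SAP code). The usage log is constructed in a simple
'date time user tcode' format, not SAP's STAD or audit-log format; rule IDs,
control IDs, user and monitor names are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# SoD rules: (risk_id, transactions of the first function, transactions of the second)
SOD_RULES: List[Tuple[str, FrozenSet[str], FrozenSet[str]]] = [
    ("P2P001", frozenset({"XK01", "XK02", "FK01", "FK02"}), frozenset({"F110", "F-53"})),
]
# Critical transactions -> risk id (SM59 and SE38 are in the BASIS list earlier on the page)
CRITICAL_TCODES: Dict[str, str] = {"SM59": "B001", "SE38": "B003"}
# Mitigating controls: control id -> (monitor, required frequency in days, last executed)
CONTROLS: Dict[str, Tuple[str, int, datetime]] = {
    "MC-AP-01": ("DAVE", 7, datetime(2024, 3, 1)),
    "MC-AP-02": ("ERIN", 30, datetime(2024, 2, 20)),
}
REVIEW_DATE = datetime(2024, 3, 21)  # the day the monitor runs (constructed)

USAGE_LOG = """\
2024-03-04 09:12:33 ALICE XK01
2024-03-04 09:40:10 ALICE F110
2024-03-04 10:02:51 BOB XK02
2024-03-05 08:15:00 BOB SM59
2024-03-06 11:30:42 CAROL F-53
2024-03-20 14:05:09 BOB F-53
"""

def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, user, tcode) per non-empty log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, tcode = line.split()
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), user, tcode))
    return events

def sod_alerts(events, rules, window: timedelta = timedelta(days=14)) -> List[Tuple[str, str]]:
    """(risk_id, user) when one user executed transactions from BOTH conflicting functions
    of a rule within `window` of each other. One side only, or both sides far apart, is
    an assigned-access risk for the risk analysis, not a usage alert."""
    by_user = defaultdict(list)
    for ts, user, tcode in events:
        by_user[user].append((ts, tcode))
    alerts = set()
    for user, items in by_user.items():
        for risk_id, side_a, side_b in rules:
            a = [ts for ts, t in items if t in side_a]
            b = [ts for ts, t in items if t in side_b]
            if any(abs(ta - tb) <= window for ta in a for tb in b):
                alerts.add((risk_id, user))
    return sorted(alerts)

def critical_alerts(events, critical: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(risk_id, user, tcode) for every execution of a critical transaction."""
    return [(critical[t], user, t) for _, user, t in events if t in critical]

def overdue_controls(controls, today: datetime) -> List[Tuple[str, str]]:
    """(control_id, monitor) for controls not executed within their frequency."""
    return [(cid, monitor) for cid, (monitor, days, last) in controls.items()
            if today - last > timedelta(days=days)]

class AlertLog:
    """Cleared alerts are kept as an archived record rather than deleted."""
    def __init__(self):
        self._alerts: List[Tuple[tuple, str]] = []
    def raise_alert(self, alert: tuple) -> None:
        self._alerts.append((alert, "open"))
    def clear(self, alert: tuple) -> None:
        self._alerts = [(a, "cleared" if a == alert else s) for a, s in self._alerts]
    def open(self) -> List[tuple]:
        return [a for a, s in self._alerts if s == "open"]
    def archived(self) -> List[tuple]:
        return [a for a, s in self._alerts if s == "cleared"]

def run_monitor(log_text: str = USAGE_LOG, today: datetime = REVIEW_DATE) -> AlertLog:
    """One monitoring run over the log and the control register."""
    events = parse_log(log_text)
    alog = AlertLog()
    for a in sod_alerts(events, SOD_RULES):
        alog.raise_alert(("SOD",) + a)
    for a in critical_alerts(events, CRITICAL_TCODES):
        alog.raise_alert(("CRITICAL",) + a)
    for a in overdue_controls(CONTROLS, today):
        alog.raise_alert(("MITIGATION",) + a)
    return alog

def open_after_clear(alert: tuple) -> Tuple[List[tuple], List[tuple]]:
    """Run the monitor, clear one alert, return (still open, archived)."""
    alog = run_monitor()
    alog.clear(alert)
    return alog.open(), alog.archived()

if __name__ == "__main__":
    for alert in run_monitor().open():
        print("ALERT", alert)
```

Pairing both sides of a rule within a window is what distinguishes an executed conflict (ALICE creates a vendor and runs a payment run the same morning) from a user who merely holds conflicting access: BOB's XK02 and F-53 sixteen days apart are a matter for the access-level risk analysis, not for this usage alert. The control check treats a control executed exactly at its frequency as on time, so MC-AP-02 is not reported on the review date.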
SAP Compliance Configuration
The Configuration tab is the main starting point for post-installation setup.
NOTE: Only a user with administrative authority can access and use this part of Compliance Calibrator.
- The Java Connector (JCo) acts as the integration point between the Java application and the SAP system to be monitored / analyzed.
- The User Management Engine provides for out-of-the-box J2EE Administrator profiles to be defined or activated.
- The Rule Set Upload function is used to load the standard rules or a customized rule set, e.g. critical transaction codes, critical objects etc. These characteristics are the foundations of the SoD rules.
- The Workflow component is used to trigger email alerts to named process owners within user provisioning. It is an integrated part of the Access Enforcer solution.
- Background Job Scheduling is used for activating monitoring, e.g. the frequency of SoD analysis and risk violation reporting.
SAP Compliance Configuration (screenshots: standard GRC ruleset; scheduling risk analysis)
Major Activities Walkthrough
Activity: SAP Compliance Calibrator tasks
- Install and set up SAP CC: technical installation, core ECC, RFC connections to modules, assembly test.
- Agree security design principles and dependencies with SAP CC: establish design concepts and principles for mapping roles to jobs and users, e.g. one composite role per user.
- Confirm project governance and high-level processes: agree business owners, business approvers, control approvers, role maintenance and user provisioning (UP) processes. Define security controls.
- Master data and functional set-up; test functionality: agree master data definitions: organization, business process, risk descriptions, monitors and control approvers.
- Define risks and configure the risk rule set: agree SOD conflicts and critical transactions. Categorise risk (H/M/L). Update the risk rule set. Test risks.
- Run risk analysis: run risk analysis in the staging environment, then in the production environment. Export reports and update risk logs.
- Remedial actions: identify and remove false positives. Agree whether to accept or reject risks. Plan authorization changes, update security design templates and raise change requests to security maintenance. Re-run risk analysis.
- Mitigate accepted risks: agree mitigating controls for each risk. Agree control owners and business approvers (execution). Update mitigating controls in the tool.
- Update procedures and security controls: update procedures to introduce SAP CC as a preventative control and reflect governance for business ownership.
- Transition to live: train and enable operations staff, business approvers and control owners. Deploy new procedures. Stabilization support.
Firefighter
The Firefighter application allows a user to take responsibility for tasks outside their normal job function in an emergency situation.
- Enables users to perform duties not included in the roles or profiles assigned to their user IDs.
- Provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage, providing the capability to review the activities performed during an emergency situation.
(Diagram: Role 1, Role 2 and Role 3 are assigned to Firefighter ID 1, which is used by User 1.)
Before users can access Firefighter, they must be assigned a Firefighter ID. For each Firefighter ID you define the following roles:
- Owner - can assign Firefighter IDs to Firefighters.
- Controller - receives email notification and reviews the Firefighter Log report.
In addition, the Administrator creates the Firefighter IDs and assigns authorization roles to them.
Process Overview
SAP Firefighter
Request access to production -> Approve request -> Assign Firefighter account -> Update production -> Review control log.
Firefighter enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.
Through automated emergency access administration, Firefighter tracks, monitors, and logs all emergency access activities.
Example
If the employee who normally works with vendor accounting is on vacation or sick leave, another employee who usually verifies invoices may be assigned a Firefighter ID to perform this task temporarily.
Benefits of Firefighter are:
- Avoid business obstructions with faster emergency response
- Reduce audit time
- Reduce time to perform critical tasks
Firefighter (screenshots: Firefighter dashboard; Firefighter Log Report)
Access Enforcer
Access Enforcer is a web-based application running in J2EE and NetWeaver environments. It is connected to multiple data sources such as an LDAP directory and SAP backend systems.
Access Enforcer automates the end-to-end access provisioning approval process by combining roles and permissions with workflow.
When a user requests access to resources for which they do not have permission, Access Enforcer automatically forwards the access request to designated managers and approvers within a pre-defined workflow. This workflow is customized to reflect your company policy.
Roles and permissions are automatically applied to the enterprise directories when the access request is approved.
Access Enforcer automates the role provisioning process within the identity management environment. It supports corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.
Access Enforcer
Access Enforcer has four task modules for specific usage:
- Requestors: the Requestors module is for end-users who are requesting access to SAP and non-SAP backend systems.
- Approvers: the Approvers module is for approvers who approve access requests. Approvers can also request access for other end-users. Approvers include line managers and IT security.
- Informer: the Informer module is a reporting tool that provides graphical and analytical reports for managers.
- Configuration: the Configuration module is for Access Enforcer administrators who define defaults, workflow, and other attributes based on their corporate business processes and policies.
Access Enforcer Module Breakdown
Approver
Access Enforcer provides three standard Approver types. Depending on your organizational hierarchy and process, other Approver types can be added to Access Enforcer. The standard Approver types are:
- Manager Approver is usually the requestor's manager. Managers can review and approve their workflow stage during the approval process.
- Role Owner Approver has the authority to approve or reject a request. The Approver can put a request on hold and add additional roles to the request if necessary. An Approver can only approve or reject requests that they own and cannot approve requests for other approvers unless they are assigned as an alternate approver.
- Security Approver is usually the last approver in a typical workflow. The Security Approver can provision the requested access to the target system.
Requestor
As a Requestor, you use the Requestor module to create various access requests for an SAP backend system, a non-SAP system, or another application (server). There are three types of Requestors:
- Department Member creates individual requests for access permissions or roles, for themselves or for their team members.
- Managers create requests for roles for their subordinates.
- Approvers and other managers can also create requests.
Informer
Access Enforcer provides the ability to generate various reports for the purpose of viewing and analyzing request approval activities. Reports are divided into two categories:
- Analytical lets you drill down to individual role change and access permission requests.
- Chart generates a graphical view of the request approval information, which can be used to analyze various activities.
Access Enforcer Screenshots
Request for Approval List: displays pending requests assigned to you.
Request Approver Page: the approver's view of a submitted request.
Access Enforcer Walkthrough
1. The requestor makes an access request for a specific application for which they do not have the necessary roles.
2. Access Enforcer provides the Access Request page, which can be set to specific or multiple data sources (e.g. an SAP HR system or non-SAP systems) to complete the request process.
3. The requestor submits the completed Access Request page. This triggers a workflow process, which is made up of several pre-defined approval stages and is customized to reflect the business and security policies and procedures.
4. The approver receives email notification of the access request at each approval stage and performs risk analysis and SOD assessment. When a conflict arises, the approver can mitigate the problem or reject the request.
5. Upon approval, the access request is routed to the next stage, which could involve the IT security team for entry to the SAP backend system or application server. Automatic provisioning to the target system can take place.
(Diagram: requestor, SAP Access Enforcer, approver.)
Access Enforcer - Benefits
Role Expert
Role Expert is a solution for compliant enterprise role management, allowing role owners to define, document, and manage roles across multiple enterprise applications, and enforces best practices, resulting in lower ongoing maintenance and easier knowledge transfer.
It automatically analyzes roles for potential security risks (audit and SoD issues), tracks changes, and facilitates approval workflow, eliminating the inefficient back-and-forth exchanges between business managers and IT.
Role Expert provides a complete audit trail, covering role definition, detailed change history, and control test results, and allows SAP security administrators and role owners to document important role information that can be of great value for better role management, such as:
- Tracking progress during role implementation
- Monitoring the overall quality of the implementation
- Performing risk analysis at role design time
- Setting up a workflow for role approval
- Providing an audit trail for all role modifications
- Maintaining roles after they are generated to keep role information current
Role Expert
Role Library - dashboard of all the roles in Role Expert. Displays an interactive graphical interface of the roles broken down by system landscape, role owner, or business process. It also shows the number of roles with violations and the roles belonging to different role types.
Role Designer - provides you with a step-by-step guide for designing roles across your enterprise. Role Designer allows you to define:
- Role Building Methodology
- Naming Conventions
- Role Attributes
- Org. Value Mapping
- Approval Criteria
Org Level - maps the hierarchical structure of the organization, enabling roles to be managed effectively.
Change History - provides you with an audit trail for all the changes made to roles within Role Expert or your SAP system.
Mass Maintenance - allows you to synchronize the SAP backend systems with Role Expert by importing roles that already exist in the SAP system.
Sap GRC Basic Information | GRC 12 online training
Grc 10 training
 
Top 9 bi interview questions answers
Top 9 bi interview questions answersTop 9 bi interview questions answers
Top 9 bi interview questions answers
 
GRC_2016_US_Brochure
GRC_2016_US_BrochureGRC_2016_US_Brochure
GRC_2016_US_Brochure
 
SAP BI Implementation
SAP BI ImplementationSAP BI Implementation
SAP BI Implementation
 
Sap bw bi
Sap bw biSap bw bi
Sap bw bi
 
SAP grc
SAP grc SAP grc
SAP grc
 

Similar to Sap GRC Basic Information | GRC 12 online training

Prevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | SymmetryPrevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | SymmetrySymmetry™
 
Blinde la seguridad de su empresa
Blinde la seguridad de su empresaBlinde la seguridad de su empresa
Blinde la seguridad de su empresaSAP Latinoamérica
 
Gourav ladha - Profile
Gourav ladha - ProfileGourav ladha - Profile
Gourav ladha - ProfileGourav Ladha
 
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]akquinet enterprise solutions GmbH
 
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...akquinet enterprise solutions GmbH
 
Identity & Access Governance versus Process Agility
Identity & Access Governance versus Process AgilityIdentity & Access Governance versus Process Agility
Identity & Access Governance versus Process AgilityHorst Walther
 
Brochure Auditing Erp System V2
Brochure   Auditing Erp System V2Brochure   Auditing Erp System V2
Brochure Auditing Erp System V2agc infotech
 
Rethinking Segregation of Duties: Where Is Your Business Most Exposed?
Rethinking Segregation of Duties: Where Is Your Business Most Exposed?Rethinking Segregation of Duties: Where Is Your Business Most Exposed?
Rethinking Segregation of Duties: Where Is Your Business Most Exposed?SAPinsider Events
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070retheauditors
 
Automating PeopleSoft Segregation of Duties: HCM and Financials
Automating PeopleSoft Segregation of Duties: HCM and FinancialsAutomating PeopleSoft Segregation of Duties: HCM and Financials
Automating PeopleSoft Segregation of Duties: HCM and FinancialsSmart ERP Solutions, Inc.
 
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015 Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015 CA CISA Jayjit Biswas
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP SystemsOnapsis Inc.
 
Best Practices for Integrating with Your ERP
Best Practices for Integrating with Your ERPBest Practices for Integrating with Your ERP
Best Practices for Integrating with Your ERPdreamforce2006
 
Sap Learn1
Sap Learn1Sap Learn1
Sap Learn1marazban
 
Ascent overview deck_sep_25_2013
Ascent overview deck_sep_25_2013Ascent overview deck_sep_25_2013
Ascent overview deck_sep_25_2013Bindu Rathore
 
CSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI tools
 
ERP Security as a Service 2017
ERP Security as a Service 2017ERP Security as a Service 2017
ERP Security as a Service 2017Jane Jones
 
Oracle Scene Safeguard your Business
Oracle Scene Safeguard your BusinessOracle Scene Safeguard your Business
Oracle Scene Safeguard your BusinessEmma Kelly
 

Similar to Sap GRC Basic Information | GRC 12 online training (20)

Prevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | SymmetryPrevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | Symmetry
 
IPO Readiness SOX Sod
IPO Readiness SOX SodIPO Readiness SOX Sod
IPO Readiness SOX Sod
 
Blinde la seguridad de su empresa
Blinde la seguridad de su empresaBlinde la seguridad de su empresa
Blinde la seguridad de su empresa
 
Gourav ladha - Profile
Gourav ladha - ProfileGourav ladha - Profile
Gourav ladha - Profile
 
Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]Why your works council has nothing to fear from SAP security. [Webinar]
Why your works council has nothing to fear from SAP security. [Webinar]
 
What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...What if a hacker has already broken in when your IT auditor is at the door? H...
What if a hacker has already broken in when your IT auditor is at the door? H...
 
Identity & Access Governance versus Process Agility
Identity & Access Governance versus Process AgilityIdentity & Access Governance versus Process Agility
Identity & Access Governance versus Process Agility
 
Brochure Auditing Erp System V2
Brochure   Auditing Erp System V2Brochure   Auditing Erp System V2
Brochure Auditing Erp System V2
 
Rethinking Segregation of Duties: Where Is Your Business Most Exposed?
Rethinking Segregation of Duties: Where Is Your Business Most Exposed?Rethinking Segregation of Duties: Where Is Your Business Most Exposed?
Rethinking Segregation of Duties: Where Is Your Business Most Exposed?
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
 
Automating PeopleSoft Segregation of Duties: HCM and Financials
Automating PeopleSoft Segregation of Duties: HCM and FinancialsAutomating PeopleSoft Segregation of Duties: HCM and Financials
Automating PeopleSoft Segregation of Duties: HCM and Financials
 
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015 Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
Segregation of duties in SAP @ ISACA Pune presentation on 18.4.2015
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
 
Best Practices for Integrating with Your ERP
Best Practices for Integrating with Your ERPBest Practices for Integrating with Your ERP
Best Practices for Integrating with Your ERP
 
SAP Access Authorization Solution
SAP Access Authorization SolutionSAP Access Authorization Solution
SAP Access Authorization Solution
 
Sap Learn1
Sap Learn1Sap Learn1
Sap Learn1
 
Ascent overview deck_sep_25_2013
Ascent overview deck_sep_25_2013Ascent overview deck_sep_25_2013
Ascent overview deck_sep_25_2013
 
CSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 BrochureCSI Authorization Auditor 2014 Brochure
CSI Authorization Auditor 2014 Brochure
 
ERP Security as a Service 2017
ERP Security as a Service 2017ERP Security as a Service 2017
ERP Security as a Service 2017
 
Oracle Scene Safeguard your Business
Oracle Scene Safeguard your BusinessOracle Scene Safeguard your Business
Oracle Scene Safeguard your Business
 

Recently uploaded

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxAmita Gupta
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfNirmal Dwivedi
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 

Recently uploaded (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 

Sap GRC Basic Information | GRC 12 online training

  • 4. Securing Financial Applications Systems for SOX Compliance
    SOX: The Sarbanes-Oxley Act of 2002, also called the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, was passed in response to major corporate scandals like Enron.
    Enron Corporation was an American energy company based in Houston, Texas. Enron figures in late 2001:
    - Enron employed around 22,000 people (McLean & Elkind, 2003)
    - Claimed revenues of $111 billion in 2000
    - Fortune named Enron "America's Most Innovative Company" for six consecutive years
    At the end of 2001:
    - It was revealed that its reported financial condition was sustained substantially by institutionalized, systematic, and creatively planned accounting fraud
    - Enron filed for bankruptcy protection in the Southern District of New York
  • 6. Present access and authorizations approach
    - IT does not own the responsibility for proper segregation of duties. IT staff cannot understand the hurdles on the business side, because they lack the collaboration tools and the language to work efficiently with the business owners.
    - Line-of-business managers are responsible for SoD, but they lack the technical depth to manage user access, so they rely on IT.
    - Internal auditors are trying desperately to stay on top of the SoD issue. However, with manually maintained spreadsheets listing the access and authorizations of all employees, contractors, partners and so on, they can only perform a very limited audit at a very high cost.
  • 7. Sarbanes-Oxley and SAP - Top 7 Control Deficiencies in SAP
    1. Segregation of Duties - segregation of duties is the most important point of control focus, and the most common deficiency.
    2. Inconsistent Business Process Procedures - business procedures that do not match the actual process are another problem area in many SAP implementations.
    3. Unsecured Customized Programs - many customized 'Z' transactions or 'Y' transactions are built to suit the business process and are not secured.
    4. Unauthorized Access to SAP BASIS - many companies make the mistake of giving users in production access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54 etc. Such unrestricted access can lead to a potential control deficiency under Sarbanes-Oxley.
    5. Unrestricted Posting Periods - allowing unrestricted access to open posting periods in SAP can result in unauthorized entries in previous open periods. This can become a severe control deficiency under SOX.
    6. SAP Access of Terminated Employees - SAP access had not been revoked for employees who had been terminated. This can potentially lead to a control deficiency.
    7. Database and OS Hardening - the data in SAP sits on databases like Oracle etc., and SAP Portal as such runs on an operating system. If databases and operating systems are not hardened, the whole SAP environment is put at risk.
  • 8. GRC – Governance, Risk, Compliance: SAP Compliance Calibrator
    Business Challenges
    - Identifying risks arising through user access privileges.
    - Knowing when users have executed transactions that constitute a risk.
    - Developing solutions for risk management and control.
    - Stopping risk from being introduced into the production system through change updates.
    - Prohibiting and controlling access to critical basis, developer and sensitive business transactions.
    - Ensuring that mitigating controls exist for user access risks and are executed.
    IT / Security Challenges
    - Stopping risk from being introduced into the production system through change updates.
    - Prohibiting and controlling access to critical basis, developer and sensitive business transactions.
  • 9. IT Based Antifraud Controls - SOD & SAT
    Segregation of duties in applications (SOD) – The basic premise of segregation of duties is that users should not be in a position to initiate and authorize their own transactions. Modern ERP applications like SAP, Oracle Apps, JD Edwards and PeopleSoft can be configured based on roles: access to specific transactions in the system can be restricted based on user roles and profiles. Segregation of duties in applications can act as a major antifraud control and lead to better SOX compliance.
    Sensitive Access Controls (SAT) – SATs coupled with SODs can act as the foundation for IT based antifraud controls. The other important antifraud control is restricting user access to sensitive transactions in the system. From an IT perspective users have access to a lot of information such as payroll data, balance sheet, profit and loss account etc. This sensitive information can be misused. It is therefore important to restrict user access to this sensitive information in applications.
  • 10. MM SoD Conflicts – Sample data
    SoD Control (functions that should be segregated) / Risk / Risk Level:
    - Post Goods Receipt and Post Payments (H): A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check.
    - Post Goods Receipt and Process Outgoing Payments (H): A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception.
    - Post Goods Receipt and Process Inventory (H): A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception, or clear the inventory count to hide the deception.
    - Post Goods Receipt and Process Inventory Documents (H): A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception, or clear the inventory count to hide the deception.
    - Post Goods Receipt and Goods Issue (H): A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception. The vendor would be paid for the excess recorded receipt.
    - Post Goods Receipt and Process Materials (H): A user could create or change a fictitious receipt and create/change a material document to hide the deception.
  • 11. Compliance Calibrator Key Terms
    - Business Process – Used to classify risks, rules and rule sets by business function, e.g. Order to Cash, Purchase to Pay and Record to Report are all types of Business Processes. All risks and functions are assigned to a business process.
    - Function – Identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.
    - Action – Known as Transactions in SAP. To perform a function, more than one action may be required.
    - Permission – An authorization object in SAP; permissions form part of Actions.
    - Risks – Identify potential problems your enterprise may encounter, which could cause errors or irregularities within the system.
    - Rule Sets – Categorize and aggregate the rules generated from a risk. When you define a risk, you attribute one or more rule sets to that risk. Similar to business processes.
    - SoD – Segregation of Duties: primary internal controls intended to prevent, or decrease the risk of, errors or regulatory irregularities, identify problems, and ensure corrective action is taken. This is achieved by assuring that no single individual has control over separate phases of a business transaction.
  • 12. Definitions – Function, Business Process, Action, Permissions & Activities
    (screenshot with numbered callouts: 1. Function, 2. Business process, 3. Action, 4. Permissions, 5. Activities)
  • 13. Process Overview – SAP Compliance Calibrator
    Role Maintenance (preventative) – diagram steps: Role request → Role build → Risk analysis → Analyse & approve change → Approve change → Deploy change.
    SAP CC is used to identify SOD conflicts before the change enters production. This allows control leads to reject the introduction of risk, or to assign / implement a mitigating control before the risk is apparent. Note: rules have to be pre-defined before Risk Analysis is performed.
    User Provisioning (preventative) – diagram steps: User request → Identify access risks → Business approval → Update user → Execute controls.
    A deeper understanding of the risks inherent in the security design allows business approvers to make a proactive choice as to whether they allow a user to have an SOD risk or a critical transaction.
    Security Controls (detective) – diagram steps: Analyse SOD conflicts → Analyse critical transactions → Alert on SOD violations → Alert on critical transaction (CT) usage.
    SAP CC is used to execute security controls for periodic review and approval of SOD conflict and critical transaction risks. Alert monitoring can also be used to notify business or control leads when an SOD violation occurs or a critical transaction is used.
  • 14. Rules Architect – SOD risk (SAP Compliance Calibrator)
    Rules are created in Compliance Calibrator based on the "risks" you define. Rules are logical constructions composed of a circumstance or condition, and the appropriate response to that condition. This is commonly represented as an IF-THEN statement:
    IF Employee X can Create a Vendor
    AND Employee X can Authorize Pay Vendor
    THEN Employee X has been granted High Risk Conflicting Roles
    This is an example of an SOD risk.
    (diagram: Risks → Compliance Calibrator → Rules)
  • 15. Rules Architect – The Rules Library (SAP Compliance Calibrator)
    The core engine of SAP CC contains a rules library that maintains the risks for SOD conflicts. This library contains the conflicting transactions, grouped into functions, including the object and activity settings, and runs to thousands of records. For each identified risk the rules need to be configured so that the risk is properly recorded; in essence this means the removal of false positives. A false positive is identified when, at the object level, the potential risk is not realized, e.g. the action is read-only.
    Building rule sets
    1. Set up functions (groups of activities that users perform to carry out their role) by mapping transaction activities.
    2. Map two or more functions together to define a risk.
    3. SAP CC creates rules based on the risks, which are used for risk analysis reporting and alert monitoring.
    4. Business processes can also be defined and mapped to risks for ease of reporting, e.g. Finance Accounting.
    5. Multiple rule sets can also be set up to act as reporting filters, for version control and other uses.
  • 16. Rules Architect – Key Drivers (SAP Compliance Calibrator)
    Building rule sets can be complex and time consuming. Typically three distinct roles and skills are involved.
    - Internal Controls Expert – Provides information on SOD risks and criticality, and represents business (process) owners in decisions to mitigate or remove risks.
    - SAP Functional Expert – Provides expertise on the business process configuration in SAP, knowledge of objects and activity values. Helps to set the configuration data for the rule set library. Helps identify false positives.
    - SAP CC Expert – Provides knowledge of rule setting in SAP CC, performing mass upload changes and risk analysis.
    (diagram: Internal Control Expert, SAP Functional Expert and SAP CC Expert all feed into Rules Generation)
  • 17. Risk Analysis (SAP Compliance Calibrator)
    Once the rule set has been defined and implemented, risk analysis can be performed to identify the SOD conflict and critical transaction risks in the staging and production systems. Risk analysis can be performed at the user or role level.
    Risk analysis and remediation is most efficient when a structured authorizations concept is implemented that maps roles to jobs and people. In these circumstances remedial efforts correct risks for large groups of users.
    Risk Analysis can be performed:
    1. During the project lifecycle, before users are allowed in the production system.
    2. Before each change request for role maintenance is deployed to production.
    3. Before provisioning exceptional roles to individual users.
    4. To execute periodic security controls.
  • 18. Risk Analysis – Types of risks
    Segregation of Duties (SoD) risk – A combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability. That is to say, in the case of two conflicting actions an employee may have permission to perform one of these actions, but not both.
    Critical Action risk – Certain actions are, by their nature, inherently risky. Any employee who has permission to perform one of these actions automatically poses a risk. Defining a critical action risk ensures that any employee assigned this permission is identified by the risk analysis process.
    Critical Permission risk – Just as some individual actions can be critical, the same is true for some permissions. Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned an action that includes a potentially risky permission.
    The severity of a risk can be categorized as one of:
    - Low
    - Medium
    - High
    - Critical
    You use the Risk Level to categorize risks, and the rules they generate, by severity. What counts as, for example, a critical risk is determined by your company policies.
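The rule construction of slides 14 and 15 (functions mapped to actions, functions combined into risks, rules generated from risks, false positives removed at the object/activity level) and the three risk types on slide 18 can be exercised end to end with a small engine. This is an added example written for this page, not Compliance Calibrator code or SAP's delivered rule set: the function definitions, the risks P001/B001/B002, the Z_* roles and the users are constructed, and the SAP transaction and authorization object names appear only as illustrative labels for the mapping.

```python
from itertools import product

# Functions group the actions (transactions) for one task, each with the
# object/activity values that make the action risky; None = action-level only.
# Names are SAP-style but the mapping is constructed, not SAP's rule set.
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01": ("F_LFA1_APP", {"01", "02"})},
    "PAY_VENDOR":    {"F110": ("F_REGU_BUK", {"02", "21"})},
    "ABAP_EDITOR":   {"SE38": None},
}

# Two functions -> SoD risk; one function -> critical action risk;
# a bare object/activity -> critical permission risk.  Levels as on slide 18.
RISKS = [
    {"id": "P001", "level": "High", "process": "Purchase to Pay",
     "functions": ("CREATE_VENDOR", "PAY_VENDOR")},
    {"id": "B001", "level": "Critical", "process": "Basis",
     "functions": ("ABAP_EDITOR",)},
    {"id": "B002", "level": "Critical", "process": "Basis",
     "permission": ("S_DEVELOP", {"02"})},
]

# Constructed roles: transactions granted (S_TCODE) and (object, ACTVT) pairs;
# ACTVT 01 = create, 02 = change, 03 = display are the standard SAP codes.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"tcodes": {"XK01", "XK03"},
                          "auths": {("F_LFA1_APP", "01"), ("F_LFA1_APP", "03")}},
    "Z_AP_VENDOR_VIEW":  {"tcodes": {"XK01", "XK03"},  # has the tcode, display only
                          "auths": {("F_LFA1_APP", "03")}},
    "Z_AP_PAYMENT_RUN":  {"tcodes": {"F110"}, "auths": {("F_REGU_BUK", "02")}},
    "Z_BASIS_DEVELOPER": {"tcodes": {"SE38"}, "auths": {("S_DEVELOP", "02")}},
    "Z_BASIS_READONLY":  {"tcodes": {"SE38"}, "auths": {("S_DEVELOP", "03")}},
}

USERS = {  # constructed user-to-role assignments
    "ALICE": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"],  # genuine SoD conflict
    "BOB":   ["Z_AP_VENDOR_VIEW", "Z_AP_PAYMENT_RUN"],   # action-level false positive
    "CAROL": ["Z_BASIS_DEVELOPER"],                      # critical action + permission
    "DAVE":  ["Z_BASIS_READONLY"],                       # critical action only
}


def generate_rules(risks=RISKS, functions=FUNCTIONS):
    """Expand every risk into rules: one per combination of one action from
    each of its functions (the IF ... AND ... THEN construction of slide 14)."""
    rules = []
    for risk in risks:
        base = {"risk": risk["id"], "level": risk["level"]}
        if "permission" in risk:
            rules.append({**base, "kind": "critical_permission",
                          "conditions": ((None, risk["permission"]),)})
            continue
        action_lists = [list(functions[f].items()) for f in risk["functions"]]
        for combo in product(*action_lists):
            kind = "sod" if len(combo) > 1 else "critical_action"
            rules.append({**base, "kind": kind, "conditions": combo})
    return rules


def effective_access(user, users=USERS, roles=ROLES):
    """Union of what all the user's roles grant (SAP checks are cumulative)."""
    tcodes, auths = set(), set()
    for role in users[user]:
        tcodes |= roles[role]["tcodes"]
        auths |= roles[role]["auths"]
    return tcodes, auths


def condition_met(condition, tcodes, auths, permission_level=True):
    """One rule condition: the transaction must be present and, at permission
    level, so must one of the risky object/activity values."""
    tcode, spec = condition
    if tcode is not None and tcode not in tcodes:
        return False
    if spec is None:
        return True
    if tcode is not None and not permission_level:
        return True  # action-level analysis ignores object/activity values
    obj, activities = spec
    return any((obj, act) in auths for act in activities)


def analyze_user(user, permission_level=True, rules=None):
    """Rules the user violates.  permission_level=False reproduces the
    action-only result whose false positives slide 15 describes."""
    rules = generate_rules() if rules is None else rules
    tcodes, auths = effective_access(user)
    hits = []
    for rule in rules:
        if all(condition_met(c, tcodes, auths, permission_level)
               for c in rule["conditions"]):
            hits.append({"user": user, "risk": rule["risk"], "level": rule["level"],
                         "kind": rule["kind"],
                         "actions": tuple(t for t, _ in rule["conditions"] if t)})
    return hits


def analyze_all(users=USERS, permission_level=True):
    return {u: analyze_user(u, permission_level) for u in users}


if __name__ == "__main__":
    for user, hits in analyze_all().items():
        for h in hits:
            print(user, h["risk"], h["level"], h["kind"], h["actions"])
```

Running it flags ALICE for P001, CAROL for both Basis risks and DAVE for the critical action only; BOB is clean at permission level because his vendor role carries the transaction but only the display activity, yet `analyze_user("BOB", permission_level=False)` reports P001, which is exactly the false positive the rules library work on slide 15 is meant to remove.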
  • 19. Informer
Informer allows an appropriate user to access specific reports. In addition to the default report formats, there are specific user-selected focus areas available on many of the reports. Informer tab report types include:
- Management View: view reports of the following types: "Risk Violations", "Users Analysis", "Role Analysis", "Comparisons", "Alerts", "Rules Library", "Controls Library".
- Risk Analysis: performed to see if any User, Role, HR Object or Organization has access to two or more conflicting actions.
- Audit Reports: provides report headings covering different aspects of the enterprise. Each Audit Report menu item contains links to reports that the user may modify to fit their needs.
- Security Reports: provides an access point for reports on every aspect of product and enterprise security compliance issues.
- Background Job: allows SoD conflicts to be analyzed for a large number of Users, Roles, HR Objects or Organizations.
  • 20. Informer
Compliance Calibrator provides interactive visual analysis in the form of bar charts, pie charts and line charts. By clicking on a certain chart area, detailed statistics are accessed.
  • 21. Informer (SAP Compliance Calibrator)
You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels.
  • 22. Mitigation Control
Mitigation Controls: rather than remove the cause of the risk, you may want to control certain risk violations that you want to remain available to specific users, roles, or profiles.
Monitor ID: the ID of the user who is assigned as a Monitor, to whom the specific Controls are assigned.
Where risks are accepted in the system, a mitigating control should be implemented and executed. An example is a supervisory review and sign-off. SAP CC gives you the functionality to document the mitigating controls for each risk. Once documented and assigned to a Monitor, the tool can be used to track execution of the control or non-compliance. Many clients will have separate cross-enterprise process controls software, and we suggest three options for implementation:
1) Simplest option: identify the risk as controlled. The risk is removed from risk reporting.
2) Associate the risk with a mitigating control in an alternate repository, e.g. process control software.
3) Fully document the mitigating control within SAP Compliance Calibrator.
A choice also exists on who is given responsibility for maintaining data in the SAP CC tool. This can be centralized in IT or Controls, or fully distributed to the business.
The Controls Library option lists all the existing Mitigation Controls (active/inactive). The Controls Library displays the Controls by Risk Level, sorted by:
- Risk
- Risk Level (Low, Medium, High)
- Business Unit
- Monitor
- User, Role, Profile, or HR Object
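As an added example (not SAP's code), the following toy risk analysis shows how the rule set, risk types and mitigating controls from slides 17, 18 and 22 fit together: a risk is a combination of functions, a function is a set of transaction codes optionally narrowed to a permission (authorization object, field, value), and an accepted risk with a documented control is reported as mitigated rather than dropped. All rule ids, roles, users, control ids and access data are constructed for illustration; the transaction codes and the S_DEVELOP/ACTVT object are real SAP names used only as sample values.

```python
# Toy Compliance Calibrator-style risk analysis (added example, constructed data).
RISK_LEVELS = ("Low", "Medium", "High", "Critical")

# Constructed rule set: an SoD risk needs every listed function; a critical
# action / critical permission risk has a single function.
RULES = {
    "P001": {"level": "High", "type": "SoD", "functions": ["AP01", "AP02"]},
    "B001": {"level": "Critical", "type": "CriticalAction", "functions": ["FI03"]},
    "S001": {"level": "Critical", "type": "CriticalPermission", "functions": ["BC01"]},
}
FUNCTIONS = {
    "AP01": {"tcodes": {"XK01", "XK02"}},   # maintain vendor master
    "AP02": {"tcodes": {"F110"}},           # vendor payment run
    "FI03": {"tcodes": {"OB52"}},           # open/close posting periods
    # permission-level function: SE38 is fine for display, not for change (ACTVT 02)
    "BC01": {"tcodes": {"SE38"}, "permission": ("S_DEVELOP", "ACTVT", "02")},
}

def function_hit(fn, access):
    """access: list of (tcode, {object: {field: {values}}}) the user's roles grant."""
    spec = FUNCTIONS[fn]
    for tcode, auths in access:
        if tcode not in spec["tcodes"]:
            continue
        if "permission" not in spec:
            return True                      # action-level match is enough
        obj, fld, value = spec["permission"]
        if value in auths.get(obj, {}).get(fld, set()):
            return True                      # the risky field value is granted
    return False

def analyze_user(user, access, controls):
    """Return this user's violations, highest severity first; an accepted risk
    with a documented mitigating control carries the control id."""
    findings = []
    for rid, rule in RULES.items():
        hits = [fn for fn in rule["functions"] if function_hit(fn, access)]
        if len(hits) == len(rule["functions"]):
            findings.append({"risk": rid, "level": rule["level"], "type": rule["type"],
                             "mitigated_by": controls.get((user, rid))})
    return sorted(findings, key=lambda f: -RISK_LEVELS.index(f["level"]))

# Constructed access derived from each user's roles, and one documented control
ACCESS = {
    "JSMITH": [("XK01", {}), ("F110", {}), ("SE38", {"S_DEVELOP": {"ACTVT": {"03"}}})],
    "ABASIS": [("SE38", {"S_DEVELOP": {"ACTVT": {"02", "03"}}}), ("OB52", {})],
}
CONTROLS = {("JSMITH", "P001"): "MC-AP-01"}   # supervisory review, monitor assigned

if __name__ == "__main__":
    for u in ACCESS:
        print(u, analyze_user(u, ACCESS[u], CONTROLS))
```

JSMITH's vendor-maintain/pay conflict is reported as mitigated by MC-AP-01, while ABASIS's change access and posting-period control both surface as unmitigated Critical findings; the display-only SE38 access does not trigger the permission rule.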
  • 23. Alerts Monitor
Compliance Calibrator includes functionality which can alert business and controls leads by email when a critical or conflicting action is executed. Alerts are available within the following risk areas:
- Conflicting and Critical Actions: when a user performs both transactions in an SoD rule or uses a critical transaction.
- Mitigation monitoring: if a Monitor does not execute a control at the specified frequency, an alert is generated which is sent to the Monitor and is visible to the control leads.
- Cleared alerts: when an alert message has been delivered and cleared. Alerts remain as an archived record and can still be tracked and monitored.
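The alert types above are detective rather than preventive: they fire on what users actually executed, not on what they are authorized to do. The following added example (not Compliance Calibrator's code) runs the two rule-based alert checks over a constructed transaction execution log and a constructed control register; the log format, the 30-day pairing window, rule ids, users and control ids are all assumptions of this example.

```python
# Alert generation over an execution log (added example, constructed data).
from datetime import datetime, timedelta

# Constructed SoD rule as two sets of tcodes, and a constructed critical tcode map
SOD_RULES = {"P001": ({"XK01", "XK02"}, {"F110"})}   # maintain vendor + pay vendor
CRITICAL_TCODES = {"OB52": "B001"}                   # open/close posting periods
WINDOW = timedelta(days=30)  # both halves of an SoD rule executed within this span

# Constructed log lines: "<ISO timestamp> <user> <tcode>"
LOG = """\
2024-03-01T09:12:00 JSMITH XK01
2024-03-03T14:05:00 JSMITH F110
2024-03-02T10:00:00 ABASIS OB52
2024-03-04T08:30:00 MJONES F110
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, tcode = line.split()
        events.append((datetime.fromisoformat(ts), user, tcode))
    return events

def conflicting_and_critical_alerts(events):
    """Alert when one user runs tcodes from both functions of an SoD rule
    within WINDOW, or runs any critical tcode at all."""
    alerts, by_user = [], {}
    for ts, user, tcode in events:
        by_user.setdefault(user, []).append((ts, tcode))
        if tcode in CRITICAL_TCODES:
            alerts.append(("CriticalAction", CRITICAL_TCODES[tcode], user))
    for user, runs in by_user.items():
        for rid, (left, right) in SOD_RULES.items():
            lefts = [ts for ts, tc in runs if tc in left]
            rights = [ts for ts, tc in runs if tc in right]
            if any(abs(a - b) <= WINDOW for a in lefts for b in rights):
                alerts.append(("ConflictingAction", rid, user))
    return alerts

def mitigation_alerts(controls, today):
    """controls: {control_id: (monitor, frequency_days, last_executed)}.
    Alert the monitor when a control has not been executed within its frequency."""
    return [(cid, monitor) for cid, (monitor, freq, last) in controls.items()
            if today - last > timedelta(days=freq)]

# Constructed control register: one monthly control is overdue, one quarterly is not
CONTROLS = {"MC-AP-01": ("RBROWN", 30, datetime(2024, 1, 15)),
            "MC-FI-02": ("RBROWN", 90, datetime(2024, 2, 1))}

if __name__ == "__main__":
    print(conflicting_and_critical_alerts(parse_log(LOG)))
    print(mitigation_alerts(CONTROLS, datetime(2024, 3, 5)))
```

MJONES runs only the payment half of the rule and raises nothing, which is the point of pairing: a single transaction is a conflict only in combination.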
  • 24. SAP Compliance Configuration
The Configuration tab is the main starting point for post-installation setup. NOTE: Only a user with administrative authority can access and use this aspect of Compliance Calibrator.
- The Java Connector (JCo) acts as the integration point between the Java application and the SAP system to be monitored/analyzed.
- The User Management Engine provides for out-of-the-box J2EE Administrator profiles to be defined or activated.
- The Rule set upload function is used to load the standard rules or a customized rule set, e.g. critical transaction codes, critical objects etc. These characteristics are the foundations of the SoD rules.
- The Workflow component is used to trigger email alerts to named Process Owners within User Provisioning. It is an integrated part of the Access Enforcer solution.
- Background Job Scheduling is used for activating monitoring, e.g. the frequency of SoD analysis and Risk Violations.
  • 25. SAP Compliance Configuration
[Screenshots: standard GRC ruleset; scheduling risk analysis]
  • 26. Major Activities Walkthrough (SAP Compliance Calibrator)
Activity - Description:
- Install and set up SAP CC: technical installation; core ECC, RFC connections to modules, assembly test.
- Agree security design principles and dependencies with SAP CC: establish design concepts and principles for mapping roles to jobs and users, e.g. one composite role to each user.
- Confirm project governance and high-level processes: agree business owners, Business Approvers, Control Approvers, role maintenance and UP processes. Define security controls.
- Master data and functional set-up; test functionality: agree master data definitions; Organization; Business Process; Risk Descriptions; Monitors and Control Approvers.
- Define risks and configure risk rule set: agree SoD conflicts and critical transactions. Categorise risk (H/M/L). Update risk rule set. Test risks.
- Run risk analysis: run risk analysis in the staging environment, then in the production environment. Export reports and update Risk Logs.
- Remedial actions: identify and remove false positives. Agree whether to accept or reject risks. Plan authorization changes, update security design templates and raise change requests to security maintenance. Re-run risk analysis.
- Mitigate accepted risks: agree mitigating controls for each risk. Agree control owners and business approvers (execution). Update mitigating controls in the tool.
- Update procedures and security controls: update procedures to introduce SAP CC as a preventative control and reflect governance for business ownership.
- Transition to live: train and enable operations staff, business approvers and control owners. Deploy new procedures. Stabilization support.
  • 28. Fire-fighter
The Firefighter application allows a user to take responsibility for tasks outside their normal job function in an emergency situation. It enables users to perform duties not included in the roles or profiles assigned to their user IDs, and provides this extended capability while creating an auditing layer to monitor and record Firefighter usage, so that the activities performed during an emergency situation can be reviewed.
[Diagram: User 1 is assigned Firefighter ID 1, which carries Role 1, Role 2 and Role 3]
Before users can access Firefighter, they must be assigned a Firefighter ID. For each Firefighter ID you define the following roles:
- Owner: can assign Firefighter IDs to Firefighters.
- Controller: receives email notification and reviews the Firefighter Log report.
In addition, the Administrator performs the creation of Firefighter IDs and assigns authorization roles.
  • 29. Process Overview (SAP Firefighter)
[Process flow: Request access to Production -> Approve Request -> Assign Firefighter account -> Update Production -> Review Control Log]
Firefighter enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage. Through automated emergency access administration, Firefighter tracks, monitors, and logs all emergency access activities.
Example: if the employee who normally works with vendor accounting is on vacation or sick leave, another employee who usually verifies invoices may be assigned a Firefighter ID to perform this task temporarily.
Benefits of Firefighter are:
- Avoid business obstructions with faster emergency response
- Reduce audit time
- Reduce time to perform critical tasks
  • 30. Fire-fighter
[Screenshots: Firefighter dashboard; Firefighter Log Report]
  • 32. Access Enforcer
Access Enforcer is a web-based application within J2EE and NetWeaver environments. It is connected to multiple data sources such as an LDAP directory and SAP backend systems. Access Enforcer automates the end-to-end access provisioning approval process by combining roles and permissions with workflow. When a user requests access to resources for which they do not have permission, Access Enforcer automatically forwards the access request to designated managers and approvers within a pre-defined workflow. This workflow is customized to reflect your company policy. Roles and permissions are automatically applied to the enterprise directories when the access requests are approved. Access Enforcer automates the role provisioning process within the identity management environment. It ensures corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.
  • 33. Access Enforcer
Access Enforcer has four task modules for specific usage. They include:
- Requestors: the Requestors module is for end-users who are requesting access to SAP and non-SAP backend systems.
- Approvers: the Approvers module is for approvers who approve access requests. Approvers can also request access for other end-users. Approvers include line managers and IT security.
- Informer: the Informer module is a reporting tool that provides graphical and analytical reports for managers.
- Configuration: the Configuration module is for Access Enforcer Administrators who define defaults, workflow, and other attributes that are based on their corporate business processes and policies.
  • 34. Access Enforcer Module Breakdown
Approver: Access Enforcer provides three standard Approver types. Depending on your organizational hierarchy and process, there may be other Approver types that can be added to Access Enforcer. The standard Approver types are:
- Manager Approver is usually the requestor's manager. The Manager can review and approve their workflow stage during the approval process.
- Role Owner Approver has the authority to approve or reject a request. The Approver can put a request on hold and add additional roles to the request, if necessary. An Approver can only approve or reject requests that they own and cannot approve requests for other approvers unless they are assigned as an alternate approver.
- Security Approver is usually the last approver in a typical workflow. The Security Approver can provision the requested access to the target system.
Requestor: as a Requestor, you use the Requestor module to create various access requests for an SAP backend system, non-SAP system, or other application (server). There are three types of Requestors:
- Department Member: creates individual requests for access permissions or roles, for themselves or for their team members.
- Managers: create requests for roles for their subordinates.
- Approvers: other managers can also create requests.
Informer: Access Enforcer provides the ability to generate various reports for the purpose of viewing and analyzing request approval activities. Reports are divided into two categories:
- Analytical lets you drill down to role change and access permission requests.
- Chart generates a graphical view of the request approval information, which can be used to analyze various activities.
  • 35. Access Enforcer Screenshots
[Screenshots: Request for Approval List, which displays pending requests assigned to you; Request Approver page for a submitted request]
  • 36. Access Enforcer Walkthrough
[Swimlanes: SAP Access Enforcer, Approver]
1. The user makes an access request for a specific application for which they do not have the necessary roles.
2. Access Enforcer provides the Access Request page, which can be set to specific or multiple data sources (e.g. SAP HR system or non-SAP systems) to complete the request process.
3. The user submits the completed Access Request page. This triggers a workflow process, which is made up of several pre-defined approval stages and is customized to reflect the business and security policies and procedures.
4. The Approver receives email notification of the access request at each approval stage, and performs risk analysis and SoD assessments. When a conflict arises, the approver can mitigate the problem or reject the request.
5. Upon approval, the access request is routed to the next stage, which could involve the IT security team for entry to the SAP backend system or application server. Automatic provisioning to the target system could take place.
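The walkthrough above is a preventive control: nothing is provisioned until every stage has approved, and an approver facing an SoD conflict must either record a mitigating control or reject. The following added example (not Access Enforcer's code) models that gating in a small state machine; the stage names, technical role names, rule id and control id are constructed, and the risk check is a deliberately simple role-pair conflict table standing in for the full rule-set analysis.

```python
# Minimal model of a staged access-approval workflow (added example, constructed data).
from dataclasses import dataclass, field

STAGES = ["Manager", "Role Owner", "Security"]   # pre-defined approval stages, in order
# Constructed role-level SoD table: pairs of roles that must not be held together
CONFLICTS = {frozenset({"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"}): "P001"}

@dataclass
class Request:
    requestor: str
    current_roles: set
    requested_roles: set
    stage: int = 0                  # index into STAGES of the approver now acting
    status: str = "Pending"
    mitigations: dict = field(default_factory=dict)   # risk id -> control id
    provisioned: set = field(default_factory=set)

def risk_analysis(req):
    """The approver's SoD check covers existing access plus what is requested."""
    roles = req.current_roles | req.requested_roles
    return [rid for pair, rid in CONFLICTS.items() if pair <= roles]

def approve(req, approver_stage):
    """One approver acts at their own stage. An open (unmitigated) risk blocks
    the stage; the last stage approving triggers provisioning."""
    if req.status != "Pending" or STAGES[req.stage] != approver_stage:
        raise ValueError(f"request is not awaiting the {approver_stage} stage")
    open_risks = [r for r in risk_analysis(req) if r not in req.mitigations]
    if open_risks:
        return ("Blocked", open_risks)           # approver must mitigate or reject
    req.stage += 1
    if req.stage == len(STAGES):
        req.status = "Provisioned"               # automatic provisioning at final stage
        req.provisioned = set(req.requested_roles)
        return ("Provisioned", [])
    return ("Pending", [])

def mitigate(req, risk_id, control_id):
    """Record the mitigating control the approver assigns to an accepted risk."""
    req.mitigations[risk_id] = control_id

def reject(req):
    req.status = "Rejected"
    return req.status

if __name__ == "__main__":
    r = Request("JSMITH", {"Z_AP_VENDOR_MAINT"}, {"Z_AP_PAYMENT_RUN"})
    print(approve(r, "Manager"))                 # blocked by P001
    mitigate(r, "P001", "MC-AP-01")
    for s in STAGES:
        print(s, approve(r, s))
```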
  • 37. Access Enforcer - Benefits
  • 39. Role Expert
Role Expert is a solution for compliant enterprise role management. It allows role owners to define, document, and manage roles across multiple enterprise applications and enforces best practices, resulting in lower ongoing maintenance and effortless knowledge transfer. It automatically analyzes roles for potential security risks (audit and SoD issues), tracks changes, and facilitates approval workflow, eliminating the inefficient back-and-forth exchanges between business managers and IT. Role Expert provides a complete audit trail, covering role definition, detailed change history, and control test results, and allows SAP security administrators and Role Owners to document important role information that can be of great value for better role management, such as:
- Tracking progress during role implementation
- Monitoring the overall quality of the implementation
- Performing risk analysis at role design time
- Setting up a workflow for role approval
- Providing an audit trail for all role modifications
- Maintaining roles after they are generated to keep role information current
  • 40. Role Expert
Role Library: dashboard of all the roles in Role Expert. Displays an interactive graphical interface of the roles broken down by system landscape, role owner, or business process. It also shows the number of roles with violations and the roles belonging to different role types.
Role Designer: provides you with a step-by-step guide for designing roles across your enterprise. Role Designer allows you to define:
- Role Building Methodology
- Naming Conventions
- Role Attributes
- Org. Value Mapping
- Approval Criteria
Org Level: maps the hierarchical structure of the organization, enabling roles to be managed effectively.
Change History: provides you with an audit trail for all the changes made to roles within Role Expert or your SAP system.
Mass Maintenance: allows you to synchronize the SAP back-end systems with Role Expert by importing roles that already exist in the SAP system.