5. Installation (backend system):
• The GRC 10.0 suite runs on AS ABAP 7.02 SP6 or higher
• Add-on “GRCFND_A”
• Add-on “SLL-LEG”
• Add-on “SLL-NFE”
• The Content Lifecycle Management (CLM)
FUJITSU CONFIDENTIAL UNLESS SPECIFIED OTHERWISE
4
6. Frontend:
• The front-end needs a web browser or (optionally) a client installation of the NetWeaver Business Client 3.0 (NWBC)
• The Adobe Flash Player 10 is used for displaying dashboards, e.g. the RM heat map
• SAPGUI 7.10 PL 15 or higher
• The Crystal Reports Adapter (CRA)
8. Components of Access Control
• Access Risk Analysis
• Access Risk Management
• Emergency Access Management
9. Access Risk Analysis?
The Access Risk Analysis (ARA) module is used for preventive and ongoing monitoring of SoD risks, critical transactions and mitigating controls.
ARA life cycle:
11. Action(s)
An activity which is performed in the system in order to fulfil a specific task is called an action in GRC terminology.
In simple words, an activity is an action, and an action means a transaction code (tcode).
For example:
Create Purchase Order – ME22
User master record – SU01
RFC – SM59
12. Function(s)
A grouping of one or more related actions or permissions for a specific business area is called a function.
For example:
Function ID: AO01
Description: APO Supply and demand planning
Business Process: APO
13. Risk(s)
An opportunity for physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a specific condition; functions are the main components of risks.
A risk (access risk) is made up of at least two functions. Risk IDs are system generated.
15. Rule set(s)
A set of rules which identifies SoD conflicts is called a rule set.
There are two types of rule set:
1) Global – provided by SAP
2) User defined
16. How to identify risk?
When we assess a user, role or profile against a given rule set, it identifies SoD conflicts.
This process is called Access Risk Analysis (ARA).
ARA can be run at:
1. User level
2. Role level
3. Profile level
4. HR Object
17. How to run ARA:
1. Log on as a user with appropriate access
2. Run “NWBC” in the command area as illustrated
3. Click on “Access Management”
4. Move to “Access Risk Analysis”
5. Take your desired report
21. How to eliminate the risk?
There are two approaches:
1. Remediation
2. Mitigation
What is remediation?
What is mitigation?
22. Remediate flow:
Start → Run ARA → Analyse SoD report → SoD found?
  No → End
  Yes → Fix → Unavoidable SoD?
    No → End
    Yes → Mitigation
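The terminology above (actions, functions, risks, rule set), the user- and role-level analysis of slide 16 and the remediate/mitigate split of slides 21 and 22, modelled as a small Python script. This is an added example, not code from the deck or from SAP GRC; every function ID, risk ID, role, user, tcode and control ID in it is constructed.

```python
# Added example (not from the slide deck): a minimal model of the GRC terms
# above -- actions (tcodes), functions, risks, rule set -- and an ARA-style
# analysis at role and user level that reports mitigated risks separately.
# Every ID, role, user and tcode below is constructed for illustration.

# Function: a grouping of related actions (tcodes) for one business area.
FUNCTIONS = {
    "PR01": {"ME21", "ME22"},  # maintain purchase orders
    "AP01": {"MIRO", "FB60"},  # post vendor invoices
    "BR01": {"SU01"},          # maintain user master records
    "BR02": {"PFCG"},          # maintain roles
}
# Risk: at least two conflicting functions; the rule set is the collection
# of risks that users, roles or profiles are assessed against.
RULE_SET = {
    "P001": {"PR01", "AP01"},  # create PO and post its invoice
    "B001": {"BR01", "BR02"},  # create a user and grant it roles
}
# Constructed authorization data: roles carry tcodes, users carry roles.
ROLES = {
    "Z_BUYER": {"ME21", "ME22", "ME23N"},
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_SEC_ADMIN": {"SU01", "PFCG"},  # conflicts within a single role
}
USERS = {"JSMITH": {"Z_BUYER", "Z_AP_CLERK"}, "ADMIN1": {"Z_SEC_ADMIN"}}
# Mitigating controls already assigned: (user, risk ID) -> control ID.
MITIGATIONS = {("JSMITH", "P001"): "MC-AP-007"}

def functions_hit(tcodes):
    """Functions for which the tcode set contains at least one action."""
    return {fid for fid, actions in FUNCTIONS.items() if actions & tcodes}

def analyse(tcodes, rule_set=RULE_SET):
    """Risk IDs whose functions are all hit by the given tcodes."""
    hit = functions_hit(tcodes)
    return sorted(rid for rid, funcs in rule_set.items() if funcs <= hit)

def role_level(role):
    """Role-level ARA: analyse the role's own tcodes."""
    return analyse(ROLES[role])

def user_level(user):
    """User-level ARA: union of all assigned roles' tcodes, split into
    open risks (need remediation) and risks already mitigated."""
    tcodes = set().union(*(ROLES[r] for r in USERS[user]))
    report = {"open": [], "mitigated": []}
    for rid in analyse(tcodes):
        report["mitigated" if (user, rid) in MITIGATIONS else "open"].append(rid)
    return report
```

Note that JSMITH's conflict only appears at user level (the two roles are clean on their own), which is why the deck lists user, role and profile level as separate runs.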