Profiling for SAP - Compliance Management, Access Control and Segregation of Duties

Understand

Control Improve

Profiling for SAP® Compliance Management
Access Control and Segregation of Duties
Understand, Optimize and Control your Business and IT

Subject Matter
Profiling for SAP supporting Security Compliance for SAP®

1 Profiling for SAP® Application

2 Access Management and Segregation of Duties

3 Optimization of Authorizations

4 Project Support for SAP Blueprints

SAP® Services Partner delivering expertise for SAP® Solution Manager and SAP
Page  2 NetWeaver® technologies with ASAP, Run SAP and BPM methodologies

Profiling for SAP for Compliance and Access Control

Understand “Profiling your SAP® Solution delivers our
Clients all needed insights to understand,
improve and control their Business and
complex SAP® Landscapes.”

Control Improve Heinz-Jürgen Scherer, CEO TransWare AG


Standard application with tight SAP® integration, high automation
and flexible configuration

PROFILING FOR SAP
APPLICATION

SoD Analysis and the Process for Compliance

1. Extract 2. Define 3. Analyze

Reports
Profiler BI DB Analyzer Dashboards

Predefined set of Risk Rules
 Auditors, IT Security
 Analytic reports and
dashboards
 Authorizations  Define Risk Rules  Conflicts and potential
 Usage (Transactions,  Critical activity groups conflicts of Accounts
Reports, RFC Calls)  Activities conflict matrix and/or Roles, Profiles


Profiling for SAP Product Components

Profiling for SAP application customizing for SoD (configuration)
 Definition of Task groups, specifies a set of tasks with identifiers
 Assignments of critical transactions to task groups
 Risk rules combining Task Groups with Financial Risk Values
 Includes best practice for configuration settings
Analytic Reports (examples)
 Charts plotting risks and SoD issues per e.g. SAP module
 Role Compliance Check: Identifies roles that have SoD conflicts based upon the
underlying transactions
 User Compliance Check: Identifies SoD conflicts in user’s profile
SAP Solution Manager integration (optional)


Profiling for SAP® featuring SAP Compliance Management
Technical, Functional and Processual Analysis and Optimization of SAP

TransWare’s reengineering and optimization solution for SAP®, compliance and
performance assessment and process analysis on any SAP® system or SAP®
Industry Solution highlights process risks in a system review and will lead to
minimized project times with corresponding cost reduction.
The solution reveals the quality of the implementation by analyzing transaction logs,
document types, user authorizations with roles and profiles, SAP® HR info types,
SAP® customizing and object modifications and other configuration items.
It shows the overall picture of customizing and utilization of the current SAP® system
with business related KPIs.
Complex ERP systems are potentially susceptible to segregation of duties (SoD)
issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users
can be counterchecked against the real usage of SAP®. Reporting of the results can
be done per job role, so you know what each role entails in terms of process
activities, SAP® business blueprint process steps, SAP® roles and transactions.


Profiling for SAP® smartly supports the Transition
Phase from As-Is into an optimized SAP® Landscape
As-Is Landscape To-Be Transition Optimize Landscape

Run SAP ASAP Run SAP
Process IT Support Project Methodology Process IT Support

Business Process Compliance
Reengineering Management Management
 Understand  Optimize  Control

Access Control and Segregation of Duty

Technical Functional Processual
Analysis Analysis Analysis

Profiling for SAP® SoD Compliance
Profiling for SAP® SoD Compliance is based on the technical, functional
and processual analysis tool components.


Introduction of an cost efficient compliance management

ACCESS MANAGEMENT AND
SEGREGATION OF DUTIES

Increased Focus on Security and Control

 Corporate scandals and fraud (Enron, Barings Bank, WorldCom, ...)
 Security breaches (UCs, BC, Stanford, ...)
 Regulatory Compliance
• Sarbanes-Oxley (SOX, EuroSOX)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Information Security Management Act of 2002 (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Joint Commission (TJC)


Security Risks, Security Compliance and Internal Controls

Are there any Who has access
 Access Control
SoD
violations?
to sensitive
transactions?
 Do some users have too much access?
 Sufficient access restrictions to private information?
 Control for Segregation of Duties (SoD)
 Every time a user is added ensure his rights are
not in conflict with SoD risk rules
 A user's profile is amended and the change must
not cause any SoD conflict
 Review of the company SoD requirements on a
periodic base

“Internal Controls are processes designed by management to provide reasonable
assurance that the Institute will achieve its objectives.”
(From MIT’s Guidelines For Financial Review and Control)


Profiling for SAP® and SAP® Authorizations
Profiling for SAP combines information from
different data sources like SAP usage, user
authorization and SoD configuration with BI
based reporting for a comprehensive security
analysis.

Actions are subject to authorization checks
that are performed before the start of a
program or table maintenance and mandatory
for the SAP applications :
· Starting SAP transactions
(authorization object S_TCODE)
· Starting reports
(authorization object S_PROGRAM)
· Calling RFC function modules
(authorization object S_RFC)
· Table maintenance with generic tools
(authorization object S_TABU_DIS)


Profiling for SAP® Compliance Management
A Software Solution for SAP Project and Compliance Process Support

 Reduce time and efforts when providing ongoing information to
internal and external auditors
 Remove access or assign mitigating controls
 Used during implementation of new SAP modules and processes or
optimizing SAP systems
 Monitoring transaction and data access based on SAP background job
for 24/7 security and compliance control
 Optionally runs on central SAP Solution Manager to manage complex
SAP landscapes as a non-invasive solution
 Web based BI solution based on a Business Warehouse for
Compliance Management


Profiling for SAP® Compliance Application
A solution for compliance management based on standard software

Profiling is a configurable custom application with integration into SAP that
ensures all user’s authorizations are compliant with the company’s
compliance rules

 Useful during all phases of the deployment lifecycle
 Design – Identify roles, build composite roles based upon team requirements
 Implementation – Test and verify SoD compliance of roles
 Production – Ensure compliance of existing users and roles

 Tight integration within SAP to manage complex SAP Landscapes and
to leverage SAP standards
 Applicable to SAP’s ERP, CRM, SCM and other ECC-based products
 Web based product, non-invasive, non-deployment solution regarding
SAP production systems

Set of Risk Rules based on SoD conflicts and critical actions
Risk
Rules Set  Set of Risk Rules for different business
domains like FI-GL, MM, SAP Basis,
CRM or etc.
SoD Critical  Define SoD rules and critical actions
Rule Actions
and add standard or custom
transactions to the rule set
and
 Define rules on Functional,
Function Function Function Transactional or the most detailed
Authorization-Object level
 Define critical rules with high financial
Transaction Transaction Transaction risks or potential security risks
 Modify predefined configuration with a
set of rules for SoD best practice
Author.- Author.- Author.-
Object Object Object


Procedure for the Definition of SoD Risk Rules on a
Functional Level
1. Define SoD Functions (logical group of tasks)
Define
Functions  Example:
 Function A: – Process Sales Order
 Function B: – Maintain credits master data
2. Assign Transactions to SoD Function
Assign
 Example:
Transactions  Function A – V-01, VA01, VA02, …
 Function B – FD24, FD32, FD37, …
3. Define and Characterize the SoD Functions
with Risk Rules
Define Conflicts  Define a conflict: Function A & Group B
and Risks  Characterize the conflict with financial risk indicators:
• High, Medium, Low
 Exclude Rules from predefined configuration
as N/A for your organization with a description

Examples for SoD Activities and Transaction Groups

Description of Task Groups SAP Transactions
Group A: Process sales orders
Create sales order V-01
Create sales order VA01
Change sales order VA02

Group B: Maintain credit master data
Credit limit changes FD24
Change customer credit management FD32
Credit management mass change FD37
Credit management mass change F.34
Customers: Reset credit limit F.28
Credit Limit Data mass change S_ALR_87009999
Reset Credit Limit for Customers S_ALR_87012220


SoD Conflict Matrix
RISK
Separated
Function POTENTIAL RISK LEVEL
Function
(X, M, H)
User can increase a customer
Maintain credit Process sales credit limit and then process sales
AND M
master data orders orders for that customer leading
to irrecoverable debt.
Maintain User can create a fictitious
Process sales
contract/schedu AND contract and then create sales M
orders
ling agreement orders against that contract.
User can create a fictitious
Customer
Process sales customer and create orders for
master data AND M
orders delivery to them thereby
maintenance
misappropriating goods.
User can create/change sales
Process sales Process outbound
AND orders and deliveries to hide the H
orders deliveries
misappropriation of goods.
User can create sales orders and
Process sales Maintain sales maintain pricing, therefore over-
AND M
orders deal charging customers or giving then
unauthorized discounts.


Critical Transactions and assigned Risks

Transaction Description Risk
FI12 Change House Banks/Bank Accounts Financial Risk

PA30 Maintain HR Master Data Access HR data

SCCL Local Client Copy System stability &
integrity at risk

SE11 Data Dictionary Maintenance System stability &
integrity at risk
PFCG Role Maintenance Security Risk

SM49 Execute OS commands System stability at risk


Excel to define Risk-Rules for Business-Domains


Configuration of Rules

SOD RULES


SoD Rules on Functional Level


SoD Conflict Matrix on Functional Level

X=Financial Risk Exists, M = Medium Risk, H = High Risk


Critical Combinations on Functional Level with Details


SoD Rules and SAP® Authorizations

SAP CONFIGURATION


Roles & Profiles with SoD Transactions included

Shows Transactions used for SoD rules assigned to Authorization Objects
Identify all Authorizations Objects with potential risks.


SoD Conflicts with Risks for specific Composite-Roles

Also available for specific Single-Roles and Profiles


Standard or customized profiles and user assignment

CUSTOMIZED RISKS IN SAP


Potential Risks with Accounts customized in SAP

ALL = ‘*’ in Authorization

16 Conflicts for 21 Accounts

At least one high financial
risk in 485 conflicts for
3 user

X=Financial Risk Exists, M = Medium Risk, H = High Risk

Actual Risks in Execution of SAP


SAP Objects, Usage and Authorizations

SAP USAGE


SAP Modules, used Transactions and Authoritations


Accounts, Authorizations and Transaction Usage


…and many analytic Reports more


Benefits
 Using the same kind of tools used by chartered accountants reduces
service costs for external audit and advisory
 Reduction of project efforts and establishment of SoD compliant
authorizations from the start
 Fully automated SoD analysis reduces TCO for the ongoing security
control process
 Auditors and IT security staff work on functional level even for complex
authorization scenarios
 Avoidance of manual analysis and false positive assessments
 Flexible configuration includes custom “Z” transactions or external
applications like Portals using BAPI or direct RFC calls
 Easy identification of users with access to sensitive data by internal
security teams lowers costs of the compliance process


Slimline authorization management of complex SAP®
landscapes

OPTIMIZATION OF
AUTHORIZATIONS

Slimline your SAP® Authorization Management

 Identify needless access rights by SAP Modules, Accounts, Transactions, …
 Optimize your custom roles by identifying critical roles and access overlap
 Setup segregation of duties by best practice and company compliance

Assigned Role not
relevant for execution
Example Report: of the custom “Y”
YXPROC transaction


Benefits

 Efficient establishment of a tradeoff between Business Requirements and
Company Compliance
 Substantial reduction of project efforts in company compliance initiatives
 Simplification of information access to complex SAP data for company
auditors reduces costs for the compliance process
 Uniformed use of tools by chartered accountants reduces external
audit and advisory services costs
 Allows the handling of complex SAP landscapes with automatic data
retrieval and cross-SAP system analytics
 Automatic monitoring of changes of user authorizations given by
organizational requirements lowers costs for audits and security control


Being compliant from the beginning

PROJECT SUPPORT FOR SAP
BLUEPRINTS

Blueprinting with ASAP and SAP Solution Manager
SAP® Solution Manager (SSM) is the SAP® tool that supports the plan, build
and run aspects of ERP solutions based on SAP® NetWeaver and covers
all needs for ITIL-compliant application lifecycle management (ALM).
SAP® describes ALM by the Run SAP® operational support methodology and
the Accelerate SAP® (ASAP) project methodology. SSM serves as an
interface between technology and business processes.
For SAP solution development like upgrades or implementations, the SAP
solution is consistently documented in SSM by the Blueprint that describes
the business processes and the resulting system configuration.
An important part of the SAP solution development is the configuration of
organizational structures and optimized business and security compliance
requirements.
Profiling for SAP® supports this aspect of SAP ALM to lower development
and maintenance costs and improve process and compliance quality


SAP Blueprint Procedure for Compliant Authorizations
Support ASAP methodology and SAP Solution Manager Projects

Define  Define your functional Task Groups in SAP Solution
Blueprint Manger as Jobs or Org.-Units as End-User-Roles
 Setup the Blueprint Process Structure by Business
Process Management Methodology including
organizational assignments to End-User-Roles
 Assign Transactions manually or use predefined
Analyze Access Reference Models with T-Codes assigned like the SAP
Requirements Business Process Repository (BPR )
 Run Reports to analyze organizational Access
Requirements
 Automatically identify standard SAP right roles or
Define Roles profiles supported
and User Access
 Customize Roles (PCFG) and assign users
 Run analytic reports for SoD compliance and risk
control


SAP Solution Manager for SAP Blueprints
Optimized user authorizations from project start-up

SAP Blueprint with Masterdata,
Org.-Unit Data, Scenarios,
Processes, Process-Steps,
Transactions and Documentation

Assign End-User-
Roles to Process-
Steps, Master-Data or
Organizational-Unit
Data

Process-Steps with
Assigned Transactions


SAP Solution Manager for SAP Blueprints
Export the Blueprint structure for analytic reporting

Cross-Reference
between Objects
(T-Code, Forms,
Reports etc) and
End-User-Roles

SAP Blueprint Structure (SAP Project) Assigned User, Jobs, Org.-Units


Benefits
 Support of SAP Solution Manager improves the SAP Blueprint
business process definition in terms of Compliance and Risk Management
 Synchronize organizational structures, functional access requirements,
business processes and access control for slimline, fine tuned and fully
SoD compliant SAP authorizations
 Leverage SAP tools, methodologies and best practice by a tight SAP
integration with a BI based solution that reduces SAP® project planning
and implementation efforts
 Reduce SAP maintenance efforts by a consistent business process
and security control documentation
 Ensure compliance through SAP improvements like ERP Enhancement
Packages and organizational changes
 Define authorizations on functional level and support setup of technical
roles and profiles.

Solutions by TransWare

TransWare Software Solutions AG
Fritz-Wunderlich-Str. 49
66869 Kusel
Germany

Phone: +49-(0)6381-916-0
Email: info@transware.de
Web: www.transware.de

All product, service and company names mentioned herein are for identification purposes only and may be
trademarks or registered trademarks of their respective owners


Profiling for SAP - Compliance Management, Access Control and Segregation of Duties

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (18)

Ähnlich wie Profiling for SAP - Compliance Management, Access Control and Segregation of Duties

Ähnlich wie Profiling for SAP - Compliance Management, Access Control and Segregation of Duties (20)

Mehr von TransWare AG

Mehr von TransWare AG (8)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Profiling for SAP - Compliance Management, Access Control and Segregation of Duties