Complex ERP systems are potentially susceptible to segregation of duties (SoD) issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users can be counterchecked against the real usage of SAP®
Profiling for SAP - Compliance Management, Access Control and Segregation of Duties
1. Profiling for SAP® Compliance Management
Access Control and Segregation of Duties
Understand, Optimize and Control your Business and IT
[Diagram: Understand, Improve, Control cycle]
2. Subject Matter
Profiling for SAP supporting Security Compliance for SAP®
1 Profiling for SAP® Application
2 Access Management and Segregation of Duties
3 Optimization of Authorizations
4 Project Support for SAP Blueprints
SAP® Services Partner delivering expertise for SAP® Solution Manager and SAP
Page 2 NetWeaver® technologies with ASAP, Run SAP and BPM methodologies
3. Profiling for SAP for Compliance and Access Control
[Diagram: Understand, Improve, Control cycle]
“Profiling your SAP® Solution delivers our Clients all needed insights to understand, improve and control their Business and complex SAP® Landscapes.”
Heinz-Jürgen Scherer, CEO TransWare AG
4. Standard application with tight SAP® integration, high automation and flexible configuration
PROFILING FOR SAP APPLICATION
5. SoD Analysis and the Process for Compliance
1. Extract (Profiler): Authorizations; Usage (Transactions, Reports, RFC Calls)
2. Define (BI DB): Define Risk Rules; Critical activity groups; Activities conflict matrix; Predefined set of Risk Rules
3. Analyze (Analyzer, Reports, Dashboards): Conflicts and potential conflicts of Accounts and/or Roles, Profiles; Analytic reports and dashboards for Auditors, IT Security
6. Profiling for SAP Product Components
Profiling for SAP application customizing for SoD (configuration)
Definition of task groups: each specifies a set of tasks with identifiers
Assignment of critical transactions to task groups
Risk rules combining task groups with financial risk values
Includes best practice for configuration settings
Analytic Reports (examples)
Charts plotting risks and SoD issues per SAP module, for example
Role Compliance Check: identifies roles that have SoD conflicts based upon the underlying transactions
User Compliance Check: identifies SoD conflicts in a user’s profile
SAP Solution Manager integration (optional)
7. Profiling for SAP® featuring SAP Compliance Management
Technical, Functional and Processual Analysis and Optimization of SAP
TransWare’s reengineering and optimization solution for SAP® performs compliance and performance assessment and process analysis on any SAP® system or SAP® Industry Solution; it highlights process risks in a system review and leads to minimized project times with corresponding cost reduction.
The solution reveals the quality of the implementation by analyzing transaction logs,
document types, user authorizations with roles and profiles, SAP® HR info types,
SAP® customizing and object modifications and other configuration items.
It shows the overall picture of customizing and utilization of the current SAP® system
with business related KPIs.
Complex ERP systems are potentially susceptible to segregation of duties (SoD)
issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users
can be counterchecked against the real usage of SAP®. Reporting of the results can
be done per job role, so you know what each role entails in terms of process
activities, SAP® business blueprint process steps, SAP® roles and transactions.
8. Profiling for SAP® smartly supports the Transition Phase from As-Is into an optimized SAP® Landscape
[Diagram, three columns: As-Is Landscape (Run SAP; Process, IT Support; Business Reengineering; Understand) -> To-Be Transition (ASAP Project Methodology; Process Management; Optimize) -> Optimized Landscape (Run SAP; Process, IT Support; Compliance Management; Control)]
Access Control and Segregation of Duty
Technical Analysis, Functional Analysis, Processual Analysis
Profiling for SAP® SoD Compliance
Profiling for SAP® SoD Compliance is based on the technical, functional and processual analysis tool components.
9. Introduction of a cost-efficient compliance management
ACCESS MANAGEMENT AND SEGREGATION OF DUTIES
10. Increased Focus on Security and Control
Corporate scandals and fraud (Enron, Barings Bank, WorldCom, ...)
Security breaches (UCs, BC, Stanford, ...)
Regulatory Compliance
• Sarbanes-Oxley (SOX, EuroSOX)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Information Security Management Act of 2002 (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Joint Commission (TJC)
11. Security Risks, Security Compliance and Internal Controls
Access Control
Are there any SoD violations?
Who has access to sensitive transactions?
Do some users have too much access?
Sufficient access restrictions to private information?
Control for Segregation of Duties (SoD)
Every time a user is added, ensure his rights are not in conflict with SoD risk rules
When a user's profile is amended, the change must not cause any SoD conflict
Review of the company SoD requirements on a periodic basis
“Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives.”
(From MIT’s Guidelines For Financial Review and Control)
12. Profiling for SAP® and SAP® Authorizations
Profiling for SAP combines information from
different data sources like SAP usage, user
authorization and SoD configuration with BI
based reporting for a comprehensive security
analysis.
Actions are subject to authorization checks that are performed before the start of a program or table maintenance and are mandatory for the SAP applications:
· Starting SAP transactions
(authorization object S_TCODE)
· Starting reports
(authorization object S_PROGRAM)
· Calling RFC function modules
(authorization object S_RFC)
· Table maintenance with generic tools
(authorization object S_TABU_DIS)
13. Profiling for SAP® Compliance Management
A Software Solution for SAP Project and Compliance Process Support
Reduce time and efforts when providing ongoing information to
internal and external auditors
Remove access or assign mitigating controls
Used during implementation of new SAP modules and processes or
optimizing SAP systems
Monitoring transaction and data access based on SAP background job
for 24/7 security and compliance control
Optionally runs on central SAP Solution Manager to manage complex
SAP landscapes as a non-invasive solution
Web based BI solution based on a Business Warehouse for
Compliance Management
14. Profiling for SAP® Compliance Application
A solution for compliance management based on standard software
Profiling is a configurable custom application with integration into SAP that ensures all users’ authorizations are compliant with the company’s compliance rules
Useful during all phases of the deployment lifecycle
Design – Identify roles, build composite roles based upon team requirements
Implementation – Test and verify SoD compliance of roles
Production – Ensure compliance of existing users and roles
Tight integration within SAP to manage complex SAP Landscapes and
to leverage SAP standards
Applicable to SAP’s ERP, CRM, SCM and other ECC-based products
Web based product, non-invasive, non-deployment solution regarding
SAP production systems
15. Set of Risk Rules based on SoD conflicts and critical actions
[Diagram: Risk Rule Set -> SoD Rule and Critical Actions -> Function / Transaction / Authorization-Object levels]
Set of Risk Rules for different business domains like FI-GL, MM, SAP Basis, CRM etc.
Define SoD rules and critical actions and add standard or custom transactions to the rule set
Define rules on Functional, Transactional or the most detailed Authorization-Object level
Define critical rules with high financial risks or potential security risks
Modify predefined configuration with a set of rules for SoD best practice
16. Procedure for the Definition of SoD Risk Rules on a Functional Level
1. Define SoD Functions (logical group of tasks)
Example:
Function A – Process Sales Order
Function B – Maintain credits master data
2. Assign Transactions to SoD Function
Example:
Function A – V-01, VA01, VA02, …
Function B – FD24, FD32, FD37, …
3. Define and Characterize the SoD Functions with Risk Rules
Define a conflict: Function A & Group B
Characterize the conflict with financial risk indicators:
• High, Medium, Low
Exclude Rules from predefined configuration as N/A for your organization with a description
17. Examples for SoD Activities and Transaction Groups
Description of Task Groups                     SAP Transactions
Group A: Process sales orders
  Create sales order                           V-01
  Create sales order                           VA01
  Change sales order                           VA02
Group B: Maintain credit master data
  Credit limit changes                         FD24
  Change customer credit management            FD32
  Credit management mass change                FD37
  Credit management mass change                F.34
  Customers: Reset credit limit                F.28
  Credit Limit Data mass change                S_ALR_87009999
  Reset Credit Limit for Customers             S_ALR_87012220
18. SoD Conflict Matrix
Columns: Function | Separated Function | Risk | Potential Risk | Level (X, M, H)
Maintain credit master data AND Process sales orders: User can increase a customer credit limit and then process sales orders for that customer leading to irrecoverable debt. Level: M
Maintain contract/scheduling agreement AND Process sales orders: User can create a fictitious contract and then create sales orders against that contract. Level: M
Customer master data maintenance AND Process sales orders: User can create a fictitious customer and create orders for delivery to them thereby misappropriating goods. Level: M
Process sales orders AND Process outbound deliveries: User can create/change sales orders and deliveries to hide the misappropriation of goods. Level: H
Process sales orders AND Maintain sales deal: User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorized discounts. Level: M
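The three-step procedure (define functions, assign transactions, define conflicts with a risk level) and the conflict matrix can be run as a small rule engine over a user's composite authorizations. The Python below is an added example, not code from the deck or from Profiling for SAP: the two functions "Process sales orders" and "Maintain credit master data" and their transactions are taken from the slides, while the delivery transactions, the role names, the users and the ranking of the risk levels are assumptions. It also expands S_TCODE wildcard values such as '*' (ALL), the case the deck flags for standard profiles, so a role granting 'VA*' counts as reaching every VA transaction in the rule set.

```python
# Added example (not TransWare's code): SoD rule evaluation in the style of the
# slides. Sales-order and credit-master transactions come from the deck; the
# delivery transactions, roles, users, critical-transaction list and the risk
# ranking are constructed assumptions.
from fnmatch import fnmatchcase

# Step 1 + 2: SoD functions (task groups) with their assigned transactions.
FUNCTIONS = {
    "Process sales orders": {"V-01", "VA01", "VA02"},
    "Maintain credit master data": {
        "FD24", "FD32", "FD37", "F.34", "F.28", "S_ALR_87009999", "S_ALR_87012220",
    },
    "Process outbound deliveries": {"VL01N", "VL02N"},  # assumed transactions
}

# Step 3: conflicting function pairs with their risk level (X, M or H).
CONFLICT_RULES = [
    ("Maintain credit master data", "Process sales orders", "M"),
    ("Process sales orders", "Process outbound deliveries", "H"),
]

# Critical single transactions with a risk text (slide 19 style, subset).
CRITICAL_TRANSACTIONS = {"PFCG": "Security Risk", "SM49": "System stability at risk"}

# Roles carry S_TCODE authorization values; '*' stands for ALL, 'VA*' is a pattern.
ROLE_TCODES = {
    "Z_SALES": ["V-01", "VA*"],
    "Z_CREDIT": ["FD24", "FD32", "FD37"],
    "Z_SHIPPING": ["VL01N", "VL02N"],
    "SAP_ALL_LIKE": ["*"],
}
USERS = {"JDOE": ["Z_SALES", "Z_CREDIT"], "ADMIN": ["SAP_ALL_LIKE"], "SALES1": ["Z_SALES"]}

RISK_ORDER = {"X": 1, "M": 2, "H": 3}  # ranking assumed from the legend order


def known_transactions():
    """All transactions the rule set knows about (functions plus critical ones)."""
    universe = set(CRITICAL_TRANSACTIONS)
    for tcodes in FUNCTIONS.values():
        universe |= tcodes
    return universe


def transactions_allowed(tcode_values):
    """Expand S_TCODE values (exact codes or wildcard patterns) against the
    rule-set transactions. fnmatchcase treats '.' literally, so 'F.34' stays exact."""
    return {t for t in known_transactions()
            if any(fnmatchcase(t, pattern) for pattern in tcode_values)}


def functions_reachable(tcodes):
    """A function is reachable if the user can start at least one of its transactions."""
    return {name for name, members in FUNCTIONS.items() if members & tcodes}


def evaluate_user(user):
    """Composite check: union of all role authorizations, then SoD rules and
    critical actions. Returns a plain dict that can be reported or asserted on."""
    values = [v for role in USERS[user] for v in ROLE_TCODES[role]]
    allowed = transactions_allowed(values)
    funcs = functions_reachable(allowed)
    conflicts = [(a, b, risk) for a, b, risk in CONFLICT_RULES if a in funcs and b in funcs]
    critical = sorted((t, CRITICAL_TRANSACTIONS[t]) for t in allowed if t in CRITICAL_TRANSACTIONS)
    highest = max((risk for _, _, risk in conflicts), key=RISK_ORDER.get, default=None)
    return {"user": user, "functions": sorted(funcs), "conflicts": conflicts,
            "critical": critical, "highest_risk": highest}


if __name__ == "__main__":
    for u in USERS:
        print(evaluate_user(u))
```

The check is deliberately run on the composite (all roles of the user together), because a conflict that no single role contains can still arise from the combination, which is why the deck reports conflicts per account as well as per role or profile. Exclusions marked N/A for an organization would simply be dropped from CONFLICT_RULES with the description kept in the configuration.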
19. Critical Transactions and assigned Risks
Transaction   Description                         Risk
FI12          Change House Banks/Bank Accounts    Financial Risk
PA30          Maintain HR Master Data             Access HR data
SCCL          Local Client Copy                   System stability & integrity at risk
SE11          Data Dictionary Maintenance         System stability & integrity at risk
PFCG          Role Maintenance                    Security Risk
SM49          Execute OS commands                 System stability at risk
20. Excel to define Risk-Rules for Business-Domains
21. Configuration of Rules
SOD RULES
22. SoD Rules on Functional Level
23. SoD Conflict Matrix on Functional Level
X=Financial Risk Exists, M = Medium Risk, H = High Risk
24. Critical Combinations on Functional Level with Details
25. SoD Rules and SAP® Authorizations
SAP CONFIGURATION
26. Roles & Profiles with SoD Transactions included
Shows Transactions used for SoD rules assigned to Authorization Objects
Identify all Authorizations Objects with potential risks.
27. SoD Conflicts with Risks for specific Composite-Roles
Also available for specific Single-Roles and Profiles
28. Standard or customized profiles and user assignment
CUSTOMIZED RISKS IN SAP
29. Potential Risks with Accounts customized in SAP
ALL = ‘*’ in Authorization
16 Conflicts for 21 Accounts
At least one high financial risk in 485 conflicts for 3 users
X=Financial Risk Exists, M = Medium Risk, H = High Risk
30. Actual Risks in Execution of SAP
31. SAP Objects, Usage and Authorizations
SAP USAGE
32. SAP Modules, used Transactions and Authorizations
33. Accounts, Authorizations and Transaction Usage
34. …and many more analytic Reports
35. Benefits
Using the same kind of tools used by chartered accountants reduces
service costs for external audit and advisory
Reduction of project efforts and establishment of SoD compliant
authorizations from the start
Fully automated SoD analysis reduces TCO for the ongoing security
control process
Auditors and IT security staff work on functional level even for complex
authorization scenarios
Avoidance of manual analysis and false positive assessments
Flexible configuration includes custom “Z” transactions or external
applications like Portals using BAPI or direct RFC calls
Easy identification of users with access to sensitive data by internal
security teams lowers costs of the compliance process
36. Slimline authorization management of complex SAP®
landscapes
OPTIMIZATION OF
AUTHORIZATIONS
37. Slimline your SAP® Authorization Management
Identify needless access rights by SAP Modules, Accounts, Transactions, …
Optimize your custom roles by identifying critical roles and access overlap
Setup segregation of duties by best practice and company compliance
Example Report: YXPROC – Assigned Role not relevant for execution of the custom “Y” transaction
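The "Assigned Role not relevant for execution" report rests on counterchecking assigned authorizations against real usage, the idea stated on slide 7. The Python below is an added example, not code from the deck or from Profiling for SAP: the roles, users and log lines are constructed, and the one-line usage format (date, user, transaction) is an assumption rather than an SAP log layout. Besides roles whose transactions never appear in the log, it also lists executed transactions that no assigned role covers, since those point to access granted some other way.

```python
# Added example (not TransWare's code): counter-check assigned roles against
# real transaction usage. Roles, users and the log are constructed; the log
# format is an assumption, not an SAP statistics record layout.
from collections import defaultdict

ROLE_TCODES = {
    "Z_SALES": {"VA01", "VA02"},
    "Z_CREDIT": {"FD32"},
    "Y_CUSTOM": {"YXPROC"},  # custom "Y" transaction as on the slide
}
USER_ROLES = {
    "JDOE": ["Z_SALES", "Z_CREDIT", "Y_CUSTOM"],
    "MMUELLER": ["Z_CREDIT"],
}

# Constructed usage log: one executed transaction per line (date user tcode).
USAGE_LOG = """\
2024-03-01 JDOE VA01
2024-03-01 JDOE VA02
2024-03-04 JDOE VA01
2024-03-05 MMUELLER FD32
2024-03-06 MMUELLER SU01
"""


def parse_usage(text):
    """Return {user: {transactions actually started}} from the log text."""
    used = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, user, tcode = line.split()
        used[user].add(tcode)
    return used


def role_usage(user, used):
    """For each assigned role, the transactions of that role the user executed."""
    executed = used.get(user, set())
    return {role: sorted(ROLE_TCODES[role] & executed) for role in USER_ROLES[user]}


def needless_roles(user, used):
    """Roles assigned to the user whose transactions never appear in the log.
    These are review candidates, not automatic removals: the log window may be
    shorter than the business cycle (month-end or year-end tasks)."""
    return sorted(role for role, hits in role_usage(user, used).items() if not hits)


def unauthorized_usage(user, used):
    """Transactions executed but not covered by any assigned role: access must
    come from elsewhere (another profile, a wildcard) and should be reviewed."""
    covered = set().union(*(ROLE_TCODES[r] for r in USER_ROLES[user]))
    return sorted(used.get(user, set()) - covered)


if __name__ == "__main__":
    usage = parse_usage(USAGE_LOG)
    for u in USER_ROLES:
        print(u, "needless:", needless_roles(u, usage), "uncovered:", unauthorized_usage(u, usage))
```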
38. Benefits
Efficient establishment of a tradeoff between Business Requirements and
Company Compliance
Substantial reduction of project efforts in company compliance initiatives
Simplification of information access to complex SAP data for company
auditors reduces costs for the compliance process
Uniform use of tools by chartered accountants reduces external audit and advisory services costs
Allows the handling of complex SAP landscapes with automatic data
retrieval and cross-SAP system analytics
Automatic monitoring of changes of user authorizations given by
organizational requirements lowers costs for audits and security control
39. Being compliant from the beginning
PROJECT SUPPORT FOR SAP
BLUEPRINTS
40. Blueprinting with ASAP and SAP Solution Manager
SAP® Solution Manager (SSM) is the SAP® tool that supports the plan, build
and run aspects of ERP solutions based on SAP® NetWeaver and covers
all needs for ITIL-compliant application lifecycle management (ALM).
SAP® describes ALM by the Run SAP® operational support methodology and
the Accelerate SAP® (ASAP) project methodology. SSM serves as an
interface between technology and business processes.
For SAP solution development like upgrades or implementations, the SAP
solution is consistently documented in SSM by the Blueprint that describes
the business processes and the resulting system configuration.
An important part of the SAP solution development is the configuration of
organizational structures and optimized business and security compliance
requirements.
Profiling for SAP® supports this aspect of SAP ALM to lower development and maintenance costs and improve process and compliance quality.
41. SAP Blueprint Procedure for Compliant Authorizations
Support ASAP methodology and SAP Solution Manager Projects
Define Blueprint
• Define your functional Task Groups in SAP Solution Manager as Jobs or Org.-Units as End-User-Roles
• Setup the Blueprint Process Structure by Business Process Management Methodology including organizational assignments to End-User-Roles
Analyze Access Requirements
• Assign Transactions manually or use predefined Reference Models with T-Codes assigned like the SAP Business Process Repository (BPR)
• Run Reports to analyze organizational Access Requirements
Define Roles and User Access
• Automatically identify standard SAP right roles or profiles supported
• Customize Roles (PFCG) and assign users
• Run analytic reports for SoD compliance and risk control
42. SAP Solution Manager for SAP Blueprints
Optimized user authorizations from project start-up
[Screenshot: SAP Blueprint with Masterdata, Org.-Unit Data, Scenarios, Processes, Process-Steps, Transactions and Documentation; End-User-Roles assigned to Process-Steps, Master-Data or Organizational-Unit Data; Process-Steps with Assigned Transactions]
43. SAP Solution Manager for SAP Blueprints
Export the Blueprint structure for analytic reporting
[Screenshot: SAP Blueprint Structure (SAP Project) with Assigned User, Jobs, Org.-Units; Cross-Reference between Objects (T-Code, Forms, Reports etc.) and End-User-Roles]
44. Benefits
Support of SAP Solution Manager improves the SAP Blueprint
business process definition in terms of Compliance and Risk Management
Synchronize organizational structures, functional access requirements,
business processes and access control for slimline, fine tuned and fully
SoD compliant SAP authorizations
Leverage SAP tools, methodologies and best practice by a tight SAP
integration with a BI based solution that reduces SAP® project planning
and implementation efforts
Reduce SAP maintenance efforts by a consistent business process
and security control documentation
Ensure compliance through SAP improvements like ERP Enhancement
Packages and organizational changes
Define authorizations on functional level and support setup of technical
roles and profiles.
45. Solutions by TransWare
TransWare Software Solutions AG
Fritz-Wunderlich-Str. 49
66869 Kusel
Germany
Phone: +49-(0)6381-916-0
Email: info@transware.de
Web: www.transware.de
All product, service and company names mentioned herein are for identification purposes only and may be
trademarks or registered trademarks of their respective owners