User Maintenance Workflow Application

Workflow application - Automated SOx-Compliant User Maintenance

Published in: Technology


  1. A General Mills Workflow Application: Automated, SOx-Compliant User Maintenance
     Bijay Shrestha / Luis Martins, Nov. 7–10, 2004
  2. Learning Objectives
     - Use of Workflow for SAP user maintenance with real-time Sarbanes-Oxley compliance
       - Business learning
       - Technical learning
  3. About General Mills, Inc.
     - Headquarters in Minneapolis, MN
     - 27,000 employees
     - World's 7th largest food company
     - $12.3 billion in FY04 net sales
     - Marketed in more than 100 countries
  4. Some of our best known brands
  5. SAP at General Mills
     - Implemented R/2 in 1992
     - R/3 Go-Live:
       - Nov 2000 for HR and BW
       - Apr 2001 for ER
     - Current modules:
       - ERP, HR, BW, PLM, SEM-BPS, APO, CFM, Enterprise Portals, CRM (in progress)
  6. SAP landscape at General Mills
  7. Sarbanes-Oxley Act – Section 404
     - Section 404 requires annually:
       - Management (CEO/CFO) responsible for internal controls over financial reporting
       - Management identifies the control framework employed
       - Management makes an assertion regarding the effectiveness of internal controls over financial reporting
       - External auditor attestation of that assertion, as of year-end (separate from the financial statement audit)
  8. Key business drivers/challenges
     - Decentralized administration of SAP Security
     - Different levels of data sensitivity across functions
     - Different role approvers within business functions
     - Multiple levels of approval
     - Email-based request and approval system
     - Complex tracking of user role assignments
     - Complex trail for system audits
     - No real-time prevention of conflicting role assignments
  9. Old Form (Word doc)
  10. Key solution components
     - Users
       - Local Security Administrators (LSA)
       - Role Owners
       - Assertion Coordinators/SOD Approvers
       - IS Security
     - Request types
       - CREATE (may trigger workflow)
       - UPDATE (may trigger workflow)
       - DELETE (sends email to IS Security)
       - DISABLE (sends email to user)
     - User Group management and CUA
       - User maintenance by location
       - Assertion Coordinators/SOD Approvers by location
       - CUA – central distribution of role assignments and key for future web integration
     - Job Roles (no connection to HR Jobs)
  11. Technical details of Workflow
     - Source code maintained in one system
     - 14 tables
     - 1 custom Business Object
     - 1 extended Business Object
     - Table-driven dynamic role resolution
     - HTML-formatted emails
     - Currently used in the ER SAP system (rolling out to BW)
  12. Some numbers
     - 7000+ users
     - 120+ Local Security Administrators
     - 1100+ security roles
     - 900+ requests per month (in ER system)
     - 30 Role Approvers
     - 26 Assertion Coordinators
  13. Benefits/ROI of Workflow Automation
     - 16+ hours a week saved in productivity for full-time central administrators, incl. Role Owners & Local Security Administrators
     - System-based tracking mechanism
     - Integration with the Separation of Duties (SOD) engine from Virsa Systems
     - Identify and fix SOD conflicts while maintaining users vs. fixing them after the fact
     - Backbone for other applications such as the Accounts Payable approval process
     - Better integration / platform for future automation
  14. Demo (custom ZAUTH transaction)
     - Integration with Central User Administration (CUA)
     - Key request types
     - Screen examples
  15. Integration with CUA
     Role assignments are triggered in the CUA child/component systems and committed in the central system via standard SU01 BAPIs/function modules.
         CALL FUNCTION 'BAPI_USER_CREATE1' DESTINATION V_CONNDEST…
         …
         CALL FUNCTION 'BAPI_USER_LOCACTGROUPS_ASSIGN' DESTINATION V_CONNDEST…
  16. Request type CREATE
     Proposed role assignments. What-if analysis for proposed role assignments. Job Roles automatically enter the corresponding security roles in the request.
  17. Job Role selection
     Each job role is composed of two or more security roles. Requestors do not need to know the PFCG role name when setting up user access.
  18. Request type UPDATE
     Current role assignments. CANCELLED or REJECTED requests can be copied and re-submitted after correction. Requests can have a NORMAL or CRITICAL priority.
  19. Real-time detection of SOD conflicts
     Real-time alert regarding SOD conflicts caused by proposed role assignments.
  20. SOD conflicts in submitted request
     Requestor can SUBMIT or CANCEL the request.
  21. SOD conflicts at authorization object level
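The what-if analysis on slides 16 to 21 (job roles expanding to security roles, conflicts evaluated against the user's existing assignments, and drill-down to the authorization objects that cause each conflict) can be prototyped as a small table-driven check. The following is an added example written for this page; it is not code from the General Mills ZAUTH application or from Virsa's SOD engine, and every table in it (job roles, security roles, the authorization-object/activity values and the SOD rule set) is constructed for illustration. It goes slightly beyond the slides in that it also tells a pre-existing conflict apart from one the request would introduce, which is what lets the requestor be alerted only about conflicts the proposed assignments cause.

```python
"""What-if SOD analysis for a proposed user maintenance request.

Added example, not code from the General Mills ZAUTH application or Virsa's
SOD engine. All table contents (job roles, security roles, the
authorization-object/activity values and the SOD rule set) are constructed
for illustration.
"""

# Constructed: job role -> security roles it expands to (slide 17).
JOB_ROLES = {
    "AP_CLERK": ["Z_AP_INVOICE_ENTRY", "Z_AP_DISPLAY"],
    "AP_SUPERVISOR": ["Z_AP_DISPLAY", "Z_AP_PAYMENT_RUN"],
}

# Constructed: security (PFCG) role -> "AUTH_OBJECT:ACTVT" values it grants.
# Activity codes follow the usual SAP ACTVT convention (01 create, 02 change,
# 03 display); the object/activity pairs themselves are illustrative.
ROLE_AUTH_OBJECTS = {
    "Z_AP_DISPLAY": {"F_BKPF_BUK:03"},
    "Z_AP_INVOICE_ENTRY": {"F_BKPF_BUK:01", "F_LFA1_GEN:03"},
    "Z_VENDOR_MASTER_MAINT": {"F_LFA1_GEN:02", "F_LFA1_GEN:03"},
    "Z_AP_PAYMENT_RUN": {"F_REGU_BUK:21", "F_BKPF_BUK:03"},
}

# Constructed SOD rules: two permissions that must not be held by one user.
SOD_RULES = {
    "VENDOR_VS_INVOICE": ("F_LFA1_GEN:02", "F_BKPF_BUK:01"),
    "INVOICE_VS_PAYMENT": ("F_BKPF_BUK:01", "F_REGU_BUK:21"),
}


def expand_job_roles(job_roles):
    """Return the security roles behind the given job roles, in order, deduplicated."""
    roles = []
    for job in job_roles:
        if job not in JOB_ROLES:
            raise ValueError(f"unknown job role {job!r}")
        for role in JOB_ROLES[job]:
            if role not in roles:
                roles.append(role)
    return roles


def permissions(roles):
    """Union of the authorization-object/activity values granted by the roles."""
    return {perm for role in roles for perm in ROLE_AUTH_OBJECTS.get(role, ())}


def granting_roles(roles, perm):
    """Which of the roles grant a given permission (drill-down as on slide 21)."""
    return sorted(r for r in roles if perm in ROLE_AUTH_OBJECTS.get(r, ()))


def what_if(current_roles, proposed_roles=(), proposed_job_roles=()):
    """Evaluate the user's role set after the request and list SOD conflicts.

    Each conflict records whether the request causes it (at least one side is
    granted only by a proposed role) or whether it already existed, so the
    requestor is alerted about new conflicts before submitting.
    """
    proposed = list(proposed_roles) + expand_job_roles(proposed_job_roles)
    after = list(dict.fromkeys(list(current_roles) + proposed))
    before_perms = permissions(current_roles)
    after_perms = permissions(after)
    conflicts = []
    for rule_id, (side_a, side_b) in SOD_RULES.items():
        if side_a in after_perms and side_b in after_perms:
            conflicts.append({
                "rule": rule_id,
                "caused_by_request": not (side_a in before_perms and side_b in before_perms),
                side_a: granting_roles(after, side_a),
                side_b: granting_roles(after, side_b),
            })
    return {"proposed_roles": proposed, "roles_after": after, "conflicts": conflicts}


if __name__ == "__main__":
    # Constructed request: the user already has display access and the LSA
    # proposes the AP_CLERK job role plus vendor master maintenance.
    result = what_if(["Z_AP_DISPLAY"], ["Z_VENDOR_MASTER_MAINT"], ["AP_CLERK"])
    for c in result["conflicts"]:
        print(c["rule"], "new" if c["caused_by_request"] else "pre-existing", c)
```

Because the check works on the union of authorization objects rather than on role names, it catches conflicts that arise only from combining roles the user already holds with the proposed ones, which is the case an email-based approval process tends to miss.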
  22. Confirmation for email & workflow routing
     Confirmation triggers an Outlook email and a work item to higher-level approvers.
  23. Email to Role Owner/Approver
     List of security roles that require approval from the Role Owner(s).
  24. Approver's inbox in Universal Work List (UWL)
     Pending requests from multiple SAP systems.
  25. Approver's inbox in Business Workplace (SBWP)
     Execution of the work item opens a screen with the security request data.
  26. APPROVED request – Role Owner
     A request in APPROVED status with pending SOD conflicts triggers an Outlook email and a work item to the higher-level approver – the Assertion Coordinator.
  27. Email to Assertion Coordinator (SOD Approver)
     List of SOD conflicts that require approval from the Business Assertion Coordinator/SOD Approver.
  28. SOD Approval – Assertion Coordinator
     Request can be APPROVED or REJECTED.
  29. COMPLETED request – Assertion Coordinator
     Confirmation of completed request.
  30. Confirmation email to initiator (COMPLETED)
  31. Request type DELETE
     Requestor must provide a reason for deleting a user ID.
  32. Substitution rule in request type DELETE
     A substitution user ID is required for users with pending work items.
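Slides 18 and 22 to 32 describe the approval routing: the requestor confirms, each affected Role Owner gets a work item, a request whose role owners all approved but which still carries SOD conflicts is escalated to the Assertion Coordinator for the user's location, cancelled or rejected requests can be copied for re-submission, and a DELETE needs a reason plus a substitute when work items are pending. The following added example models that routing as a small state machine; it is not the ZAUTH workflow's own code. The role-owner and SOD-approver tables and the sample request are constructed, and where the real application created SAP work items and Outlook emails this prototype only records a notification entry.

```python
"""Approval routing for a user maintenance request (slides 18, 22 to 32).

Added example, not the ZAUTH workflow's own code. The role-owner and
SOD-approver tables and the sample request are constructed; the real
application resolved approvers from custom tables and created SAP work items
plus Outlook emails, which this prototype only records as notifications.
"""
from dataclasses import dataclass, field

# Constructed routing tables: security role -> role owner, location -> SOD approver.
ROLE_OWNERS = {
    "Z_AP_INVOICE_ENTRY": "owner.ap",
    "Z_AP_DISPLAY": "owner.ap",
    "Z_VENDOR_MASTER_MAINT": "owner.vendor",
}
SOD_APPROVERS = {"MINNEAPOLIS": "coord.mpls", "TORONTO": "coord.tor"}


@dataclass
class Request:
    req_id: str
    requestor: str          # the Local Security Administrator who raised it
    user_id: str
    location: str
    proposed_roles: list
    sod_conflicts: list     # rule ids reported by the what-if check
    priority: str = "NORMAL"
    status: str = "NEW"
    pending: dict = field(default_factory=dict)     # approver -> items awaiting decision
    notifications: list = field(default_factory=list)
    history: list = field(default_factory=list)     # audit trail: (action, actor)


def submit(req):
    """Requestor confirms: route one work item per role owner."""
    if req.status != "NEW":
        raise ValueError(f"request {req.req_id} already {req.status}")
    if req.priority not in ("NORMAL", "CRITICAL"):
        raise ValueError(f"invalid priority {req.priority!r}")
    unknown = [r for r in req.proposed_roles if r not in ROLE_OWNERS]
    if unknown:
        raise ValueError(f"no role owner resolved for {unknown}")
    for role in req.proposed_roles:
        req.pending.setdefault(ROLE_OWNERS[role], []).append(role)
    req.status = "SUBMITTED"
    req.history.append(("SUBMIT", req.requestor))
    req.notifications.extend((owner, "ROLE_APPROVAL") for owner in req.pending)
    return list(req.pending)


def cancel(req, actor):
    """Only the requestor may cancel, and only while the request is still open."""
    if actor != req.requestor or req.status in ("COMPLETED", "REJECTED", "CANCELLED"):
        raise PermissionError("only the requestor may cancel an open request")
    req.status, req.pending = "CANCELLED", {}
    req.history.append(("CANCEL", actor))
    return req.status


def decide(req, approver, approved):
    """Record an approver's decision; only approvers holding a pending item may act."""
    if approver not in req.pending:
        raise PermissionError(f"{approver} has no pending work item on {req.req_id}")
    req.history.append(("APPROVE" if approved else "REJECT", approver))
    if not approved:
        req.status, req.pending = "REJECTED", {}
        return req.status
    del req.pending[approver]
    if req.pending:
        return req.status            # wait for the remaining role owners
    return _advance(req)


def _advance(req):
    """All role owners approved: escalate to the SOD approver if conflicts remain."""
    if req.status == "SUBMITTED":
        req.status = "APPROVED"
        if req.sod_conflicts:
            coordinator = SOD_APPROVERS[req.location]
            req.pending = {coordinator: list(req.sod_conflicts)}
            req.notifications.append((coordinator, "SOD_APPROVAL"))
            return req.status
    req.status = "COMPLETED"
    req.notifications.append((req.requestor, "COMPLETED"))
    return req.status


def copy_for_resubmission(req, new_id):
    """CANCELLED or REJECTED requests can be copied, corrected and re-submitted."""
    if req.status not in ("CANCELLED", "REJECTED"):
        raise ValueError("only cancelled or rejected requests can be copied")
    return Request(new_id, req.requestor, req.user_id, req.location,
                   list(req.proposed_roles), list(req.sod_conflicts), req.priority)


def validate_delete(reason, has_pending_work_items, substitute=None):
    """DELETE needs a reason, and a substitute user ID if work items are pending."""
    if not reason or not reason.strip():
        raise ValueError("a reason is required to delete a user ID")
    if has_pending_work_items and not substitute:
        raise ValueError("substitution user ID required: user has pending work items")
    return True
```

The `history` list is the system-based audit trail the presentation contrasts with email threads: every SUBMIT, APPROVE, REJECT and CANCEL is recorded with its actor, and `decide` refuses any actor who does not hold a pending work item, so an approval cannot be entered on someone else's behalf.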
  33. Reporting & system-based tracking/auditing
     Requests can be tracked using several search criteria.
  34. Reporting & system-based tracking/auditing (cont.)
  35. Project timeline & resources
     - 3 ABAP developers (incl. 1 Technical Consultant)
     - 1 Workflow developer
     - 1 IS Security Analyst
     - Phase 1 – June 2003 to November 2003
     - Phase 2 (SOD project) – July 2004 to October 2004
  36. Key lessons
     - Start with a prototype system
     - Get input from end-users before and after major milestones
     - Communicate frequently about enhancements and technical limitations
     - Plan for future integration
     - Be generous with the time allocated for testing
  37. Session Code: 312