Building a GRC System for SAP

Alexey Yudin
Head of the DBs and Business Applications Security Department
Positive Technologies

PHDays III
Plan

― Another three-letter acronym: GRC
― GRC market
― Access Control
― Fraud Management
― SAP authorization concept
― How to build an access control mechanism in SAP
― How to build an SoD check mechanism in SAP
― Fraud schemes in SAP MM
― Conclusions: to buy, to build or …?
GRC

Governance: top management sets the company's goals and wants to control them.
Risk Management: a company identifies risks for the business and wants to avoid them.
Compliance: inner and outer controls, regulations and laws that a company must obey.

An integrated approach used by corporations to act in accordance with the guidelines set for each category. Governance, risk management and compliance (GRC) is not a single activity, but rather a firm-wide approach to achieving high standards in all three overlapping categories.
What does business really want?

Governance: to make money
Risk management: to save money
Compliance: to save money
Russian companies are interested in

― Detecting unauthorized access to critical business actions
― Detecting segregation of duties violations
― Detecting fraudulent actions
― IdM integration and automated access control
SAP GRC components

― Risk Management
― Access Control
― Process Control
― Fraud Management

The most demanded part of SAP GRC: Access Control
Possible approaches

1. Deploy one of the existing solutions (SAP GRC for SAP ERP)
• High price
• Long-term implementation
• High IT operations cost
• Too complicated
• Needs much customization

2. Build your own solution
• Needs development from scratch
GRC implementation process

― Analyze critical business processes
― Assess business actions
― Develop an SoD matrix with possible violations
― Create and redesign roles (remove unnecessary roles)
― Map business actions to roles
― Check current usage of roles
― Find users with SoD violations
― Minimize the number of SoD violations
― Control role modifications
― Develop and automate the user access process
SAP terminology

― SAP Transaction is the execution of a program. The normal way of executing ABAP code in the SAP system is by entering a transaction code (for instance, PA30 is the transaction code for "Maintain HR Master Data").
― Authorization objects are composed of a group of fields that are combined with AND. These fields' values are used in the authorization check. For example, authorization object S_TCODE has one field, TCD (transaction code).
― Authorization is a definition of an authorization object, that is, a combination of permissible values in each authorization field of the authorization object. For example, authorization S_TCODE: TCD=SE16.
Business Processes in SAP

[Diagram: a Business Process consists of Business Action 1 and Business Action 2; each business action is executed through an authorization (Authorization 1, Authorization 2).]
SOD in SAP

[Diagram: Business Action 1 is executed through Authorization 1 and Authorization 2, Business Action 2 through Authorization 3 and Authorization 4; holding both business actions is an SoD conflict.]
Where to find an SoD matrix

― ISACA - Security, Audit and Control Features SAP ERP, 3rd Edition
― Australian National Office - SAP ECC 6.0 Security and Control
― http://scn.sap.com
― Google :)
SAP MM

― purchasing,
― goods receiving,
― material storage,
― consumption-based planning,
― inventory.
How to build a control mechanism

Module | Action                | Transaction | Role 1 / Profile 1 / User 1 | Role N / Profile N / User 1
MM     | Create Purchase Order | ME21, ME21N | Z_Role_1                    | Z_Role_N

― Create an XL table with critical actions
― Run the check on a regular basis
• Report RSUSR070
• Transaction SUIM
― Compare the results in XL
SOD in purchasing

Create an SoD matrix based on particular business processes

                             | Purchasing Document Creator | Purchasing Document Approver
Purchasing Document Creator  |                             | X
Purchasing Document Approver | X                           |
How to build a SOD check mechanism

― Create an XL table based on the SoD matrix

SOD Name | Action 1 | Transaction (Action 1) | Action 2 | Transaction (Action 2) | Role/Profile/User
CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD | Create Purchase Order | ME21, ME21N, ME25, ME27, ME31 | Create Vendor Master Record | FK01, MK01, XK01 |
How to build a SOD check mechanism

― Run the roles check on a regular basis
• Report RSUSR070
• Transaction SUIM
― Compare the results in XL
How to build a SOD check mechanism

― Run the users check on a regular basis
• Report RSUSR002
• Transaction SUIM
― Compare the results in XL
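The critical-actions check (the "How to build a control mechanism" slide) and the SoD check (the three "How to build a SOD check mechanism" slides) are the same comparison done in Excel: transactions granted per role, roles held per user, against a table of business actions. The script below is an added example, not code from the talk or from Positive Technologies; it performs that comparison over constructed stand-ins for the role-to-transaction data (what report RSUSR070 / transaction SUIM shows) and the user-to-role data (report RSUSR002). The role names, user names and export layout are assumptions; the transaction codes are those from the slides.

```python
"""
Added example (not from the talk): critical-action and SoD checks in code.
ROLE_TCODES stands in for an RSUSR070 export (role -> S_TCODE values) and
USER_ROLES for an RSUSR002 export (user -> assigned roles). Both are
constructed; the role and user names are invented.
"""

# Business actions in SAP terms: action name -> transaction codes that
# execute it (codes as listed on the slides).
ACTIONS = {
    "Create Purchase Order": {"ME21", "ME21N", "ME25", "ME27", "ME31"},
    "Create Vendor Master Record": {"FK01", "MK01", "XK01"},
}

# Critical-actions table: actions that must be controlled on their own.
CRITICAL_ACTIONS = {"Create Purchase Order"}

# SoD matrix as (name, action 1, action 2) rows, as in the slide's table.
SOD_MATRIX = [
    ("CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD",
     "Create Purchase Order", "Create Vendor Master Record"),
]

# Constructed stand-in for an RSUSR070 export: role -> transaction codes.
ROLE_TCODES = {
    "Z_MM_BUYER": {"ME21N", "ME23N"},
    "Z_FI_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_MM_ALL": {"ME21", "ME21N", "XK01", "MIGO"},
    "Z_DISPLAY_ONLY": {"ME23N", "FK03"},
}

# Constructed stand-in for an RSUSR002 export: user -> assigned roles.
USER_ROLES = {
    "USER_A": {"Z_MM_BUYER"},
    "USER_B": {"Z_MM_BUYER", "Z_FI_VENDOR_MAINT"},
    "USER_C": {"Z_MM_ALL"},
    "USER_D": {"Z_DISPLAY_ONLY"},
}


def actions_of_tcodes(tcodes):
    """Map a set of transaction codes back to the business actions they execute."""
    return {name for name, codes in ACTIONS.items() if codes & tcodes}


def user_tcodes(user):
    """Union of the transaction codes granted through all roles of a user."""
    tcodes = set()
    for role in USER_ROLES.get(user, ()):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def critical_action_report():
    """Roles and users that hold a critical action: {action: {"roles": [...], "users": [...]}}."""
    report = {}
    for action in sorted(CRITICAL_ACTIONS):
        roles = sorted(r for r, t in ROLE_TCODES.items() if action in actions_of_tcodes(t))
        users = sorted(u for u in USER_ROLES if action in actions_of_tcodes(user_tcodes(u)))
        report[action] = {"roles": roles, "users": users}
    return report


def sod_violations(holder_tcodes):
    """Names of SoD conflicts present in one set of transaction codes (a role's or a user's)."""
    held = actions_of_tcodes(holder_tcodes)
    return [name for name, a1, a2 in SOD_MATRIX if a1 in held and a2 in held]


def sod_report():
    """Roles and users that violate the SoD matrix: {"roles": {...}, "users": {...}}.

    A user is checked on the union of all assigned roles, so two individually
    clean roles can still combine into a conflict.
    """
    roles = {r: v for r, t in ROLE_TCODES.items() if (v := sod_violations(t))}
    users = {u: v for u in USER_ROLES if (v := sod_violations(user_tcodes(u)))}
    return {"roles": roles, "users": users}


if __name__ == "__main__":
    for action, hit in critical_action_report().items():
        print(f"critical action {action!r}: roles {hit['roles']}, users {hit['users']}")
    rep = sod_report()
    print("roles with SoD conflicts:", rep["roles"])
    print("users with SoD conflicts:", rep["users"])
```

In the constructed data USER_B holds two roles that are each clean but together grant both conflicting actions, which is exactly the case the per-user check on the last slide exists for; the per-role check alone only catches Z_MM_ALL.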
Max Patrol: now

― Helps to analyze roles and authorization profiles
― Monitors users with critical administrative privileges
― Regular control of roles assigned to users
― Regular control of role modifications (creating, updating and removing roles)
Max Patrol: near future

― Create customer-specific business actions
― Map roles to business actions
― Automatically find matches between roles and business action rules
― Automation in creating and controlling users and roles that violate the SoD matrix
― Check usage of roles and transactions
Fraudulent activity in purchasing

― Purchasing without a purchase requisition
― Abuse of one-time vendor accounts
How to build a fraud check mechanism

― Build a possible fraud scheme
― Divide the scheme into separate actions
― Describe each action in SAP terms
― Go to the logs and get all users who performed the actions
― Analyze which users performed a sequence of actions that matches the fraud scheme
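The five steps above are one procedure, so here is one added example that runs it end to end; it is not code from the talk. A fraud scheme is written down as an ordered list of actions, each action as the SAP transaction codes that execute it, and a per-user scan of log lines looks for the actions in that order within a time window. The scheme (one user creates a vendor master record and then a purchase order against it), the window length, the log layout and the log lines are all constructed for the example; only the transaction codes come from the slides.

```python
"""
Added example (not from the talk): the fraud-check procedure in code.
The log format "timestamp;user;transaction" is an assumption, not an SAP
log layout, and every line of LOG is constructed.
"""
from datetime import datetime, timedelta

# Step 3: each action described in SAP terms (transaction codes from the talk).
ACTIONS = {
    "Create Vendor Master Record": {"FK01", "MK01", "XK01"},
    "Create Purchase Order": {"ME21", "ME21N", "ME25", "ME27", "ME31"},
}

# Steps 1 and 2: a possible scheme, divided into ordered actions, plus the
# window within which the whole sequence must occur (assumed value).
SCHEME = {
    "name": "vendor created and then used by the same user",
    "steps": ["Create Vendor Master Record", "Create Purchase Order"],
    "window": timedelta(days=7),
}

# Step 4: constructed log lines (not a real SAP log export).
LOG = """\
2013-05-20T09:02:00;USER_B;FK01
2013-05-20T09:40:00;USER_A;ME21N
2013-05-21T14:15:00;USER_B;ME21N
2013-05-21T15:00:00;USER_C;XK01
2013-06-10T10:00:00;USER_C;ME21
2013-05-22T11:30:00;USER_D;ME23N
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, tcode) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tcode = line.split(";")
        rows.append((datetime.fromisoformat(ts), user, tcode))
    return sorted(rows)


def action_of(tcode):
    """Business action a transaction code belongs to, or None if it is outside the scheme."""
    for name, codes in ACTIONS.items():
        if tcode in codes:
            return name
    return None


def find_matches(rows, scheme):
    """Step 5: users whose actions contain the scheme's steps, in order, within the window.

    Returns {user: [(timestamp, tcode), ...]} with the matched events per user.
    Every occurrence of the first step is tried as a starting point.
    """
    by_user = {}
    for ts, user, tcode in rows:
        by_user.setdefault(user, []).append((ts, tcode))

    steps = scheme["steps"]
    matches = {}
    for user, events in by_user.items():
        for start in range(len(events)):
            if action_of(events[start][1]) != steps[0]:
                continue
            deadline = events[start][0] + scheme["window"]
            matched = [events[start]]
            for ts, tcode in events[start + 1:]:
                if ts > deadline:
                    break  # the window for this starting point has expired
                if action_of(tcode) == steps[len(matched)]:
                    matched.append((ts, tcode))
                    if len(matched) == len(steps):
                        break
            if len(matched) == len(steps):
                matches[user] = matched
                break
    return matches


def suspicious_users():
    """Run the constructed log against the scheme."""
    return find_matches(parse_log(LOG), SCHEME)


if __name__ == "__main__":
    for user, events in suspicious_users().items():
        print(f"{user}: {SCHEME['name']}: {[(t.isoformat(), c) for t, c in events]}")
```

USER_C performs both actions but three weeks apart, so the window excludes the match; whether that is the right window is a judgement about the business process, not something the script can decide.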
One-time vendor (OTV) payments

― SAP provides one-time vendor functionality to reduce administration of the vendor master file by paying infrequent vendors through a one-time vendor account.
― The use of the one-time vendor function bypasses the typical vendor master file authorization and review controls and may be used to process unauthorized payments.
How to control OTV payments?

― Periodically review one-time vendor payments.
• The vendor line item report RFKEPL00, transaction code S_ALR_87012103, is the best report for viewing one-time vendor payments.
• Payments can also be viewed through the Purchasing Overview by Vendor report.
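The slide says to review OTV payments periodically but not what to look for; the following added example (not from the talk) applies two review rules to a constructed export of vendor line items, the kind of data the RFKEPL00 report shows. Both rules are assumptions for the example: a payee paid repeatedly through the OTV account is not an infrequent vendor and should have its own master record with the usual controls, and a single OTV payment above a limit deserves a look. The column layout, the OTV account number, the limits and every line item are constructed.

```python
"""
Added example (not from the talk): a periodic review of one-time vendor
payments over a constructed line-item export. Columns, account numbers,
payees, bank identifiers, limits and amounts are all invented.
"""
from collections import defaultdict
from datetime import date

# Constructed export, one line per vendor line item:
# document;posting date;vendor account;payee name;payee bank account;amount
LINE_ITEMS = """\
5100000001;2013-05-02;OTV01;Ivanov Consulting;BANK-0001;1200.00
5100000002;2013-05-03;100234;Regular Supplier Ltd;BANK-0099;8800.00
5100000003;2013-05-09;OTV01;Ivanov Consulting;BANK-0001;1150.00
5100000004;2013-05-15;OTV01;Petrov Services;BANK-0002;95000.00
5100000005;2013-05-21;OTV01;Ivanov Consulting;BANK-0001;1300.00
5100000006;2013-05-23;OTV01;Sidorov Cleaning;BANK-0003;400.00
"""

ONE_TIME_VENDOR_ACCOUNTS = {"OTV01"}  # assumed OTV account number(s)
REPEAT_LIMIT = 2                      # more OTV payments than this to one bank account
SINGLE_PAYMENT_LIMIT = 50000.0        # one OTV payment above this amount


def parse_line_items(text):
    """Parse the constructed export into dicts, one per line item."""
    items = []
    for line in text.splitlines():
        if not line.strip():
            continue
        doc, posted, account, payee, bank, amount = line.split(";")
        items.append({
            "doc": doc,
            "date": date.fromisoformat(posted),
            "account": account,
            "payee": payee,
            "bank": bank,
            "amount": float(amount),
        })
    return items


def otv_items(items):
    """Only the line items posted to a one-time vendor account."""
    return [i for i in items if i["account"] in ONE_TIME_VENDOR_ACCOUNTS]


def review_otv_payments(items):
    """Apply both review rules.

    Returns {"repeat_payees": {bank account: [documents]}, "large_payments": [documents]}.
    Grouping is by bank account rather than payee name because the name on an
    OTV item is free text and can vary between postings.
    """
    by_bank = defaultdict(list)
    large = []
    for item in otv_items(items):
        by_bank[item["bank"]].append(item["doc"])
        if item["amount"] > SINGLE_PAYMENT_LIMIT:
            large.append(item["doc"])
    repeats = {bank: docs for bank, docs in by_bank.items() if len(docs) > REPEAT_LIMIT}
    return {"repeat_payees": repeats, "large_payments": large}


if __name__ == "__main__":
    result = review_otv_payments(parse_line_items(LINE_ITEMS))
    for bank, docs in result["repeat_payees"].items():
        print(f"bank account {bank} paid {len(docs)} times via OTV: {docs}")
    print("large OTV payments:", result["large_payments"])
```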
Best Practices

― Focus on prevention
― Automate as many controls as possible
― Automate the flow of manual controls
― Identify business actions that produce risks when executed by one person
― Perform risk analysis before committing and approving changes to access controls
― SoD risk identification and remediation should be performed automatically across multiple ERP environments and instances
― Automate user provisioning and changes
― Control real transaction and role usage
Conclusions

― GRC is an information security trend
― The most demanded GRC features:
• Critical actions control
• SoD violation control
• Fraud control
― It is possible to build a GRC system that satisfies top management without large-scale deployments.