Profiling for SAP - Compliance Management, Access Control and Segregation of Duties

Complex ERP systems are potentially susceptible to segregation of duties (SoD) issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users can be counterchecked against the real usage of SAP®


  1. Understand, Control, Improve. Profiling for SAP® Compliance Management: Access Control and Segregation of Duties. Understand, Optimize and Control your Business and IT.
  2. Subject Matter: Profiling for SAP supporting Security Compliance for SAP®.
     1 Profiling for SAP® Application
     2 Access Management and Segregation of Duties
     3 Optimization of Authorizations
     4 Project Support for SAP Blueprints
     (Slide footer: SAP® Services Partner delivering expertise for SAP® Solution Manager and SAP NetWeaver® technologies with ASAP, Run SAP and BPM methodologies)
  3. Profiling for SAP for Compliance and Access Control. Understand, Control, Improve. “Profiling your SAP® Solution delivers our Clients all needed insights to understand, improve and control their Business and complex SAP® Landscapes.” Heinz-Jürgen Scherer, CEO TransWare AG
  4. Profiling for SAP Application: Standard application with tight SAP® integration, high automation and flexible configuration.
  5. SoD Analysis and the Process for Compliance.
     1. Extract: Authorizations; Usage (Transactions, Reports, RFC Calls).
     2. Define (Profiler, DB): Predefined set of Risk Rules; Define Risk Rules; Critical activity groups; Activities conflict matrix.
     3. Analyze (BI Analyzer, Reports, Dashboards): Auditors, IT Security; Analytic reports and dashboards; Conflicts and potential conflicts of Accounts and/or Roles, Profiles.
  6. Profiling for SAP Product Components.
     Profiling for SAP application customizing for SoD (configuration): Definition of Task Groups, each specifying a set of tasks with identifiers; Assignment of critical transactions to Task Groups; Risk Rules combining Task Groups with Financial Risk Values; Includes best practice for configuration settings.
     Analytic Reports (examples): Charts plotting risks and SoD issues per e.g. SAP module; Role Compliance Check: identifies roles that have SoD conflicts based upon the underlying transactions; User Compliance Check: identifies SoD conflicts in a user’s profile.
     SAP Solution Manager integration (optional).
  7. Profiling for SAP® featuring SAP Compliance Management: Technical, Functional and Processual Analysis and Optimization of SAP. TransWare’s reengineering and optimization solution for SAP®, with compliance and performance assessment and process analysis on any SAP® system or SAP® Industry Solution, highlights process risks in a system review and leads to minimized project times with corresponding cost reduction. The solution reveals the quality of the implementation by analyzing transaction logs, document types, user authorizations with roles and profiles, SAP® HR info types, SAP® customizing and object modifications and other configuration items. It shows the overall picture of customizing and utilization of the current SAP® system with business related KPIs. Complex ERP systems are potentially susceptible to segregation of duties (SoD) issues. By means of Profiling for SAP®, the desired responsibilities of SAP® users can be counterchecked against the real usage of SAP®. Reporting of the results can be done per job role, so you know what each role entails in terms of process activities, SAP® business blueprint process steps, SAP® roles and transactions.
  8. Profiling for SAP® smartly supports the Transition Phase from As-Is into an optimized SAP® Landscape. Diagram: As-Is Landscape (Run SAP: Process Compliance Management, IT Support Management) → Transition (ASAP Project Methodology: Business Process Reengineering; Understand, Optimize, Control) → To-Be optimized Landscape (Run SAP: Process Compliance Management, IT Support Management). Access Control and Segregation of Duty rest on three analysis components: Technical Analysis, Functional Analysis, Processual Analysis. Profiling for SAP® SoD Compliance is based on the technical, functional and processual analysis tool components.
  9. Access Management and Segregation of Duties: Introduction of a cost efficient compliance management.
  10. Increased Focus on Security and Control. Corporate scandals and fraud (Enron, Barings Bank, WorldCom, ...). Security breaches (UCs, BC, Stanford, ...). Regulatory Compliance:
     • Sarbanes-Oxley (SOX, EuroSOX)
     • Family Educational Rights and Privacy Act (FERPA)
     • Federal Information Security Management Act of 2002 (FISMA)
     • Gramm-Leach-Bliley Act (GLBA)
     • Health Insurance Portability and Accountability Act (HIPAA)
     • Joint Commission (TJC)
  11. Security Risks, Security Compliance and Internal Controls.
     Access Control: Are there any SoD violations? Who has access to sensitive transactions? Do some users have too much access? Are there sufficient access restrictions to private information?
     Control for Segregation of Duties (SoD): Every time a user is added, ensure his rights are not in conflict with the SoD risk rules; when a user’s profile is amended, the change must not cause any SoD conflict; review the company SoD requirements on a periodic basis.
     “Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives.” (From MIT’s Guidelines For Financial Review and Control)
  12. Profiling for SAP® and SAP® Authorizations. Profiling for SAP combines information from different data sources, such as SAP usage, user authorizations and SoD configuration, with BI based reporting for a comprehensive security analysis. Actions are subject to authorization checks that are performed before the start of a program or table maintenance and are mandatory for the SAP applications:
     · Starting SAP transactions (authorization object S_TCODE)
     · Starting reports (authorization object S_PROGRAM)
     · Calling RFC function modules (authorization object S_RFC)
     · Table maintenance with generic tools (authorization object S_TABU_DIS)
  13. Profiling for SAP® Compliance Management: A Software Solution for SAP Project and Compliance Process Support.
     Reduce time and effort when providing ongoing information to internal and external auditors.
     Remove access or assign mitigating controls.
     Used during implementation of new SAP modules and processes or when optimizing SAP systems.
     Monitoring of transaction and data access based on an SAP background job for 24/7 security and compliance control.
     Optionally runs on a central SAP Solution Manager to manage complex SAP landscapes as a non-invasive solution.
     Web based BI solution based on a Business Warehouse for Compliance Management.
  14. Profiling for SAP® Compliance Application: A solution for compliance management based on standard software. Profiling is a configurable custom application with integration into SAP that ensures all users’ authorizations are compliant with the company’s compliance rules. Useful during all phases of the deployment lifecycle:
     Design – Identify roles, build composite roles based upon team requirements
     Implementation – Test and verify SoD compliance of roles
     Production – Ensure compliance of existing users and roles
     Tight integration within SAP to manage complex SAP landscapes and to leverage SAP standards. Applicable to SAP’s ERP, CRM, SCM and other ECC-based products. Web based product; non-invasive, no deployment required on SAP production systems.
  15. Set of Risk Rules based on SoD conflicts and critical actions.
     Risk Rules Set: Set of Risk Rules for different business domains like FI-GL, MM, SAP Basis, CRM etc.; Define SoD rules and critical actions and add standard or custom transactions to the rule set; Define rules on Functional, Transactional or the most detailed Authorization-Object level; Define critical rules with high financial risks or potential security risks; Modify the predefined configuration, which ships with a set of rules for SoD best practice.
     Diagram: Risk Rule Set → SoD Rules and Critical Actions → Functions → Transactions → Authorization Objects.
  16. Procedure for the Definition of SoD Risk Rules on a Functional Level.
     1. Define SoD Functions (logical groups of tasks). Example: Function A – Process Sales Order; Function B – Maintain credit master data.
     2. Assign Transactions to SoD Functions. Example: Function A – V-01, VA01, VA02, …; Function B – FD24, FD32, FD37, …
     3. Define and Characterize the SoD Functions with Risk Rules (Define Conflicts and Risks). Define a conflict: Function A & Function B. Characterize the conflict with financial risk indicators: High, Medium, Low. Exclude rules from the predefined configuration as N/A for your organization, with a description.
  17. Examples for SoD Activities and Transaction Groups (Description of Task Groups – SAP Transactions).
     Group A: Process sales orders
       Create sales order – V-01
       Create sales order – VA01
       Change sales order – VA02
     Group B: Maintain credit master data
       Credit limit changes – FD24
       Change customer credit management – FD32
       Credit management mass change – FD37
       Credit management mass change – F.34
       Customers: Reset credit limit – F.28
       Credit Limit Data mass change – S_ALR_87009999
       Reset Credit Limit for Customers – S_ALR_87012220
  18. SoD Conflict Matrix (Function AND Separated Function – Potential Risk – Risk Level X, M, H).
     Maintain credit master data AND Process sales orders – User can increase a customer credit limit and then process sales orders for that customer, leading to irrecoverable debt. – M
     Process sales orders AND Maintain contract/scheduling agreement – User can create a fictitious contract and then create sales orders against that contract. – M
     Process sales orders AND Customer master data maintenance – User can create a fictitious customer and create orders for delivery to them, thereby misappropriating goods. – M
     Process sales orders AND Process outbound deliveries – User can create/change sales orders and deliveries to hide the misappropriation of goods. – H
     Process sales orders AND Maintain sales deal – User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorized discounts. – M
  19. Critical Transactions and assigned Risks (Transaction – Description – Risk).
     FI12 – Change House Banks/Bank Accounts – Financial Risk
     PA30 – Maintain HR Master Data – Access HR data
     SCCL – Local Client Copy – System stability & integrity at risk
     SE11 – Data Dictionary Maintenance – System stability & integrity at risk
     PFCG – Role Maintenance – Security Risk
     SM49 – Execute OS commands – System stability at risk
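The rule model of slides 16 to 19, plus the Role Compliance Check, User Compliance Check and the "check before adding a user or role" control of slides 6 and 11, as an added example written for this page; it is not TransWare's or SAP's code. The functions, transactions, conflict rules and critical transactions are the ones listed on the slides; the roles, user assignments and the VL01N/VL02N transactions for "Process outbound deliveries" are constructed assumptions. Roles are modelled as the S_TCODE values they grant, so the '*' value flagged on slide 29 is handled as an SAP wildcard:

```python
"""SoD rule engine: functions (task groups) carry transactions, conflict rules pair
two functions with a risk level, critical transactions carry their own risk.
Added example, not part of the original slides."""
from fnmatch import fnmatchcase

# Steps 1 + 2: SoD functions and their transactions (Groups A and B from the slides).
# "Process outbound deliveries" appears in the conflict matrix without transactions;
# VL01N/VL02N are an assumption made here for illustration.
FUNCTIONS = {
    "Process sales orders": {"V-01", "VA01", "VA02"},
    "Maintain credit master data": {"FD24", "FD32", "FD37", "F.34", "F.28",
                                    "S_ALR_87009999", "S_ALR_87012220"},
    "Process outbound deliveries": {"VL01N", "VL02N"},  # assumption, not from the slides
}

# Step 3: conflict rules, characterised with the financial risk indicator (X, M, H).
CONFLICTS = [
    ("Process sales orders", "Maintain credit master data", "M"),
    ("Process sales orders", "Process outbound deliveries", "H"),
]

# Critical transactions with the risk named on slide 19.
CRITICAL = {
    "FI12": "Financial Risk",
    "PA30": "Access HR data",
    "SCCL": "System stability & integrity at risk",
    "SE11": "System stability & integrity at risk",
    "PFCG": "Security Risk",
    "SM49": "System stability at risk",
}

# Constructed sample roles: each role is the list of S_TCODE (field TCD) values it
# grants. '*' is the "ALL" value that slide 29 flags as a customized risk.
ROLES = {
    "Z_SD_CLERK": ["VA01", "VA02", "V-01"],
    "Z_FI_CREDIT": ["FD24", "FD32", "FD37"],
    "Z_SD_WIDE": ["V*"],        # wildcard: reaches sales orders AND deliveries
    "Z_ALL_TCODES": ["*"],      # '*' in S_TCODE: every transaction
}
USERS = {  # constructed sample user-to-role assignments
    "ALICE": ["Z_SD_CLERK"],
    "BOB": ["Z_SD_CLERK", "Z_FI_CREDIT"],
    "CAROL": ["Z_SD_WIDE"],
    "DAVE": ["Z_ALL_TCODES"],
}

# All transactions the rules know about; wildcards are expanded against this set.
ALL_TCODES = set().union(*FUNCTIONS.values()) | set(CRITICAL)
RISK_ORDER = {"X": 0, "M": 1, "H": 2}


def expand_tcodes(tcd_values, universe=ALL_TCODES):
    """Expand S_TCODE values (literal or with '*' wildcards) to concrete transactions."""
    return {t for t in universe if any(fnmatchcase(t, pat) for pat in tcd_values)}


def functions_covered(tcodes):
    """Functions reachable with the given transactions (functional level)."""
    return {f for f, txs in FUNCTIONS.items() if tcodes & txs}


def sod_conflicts(tcodes):
    """Conflict rules whose two functions are both reachable: sorted (func, func, risk)."""
    covered = functions_covered(tcodes)
    return sorted(rule for rule in CONFLICTS if rule[0] in covered and rule[1] in covered)


def critical_access(tcodes):
    """Critical transactions contained in the set, mapped to their risk."""
    return {t: CRITICAL[t] for t in sorted(tcodes & set(CRITICAL))}


def highest_risk(conflicts):
    """Highest risk indicator among the conflicts, or None when there are none."""
    return max((c[2] for c in conflicts), key=RISK_ORDER.get, default=None)


def role_compliance_check(role):
    """Role Compliance Check: SoD conflicts and critical access within one role."""
    tcodes = expand_tcodes(ROLES[role])
    conflicts = sod_conflicts(tcodes)
    return {"conflicts": conflicts, "critical": critical_access(tcodes),
            "highest_risk": highest_risk(conflicts)}


def user_tcodes(roles):
    """Union of everything the given roles grant (the user's effective profile)."""
    return set().union(*(expand_tcodes(ROLES[r]) for r in roles))


def user_compliance_check(user):
    """User Compliance Check: conflicts across all roles assigned to the user."""
    tcodes = user_tcodes(USERS[user])
    conflicts = sod_conflicts(tcodes)
    return {"conflicts": conflicts, "critical": critical_access(tcodes),
            "highest_risk": highest_risk(conflicts)}


def new_conflicts_if_assigned(user, role):
    """Preventive check before adding a role: conflicts the assignment would introduce."""
    before = set(sod_conflicts(user_tcodes(USERS[user])))
    after = set(sod_conflicts(user_tcodes(USERS[user] + [role])))
    return sorted(after - before)


if __name__ == "__main__":
    for u in USERS:
        print(u, user_compliance_check(u))
    print("ALICE + Z_FI_CREDIT:", new_conflicts_if_assigned("ALICE", "Z_FI_CREDIT"))
```

Two points the output makes visible: a conflict only becomes a user-level finding once the user's roles are combined (BOB is clean per role and conflicting per user), and a single wildcard value such as V* or * reaches whole functions at once, which is why the slides report the '*' accounts separately.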
  20. Excel sheet to define Risk Rules for Business Domains (screenshot).
  21. Configuration of Rules: SoD Rules (screenshot).
  22. SoD Rules on Functional Level (screenshot).
  23. SoD Conflict Matrix on Functional Level (screenshot). X = Financial Risk Exists, M = Medium Risk, H = High Risk.
  24. Critical Combinations on Functional Level with Details (screenshot).
  25. SoD Rules and SAP® Authorizations: SAP Configuration.
  26. Roles & Profiles with SoD Transactions included (screenshot). Shows the transactions used for SoD rules assigned to Authorization Objects, and identifies all Authorization Objects with potential risks.
  27. SoD Conflicts with Risks for specific Composite Roles (screenshot). Also available for specific Single Roles and Profiles.
  28. Standard or customized profiles and user assignment: Customized Risks in SAP.
  29. Potential Risks with Accounts customized in SAP (screenshot). ALL = ‘*’ in Authorization. 16 Conflicts for 21 Accounts. At least one high financial risk in 485 conflicts for 3 users. X = Financial Risk Exists, M = Medium Risk, H = High Risk.
  30. Actual Risks in Execution of SAP (screenshot).
  31. SAP Objects, Usage and Authorizations: SAP Usage.
  32. SAP Modules, used Transactions and Authorizations (screenshot).
  33. Accounts, Authorizations and Transaction Usage (screenshot).
  34. …and many more analytic reports.
  35. Benefits.
     Using the same kind of tools used by chartered accountants reduces service costs for external audit and advisory.
     Reduction of project effort and establishment of SoD compliant authorizations from the start.
     Fully automated SoD analysis reduces TCO for the ongoing security control process.
     Auditors and IT security staff work on the functional level even for complex authorization scenarios.
     Avoidance of manual analysis and false positive assessments.
     Flexible configuration includes custom “Z” transactions or external applications like Portals using BAPI or direct RFC calls.
     Easy identification of users with access to sensitive data by internal security teams lowers the costs of the compliance process.
  36. Slimline authorization management of complex SAP® landscapes: Optimization of Authorizations.
  37. Slimline your SAP® Authorization Management.
     Identify needless access rights by SAP Modules, Accounts, Transactions, …
     Optimize your custom roles by identifying critical roles and access overlap.
     Set up segregation of duties by best practice and company compliance.
     Example Report: Assigned Role not relevant for execution of the custom “Y” transaction YXPROC.
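The countercheck of granted authorizations against real usage that slides 7, 30 and 37 describe (roles assigned but never exercised, and whether an SoD conflict is only potential or was actually executed), as an added example for this page; it is not TransWare's product code. The two task groups and their transactions are Groups A and B from slide 17; the roles, user assignments, the ME21N purchasing transaction and the usage records are constructed assumptions standing in for what an authorization and usage extract would deliver:

```python
"""Authorization-versus-usage reconciliation. Added example, not part of the slides."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Groups A and B from slide 17, reduced to their transactions.
FUNCTIONS = {
    "Process sales orders": {"V-01", "VA01", "VA02"},
    "Maintain credit master data": {"FD24", "FD32", "FD37", "F.34", "F.28",
                                    "S_ALR_87009999", "S_ALR_87012220"},
}
CONFLICT = ("Process sales orders", "Maintain credit master data")  # risk level M on slide 18

# Constructed roles (S_TCODE values, '*' is the SAP wildcard) and user assignments.
# ME21N stands in for a purchasing transaction and is an assumption, not from the slides.
ROLES = {
    "Z_SD_CLERK": ["VA01", "VA02", "V-01"],
    "Z_FI_CREDIT": ["FD*"],
    "Z_MM_BUYER": ["ME21N"],
}
USERS = {
    "ALICE": ["Z_SD_CLERK", "Z_FI_CREDIT"],
    "BOB": ["Z_SD_CLERK", "Z_FI_CREDIT"],
    "CAROL": ["Z_SD_CLERK", "Z_MM_BUYER"],
}

# Constructed usage extract: one "date user transaction" record per started transaction.
USAGE_LOG = """\
2024-03-01 ALICE VA01
2024-03-01 ALICE VA02
2024-03-02 BOB VA01
2024-03-02 BOB FD32
2024-03-03 CAROL VA01
2024-03-03 CAROL VA01
"""


def parse_usage(log):
    """Map each user to the set of transactions they actually started."""
    used = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _date, user, tcode = line.split()
        used[user].add(tcode)
    return dict(used)


def _matches(tcode, patterns):
    """True if the transaction is covered by any S_TCODE value (wildcards included)."""
    return any(fnmatchcase(tcode, p) for p in patterns)


def unused_roles(user, used):
    """Roles assigned to the user that none of the executed transactions needed:
    the "assigned role not relevant for execution" finding of slide 37."""
    executed = used.get(user, set())
    return sorted(r for r in USERS[user]
                  if not any(_matches(t, ROLES[r]) for t in executed))


def authorized_functions(user):
    """Functions reachable through the user's roles (wildcards expanded per function)."""
    patterns = [p for r in USERS[user] for p in ROLES[r]]
    return {f for f, txs in FUNCTIONS.items() if any(_matches(t, patterns) for t in txs)}


def executed_functions(user, used):
    """Functions the user actually exercised in the period."""
    return {f for f, txs in FUNCTIONS.items() if txs & used.get(user, set())}


def conflict_status(user, used):
    """'actual' if both conflicting functions were executed, 'potential' if the user is
    only authorized for both, 'none' if the user cannot reach both."""
    a, b = CONFLICT
    auth = authorized_functions(user)
    if not (a in auth and b in auth):
        return "none"
    done = executed_functions(user, used)
    return "actual" if a in done and b in done else "potential"


def usage_report(log=USAGE_LOG):
    """Per user: roles that could be removed, and the status of the SoD conflict."""
    used = parse_usage(log)
    return {u: {"unused_roles": unused_roles(u, used), "sod": conflict_status(u, used)}
            for u in USERS}


if __name__ == "__main__":
    for user, finding in usage_report().items():
        print(user, finding)
```

Separating "potential" from "actual" is what lets a reviewer prioritise: ALICE's conflict can be removed by dropping the role she never used, while BOB's executed both sides and needs a mitigating control or a review of the posted documents.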
  38. Benefits.
     Efficient establishment of a tradeoff between Business Requirements and Company Compliance.
     Substantial reduction of project effort in company compliance initiatives.
     Simplified information access to complex SAP data for company auditors reduces costs for the compliance process.
     Uniform use of tools by chartered accountants reduces external audit and advisory service costs.
     Allows the handling of complex SAP landscapes with automatic data retrieval and cross-SAP-system analytics.
     Automatic monitoring of changes to user authorizations driven by organizational requirements lowers costs for audits and security control.
  39. Being compliant from the beginning: Project Support for SAP Blueprints.
  40. Blueprinting with ASAP and SAP Solution Manager. SAP® Solution Manager (SSM) is the SAP® tool that supports the plan, build and run aspects of ERP solutions based on SAP® NetWeaver and covers all needs for ITIL-compliant application lifecycle management (ALM). SAP® describes ALM by the Run SAP® operational support methodology and the Accelerated SAP® (ASAP) project methodology. SSM serves as an interface between technology and business processes. For SAP solution development like upgrades or implementations, the SAP solution is consistently documented in SSM by the Blueprint, which describes the business processes and the resulting system configuration. An important part of SAP solution development is the configuration of organizational structures and optimized business and security compliance requirements. Profiling for SAP® supports this aspect of SAP ALM to lower development and maintenance costs and improve process and compliance quality.
  41. SAP Blueprint Procedure for Compliant Authorizations: Support for the ASAP methodology and SAP Solution Manager projects.
     Define Blueprint: Define your functional Task Groups in SAP Solution Manager as Jobs or Org.-Units as End-User-Roles. Set up the Blueprint Process Structure by Business Process Management methodology, including organizational assignments to End-User-Roles. Assign Transactions manually or use predefined Reference Models with T-Codes assigned, like the SAP Business Process Repository (BPR).
     Analyze Access Requirements: Run Reports to analyze organizational Access Requirements. Automatically identify the right standard SAP roles or profiles supported.
     Define Roles and User Access: Customize Roles (PFCG) and assign users. Run analytic reports for SoD compliance and risk control.
  42. SAP Solution Manager for SAP Blueprints: Optimized user authorizations from project start-up. SAP Blueprint with Master Data, Org.-Unit Data, Scenarios, Processes, Process Steps, Transactions and Documentation. Assign End-User-Roles to Process Steps, Master Data or Organizational-Unit Data. Process Steps with assigned Transactions.
  43. SAP Solution Manager for SAP Blueprints: Export the Blueprint structure for analytic reporting. Cross-reference between Objects (T-Code, Forms, Reports etc.) and End-User-Roles. SAP Blueprint Structure (SAP Project). Assigned Users, Jobs, Org.-Units.
  44. Benefits.
     Support of SAP Solution Manager improves the SAP Blueprint business process definition in terms of Compliance and Risk Management.
     Synchronize organizational structures, functional access requirements, business processes and access control for slimline, fine tuned and fully SoD compliant SAP authorizations.
     Leverage SAP tools, methodologies and best practice through tight SAP integration with a BI based solution that reduces SAP® project planning and implementation effort.
     Reduce SAP maintenance effort through consistent business process and security control documentation.
     Ensure compliance through SAP improvements like ERP Enhancement Packages and organizational changes.
     Define authorizations on the functional level and support the setup of technical roles and profiles.
  45. Solutions by TransWare. TransWare Software Solutions AG, Fritz-Wunderlich-Str. 49, 66869 Kusel, Germany. Phone: +49-(0)6381-916-0. Email: info@transware.de. Web: www.transware.de. All product, service and company names mentioned herein are for identification purposes only and may be trademarks or registered trademarks of their respective owners.
