
Alexey Yudin. Building a GRC System for SAP

1. Building a GRC System for SAP
Alexey Yudin, Head of the DBs and Business Applications Security Department, Positive Technologies
PHDays III

2. Plan
― Another three-letter acronym: GRC
― GRC market
― Access Control
― Fraud Management
― SAP authorization concept
― How to build an access control mechanism in SAP
― How to build an SoD check mechanism in SAP
― Fraud schemes in SAP MM
― Conclusions: to buy, to build or ...?

3. GRC intro
4. GRC
― Governance: top management sets the company's goals and wants to control them.
― Risk Management: the company identifies risks to the business and wants to avoid them.
― Compliance: internal and external controls, regulations and laws that the company must obey.
An integrated approach used by corporations to act in accordance with the guidelines set for each category. Governance, risk management and compliance (GRC) is not a single activity, but rather a firm-wide approach to achieving high standards in all three overlapping categories.

5. What does business really want?
― Governance: to make money
― Risk management: to save money
― Compliance: to save money

6. Russian companies are interested in
― Detecting unauthorized access to critical business actions
― Detecting segregation of duties (SoD) violations
― Detecting fraudulent actions
― IdM integration and automated access control
7. GRC market leaders

8. GRC market leaders
― ERP vendors' solutions
• SAP
• Oracle
― GRC vendors' solutions
• EMC-RSA
• Protiviti
• MetricStream
• SAS
• Software AG
• ...

9. SAP GRC components
― Risk Management
― Access Control
― Process Control
― Fraud Management
The most demanded part of SAP GRC: Access Control

10. Possible approaches
1. Deploy one of the existing solutions (SAP GRC for SAP ERP)
• High price
• Long implementation
• High IT operations cost
• Too complicated
• Needs a lot of customization
2. Build your own solution
• Needs development from scratch

11. GRC implementation process
― Analyze critical business processes
― Assess business actions
― Develop an SoD matrix with the possible violations
― Create and redesign roles (remove unnecessary roles)
― Map business actions to roles
― Check current usage of roles
― Find users with SoD violations
― Minimize the number of SoD violations
― Control role modifications
― Develop and automate the user access process
12. SAP terminology
― An SAP transaction is the execution of a program. The normal way of executing ABAP code in the SAP system is by entering a transaction code (for instance, PA30 is the transaction code for "Maintain HR Master Data").
― Authorization objects are composed of groups of fields that are combined with AND: an authorization check passes only if the values of all fields are permitted. For example, authorization object S_TCODE has one field, TCD (transaction code).
― An authorization is an instance of an authorization object, that is, a combination of permissible values for each authorization field of the object. For example, authorization S_TCODE: TCD=SE16.
13. Business Processes in SAP (diagram): a Business Process is made up of Business Action 1 and Business Action 2; each business action is backed by the authorizations it needs (Authorization 1, Authorization 2).

14. SoD in SAP (diagram): Business Action 1 (Authorization 1, Authorization 2) and Business Action 2 (Authorization 3, Authorization 4); one user holding the authorizations for both actions is the SoD conflict.

15. Where to find an SoD matrix
― ISACA, Security, Audit and Control Features SAP ERP, 3rd Edition
― Australian National Audit Office, SAP ECC 6.0 Security and Control
― Google :)
16. SAP MM
― purchasing,
― goods receiving,
― material storage,
― consumption-based planning,
― inventory.

17. Procurement cycle overview (figure)

18. Purchasing activities (figure)

19. Critical actions in purchasing
― MM01 – Create Material
― MK01 – Create Vendor
― ME01 – Maintain Source List
― MD11 – Create Planned Order
― ME51N – Create Purchase Requisition
― ME41 – Create RFQ
― ME21N – Create PO
― MIRO – Enter Invoice
20. How to build a control mechanism

Module | Action                | Transaction | Role 1 / Profile 1 / User 1 | ... | Role N / Profile N / User 1
MM     | Create Purchase Order | ME21, ME21N | Z_Role_1                    | ... | Z_Role_N

― Create an XL table with the critical actions
― Run the check on a regular basis
• Report RSUSR070 (roles by complex selection criteria)
• Transaction SUIM
― Compare the results in XL

21. XL example (figure)
22. SoD in purchasing
Create an SoD matrix based on the particular business processes:

                             | Purchasing Document Creator | Purchasing Document Approver
Purchasing Document Creator  |                             | X
Purchasing Document Approver | X                           |

23. How to build an SoD check mechanism
― Create an XL table based on the SoD matrix:

SoD name                                              | Action 1              | Transaction (Action 1)        | Action 2                    | Transaction (Action 2) | Role / Profile / User
CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD   | Create Purchase Order | ME21, ME21N, ME25, ME27, ME31 | Create Vendor Master Record | FK01, MK01, XK01       |

24. How to build an SoD check mechanism
― Run the roles check on a regular basis
• Report RSUSR070 (roles by complex selection criteria)
• Transaction SUIM
― Compare the results in XL

25. How to build an SoD check mechanism
― Run the users check on a regular basis
• Report RSUSR002 (users by complex selection criteria)
• Transaction SUIM
― Compare the results in XL
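The "compare in XL" step of slides 20 and 23-25 is where a home-built check usually goes wrong: S_TCODE values in a role are not only single transaction codes but also intervals and generic values with a trailing asterisk (slide 12), so a plain lookup of "ME21N" in the exported column misses a role that carries "ME2*". The following is an added example, not code from the talk or from Positive Technologies, that implements both checks over constructed sample data shaped like an RSUSR070 / RSUSR002 export; the role and user names, the constructed TCD values, and the function names are illustrative assumptions.

```python
"""Home-built critical-action and SoD check over exported SAP authorization data.

Constructed sample data (not a real export): per role, the S_TCODE/TCD values as
RSUSR070 or SUIM would list them, and the user-to-role assignments RSUSR002 would
list. A TCD value is an exact code ("ME21N"), an interval ("MK01:MK03"), a generic
value with a trailing asterisk ("ME2*"), or "*" (everything).
"""

ROLE_TCODES = {
    "Z_MM_BUYER": ["ME21N", "ME51N", "ME41"],
    "Z_MM_VENDOR_MAINT": ["MK01", "XK01"],
    "Z_MM_DISPLAY": ["ME23N", "MK03"],
    "Z_MM_POWER": ["ME2*", "MK01:MK03"],   # generic value + interval: invisible to an exact XL lookup
    "Z_BASIS_ALL": ["*"],
}
USER_ROLES = {
    "buyer1": ["Z_MM_BUYER"],
    "buyer2": ["Z_MM_BUYER", "Z_MM_VENDOR_MAINT"],
    "auditor": ["Z_MM_DISPLAY"],
    "poweruser": ["Z_MM_POWER"],
    "basis": ["Z_BASIS_ALL"],
}

# Critical business actions and the transactions that perform them (slides 20 and 23).
ACTIONS = {
    "Create Purchase Order": ["ME21", "ME21N", "ME25", "ME27", "ME31"],
    "Create Vendor Master Record": ["FK01", "MK01", "XK01"],
    "Create Purchase Requisition": ["ME51N"],
}
# SoD matrix as a list of conflicting action pairs (one row of the slide 23 table).
SOD_MATRIX = [("Create Purchase Order", "Create Vendor Master Record")]


def tcode_matches(value: str, tcode: str) -> bool:
    """Does one S_TCODE TCD authorization value grant this transaction code?"""
    if value == "*":
        return True
    if ":" in value:                       # interval: from-value to to-value, compared as strings
        low, high = value.split(":", 1)
        return low <= tcode <= high
    if value.endswith("*"):                # generic value: prefix match
        return tcode.startswith(value[:-1])
    return value == tcode


def role_grants(role: str, tcode: str) -> bool:
    return any(tcode_matches(v, tcode) for v in ROLE_TCODES.get(role, []))


def user_actions(user: str) -> dict:
    """Critical actions the user can start, with (role, transaction) pairs as evidence."""
    found = {}
    for role in USER_ROLES.get(user, []):
        for action, tcodes in ACTIONS.items():
            for tcode in tcodes:
                if role_grants(role, tcode):
                    found.setdefault(action, set()).add((role, tcode))
    return found


def critical_action_report() -> dict:
    """Slide 20: which users can execute each critical action."""
    return {action: sorted(u for u in USER_ROLES if action in user_actions(u))
            for action in ACTIONS}


def sod_violations() -> list:
    """Slides 23-25: users who hold both sides of an SoD pair, with the granting roles."""
    violations = []
    for user in USER_ROLES:
        acts = user_actions(user)
        for left, right in SOD_MATRIX:
            if left in acts and right in acts:
                violations.append((user, left, right, sorted(acts[left] | acts[right])))
    return violations


if __name__ == "__main__":
    for action, users in critical_action_report().items():
        print(f"{action}: {', '.join(users)}")
    for user, left, right, evidence in sod_violations():
        print(f"SoD violation: {user} can '{left}' and '{right}' via {evidence}")
```

Two caveats a practitioner would add before relying on this: S_TCODE only says whether a transaction can be started, so the real check must also compare the module-specific authorization objects behind each action (the talk's "describe each action in SAP terms"), and the export must include authorizations inherited through composite roles and profiles, not just directly assigned single roles.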
26. MaxPatrol: now
― Helps to analyze roles and authorization profiles
― Monitors users with critical administrative privileges
― Regular control of the roles assigned to users
― Regular control of role modifications (creating, updating and removing roles)

27. MaxPatrol: near future
― Define customer-specific business actions
― Map roles to business actions
― Automatically find matches between roles and business action rules
― Automated detection and control of users and roles that violate the SoD matrix
― Check usage of roles and transactions

28. MaxPatrol – Role Control (screenshot)

29. MaxPatrol – Authorization profile control (screenshot)

30. MaxPatrol – Control of administrative privileges (screenshot)
31. Fraudulent activity in purchasing
― Purchasing without a purchase requisition
― Abuse of one-time vendor accounts

32. How to build a fraud check mechanism
― Build a possible fraud scheme
― Divide the scheme into separate actions
― Describe each action in SAP terms
― Go to the logs and get all users who performed those actions
― Analyze the users whose sequence of performed actions fits the fraud scheme

33. One-time vendor (OTV) payments
― SAP provides one-time vendor functionality to reduce administration of the vendor master file by paying infrequent vendors through a one-time vendor account.
― Use of the one-time vendor function bypasses the usual vendor master file authorization and review controls and may be used to process unauthorized payments.

34. How to control OTV payments?
― Periodically review one-time vendor payments.
• The vendor line item report RFKEPL00 (transaction code S_ALR_87012103) is the best report for viewing one-time vendor payments.
• Payments can also be viewed through the Purchasing Overview by Vendor report.
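Slides 32 to 34 describe the fraud check as a procedure but do not show what "analyze the sequence of actions" or "review OTV payments" looks like once the data is exported. The following is an added example, not code from the talk or from Positive Technologies: it runs one scheme (a fictitious vendor created, ordered from and invoiced by the same person) over a constructed transaction log, and flags one-time vendor payments that keep going to the same bank account under changing payee names. The log entries, payment rows, user names, bank identifiers and function names are constructed assumptions; the time window is a parameter a reviewer would tune.

```python
"""Fraud-scheme check over an SAP transaction log and a one-time vendor payment list.

Constructed sample data (not a real export). LOG models the fields one gets from the
transaction log (STAD) or the security audit log: who ran which transaction when.
OTV_PAYMENTS models rows from the vendor line item list (RFKEPL00 / S_ALR_87012103)
already filtered to postings on the one-time vendor account.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


LOG = [
    {"ts": ts("2013-01-03 09:10"), "user": "buyer1", "tcode": "ME21N"},
    {"ts": ts("2013-01-05 11:00"), "user": "buyer2", "tcode": "MK01"},
    {"ts": ts("2013-01-07 10:30"), "user": "buyer2", "tcode": "ME21N"},
    {"ts": ts("2013-01-10 14:00"), "user": "buyer1", "tcode": "MIRO"},
    {"ts": ts("2013-01-20 16:45"), "user": "buyer2", "tcode": "MIRO"},
    {"ts": ts("2013-01-01 08:00"), "user": "clerk", "tcode": "XK01"},
    {"ts": ts("2013-03-15 09:00"), "user": "clerk", "tcode": "ME21N"},  # more than 30 days later
    {"ts": ts("2013-03-16 09:00"), "user": "clerk", "tcode": "MIRO"},
]

# The scheme of slide 32 written as ordered steps in SAP terms: one person creates a
# vendor master record, raises a purchase order against it and enters the invoice.
FICTITIOUS_VENDOR_SCHEME = [
    ("Create Vendor Master Record", {"FK01", "MK01", "XK01"}),
    ("Create Purchase Order", {"ME21", "ME21N", "ME25", "ME27", "ME31"}),
    ("Enter Invoice", {"MIRO"}),
]


def find_sequences(log, scheme, window=timedelta(days=30)):
    """Users who executed the scheme's steps in order, all within `window` of the first step."""
    by_user = defaultdict(list)
    for entry in sorted(log, key=lambda e: e["ts"]):
        by_user[entry["user"]].append(entry)
    hits = []
    for user, entries in by_user.items():
        step, start, trail = 0, None, []
        for entry in entries:
            if start is not None and entry["ts"] - start > window:
                step, start, trail = 0, None, []      # window expired: start over at this entry
            if entry["tcode"] in scheme[step][1]:
                start = start or entry["ts"]
                trail.append((scheme[step][0], entry["tcode"], entry["ts"]))
                step += 1
                if step == len(scheme):
                    hits.append((user, trail))
                    step, start, trail = 0, None, []
    return hits


OTV_PAYMENTS = [
    {"doc": "1900000001", "user": "clerk", "payee": "ACME Repairs", "bank": "BANK-A", "amount": 4800.0},
    {"doc": "1900000002", "user": "clerk", "payee": "ACME Repair Svc", "bank": "BANK-A", "amount": 4950.0},
    {"doc": "1900000003", "user": "clerk", "payee": "A.C.M.E.", "bank": "BANK-A", "amount": 4700.0},
    {"doc": "1900000004", "user": "buyer1", "payee": "City Notary", "bank": "BANK-B", "amount": 120.0},
]


def otv_repeat_payees(payments, min_count=3):
    """The OTV account is for infrequent vendors. The same bank account paid through it
    repeatedly, under varying payee names, is what the periodic OTV review should surface."""
    per_bank = defaultdict(list)
    for p in payments:
        per_bank[p["bank"]].append(p)
    return {
        bank: {"count": len(rows),
               "total": sum(r["amount"] for r in rows),
               "payees": sorted({r["payee"] for r in rows}),
               "users": sorted({r["user"] for r in rows})}
        for bank, rows in per_bank.items() if len(rows) >= min_count
    }


if __name__ == "__main__":
    for user, trail in find_sequences(LOG, FICTITIOUS_VENDOR_SCHEME):
        print(f"{user}: " + " -> ".join(f"{tcode} ({when:%Y-%m-%d})" for _, tcode, when in trail))
    for bank, summary in otv_repeat_payees(OTV_PAYMENTS).items():
        print(f"OTV review: {bank} paid {summary['count']}x, total {summary['total']:.2f}, "
              f"payees {summary['payees']}, posted by {summary['users']}")
```

With the 30-day window only buyer2 matches; widening the window to a year also catches clerk, whose vendor creation in January and PO in March are the same pattern stretched out, which is why the window is a tuning knob and not a constant. A sequence hit is a lead for investigation, not proof: the next step is to confirm in the documents themselves that the PO and invoice reference the newly created vendor.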
35. Best practices
― Focus on prevention
― Automate as many controls as possible
― Automate the flow of manual controls
― Identify business actions that produce risks when executed by one person
― Perform risk analysis before committing and approving changes to access controls
― SoD risk identification and remediation should be performed automatically across multiple ERP environments and instances
― Automate user provisioning and changes
― Control real transaction and role usage

36. Conclusions
― GRC is an information security trend
― The most demanded GRC features:
• Critical actions control
• SoD violation control
• Fraud control
― It is possible to build a GRC system that satisfies top management without a large-scale deployment.

37. Thank you for your attention! Q&A