Advanced Authorization for SAP Global Deployments
Part II: SAP Authorization model for Export Compliance
Sandeep Chopra, Senior Product Mgr, NextLabs, Inc.

Agenda
Objective
  • Introduce Authorization Decision Map methodology
  • Understand the Export Compliance requirements for global SAP deployment
  • Apply the Authorization Framework
Presentation
  • Quick Recap of Part I
  • How to assess Authorization Complexity and Volatility
  • Export Compliance 101
  • Export compliance requirements for global SAP deployment
  • Authorization Decision Map
  • Next Steps
  • Question and Answers

Mapping Requirements to Authorization Tools
  • Understanding Global Deployment Authorization Requirements and Challenges
  • Introduction to the Authorization Toolbox
  • Authorization Framework – Clear Separation of Authorization Dimensions
  • Authorization Decision Map

The Authorization Framework Revisited
  1. Separate Functional, Data and Governance Requirements
  2. Develop Functional Authorization Map
  3. Authorization Model Assessment for Data Entitlements
  4. Develop Data Authorization Decision Map
  5. Choose the right tools for each layer
Methodology for Authorization Decision Map
NextLabs – Authorization Model Assessment
  • Based on real world projects
  • Business Profile templates provide authorization complexity factors for different business models
  • Highlights priorities and generates actionable plans
  • 1-3 week authorization assessment
  • Deliverable = Authorization Decision Map

Authorization Complexity – Steps
Quantitatively measures authorization rule complexity

Authorization complexity is largely based on the total number of access variable values
  • Select Company Type: provides a template Business Profile (Complexity Categories, Sub Categories, Questionnaire)
  • Review Business Profile: tweak the template for your company
  • Provide Model Inputs: question answers and Impact (weight)
  • Calculate Authorization Complexity Score: run the model and review the Authorization Decision Map

Step 1 – Select Company Type
Select the type of company (loads the template Business Profile)
Step 2 – Review Business Profile
Business Profile columns:
  • Complexity Type (IT, Compliance, Operations)
  • Category
  • Subcategory Description

Step 3 – Provide Model Inputs
Inputs:
  • Sub Category Score [1,5] (1: low, 5: high)
  • Impact (Weight) [1,2]
  • Authorization Complexity Score = Sub Category Score * Impact

Step 4 – Calculate Authorization Complexity Score
System Authorization Complexity Score [Scale: 0 – 10] = Weighted Average (Individual Authorization Complexity Scores)
(Chart: complexity scale with ticks 10, 5, 0)
Authorization Volatility
A measure of how likely or how often authorization rules will change
H, M, L rating to indicate likelihood, or could be based on historical data
System considerations
  • De-centralized models are more volatile
  • Frequent system upgrades or changes are more volatile
  • Average number of locations per user
Business considerations
  • Frequent M&A could impact volatility of access rules
  • New product ratio
  • Frequency of design and manufacturing partner collaborations
  • Employee attrition
(Chart: Authorization Decision Map, volatility H/M/L against complexity score 0 – 10)

Export Compliance 101
  • Regulates the transfer of articles and technology (services, technical data)
  • Transfer outside the country is considered an export
  • Transfer to a foreign person is considered an export to that person's home country
  • Strict control over strategic technologies (weapons, space, nuclear, chemical, etc.)
  • Authorizations/Licenses or Exemptions are required for export
  • Penalties can be financial, criminal, or loss of export privileges

Export Compliance Violations
http://www.contractormisconduct.org/
Authorization Requirements
Technical Data: “Information directly related to defense articles, which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles.”*
Where is it typically found in SAP ERP:
  • Routing operations
  • Production order operations
  • Service order operations
  • Material master long text (purchase, sales, basic, internal and inspection)
  • Component lists (BOM)
  • Attachments with detailed instructions
  • Quality notifications
  • Sales order long text

Part II of III: Advanced Authorization for SAP Global Deployments: September 27, 2011

Editor's Notes

  • #4 The NextLabs Information Risk Assessment Model is a model that we have developed jointly with our clients to solve numerous real world compliance issues such as ITAR. Inputs to the model include: Strategic Information Objectives, requirements and events. It also includes business profile templates which detail a large library (hundreds) of risk components. Having such accelerators in place helps us help clients execute a risk assessment in one to three weeks. The final deliverable of this Risk Assessment is a report that contains the Risk Map I showed you earlier, which highlights priorities for various problems, as well as recommendations for an action plan.
  • #5 Potential number of rules is the product of the number of possible values for each access variable.
    E.g. Security Class = Secret, High, Medium, Low (4 values)
    E.g. Partner Program = Silver, Gold, Platinum (3 values)
    E.g. Location = US, APAC, Europe, Others (4 values)
    Potential number of rules = 4 x 3 x 4
    "If Partner is Silver and Location is Others and security is Low, then …"
    vs
    "Allow access to MM if security is <> Secret, Partner is Gold or Platinum and Location = US"
  • #6 In Step 1, as I mentioned earlier, we select the company type. In our risk assessment model, we have a number of categories of companies. For example, we have a template for a Global Commercial business that has some portion of its business involving the production or servicing of defense articles. By selecting the Global Commercial tab, we are presented with a pre-populated framework from which to start the risk assessment process.
  • #7 Next, after selecting the company type as Global Commercial we look at its business profile template and then tweak it as appropriate. On the far left in the first column we have Information Objectives. The first one, Electronic Data, should look familiar as it represents the base level of the Top 10 Challenges pyramid we looked at earlier. Next let’s look at the Challenge Area column; this represents a particular challenge with an Information Objective, for example Access Control within Electronic Data. The next column is Risk Events, which refer to actions that create some level of business risk. An example of a Risk Event is data subject to ITAR copied onto a US file server which is accessible by non-US people.
    The next set of columns in the template are around Export Probability for different types of exports, such as deemed exports, exports and re-exports, re-export (product) and theft/loss. This column indicates the probability that a given event would result in a type of export. Re-export (product): your widget gets incorporated into another product that is exported; this has different considerations. Theft or loss.
    And finally, the last part of the template is the Export Factor, which is a weighted number. It is based on the measured compliance risk for each export type. Each export type will have a different weight factor based on a given organization’s business model and operations. For example, the weight associated with theft/data loss may be greater for an organization than that associated with a deemed export.
    To summarize, the general idea here is to select Objectives, Challenge Areas and Events that reflect a particular organization’s information needs, and select appropriate export probabilities for different types of exports.
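As an added illustration, not NextLabs' assessment tool, the Python below scores a constructed Business Profile the way Steps 3 and 4 of the slides describe (Sub Category Score times Impact, then a weighted average on the 0 – 10 scale) and counts the potential rule space from note #5. The sample subcategories, the H/M/L thresholds and the use of Impact as the averaging weight are assumptions.

```python
# Added example, not NextLabs' tool: scores a constructed Business Profile
# the way slides 12-14 describe and counts the rule space from note #5.
from dataclasses import dataclass
from math import prod


@dataclass
class SubCategory:
    complexity_type: str  # IT, Compliance or Operations
    category: str
    description: str
    score: int            # Sub Category Score, 1 (low) .. 5 (high)
    impact: int           # Impact weight, 1 or 2

    def complexity_score(self) -> int:
        """Slide 14: Authorization Complexity Score = Sub Category Score * Impact."""
        if not 1 <= self.score <= 5 or self.impact not in (1, 2):
            raise ValueError(f"{self.description}: score must be 1..5, impact 1 or 2")
        return self.score * self.impact


def system_complexity_score(profile: list[SubCategory]) -> float:
    """Weighted average of the individual scores on the slide's 0-10 scale.
    Assumption: the Impact weight is also the averaging weight."""
    weights = sum(s.impact for s in profile)
    return round(sum(s.complexity_score() * s.impact for s in profile) / weights, 2)


def potential_rule_count(access_variables: dict[str, list[str]]) -> int:
    """Note #5: the rule space is the product of each variable's value count."""
    return prod(len(values) for values in access_variables.values())


def rating(value: float, low: float = 4.0, high: float = 7.0) -> str:
    """Map a score to the H/M/L bands of the decision map (thresholds assumed)."""
    return "L" if value < low else "H" if value >= high else "M"


# Constructed sample profile (not from the deck)
PROFILE = [
    SubCategory("Compliance", "Export Control", "ITAR technical data in routing operations", 5, 2),
    SubCategory("IT", "Landscape", "De-centralized SAP instances", 3, 1),
    SubCategory("Operations", "Partners", "Design and manufacturing partner collaboration", 4, 2),
]
# The three access variables from note #5
ACCESS_VARIABLES = {
    "Security Class": ["Secret", "High", "Medium", "Low"],
    "Partner Program": ["Silver", "Gold", "Platinum"],
    "Location": ["US", "APAC", "Europe", "Others"],
}

if __name__ == "__main__":
    total = system_complexity_score(PROFILE)
    print("System complexity:", total, rating(total))
    print("Potential rules:", potential_rule_count(ACCESS_VARIABLES))
```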