GRC

Risk Analysis and Remediation

Intro to portal
URL http://10.0.0.14:51000/irj/portal Creatin a !ser
Go to the User Administration ta" to #reate the !ser $he %irst %e& !sers' &e #opied %rom an e(istin !ser.

Creatin roles in portal is a de)elopmental responsi"ility * assi nin roles to ro!ps or indi)id!al !sers is a se#!rity/a!thori+ation

A,$ Create an URL i)ie& * &&&..somethin /.#om Create a 0a e Create a 1orkset as an entry point Create a Role as an entry point Assi n the i)ie& to the pa e Assi n the pa e to the &orkset Assi n the &orkset to the role Assi n the role to yo!r !ser id

GRC appli#ation

A,$3ro&se thro! h this po&erpoint Lo in to the GRC appli#ation Re)ie& the 4 s!"4appli#ations that e(ist in the prod!#t GRC A##ess Control 1hat ea#h o% these s!"4appli#ations #an per%orm A-5655 * A##ess Control A-5640/650/670 * 8o %ar &hat &e ha)e #o)ered.

http:// 10.0.0.14:51000/&e"dynpro/dispat#her/sap.#o

9 phase approa#h

Roles and Responsi"ilities

Roles Business Process Owners !enior officers Responsibilities

Identify risks and/or approve risks for monitoring Approve remediation involving user access Approve/re"ect risks between business areas Design controls for mitigating conflicts Approve mitigating controls for selected risks assignments or role c and anges !ecurity Administrators Communicate Own t e %RC access tec nology foundation tools security process Perform proactive continuous compliance and #ec nical $iaisons Design and maintain rules to identify risk conditions Perform risk assessment on a regular basis Auditors and Customi&e t e !AP %RC tec nology foundation roles to enforce roles and Provide specific re'uirements for audit purposes Regulators responsibilities *ust not be involved in day+to+day security administration !oD Rule )eeper Perform periodic testing of rules and mitigating controls Analy&e and remediate !oD conflicts at role level *aintains controls over rules to ensure integrity Act as a liaison between e(ternal auditors *ay act as a liaison between Basis and t e !AP %RC met odology foundation support center

:(er#ise
:nter an in)oi#e in ;inan#ials . A##o!nts 0aya"le <Company Code 1000= <$ransa#tion ;370=.

,ield -ame .endor

.alue /010

Invoice Date #oday2s date Amount 03011 !elect Calculate #a( 0I 4Input ta( 0156 Input ta( %/$ Account 708110 Amount in doc9 Currency 03011 8a)e the do#!ment 0rint the )endor "alan#e #on%irmation <$ransa#tion ;.1>= $he #ompany m!st print and send "alan#e #on%irmations as part o% its ann!al a!dit pro#ess. 0rint the "alan#e #on%irmation %or )endors. Report )ariant GRC010 is a)aila"le %or ease o% !se. 1hat is the risk o% this pro#ess? $here is a potential %or %ra!d i% the same person #an #reated an in)oi#e then print the )endor "alan#e #on%irmation.

R!le 3!ildin $erminolo y

3!siness 0ro#ess: $he "!siness area #ate ories in &hi#h yo! &o!ld like to report risk analysis res!lts in Risk Analysis and Remediation ;!n#tion: A ro!pin o% one or more related a#tions or permissions %or a spe#i%i# "!siness area Risk: An opport!nity %or physi#al loss' %ra!d' pro#ess disr!ption' or prod!#ti)ity loss that o##!rs &hen indi)id!als e(ploit a spe#i%i# #ondition@ %!n#tions are the main #omponents o% risks A#tion: An a#ti)ity that is per%ormed in the system in order to %!l%ill a spe#i%i# %!n#tion' %or e(ample' Create 0!r#hase ,rder or Create 5aterial 5aster Re#ord 0ermission: A!thori+ations that allo& a !ser to per%orm a parti#!lar a#ti)ity in a system 8ystem: Re%ers to a system in &hi#h risk analysis is per%ormed' %or e(ample' 8A0 :R0' ,ra#le' 8A0 CR5' 0eople8o%t' or Ayperion

R!le 8tr!#t!re

R!le 3!ildin

Risk ID ,unction 0 ,unction 0 ID ,110 %$1: *aintain %/$ records !O1/ !D1>

,unction : ,unction : ID %$10 Post ;ournal <ntry Customer *aster *aintenance

Description of Risk

Risk $evel

Create a fictitious %$ account and =ig generate "ournal activity or ide activity via postings Create a fictitious customer and =ig initiate fraudulent sales document

!ales Order !D10 Agreements or Contracts

,!10 ,!1: ,!P0 ,!P:

Create C ange*aster *asterRecord Recordin inC C art/Accts art/Accts

,+:0 Post ,+7: ,+78 ,B10 ,B1> <nterwit Down Document #ransfer Payment Clearing Posting Re'uest

G L0

SO D R i sk :

G L0

:(er#ise 4B
Lo on to 8A0 GRC A##ess Control <r!le ar#hite#t= and #reate R!A@@B 4w ere @@ is your group number6 Business Process ID PPA@@B 4w ere @@ is your group number6 a ne& r!le set. Description @@ Rule !et Description @@ Procure to Pay
Rule !et ID

Lo on to 8A0 GRC A##ess Control <r!le ar#hite#t= and #reate yo!r o&n "!siness pro#ess %or p!r#hase4to4pay as a"o)e ,unction ID ,unc:?@@ 4w ere @@ is your group number6 ,unction ID ,unc0?@@ 4w ere @@ is your group number6 Create %!n#tions &ith the %ollo&in in%ormation. Description ,unc0?@@ Description ,unc:?@@ Business Process PPA@@B Business Process PPA@@B Analysis !cope !ingle Analysis !cope !ingle Actions @)10 Actions *<:0 Risk ID R)A@@ B4w ere @@ is your group number6 Create a risk &ith the B %!n#tions a"o)e and the %ollo&in Description Risk?@@ in%o Risk #ype !eggregation of Duties Risk $evel *edium Business Process PPA@@B !tatus <nable Generate the r!les %or the risk that yo! j!st #reated.

Chan e Aistory
$o )ie& #han e lo in%ormation %or %!n#tions' #hoose Rule Architect Change History Functions. In the displayed Functions-Change History Results s#reen' sele#t yo!r settin s and #hoose Execute to r!n a sear#h to )ie& the #han e lo res!lts. $he ;!n#tions Chan e Aistory Res!lts lo in#l!des:
Chan ed ,n: $he date and time Chan ed "y: $he !ser I;!n#tion <I-= Chan e $ype: $his is either Insert Function or Delete Functions 8ystem A#tion Item Cal!e 8tat!s

Comparison o% r!le sets

$he r!le sets #an "e #ompared in t&o &ays:
A #omparison o% j!st the risks in the desi nated r!le sets A #omparison o% risks and a#tions/permissions

$o per%orm a #omparison o% r!le sets' #hoose Rule Architect Rule Sets Compare. A #omparison o% risks is always per%ormed' and these res!lts are displayed initially. $he Summary "!tton on the risk #omparison s#reen drills do&n to an a#tion r!le #omparison. $he -etail "!tton in the

8,- 0hase B 4 Analysis

$he p!rpose o% this phase is to pro)ide "!siness pro#ess analysts and "!siness pro#ess o&ners &ith alternati)es %or #orre#tin or eliminatin risks "y: 0er%ormin a se#!rity analysis to #on%irm risks %or:
8imple roles Composite roles Users

Re)ie&in the role to determine ho& #ertain personnel mi ht "e restri#ted %rom per%ormin !ndesired a#ti)ities "y #he#kin :
,"je#ts ;ields Cal!es

Analysis * :(er#ise 1
:nter the %ollo&in in%ormation.

Role: DEGRC*O2C* Rule Set: Global Report Type: Permission Level Report Format: Summary

Choose Bac groun!. :nter "o# $ame: xx Risk Analysis GRC-O2C Choose Imme!iate Start. Choose Sche!ule.

Remediation :(er#ise as a %ollo&4!p to Analysis :(er#ise41

Lo on to 8A0 3!siness,"je#ts A##ess Control and per%orm a sim!lation on role le)el. 8im!late the remo)al o% the sin le role Z*GRC* !SC* %rom the #omposite role Z*GRC*O2C. Compare the res!lts &ith the %irst part o% this e(er#ise.

5iti ation
5iti ation #ontrols are reF!ired &hen it is not possi"le to se re ate d!ties &ithin the "!siness pro#ess. ;or e(ample' in a small o%%i#e' one person has to take o)er t&o roles &ithin the "!siness pro#ess' &hi#h #a!ses a missin 8o- #on%li#t. :(amples o% miti ation #ontrols:
Release strate ies and a!thori+ation limits Re)ie& o% !ser lo s Re)ie& o% e(#eption reports -etailed )arian#e analysis :sta"lish ins!ran#e to #o)er impa#t o% a se#!rity in#ident

$ypes o% 5iti ation #ontrols

0re)entati)e #ontrols
5inimi+e the likelihood or impa#t o% a risk "e%ore it a#t!ally o##!rs.

-ete#ti)e #ontrols
Alert &hen a risk takes pla#e and ena"le the responsi"le person to initiate #orre#ti)e meas!res.
Detective Reports Budget Review Plan vs Actual Reviews #ec nical logs Alerts

Preventative Configuration Custom Ob"ects Cser <(its and <n ancements !ecurity Dorkflow

8ettin !p miti ation #ontrols

-e%inition o% responsi"ilities -e%ine administrators and sele#t appli#a"le role.
Appro)er
Appro)e the #ontrol and identi%y appropriate miti ation monitors. :ns!re monitors are e(e#!tin appli#a"le #ontrols &ithin the period %reF!en#y stated in a miti ation #ontrol.

5onitor
0er%orm the a#tions identi%ied in the #ontrol to monitor !sers and identi%y inappropriate a#tions.

Risk4o&ner
Responsi"le %or monitorin the !se o% a#tions and permissions asso#iated &ith a risk

Control #reation
8pe#i%y #ontrol I-. 8ample namin #on)ention:
Chara#ter 1 . 3!siness area desi nation Chara#ter B . User or role ro!p letter Chara#ters 9 to 10 . 8eF!ential n!m"er

:nter des#ription.
-e%inition: 1ho / &hat / ho& o%ten / &hy <#ontrol o"je#ti)e=

Assi n "!siness !nit. Assi n appro)er %rom a)aila"le appro)ers %or the entered "!siness !nit. Assi n asso#iated risk I-s as pre4sele#tion. -o#!ment #ontrol monitorin :
Assi n one or more monitors. Assi n one or more miti ation reports <optional=.
8ele#t the system %rom &hi#h yo! &ill r!n the reports. :nter asso#iated a#tion. Assi n a monitor to ea#h report. $he %reF!en#y m!st "e esta"lished in n!m"er o% days' %or e(ample' enter "# %or monthly reports.

Alerts
As a temporary miti ation #ontrol $o display !sers a##essin m!ltiple #on%li#tin a#tions $o display !sers a##essin #riti#al a#tions $o ens!re e%%e#ti)eness o% miti ation #ontrol "y sho&in delays in startin miti ation reports

Alert 8et!p
:na"lement and s#hed!lin :
:nter an appli#ation ser)er lo#ation to store e(e#!ted a#tion in%ormation: Choose Con%iguration &iscellaneous.

8#hed!le "a#k ro!nd jo"s %or alert eneration:

A#tion lo Con%li#tin a#tion Criti#al a#tion 5iti ation monitorin

8#hed!le "a#k ro!nd jo"s %or alert noti%i#ation:

Risk o&ner assi ned to the asso#iated risk is noti%ied "y e4mail <maintained in &itigation ta"= 5onitors #an also re)ie& the list o% alerts thro! h the Alert mod!le

5iti ation :(er#ise

Create an appro)er %or the ne& miti ation #ontrol. 1. Create an appro)er %or the ne& miti ation #ontrol. a= Lo on to 8A0 3!siness,"je#ts A##ess Control &ith !ser GRC9004GG. "= 8ele#t the &itigation ta" and #hoose A!ministrators Create. #= :nter the %ollo&in in%ormation. A!ministrator ID: $$-A%%rover Full $ame: A%%rove& A%%rover $$ Email: 'n(er a )i*(i(ious mail a&&ress Role: A%%rover B. Create a monitor %or the ne& miti ation #ontrol. a= Lo on to 8A0 3!siness,"je#ts A##ess Control. "= 8ele#t the &itigation ta" and #hoose A!ministrators Create . #= :nter the %ollo&in in%ormation. A!ministrator ID: $$oni(or Full $ame: +a(*,inoni(or $$

5iti ation :(er#ise Contd.

9. -e%ine a "!siness !nit as #ontainer %or the miti ation #ontrols. a= Lo on to 8A0 3!siness,"je#ts A##ess Control. "= 8ele#t the &itigation ta" and #hoose Business 'nits Create. #= :nter the %ollo&in in%ormation. Business 'nit ID: PP$$ Description: G$ Pur*,ase-(o-Pay Appro(er ID: 'n(er (,e a%%rover !. (,a( you *rea(e& in (,e %revious s(e% &onitor ID: 'n(er (,e moni(or !. (,a( you *rea(e& in (,e %revious s(e%

8A0 o%%ers a d!al4#ontrol prin#iple to prote#t sensiti)e %ields in the )endor master re#ord %rom dire#t manip!lations per%ormed "y one !ser. $his pre)entati)e miti ation #ontrol #an "e !sed to miti ate the risk o% %ra!d!lent manip!lation o% "ank a##o!nts. A%ter the se#!rity meas!re is a#ti)ated in #!stomi+in "y the I$ department' the miti ation #ontrol needs to "e implemented in 8A0 3!siness,"je#ts A##ess Control. 1. Implement the miti ation #ontrol in 8A0 3!siness,"je#ts A##ess Control. a= Lo on to 8A0 3!siness,"je#ts A##ess Control. "= 8ele#t the &itigation ta" and #hoose &itigation Controls Create. #= &itigation Control ID: C/'0$$ $o ens!re the e%%e#ti)eness o% the #ontrol' the monitor needs to #he#k the #riti#al )endor on a &eekly "asis to in)esti ate the res!lt o% 8HALRH>I01B060 <-isplay / Con%irm #riti#al )endor #han es=. d= Description: A )endor master data %ield marked in #!stomi+in ta"le $055; as sensiti)e #an only "e #han ed a%ter it is #on%irmed "y a se#ond party. 3e%ore appro)al takes pla#e' a payment r!n "lo#k is a#ti)ated %or that a##o!nt' and the #on%irmation stat!s .$o "e #on%irmed. is set. ConseF!ently' the likelihood o% %ra!d!lent manip!lation is lo&er "e#a!se an e(tra #on%irmation is reF!ired. e= Business 'nit: PP$$ &anagement Appro(er: $$-A%%rover Ris ID: Choose all risks GGJJ yo! "!ilt in e(er#ise' Rule Buil!ing an! )ali!ation' #ontainin .)endor master data maintenan#e. as one o% the #on%li#tin %!n#tions &onitor ID: $$oni(or System: Sele*( (,e a%%ro%ria(e sys(em

5iti ation :(er#ise B

A%ter the se#!rity meas!re is a#ti)ated in #!stomi+in "y the I$ department' implement the miti ation #ontrol in 8A0 3!siness,"je#ts A##ess Control. a= 8ele#t the In%ormer ta" and #hoose Ris Analysis Role +e(el. :nter the %ollo&in data. Role: GRC"##-CR1P6RC7AS'18O1PA9-$$ Rule Set: Global Report Type: Permission Level Report Format: ana-emen( Summary "= In the res!ltin report' sele#t the risk yo! &ant to miti ate &ith the #ontrol and #hoose Execute. 7in(: It sho!ld #ontain K)endor master data maintenan#eL as one o% the #on%li#tin %!n#tions. $o see more details' to le to the 8!mmary report. #= 8ele#t the risk des#ription and sele#t &itigate the Ris in the ,ptions area. d= Choose Continue. In the Ris &itigation s#reen' and enter the %ollo&in data. &itigation Control: C/'0$$ &onitor ID: $$oni(or Status: 'nable

5iti ation :(er#ise B Contd.

Che#k the assi nment o% the miti ation #ontrol "y per%ormin a ne& risk analysis on GRC9004CRH0URCAA8:H$,H0AM4GG. a= 8ele#t the In%ormer ta" and #hoose Ris Analysis. "= :nter the %ollo&in data. Role Le)el Role: GRC"##-CR1P6RC7AS'18O1PA9-$$ Rule Set: Global Report Type: Permission Level Report Format: ana-emen( Summary #= Choose &ore ,ptions. d= 8et Ignore &itigation to 9'S to make the miti ated risks in)isi"le in the res!lt s#reen o% the analysis. e= Choose Execute. In the res!lts s#reen' all miti ated risks ha)e )anished and the #omposite role is m!#h #leaner than "e%ore o!r remediation and miti ation a#ti)ities started.

5iti ation :(er#ise B Contd.

Remediation rele)ant reportin

-emonstrate the A#tion Usa e "y Users report. a= Lo on on to Risk Analysis and Remediation )ia the 8A0 3!siness,"je#ts A##ess Control la!n#h pad. "= Choose In%ormer &iscellaneous. #= 8ele#t the A#tion Usa e "y Users report. d= In the sele#tion #riteria' enter the %ollo&in data. System 85#CL08#5# Date 6se &e)aul( Action S6#4 Report Type All e= Choose Execute. %= Look at the res!lts o% the sear#h.

5iti ations #ontrol report

-emonstrate the In)alid 5iti ation Controls report. a= Lo on to Risk Analysis and Remediation )ia the 8A0 3!siness,"je#ts A##ess Control la!n#h pad. "= Choose In%ormer Ris Analysis 'ser +e(el. #= In the sele#tion #riteria' enter the %ollo&in data. System 85#CL08#5# Ris ID 55#4* Report Type !nvali& i(i-a(ion Con(rols d= Choose Execute . I% yo! see a r!ntime &arnin ' #hoose ,-.

8,- Ciolations %rom #!stom pro rams

-emonstrate the 8o- Ciolations %rom C!stom 0ro rams report. 1. -emonstrate the 8o- Ciolations %rom C!stom 0ro rams report. a= Lo on to Risk Analysis and Remediation )ia the 8A0 3!siness,"je#ts A##ess Control la!n#h pad. "= Choose In%ormer Au!it Reports &iscellaneous.

CU0 * Ceri%i#ation o% install

CU0 A!th. 8ystem

Inte rate RAR and CU0

. Retrie)e the URL %or Risk Analysis 1e" ser)i#e #on%i !ration. a. ;rom the SA. $et/ea(er /e# Application Ser(er start pa e' #hoose /e# Ser(ice $a(igator. ". :(pand )irsaCCRis AnalysisSer(ice 1e" ser)i#e. #. Choose Document. d. Ri ht #li#k on the URL address !nder the 18-L headin to #opy as a short#!t. . Choose Compliant 'ser .ro(isioning' #hoose the Con%iguration ta"' and #hoose Ris Analysis. . In the Select Analysis an! Reme!iation )ersion pane' #hoose 012 /e# Ser(ice %rom the )ersion men!. . In the 'R+ %ield' enter the risk analysis URL. Mo! #an paste in the #opied short#!t yo! o"tained in the %irst step. . :nter a 'ser $ame and a .ass3or!. 0o(e: $his !ser m!st ha)e the Admin role %or Risk Analysis and Remediation. . Choose Sa(e.

-e%ine #onne#tors %or 8A0

Choose C'.' sele#t the Con%iguration ta"' and #hoose Connectors Create Connectors. In the Connector Type men!' #hoose SA.. In the $ame %ield' enter a name %or the #onne#tor. 0o(e: $he #onne#tor names are important &hen inte ratin &ith other A##ess Control Components and Central User Administration <CUA=. 5ake s!re that the #onne#tor name %or A##ess Control is the same as the one #on%i !red %or CUA. In the Short Description %ield' enter a "rie% des#ription o% the #onne#tor. In the Description %ield' enter a lon 4te(t des#ription o% the #onne#tor. In the Application %ield' enter the name o% the appli#ation or appli#ation ser)er. In the Application Ser(er Host %ield' enter the host name o% the appli#ation ser)er. In the System $um#er %ield' enter the n!m"er in the 8A0 system lo . In the Client %ield' enter the 8A0 #lient n!m"er. In the 'ser ID %ield' enter the !ser I- yo! are #on%i !rin to ha)e a##ess to the "a#k4end system. In the .ass3or! %ield' enter the spe#i%ied pass&ord %or the 8A0 !ser I-. In the System +anguage %ield' enter the lan !a e %or the system. In the &essage Ser(er $ame %ield' enter the name o% the messa e ser)er' &hi#h s !sed %or load "alan#in . In the &essage Ser(er 4roup %ield' enter the lo on ro!p name to &hi#h the messa e ser)er "elon s. In the &essage Ser(er Host %ield' enter the host name o% yo!r messa e ser)er. In the SA. )ersion men!' sele#t the appropriate 8A0 )ersion. CU0 s!pports 8A0 4.7C' 8A0 4.I' and 8A0 :CC 7.0. 8ele#t the S+D Connector #he#k"o( to ena"le the 8tandard Lands#ape -ire#tory.

-e%ine 8A0 #onne#tors %or CU0

CU0 Li%e#y#le

Ao& does CU0 &ork%lo& &ork

CU0 1ork%lo& #omponents

1ork%lo& e(ample

Appro)er -etermination

Appro)al 8ta e C!stomi+ation

$here are three #on%i !ration areas:
Joti%i#ation Con%i !ration Additional Con%i !ration Additional 8e#!rity Con%i !ration <Appro)al Rea%%irm=

I% the !ser' reF!estor' and appro)er are the same' ea#h re#ei)es m!ltiple e4 mail noti%i#ations. 1hen sendin an e4 mail noti%i#ation to the !ser and the reF!estor i% the !ser is the reF!estor' the system sends t&o e4mail noti%i#ations. I% the reF!estor and the mana er are the same !ser' that person re#ei)es t&o e4mails.

Joti%i#ation #on%i !ration

$he $oti%ication Con%iguration s#reen #on%i !res e4 mail noti%i#ations %or a sta e to determine &hether and to &hom the system sends noti%i#ations a"o!t the a#tions taken at this sta e. $here are %o!r possi"le a#tions: 1. Appro)ed: $he system sends the e4mail noti%i#ation #on%i !red on the Appro(e! ta" &hen the appro)er appro)es the reF!est. B. Reje#ted: $he system sends the e4mail noti%i#ation #on%i !red on the Re5ecte! ta" &hen the appro)er reje#ts or denies the reF!est. 9. :s#alation: $he system sends the e4mail noti%i#ation #on%i !red on the Escalation ta" &hen the appro)er %ails to respond to the reF!est &ithin the allotted &ait time and an es#alation has o##!rred. 4. Je(t Appro)er: $he system sends the e4mail noti%i#ation to the appro)er<s= o% the sta e &hen the reF!est enters this sta e. $he ne(t appro)er is

Additional Con%i !ration

Ris Analysis &an!atory: 8ele#t Mes or Jo to determine &hether the appro)er is reF!ired to per%orm a risk analysis "e%ore appro)in the reF!est. Change Re*uest Content: An appro)er has the a!thority to #han e the #ontent o% the reF!est. I% set to Mes' the A!! Roles %ield "e#omes a)aila"le %or sele#tion. 8ele#t Mes or Jo to allo& roles to "e added d!rin this sta e. I% set to Mes' the .ath E(aluation For $e3 Roles %ield "e#omes a)aila"le %or sele#tion. $his settin determines ho& the roles are e)al!ated to see i% they are on the #orre#t path <this is ne#essary only i% yo! #on%i !re yo!r initiators "y roles=. All Roles in :)al!ation 0ath: All roles are re4e)al!ated a ainst the initiators. Je& Roles ,nly: $hese ne& roles are analy+ed a ainst the initiators to determine i% another parallel &ork%lo& mist "e #reated %or the ne&ly added roles. I% the Change Re*uest Content #on%i !ration option is set to Mes "!t A!! Roles is set to Jo' the appro)er #an remo)e roles %rom the reF!est "!t not add additional roles. I% the Change Re*uest Content #on%i !ration option is set to Jo' the appro)er #annot #han e the roles on the reF!est. $hey #annot reje#t or remo)e roles' nor #an they add additional roles to the reF!est. Appro(al +e(el: $he appro)er has the a!thority to appro)e the reF!est at the ReF!est' Role' or 8ystem and Role le)els. Re5ect +e(el: $he appro)er has the a!thority to reje#t the reF!est at the ReF!est' Role' or 8ystem and Role le)els. Appro(al Type: 8ele#t &hether any one appro)er #an appro)e at this sta e. ,r &hether all appro)ers m!st appro)e at this sta e. %or the reF!est to mo)e on to the ne(t sta e. Email 4roup: $his %eat!re is no lon er !sed. It remains on the s#reen %or "a#k&ard #ompati"ility.

Re*uest Re5ection: I% yo! set this option to Mes' appro)er is allo&ed to reje#t entire reF!est. Re5ect "!tton appears ne(t to Appro(e "!tton' so appro)er #an reje#t the entire reF!est &itho!t indi)id!ally reje#tin ea#h role. I% Jo' the appro)ers #an reje#t roles on the reF!est &itho!t the a"ility to reje#t the entire reF!est. Re4Ro!te: Appro)er has a!thority to re4ro!te the reF!est to a pre)io!s sta e as an alternati)e to reje#tin the reF!est entirely. Re4ro!tin does not apply i% the appro)er #hooses to appro)e the reF!est. Con%irm Appro)al: Appro)er m!st ans&er an additional F!estion i% he or she &ants to #on%irm appro)al a#tion. Con%irm Reje#tion: Appro)er m!st ans&er an additional F!estion i% he/she &ants to #on%irm reje#tion a#tion. Reje#t "y :mail and Appro)e "y :mail: Appro)er #an reje#t or appro)e the reF!est "y e4 mail. I% yo! set this option to Mes' there #o!ld "e t&o additional links on e4mail &hen appro)er ets e4mail noti%i#ation %or this sta e statin that there is a reF!est &aitin %or a#tion. I% Appro(e #y Email is set to Mes' one link &ill "e the Appro(e Re*uest a#tion. I% Re5ect #y Email is set to Mes' another link &ill "e present %or Re5ect Re*uest. $hese "!ttons &ill trans%er the appro)er to Compliant User 0ro)isionin . $he appro)er m!st still "e the )alid appro)er %or this sta e o% the reF!est and m!st enter his or her !ser I- and pass&ord. Reje#t "y :mail: $he appro)er #an reje#t the reF!est "y e4mail. $his settin is not an option i% a#tions are reF!ired' %or e(ample' i% risk analysis or #omments are reF!ired. Appro)e "y :mail: ,ptions &ill allo& the appro)er to appro)e the reF!est "y e4mail. $his settin &ill not "e an option i% a#tions are reF!ired' %or instan#e' i% risk analysis or #omments are reF!ired. ;or&ard: $he appro)er has the a!thority to %or&ard the reF!est to someone else %or appro)al.

Additional Con%i !ration Contd.

CU0 1ork%lo& Con%i !ration :(er#ise 8et !p a "asi# &ork%lo& &ith one sta e to make a #han e to a !ser'

r!n an 8o- #he#k' then ha)e the #han e a!to4pro)isioned to an 8A0 system. Lo on to the "a#k4end system assi ned "y yo!r instr!#tor' into #lient >00 &ith yo!r !ser I-' and #reate the %ollo&in roles: a. DHGGH;350 and assi n transa#tion ;350 &ith %!ll a!thori+ations i. -es#ription: Pos( ;ournal 'n(ry ". DHGGH,35B and assi n transa#tion ,35B &ith %!ll a!thori+ations i. -es#ription: O%en an& Close A**oun(in- Perio& Lo on to 8A0 3!siness,"je#ts A##ess Control Compliant User 0ro)isionin thro! h http ://10.0.0.14:51000/&e"dynpro/dispat#her/sap.#om/ r#2a#app#omp/AC Choose Con%iguration Role Import and import the roles yo! #reated !sin the Selecte! Roles option. Lo on to the U5: !sin yo!r User I- and #reate the %ollo&in !sers in the U5::
5ana er<NN= &ith Role: A: Appro)er Role,&ner<NN= &ith Role: A: Appro)er 8e#!rity<NN= &ith Role: A: 8e#!rity 8o(<NN= &ith Role: A: Appro)er

Lo on to 8A0 3!siness,"je#ts A##ess Control Compliant User 0ro)isionin thro! h http ://10.0.0.14:51000/&e"dynpro/dispat#her/sap.#om/ r#2a#app#omp/AC

CU0 1ork%lo& e(er#ise #ontd.

Choose Con%iguration Roles Role Search and sele#t the roles imported into Compliant User 0ro)isionin in step 4 a"o)e. Ceri%y/assi n the %ollo&in :
DHGGH;350
3!siness 0ro#ess ;inan#e Criti#al Le)el Ai h Role Appro)er $a" Role,&ner <NN= 3!siness 0ro#ess ;inan#e Criti#al Le)el Ai h Role Appro)er $a" Role,&ner<NN=

DHGGH,35B

Go to the &ork%lo& #on%i !ration and #reate an initiator. Choose Con%iguration /or %lo3 Initiator. Choose Create and enter the %ollo&in data.
$ame $$1!ni(ia(or< Short Description $$1!ni(ia(or /or %lo3 Type Com%lian( 6ser Provisionin-< Attri#ute =un*(ional Area< )alue $$=!

Choose Sa(e to sa)e the initiator. Create three sta es. Choose Con%iguration /or %lo3 Stage. Choose Create and enter the %ollo&in data.
$ame $$1 ana-er< Short Description $$1 ana-er /or %lo3 Type Com%lian( 6ser Provisionin-< Appro(er Determinator ana-er $ame $$1RoleOwner< Short Description $$1RoleOwner /or %lo3 Type Com%lian( 6ser Provisionin-< Appro(er Determinator

CU0 1ork%lo& e(er#ise ;or the noti%i#ation #on%i #ontd. !ration' sele#t the $ext Appro(er ta" and %ill in the in%ormation %or appro)al.
8ele#t the %ollo&in options %or the A!!itional Con%iguration se#tion.
Ris Analysis &an!atory Mes Change Re*uest Content Jo A!! Role 8ho!ld not "e a"le to #han e. 1hy? Chan e ReF!est Content set to Jo. .ath Re(aluation %or $e3 Roles 8ho!ld not "e a"le to #han e. 1hy? Chan e ReF!est Content set to Jo. Appro(al +e(el set to ReF!est Re5ection +e(el set to ReF!est Appro(al Type Any one Appro)er Comments &an!atory Mes or no Re*uest re5ecte! Jo Re-route Jo Con%irm Appro(al Jo Con%irm Re5ection Jo Re5ect #y Email Jo Appro(e By Email Jo For3ar! Allo3e! Jo Appro(e Re*uest Despite Ris s Mes

Choose Sa(e to sa)e ea#h sta e.

CU0 1ork%lo& e(er#ise #ontd.

Create a path. Choose Con%iguration /or %lo3 .ath. Choose Create' then enter the %ollo&in data.
Jame $$1Pa(, 8hort -es#ription $$1Pa(, 1ork%lo& $ype Com%lian( 6ser ProvisioninJ!m"er o% 8ta es " Initiator $$1!ni(ia(or 3e s!re to make the path A#ti)e.

8ele#t the three sta es that yo! #reated in this e(er#ise. Choose Sa(e to sa)e the path. Create a C!stom Appro)er -eterminator %or deto!r. Choose Con%iguration /or %lo3 Custom Appro(er Determinators and #reate a #!stom appro)er determinator.
$ame $$1SO.1CA. Short Description $$1SO.1CA. CAD Type A((ribu(e /or %lo3 Type Com%lian( 6ser ProvisioninAttri#ute =un*(ional Area

Choose Sa(e. Choose the Appro(ers "!tton and #hoose A!!.

Functional Area $$=! Appro(er Sox$$ 6ser

-e%ine a sta e %or 8o- )iolation. Choose Con%iguration /or %lo3 Stage and enter the %ollo&in data.
$ame $$1 SO.1S(a-e< Short Description $$1 SO.1S(a-e /or %lo3 Type Com%lian( 6ser ProvisioninAppro(er Determinator $$1SO.1CA.

CU0 1ork%lo& e(er#ise #ontd.

$ame $$1.e(our< Short Description $$1.e(our /or %lo3 Type Com%lian( 6ser Provisionin$um#er o% Stages >>>2 Initiator 0one 3e s!re to make the path Acti(e Detour #he#k"o( 8ele#t 9es Stage 6 $$1SO.1S8AG' Stage 7 $$1Se*uri(y

-e%ine a deto!r path. Choose Con%iguration /or %lo3 .ath and #reate the %ollo&in path.

Choose Sa(e. -e%ine a deto!r %or 8o- )iolations. Choose Con%iguration /or %lo3
Detour8For and #reate a deto!r. /or %lo3 Type Com%lian( 6ser Provisionin.ath $$1Pa(, Stage $$1RoleOwner Action Save Con!ition SO. /iola(ions )alue 9es Detour .ath $$1.e(our

$est yo!r &ork%lo& "y #reatin se)eral reF!ests and )eri%y that the path and deto!r yo! #reated &ork properly.