Risk Analysis and Remediation

This document discusses risk analysis and remediation in GRC (Governance, Risk management, and Compliance) applications. It covers topics such as creating roles and functions in the portal, the 9 phase approach to risk analysis, roles and responsibilities, rule building terminology, exercises in rule building and analysis, and setting up mitigation controls. The goal is to provide a process for identifying, analyzing, and remediating risks through configuration of rules and controls in SAP GRC applications.

Uploaded by stolson
© Attribution Non-Commercial (BY-NC)

GRC

Risk Analysis and Remediation

Intro to portal
URL: http://10.0.0.14:51000/irj/portal

Creating a user
Go to the User Administration tab to create the user. The first few users we copied from an existing user.

Creating roles in the portal is a developmental responsibility; assigning roles to groups or individual users is a security/authorization

Create an URL iView (www.something.com)
Create a Page
Create a Workset as an entry point
Create a Role as an entry point
Assign the iView to the page
Assign the page to the workset
Assign the workset to the role
Assign the role to your user id

GRC application

Browse through this PowerPoint.
Log in to the GRC application.
Review the 4 sub-applications that exist in the product GRC Access Control and what each of these sub-applications can perform.
ADM955 – Access Control; ADM940/950/960 – so far what we have covered.

http://10.0.0.14:51000/webdynpro/dispatcher/sap.co

3 phase approach

Roles and Responsibilities

Business Process Owners
  Identify risks and/or approve risks for monitoring
  Approve remediation involving user access
  Design controls for mitigating conflicts
  Communicate access assignments or role changes
  Perform proactive continuous compliance

Senior Officers
  Approve/reject risks between business areas
  Approve mitigating controls for selected risks

Security Administrators and Technical Liaisons
  Own the GRC access technology foundation tools security process
  Design and maintain rules to identify risk conditions
  Customize the SAP GRC technology foundation roles to enforce roles and responsibilities
  Analyze and remediate SoD conflicts at role level
  May act as a liaison between Basis and the SAP GRC methodology foundation support center

Auditors and Regulators
  Perform risk assessment on a regular basis
  Provide specific requirements for audit purposes
  Perform periodic testing of rules and mitigating controls
  Act as a liaison between external auditors

SoD Rule Keeper
  Must not be involved in day-to-day security administration
  Maintains controls over rules to ensure integrity

Exercise
Enter an invoice in Financials → Accounts Payable (Company Code 1000) (Transaction FB60).

Field Name                 Value
Vendor                     1101
Invoice Date               Today's date
Amount                     1,100
Calculate Tax              Select
Tax code                   1I (Input tax 10%)
G/L Account                708110
Amount in doc. currency    1,100

Save the document.

Print the vendor balance confirmation (Transaction F.18). The company must print and send balance confirmations as part of its annual audit process. Print the balance confirmation for vendors. Report variant GRC010 is available for ease of use.

What is the risk of this process? There is a potential for fraud if the same person can create an invoice and then print the vendor balance confirmation.

Rule Building Terminology

Business Process: The business area categories in which you would like to report risk analysis results in Risk Analysis and Remediation.
Function: A grouping of one or more related actions or permissions for a specific business area.
Risk: An opportunity for physical loss, fraud, process disruption, or productivity loss that occurs when individuals exploit a specific condition; functions are the main components of risks.
Action: An activity that is performed in the system in order to fulfill a specific function, for example, Create Purchase Order or Create Material Master Record.
Permission: Authorizations that allow a user to perform a particular activity in a system.
System: Refers to a system in which risk analysis is performed, for example, SAP ERP, Oracle, SAP CRM, PeopleSoft, or Hyperion.

Rule Structure

Rule Building

Risk ID  Function 1 ID / description          Function 2 ID / description                 Description of Risk                                                                         Risk Level
F001     GL02: Maintain G/L records           GL01: Post Journal Entry                    Create a fictitious GL account and generate journal activity or hide activity via postings   High
SO01     SD08: Customer Master Maintenance    SD01: Sales Order, Agreements or Contracts  Create a fictitious customer and initiate fraudulent sales document                         High

[Diagram: rule structure – an SoD risk is built from functions, and each function groups actions. GL02 groups the actions FS01, FS02, FSP1 and FSP2 (Create / Change Master Record in Chart/Accts); GL01 groups posting actions such as F-21 (Enter Transfer Posting), Post with Clearing, Down Payment Request and FB01 (Post Document).]

Exercise 2

Log on to SAP GRC Access Control (Rule Architect) and create a new rule set.
  Rule Set ID:   RSAXXB (where XX is your group number)
  Description:   XX Rule Set

Log on to SAP GRC Access Control (Rule Architect) and create your own business process for purchase-to-pay as above.
  Business Process ID:  PPAXXB (where XX is your group number)
  Description:          XX Procure to Pay

Create functions with the following information.
  Function ID:       Func1_XX (where XX is your group number)   Func2_XX (where XX is your group number)
  Description:       Func1_XX                                   Func2_XX
  Business Process:  PPAXXB                                     PPAXXB
  Analysis Scope:    Single                                     Single
  Actions:           XK01                                       ME21

Create a risk with the 2 functions above and the following info.
  Risk ID:           RKAXXB (where XX is your group number)
  Description:       Risk_XX
  Risk Type:         Segregation of Duties
  Risk Level:        Medium
  Business Process:  PPAXXB
  Status:            Enable

Generate the rules for the risk that you just created.

Change History
To view change log information for functions, choose Rule Architect → Change History → Functions. In the displayed Functions - Change History Results screen, select your settings and choose Execute to run a search to view the change log results. The Functions Change History Results log includes:
  Changed On: the date and time
  Changed by: the user ID
  Function (ID)
  Change Type: either Insert Function or Delete Function
  System, Action, Item, Value, Status

Comparison of rule sets

The rule sets can be compared in two ways:
  A comparison of just the risks in the designated rule sets
  A comparison of risks and actions/permissions

To perform a comparison of rule sets, choose Rule Architect → Rule Sets → Compare. A comparison of risks is always performed, and these results are displayed initially. The Summary button on the risk comparison screen drills down to an action rule comparison. The Detail button in the

SoD Phase 2 – Analysis

The purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risks by:
Performing a security analysis to confirm risks for:
  Simple roles
  Composite roles
  Users
Reviewing the role to determine how certain personnel might be restricted from performing undesired activities by checking:
  Objects
  Fields
  Values

Analysis – Exercise 1
Enter the following information.

  Role:           Z*GRC*O2C*
  Rule Set:       Global
  Report Type:    Permission Level
  Report Format:  Summary

Choose Background. Enter Job Name: xx Risk Analysis GRC-O2C. Choose Immediate Start. Choose Schedule.

Remediation Exercise as a follow-up to Analysis Exercise 1

Log on to SAP BusinessObjects Access Control and perform a simulation on role level. Simulate the removal of the single role Z*GRC* !SC* from the composite role Z*GRC*O2C. Compare the results with the first part of this exercise.
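The rule-building exercise (functions, risk, generated rules) and this role-level removal simulation, as an added Python illustration that is not SAP code or course material. Function and risk IDs and the actions XK01 and ME21 follow Exercise 2; the additional actions, the single roles and the composite role are constructed for the example.

```python
"""SoD rule building and role-level risk analysis (added illustration).

Not SAP code: a model of the Rule Architect concepts on this page. Function
and risk IDs follow Exercise 2; the extra actions and the roles are constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Function:
    """A grouping of related actions (transaction codes) for a business area."""
    id: str
    description: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class Risk:
    """An SoD risk: the conflict between two or more functions."""
    id: str
    description: str
    level: str
    functions: Tuple[Function, ...]


def generate_rules(risk: Risk) -> List[Tuple[str, ...]]:
    """'Generate rules' for a risk: one action-level rule for every combination
    that takes one action from each function of the risk."""
    per_function = [sorted(f.actions) for f in risk.functions]
    return [(risk.id,) + combo for combo in product(*per_function)]


def analyze(actions_held: Set[str], risks: Sequence[Risk]) -> List[Tuple[str, ...]]:
    """Action-level analysis: every rule whose actions are all held is a violation."""
    return [rule for risk in risks
            for rule in generate_rules(risk)
            if set(rule[1:]) <= actions_held]


def actions_of(role_names: Sequence[str], single_roles: Dict[str, Set[str]]) -> Set[str]:
    """Actions granted by a composite role: the union of its single roles' actions."""
    held: Set[str] = set()
    for name in role_names:
        held |= single_roles[name]
    return held


def simulate_removal(composite, single_roles, risks, remove):
    """Role-level simulation: violations before and after removing one single
    role from the composite role (the remediation exercise above)."""
    before = analyze(actions_of(composite, single_roles), risks)
    remaining = [r for r in composite if r != remove]
    after = analyze(actions_of(remaining, single_roles), risks)
    return before, after


# Functions and risk from Exercise 2 (Func1_XX / XK01, Func2_XX / ME21, RKAXXB);
# XK02 and ME21N are constructed extras so that each function has two actions.
FUNC1 = Function("Func1_XX", "Vendor master maintenance", frozenset({"XK01", "XK02"}))
FUNC2 = Function("Func2_XX", "Create purchase order", frozenset({"ME21", "ME21N"}))
RISK_P2P = Risk("RKAXXB", "Create a fictitious vendor and order from it", "Medium", (FUNC1, FUNC2))

# Constructed single roles and a composite role built from them.
SINGLE_ROLES = {
    "Z_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_PURCHASING": {"ME21N", "ME23N"},
    "Z_DISPLAY_ONLY": {"XK03", "ME23N"},
}
COMPOSITE_P2P = ["Z_VENDOR_MAINT", "Z_PURCHASING", "Z_DISPLAY_ONLY"]


def demo():
    """Violations of the composite role before/after removing Z_VENDOR_MAINT."""
    return simulate_removal(COMPOSITE_P2P, SINGLE_ROLES, [RISK_P2P], "Z_VENDOR_MAINT")


if __name__ == "__main__":
    before, after = demo()
    print("generated rules:", generate_rules(RISK_P2P))
    print("violations before:", before)
    print("violations after removing Z_VENDOR_MAINT:", after)
```

Running the block prints the four generated action rules, the two rules the composite role violates (XK01 or XK02 combined with ME21N), and an empty list after the vendor-maintenance single role is removed, which is the comparison the simulation exercise asks for.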

Mitigation
Mitigation controls are required when it is not possible to segregate duties within the business process. For example, in a small office, one person has to take over two roles within the business process, which causes an SoD conflict (missing segregation). Examples of mitigation controls:
  Release strategies and authorization limits
  Review of user logs
  Review of exception reports
  Detailed variance analysis
  Establish insurance to cover the impact of a security incident

Types of Mitigation controls

Preventative controls
Minimize the likelihood or impact of a risk before it actually occurs.
  Configuration
  Custom Objects
  User Exits and Enhancements
  Security
  Workflow

Detective controls
Alert when a risk takes place and enable the responsible person to initiate corrective measures.
  Reports
  Budget Review
  Plan vs Actual Reviews
  Technical logs
  Alerts

Setting up mitigation controls

Definition of responsibilities
Define administrators and select the applicable role.

Approver
Approve the control and identify appropriate mitigation monitors. Ensure monitors are executing applicable controls within the period frequency stated in a mitigation control.

Monitor
Perform the actions identified in the control to monitor users and identify inappropriate actions.

Risk owner
Responsible for monitoring the use of actions and permissions associated with a risk.

Control creation
Specify the control ID. Sample naming convention:
  Character 1 – Business area designation
  Character 2 – User or role group letter
  Characters 3 to 10 – Sequential number

Enter the description.
Definition: who / what / how often / why (control objective).

Assign the business unit. Assign the approver from the available approvers for the entered business unit. Assign the associated risk IDs as pre-selection. Document control monitoring:
  Assign one or more monitors.
  Assign one or more mitigation reports (optional).
Select the system from which you will run the reports. Enter the associated action. Assign a monitor to each report. The frequency must be established in number of days, for example, enter 30 for monthly reports.

Alerts
  As a temporary mitigation control
  To display users accessing multiple conflicting actions
  To display users accessing critical actions
  To ensure effectiveness of a mitigation control by showing delays in starting mitigation reports

Alert Setup
Enablement and scheduling:
Enter an application server location to store executed action information: choose Configuration → Miscellaneous.

Schedule background jobs for alert generation:
  Action log
  Conflicting action
  Critical action
  Mitigation monitoring

Schedule background jobs for alert notification:
  The risk owner assigned to the associated risk is notified by e-mail (maintained in the Mitigation tab).
  Monitors can also review the list of alerts through the Alert module.
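The control-creation steps (ID convention, monitors, reports with a frequency in days) and the "Mitigation monitoring" alert, as an added Python illustration that is not SAP code or course material. The ID pattern is the page's sample naming convention; the report S_ALR_87012090 and its weekly frequency come from the mitigation exercise below; the control itself, the second report ZVENDOR_LOG_XX, the monitor names and the dates are constructed.

```python
"""Mitigation control record and "Mitigation monitoring" alerts (added illustration).

Not SAP code. The ID pattern is the page's sample naming convention; the
report S_ALR_87012090 is from the page; all other control data is constructed.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Character 1: business area; character 2: user (U) or role (R) group letter;
# characters 3 to 10: sequential number.
CONTROL_ID_PATTERN = re.compile(r"[A-Z][UR][0-9]{8}")


def valid_control_id(control_id: str) -> bool:
    return CONTROL_ID_PATTERN.fullmatch(control_id) is not None


@dataclass(frozen=True)
class MitigationReport:
    action: str               # report the monitor runs
    system: str               # system the report is run from
    monitor: str              # monitor assigned to this report
    frequency_days: int       # 7 = weekly, 30 = monthly
    last_run: Optional[date]  # None: never executed


@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    description: str          # who / what / how often / why
    business_unit: str
    approver: str
    risk_ids: Tuple[str, ...]
    monitors: Tuple[str, ...]
    reports: Tuple[MitigationReport, ...]

    def __post_init__(self):
        if not valid_control_id(self.control_id):
            raise ValueError(f"control ID {self.control_id!r} violates the naming convention")
        if not self.monitors:
            raise ValueError("a control needs at least one monitor")
        for report in self.reports:
            if report.monitor not in self.monitors:
                raise ValueError(f"report {report.action}: monitor not assigned to this control")


def monitoring_alerts(control: MitigationControl, today: date) -> List[Tuple[str, str, str, str]]:
    """Alert type "Mitigation monitoring": a report is late when its last run
    plus the agreed frequency lies in the past, or when it never ran."""
    alerts = []
    for report in control.reports:
        if report.last_run is None:
            alerts.append((control.control_id, report.action, report.monitor, "never executed"))
            continue
        due = report.last_run + timedelta(days=report.frequency_days)
        if due < today:
            alerts.append((control.control_id, report.action, report.monitor,
                           f"overdue since {due.isoformat()}"))
    return alerts


TODAY = date(2024, 3, 15)  # fixed so the example is reproducible

# Constructed control following the slide's naming convention (P = purchasing
# business area, U = user group, then the sequential number).
VENDOR_CONTROL = MitigationControl(
    control_id="PU00000001",
    description="XXMonitor reviews S_ALR_87012090 weekly to confirm changes "
                "to sensitive vendor master fields",
    business_unit="PPXX",
    approver="XX-Approver",
    risk_ids=("RKAXXB",),
    monitors=("XXMonitor",),
    reports=(
        MitigationReport("S_ALR_87012090", "T90CLNT090", "XXMonitor", 7, TODAY - timedelta(days=10)),
        MitigationReport("ZVENDOR_LOG_XX", "T90CLNT090", "XXMonitor", 30, TODAY - timedelta(days=5)),
    ),
)


def demo():
    """Alerts raised for VENDOR_CONTROL as of TODAY."""
    return monitoring_alerts(VENDOR_CONTROL, TODAY)


def rejects_malformed_id() -> bool:
    """Creating a control whose ID is outside the convention fails."""
    try:
        MitigationControl("XX-1", "", "PPXX", "XX-Approver", (), ("XXMonitor",), ())
    except ValueError:
        return True
    return False
```

The weekly report was last run ten days before the fixed date, so it raises one alert; the monthly report is still inside its window. The background job for the "Mitigation monitoring" alert type would run this check for every control and notify the risk owner, as the alert notification section describes.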

Mitigation Exercise

1. Create an approver for the new mitigation control.
   a) Log on to SAP BusinessObjects Access Control with user GRC300-XX.
   b) Select the Mitigation tab and choose Administrators → Create.
   c) Enter the following information.
      Administrator ID:  XX-Approver
      Full Name:         Approved Approver XX
      Email:             Enter a fictitious mail address
      Role:              Approver
2. Create a monitor for the new mitigation control.
   a) Log on to SAP BusinessObjects Access Control.
   b) Select the Mitigation tab and choose Administrators → Create.
   c) Enter the following information.
      Administrator ID:  XXMonitor
      Full Name:         Watching Monitor XX

Mitigation Exercise Contd.

3. Define a business unit as container for the mitigation controls.
   a) Log on to SAP BusinessObjects Access Control.
   b) Select the Mitigation tab and choose Business Units → Create.
   c) Enter the following information.
      Business Unit ID:  PPXX
      Description:       XX Purchase-to-Pay
      Approver ID:       Enter the approver ID that you created in the previous step
      Monitor ID:        Enter the monitor ID that you created in the previous step

SAP offers a dual-control principle to protect sensitive fields in the vendor master record from direct manipulation performed by one user. This preventative mitigation control can be used to mitigate the risk of fraudulent manipulation of bank accounts. After the security measure is activated in customizing by the IT department, the mitigation control needs to be implemented in SAP BusinessObjects Access Control.

1. Implement the mitigation control in SAP BusinessObjects Access Control.
   a) Log on to SAP BusinessObjects Access Control.
   b) Select the Mitigation tab and choose Mitigation Controls → Create.
   c) Mitigation Control ID: CVENXX
      To ensure the effectiveness of the control, the monitor needs to check critical vendor changes on a weekly basis by investigating the result of S_ALR_87012090 (Display / Confirm critical vendor changes).
   d) Description: A vendor master data field marked in customizing table T055F as sensitive can only be changed after it is confirmed by a second party. Before approval takes place, a payment run block is activated for that account, and the confirmation status "To be confirmed" is set. Consequently, the likelihood of fraudulent manipulation is lower because an extra confirmation is required.
   e) Business Unit:        PPXX
      Management Approver:  XX-Approver
      Risk ID:              Choose all risks XXNN you built in the exercise "Rule Building and Validation" containing "vendor master data maintenance" as one of the conflicting functions
      Monitor ID:           XXMonitor
      System:               Select the appropriate system

Mitigation Exercise 2

After the security measure is activated in customizing by the IT department, implement the mitigation control in SAP BusinessObjects Access Control.
a) Select the Informer tab and choose Risk Analysis → Role Level. Enter the following data.
      Role:           GRC300-CR_PURCHASE_TO_PAY-XX
      Rule Set:       Global
      Report Type:    Permission Level
      Report Format:  Management Summary
b) In the resulting report, select the risk you want to mitigate with the control and choose Execute. Hint: it should contain "vendor master data maintenance" as one of the conflicting functions. To see more details, toggle to the Summary report.
c) Select the risk description and select Mitigate the Risk in the Options area.
d) Choose Continue. In the Risk Mitigation screen, enter the following data.
      Mitigation Control:  CVENXX
      Monitor ID:          XXMonitor
      Status:              Enable

Mitigation Exercise 2 Contd.

Check the assignment of the mitigation control by performing a new risk analysis on GRC300-CR_PURCHASE_TO_PAY-XX.
a) Select the Informer tab and choose Risk Analysis.
b) Enter the following data.
      Role Level
      Role:           GRC300-CR_PURCHASE_TO_PAY-XX
      Rule Set:       Global
      Report Type:    Permission Level
      Report Format:  Management Summary
c) Choose More Options.
d) Set Ignore Mitigation to YES to make the mitigated risks invisible in the result screen of the analysis.
e) Choose Execute. In the results screen, all mitigated risks have vanished and the composite role is much cleaner than before our remediation and mitigation activities started.

Remediation relevant reporting

Demonstrate the Action Usage by Users report.
a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
b) Choose Informer → Miscellaneous.
c) Select the Action Usage by Users report.
d) In the selection criteria, enter the following data.
      System:       T90CLNT090
      Date:         Use default
      Action:       SU01
      Report Type:  All
e) Choose Execute.
f) Look at the results of the search.

Mitigation control report

Demonstrate the Invalid Mitigation Controls report.
a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
b) Choose Informer → Risk Analysis → User Level.
c) In the selection criteria, enter the following data.
      System:       T90CLNT090
      Risk ID:      55#4*
      Report Type:  Invalid Mitigation Controls
d) Choose Execute. If you see a runtime warning, choose OK.
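What Mitigation Exercise 2 (hiding mitigated risks in the role-level analysis) and the Invalid Mitigation Controls report evaluate, as an added Python illustration that is not SAP code or course material. The page's Ignore Mitigation switch is modelled as a hide_mitigated flag with the behaviour the page describes (mitigated risks disappear from the list). Role, risk, control and monitor names follow the exercises; the violations, the validity dates and the control IDs CEXPXX and CGONEXX are constructed.

```python
"""Mitigation assignments in a risk analysis result (added illustration).

Not SAP code. hide_mitigated models the page's "Ignore Mitigation" switch as the
page describes it. Names follow the exercises; violations, dates and the
controls CEXPXX / CGONEXX are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Violation:
    object_id: str            # role (or user) that was analysed
    risk_id: str
    actions: Tuple[str, ...]  # conflicting actions found


@dataclass(frozen=True)
class MitigationAssignment:
    control_id: str
    object_id: str
    risk_id: str
    monitor: str
    valid_from: date
    valid_to: date
    status: str = "Enable"


def assignment_problems(a: MitigationAssignment, known_controls: Set[str], today: date) -> List[str]:
    """Reasons why an assignment does not mitigate anything today."""
    problems = []
    if a.control_id not in known_controls:
        problems.append("control does not exist")
    if a.status != "Enable":
        problems.append("assignment disabled")
    if not a.valid_from <= today <= a.valid_to:
        problems.append("outside validity period")
    if not a.monitor:
        problems.append("no monitor assigned")
    return problems


def invalid_mitigation_controls(assignments, known_controls, today):
    """Invalid Mitigation Controls report: every assignment with a problem."""
    rows = []
    for a in assignments:
        problems = assignment_problems(a, known_controls, today)
        if problems:
            rows.append((a.control_id, a.object_id, a.risk_id, "; ".join(problems)))
    return rows


def risk_analysis(violations, assignments, known_controls, today, hide_mitigated=False):
    """Role-level result rows: (object, risk, actions, mitigating control or "")."""
    valid = {(a.object_id, a.risk_id): a.control_id
             for a in assignments if not assignment_problems(a, known_controls, today)}
    rows = []
    for v in violations:
        control = valid.get((v.object_id, v.risk_id), "")
        if control and hide_mitigated:
            continue  # mitigated risks vanish from the result screen
        rows.append((v.object_id, v.risk_id, v.actions, control))
    return rows


TODAY = date(2024, 3, 15)
ROLE = "GRC300-CR_PURCHASE_TO_PAY-XX"
KNOWN_CONTROLS = {"CVENXX", "CEXPXX"}  # CVENXX from the exercise; CEXPXX constructed
VIOLATIONS = [
    Violation(ROLE, "RKAXXB", ("XK01", "ME21")),  # vendor master maintenance vs. create PO
    Violation(ROLE, "ZP2PXX", ("ME21", "MIGO")),  # constructed second risk
]
ASSIGNMENTS = [
    MitigationAssignment("CVENXX", ROLE, "RKAXXB", "XXMonitor", date(2024, 1, 1), date(2024, 12, 31)),
    MitigationAssignment("CEXPXX", ROLE, "ZP2PXX", "XXMonitor", date(2023, 1, 1), date(2023, 12, 31)),   # expired
    MitigationAssignment("CGONEXX", ROLE, "ZP2PXX", "XXMonitor", date(2024, 1, 1), date(2024, 12, 31)),  # control deleted
]


def demo():
    """(full result list, list with mitigated risks hidden, invalid-controls report)"""
    return (risk_analysis(VIOLATIONS, ASSIGNMENTS, KNOWN_CONTROLS, TODAY),
            risk_analysis(VIOLATIONS, ASSIGNMENTS, KNOWN_CONTROLS, TODAY, hide_mitigated=True),
            invalid_mitigation_controls(ASSIGNMENTS, KNOWN_CONTROLS, TODAY))
```

Only the assignment that exists, is enabled and is inside its validity period suppresses a risk; the two broken assignments for ZP2PXX leave that risk visible and appear in the invalid-controls report, which is why that report belongs in the periodic review of mitigations rather than being run once at setup.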

SoD Violations from custom programs

Demonstrate the SoD Violations from Custom Programs report.
a) Log on to Risk Analysis and Remediation via the SAP BusinessObjects Access Control launch pad.
b) Choose Informer → Audit Reports → Miscellaneous.

CUP – Verification of install

CUP Auth. System

Integrate RAR and CUP

1. Retrieve the URL for the Risk Analysis Web service configuration.
   a. From the SAP NetWeaver Web Application Server start page, choose Web Service Navigator.
   b. Expand the VirsaCCRiskAnalysisService Web service.
   c. Choose Document.
   d. Right-click the URL address under the WSDL heading to copy it as a shortcut.
2. Choose Compliant User Provisioning, choose the Configuration tab, and choose Risk Analysis.
3. In the Select Analysis and Remediation Version pane, choose 5.3 Web Service from the version menu.
4. In the URL field, enter the risk analysis URL. You can paste in the copied shortcut you obtained in the first step.
5. Enter a User Name and a Password. Note: this user must have the Admin role for Risk Analysis and Remediation.
6. Choose Save.

Define connectors for SAP

Choose CUP, select the Configuration tab, and choose Connectors → Create Connectors. In the Connector Type menu, choose SAP. In the Name field, enter a name for the connector. Note: the connector names are important when integrating with other Access Control components and Central User Administration (CUA). Make sure that the connector name for Access Control is the same as the one configured for CUA. In the Short Description field, enter a brief description of the connector. In the Description field, enter a long-text description of the connector. In the Application field, enter the name of the application or application server. In the Application Server Host field, enter the host name of the application server. In the System Number field, enter the number in the SAP system log. In the Client field, enter the SAP client number. In the User ID field, enter the user ID you are configuring to have access to the back-end system. In the Password field, enter the specified password for the SAP user ID. In the System Language field, enter the language for the system. In the Message Server Name field, enter the name of the message server, which is used for load balancing. In the Message Server Group field, enter the logon group name to which the message server belongs. In the Message Server Host field, enter the host name of your message server. In the SAP Version menu, select the appropriate SAP version. CUP supports SAP 4.6C, SAP 4.7, and SAP ECC 6.0. Select the SLD Connector checkbox to enable the System Landscape Directory.

Define SAP connectors for CUP

CUP Lifecycle

How does CUP workflow work

CUP Workflow components

Workflow example

Approver Determination

Approval Stage Customization

There are three configuration areas:
  Notification Configuration
  Additional Configuration
  Additional Security Configuration (Approval Reaffirm)

If the user, requestor, and approver are the same, each receives multiple e-mail notifications. When sending an e-mail notification to the user and the requestor, if the user is the requestor, the system sends two e-mail notifications. If the requestor and the manager are the same user, that person receives two e-mails.

Notification configuration

The Notification Configuration screen configures e-mail notifications for a stage to determine whether and to whom the system sends notifications about the actions taken at this stage. There are four possible actions:
1. Approved: The system sends the e-mail notification configured on the Approved tab when the approver approves the request.
2. Rejected: The system sends the e-mail notification configured on the Rejected tab when the approver rejects or denies the request.
3. Escalation: The system sends the e-mail notification configured on the Escalation tab when the approver fails to respond to the request within the allotted wait time and an escalation has occurred.
4. Next Approver: The system sends the e-mail notification to the approver(s) of the stage when the request enters this stage. The next approver is

Additional Configuration

Risk Analysis Mandatory: Select Yes or No to determine whether the approver is required to perform a risk analysis before approving the request.
Change Request Content: An approver has the authority to change the content of the request. If set to Yes, the Add Roles field becomes available for selection. Select Yes or No to allow roles to be added during this stage. If set to Yes, the Path Evaluation For New Roles field becomes available for selection. This setting determines how the roles are evaluated to see if they are on the correct path (this is necessary only if you configure your initiators by roles).
  All Roles in Evaluation Path: All roles are re-evaluated against the initiators.
  New Roles Only: The new roles are analyzed against the initiators to determine if another parallel workflow must be created for the newly added roles.
If the Change Request Content configuration option is set to Yes but Add Roles is set to No, the approver can remove roles from the request but not add additional roles. If the Change Request Content configuration option is set to No, the approver cannot change the roles on the request. They cannot reject or remove roles, nor can they add additional roles to the request.
Approval Level: The approver has the authority to approve the request at the Request, Role, or System and Role levels.
Reject Level: The approver has the authority to reject the request at the Request, Role, or System and Role levels.
Approval Type: Select whether any one approver can approve at this stage, or whether all approvers must approve at this stage, for the request to move on to the next stage.
Email Group: This feature is no longer used. It remains on the screen for backward compatibility.

Request Rejection: If you set this option to Yes, the approver is allowed to reject the entire request. A Reject button appears next to the Approve button, so the approver can reject the entire request without individually rejecting each role. If No, the approvers can reject roles on the request without the ability to reject the entire request.
Re-Route: The approver has authority to re-route the request to a previous stage as an alternative to rejecting the request entirely. Re-routing does not apply if the approver chooses to approve the request.
Confirm Approval: The approver must answer an additional question to confirm the approval action.
Confirm Rejection: The approver must answer an additional question to confirm the rejection action.
Reject by Email and Approve by Email: The approver can reject or approve the request by e-mail. If you set this option to Yes, there could be two additional links in the e-mail when the approver gets the e-mail notification for this stage stating that there is a request waiting for action. If Approve by Email is set to Yes, one link will be the Approve Request action. If Reject by Email is set to Yes, another link will be present for Reject Request. These buttons will transfer the approver to Compliant User Provisioning. The approver must still be the valid approver for this stage of the request and must enter his or her user ID and password.
Reject by Email: The approver can reject the request by e-mail. This setting is not an option if actions are required, for example, if risk analysis or comments are required.
Approve by Email: Allows the approver to approve the request by e-mail. This setting is not an option if actions are required, for instance, if risk analysis or comments are required.
Forward: The approver has the authority to forward the request to someone else for approval.

Additional Configuration Contd.

CUP Workflow Configuration Exercise
Set up a basic workflow with one stage to make a change to a user, run an SoD check, then have the change auto-provisioned to an SAP system.

Log on to the back-end system assigned by your instructor, into client 800 with your user ID, and create the following roles:
   a. Z_XX_FB50 and assign transaction FB50 with full authorizations
      i. Description: Post Journal Entry
   b. Z_XX_OB52 and assign transaction OB52 with full authorizations
      i. Description: Open and Close Accounting Period
Log on to SAP BusinessObjects Access Control Compliant User Provisioning through http://10.0.0.14:51000/webdynpro/dispatcher/sap.com/grc~acappcomp/AC
Choose Configuration → Role Import and import the roles you created using the Selected Roles option.
Log on to the UME using your User ID and create the following users in the UME:
      Manager(XX) with Role: AE Approver
      RoleOwner(XX) with Role: AE Approver
      Security(XX) with Role: AE Security
      Sox(XX) with Role: AE Approver

Log on to SAP BusinessObjects Access Control Compliant User Provisioning through http://10.0.0.14:51000/webdynpro/dispatcher/sap.com/grc~acappcomp/AC

CUP Workflow exercise contd.

Choose Configuration → Roles → Role Search and select the roles imported into Compliant User Provisioning in step 4 above. Verify/assign the following:
      Z_XX_FB50:  Business Process Finance; Critical Level High; Role Approver tab: RoleOwner(XX)
      Z_XX_OB52:  Business Process Finance; Critical Level High; Role Approver tab: RoleOwner(XX)

Go to the workflow configuration and create an initiator. Choose Configuration → Workflow → Initiator. Choose Create and enter the following data.
      Name:               XX_Initiator
      Short Description:  XX_Initiator
      Workflow Type:      Compliant User Provisioning
      Attribute:          Functional Area
      Value:              XXFI
Choose Save to save the initiator.

Create three stages. Choose Configuration → Workflow → Stage. Choose Create and enter the following data.
      Name:                   XX_Manager
      Short Description:      XX_Manager
      Workflow Type:          Compliant User Provisioning
      Approver Determinator:  Manager

      Name:                   XX_RoleOwner
      Short Description:      XX_RoleOwner
      Workflow Type:          Compliant User Provisioning
      Approver Determinator:

For the notification configuration, select the Next Approver tab and fill in the information for approval.
Select the following options for the Additional Configuration section.
      Risk Analysis Mandatory:         Yes
      Change Request Content:          No
      Add Role:                        Should not be able to change. Why? Change Request Content is set to No.
      Path Revaluation for New Roles:  Should not be able to change. Why? Change Request Content is set to No.
      Approval Level:                  Request
      Rejection Level:                 Request
      Approval Type:                   Any one Approver
      Comments Mandatory:              Yes or No
      Request rejected:                No
      Re-route:                        No
      Confirm Approval:                No
      Confirm Rejection:               No
      Reject by Email:                 No
      Approve By Email:                No
      Forward Allowed:                 No
      Approve Request Despite Risks:   Yes

Choose Save to save each stage.

CUP Workflow exercise contd.

Create a path. Choose Configuration → Workflow → Path. Choose Create, then enter the following data.
      Name:               XX_Path
      Short Description:  XX_Path
      Workflow Type:      Compliant User Provisioning
      Number of Stages:   3
      Initiator:          XX_Initiator
Be sure to make the path Active.
Select the three stages that you created in this exercise. Choose Save to save the path.

Create a Custom Approver Determinator for the detour. Choose Configuration → Workflow → Custom Approver Determinators and create a custom approver determinator.
      Name:               XX_SOD_CAD
      Short Description:  XX_SOD_CAD
      CAD Type:           Attribute
      Workflow Type:      Compliant User Provisioning
      Attribute:          Functional Area
Choose Save. Choose the Approvers button and choose Add.
      Functional Area:    XXFI
      Approver:           SoxXX User

Define a stage for SoD violations. Choose Configuration → Workflow → Stage and enter the following data.
      Name:                   XX_SOD_Stage
      Short Description:      XX_SOD_Stage
      Workflow Type:          Compliant User Provisioning
      Approver Determinator:  XX_SOD_CAD

CUP Workflow exercise contd.

Define a detour path. Choose Configuration → Workflow → Path and create the following path.
      Name:               XX_Detour
      Short Description:  XX_Detour
      Workflow Type:      Compliant User Provisioning
      Number of Stages:   2
      Initiator:          None
      Detour checkbox:    Select Yes
      Stage 1:            XX_SOD_STAGE
      Stage 2:            XX_Security
Be sure to make the path Active. Choose Save.

Define a detour for SoD violations. Choose Configuration → Workflow → Detour/Fork and create a detour.
      Workflow Type:  Compliant User Provisioning
      Path:           XX_Path
      Stage:          XX_RoleOwner
      Action:         Save
      Condition:      SOD Violations
      Value:          Yes
      Detour Path:    XX_Detour

Test your workflow by creating several requests and verify that the path and detour you created work properly.
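The initiator / stage / path / detour configuration built in this exercise, as an added Python illustration that is not SAP code or course material. It simplifies CUP in three ways, each an assumption: approver determination is a static list per stage, a detour replaces the remaining stages of the original path, and a request whose last stage is approved counts as auto-provisioned. Stage, path, role and user names follow the exercise; the SoD rule (FB50 together with OB52), the request data and the approver decisions are constructed.

```python
"""CUP workflow routing with a detour on SoD violations (added illustration).

Not SAP code. Assumptions: static approver lists per stage, a detour replaces
the rest of the original path, approval of the last stage = auto-provisioning.
Names follow the exercise; the SoD rule, requests and decisions are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    approvers: Tuple[str, ...]          # result of the approver determinator
    approval_type: str = "ANY"          # ANY: one approver suffices; ALL: everyone must approve
    risk_analysis_mandatory: bool = True
    approve_despite_risks: bool = True  # Additional Configuration: Approve Request Despite Risks


@dataclass(frozen=True)
class Path:
    name: str
    stages: Tuple[Stage, ...]
    active: bool = True


@dataclass(frozen=True)
class Detour:
    path: str          # path on which the condition is evaluated
    stage: str         # stage whose Save action triggers the check
    condition: str     # "SOD Violations"
    value: bool        # Yes / No
    detour_path: Path


@dataclass(frozen=True)
class Request:
    id: str
    user: str
    roles: Tuple[str, ...]


# Constructed SoD rule: posting journal entries (FB50) combined with
# opening/closing posting periods (OB52) is treated as one conflict.
ROLE_ACTIONS = {"Z_XX_FB50": {"FB50"}, "Z_XX_OB52": {"OB52"}}
SOD_RULES = [{"FB50", "OB52"}]

Decisions = Dict[str, Dict[str, str]]  # stage name -> approver -> "approve" | "reject"


def sod_violations(request: Request) -> bool:
    """Risk analysis at a stage: does the requested access hit any rule?"""
    held: Set[str] = set()
    for role in request.roles:
        held |= ROLE_ACTIONS.get(role, set())
    return any(rule <= held for rule in SOD_RULES)


def stage_outcome(stage: Stage, decisions: Decisions) -> str:
    """Apply the stage's Approval Type to the decisions recorded so far."""
    votes = decisions.get(stage.name, {})
    if any(v == "reject" for v in votes.values()):
        return "rejected"
    approved = [a for a in stage.approvers if votes.get(a) == "approve"]
    if stage.approval_type == "ALL":
        return "approved" if len(approved) == len(stage.approvers) else "pending"
    return "approved" if approved else "pending"


def route(request: Request, path: Path, detours: List[Detour],
          decisions: Decisions) -> Tuple[List[str], str]:
    """Walk the request through the path; return (stages visited, final status)."""
    if not path.active:
        raise ValueError(f"path {path.name} is not active")
    queue, visited, current_path = list(path.stages), [], path.name
    while queue:
        stage = queue.pop(0)
        visited.append(stage.name)
        violations = sod_violations(request) if stage.risk_analysis_mandatory else False
        if violations and not stage.approve_despite_risks:
            return visited, "rejected: SoD violations"
        outcome = stage_outcome(stage, decisions)
        if outcome != "approved":
            return visited, outcome
        # Action "Save" at this stage: a matching SoD-violations detour re-routes the request.
        for d in detours:
            if (d.path, d.stage, d.condition) == (current_path, stage.name, "SOD Violations") \
                    and d.value == violations:
                queue, current_path = list(d.detour_path.stages), d.detour_path.name
                break
    return visited, "approved and auto-provisioned"


# Configuration from the exercise.
XX_MANAGER = Stage("XX_Manager", ("Manager(XX)",))
XX_ROLEOWNER = Stage("XX_RoleOwner", ("RoleOwner(XX)",))
XX_SECURITY = Stage("XX_Security", ("Security(XX)",), risk_analysis_mandatory=False)
XX_SOD_STAGE = Stage("XX_SOD_Stage", ("Sox(XX)",))
XX_PATH = Path("XX_Path", (XX_MANAGER, XX_ROLEOWNER, XX_SECURITY))
XX_DETOUR = Path("XX_Detour", (XX_SOD_STAGE, XX_SECURITY))
DETOURS = [Detour("XX_Path", "XX_RoleOwner", "SOD Violations", True, XX_DETOUR)]
APPROVE_ALL: Decisions = {s.name: {a: "approve" for a in s.approvers}
                          for s in (XX_MANAGER, XX_ROLEOWNER, XX_SOD_STAGE, XX_SECURITY)}


def demo():
    """A conflicting request takes the detour; a clean one follows XX_Path."""
    conflicting = Request("REQ-1", "jdoe", ("Z_XX_FB50", "Z_XX_OB52"))
    clean = Request("REQ-2", "asmith", ("Z_XX_FB50",))
    return route(conflicting, XX_PATH, DETOURS, APPROVE_ALL), route(clean, XX_PATH, DETOURS, APPROVE_ALL)


def demo_all_required():
    """Approval Type ALL: one of two approvers leaves the stage pending."""
    dual = Stage("XX_Dual", ("A", "B"), approval_type="ALL")
    return (stage_outcome(dual, {"XX_Dual": {"A": "approve"}}),
            stage_outcome(dual, {"XX_Dual": {"A": "approve", "B": "approve"}}))
```

The conflicting request visits XX_Manager, XX_RoleOwner, XX_SOD_Stage and XX_Security, so the SoD approver sees it before provisioning; the clean request never leaves XX_Path. This is the behaviour the last step of the exercise asks you to verify by creating several requests.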
