SAP User Access Review - Direct Supervisor & Role Owner Quick Reference Guide

The document provides guidance for approvers on the SAP GRC UAM access request process at Sony Pictures Entertainment. It defines terminology related to UAM and describes the eight types of notifications approvers will receive. It also explains how to log on to the NetWeaver Business Client to access requests and view the key components of a request, including the user access, risk violations, users, audit log, comments, and attachments tabs.


SONY PICTURES ENTERTAINMENT

SAP GRC UAM Approver guide

Information Technology
User Access Management
SAP GRC 10

Integrated approach to SAP Security


Document History

Rev No. | Description | By | Date | Approved By
1.0 | Draft version | Karolina Drzewiecka, Rafał Storta | 05/28/2014 | Beata Okaj
2.0 | Input from Beata Okaj | Filip Nowak | 06/12/2014 | Beata Okaj


Contents
1. UAM Terminology ................................................................................................................... 4
2. Notifications .............................................................................................................................. 5
3. Logon to the NetWeaver Business Client (NWBC) ................................................................. 9
4. Opening request from e-mail notification ............................................................................... 12
5. Request view ........................................................................................................................... 13
6. Make decisions on access request ........................................................................................... 15
6.1. Changing approval status for request and roles ............................................................... 15
6.2. Add new roles to the request ........................................................................................... 17
6.3. Performing risk analysis .................................................................................................. 18
6.4. Forwarding request .......................................................................................................... 21
6.5. User details ...................................................................................................................... 22
6.6. Audit log .......................................................................................................................... 23
6.7. Comments ........................................................................................................................ 24
6.8. Attachments ..................................................................................................................... 25
7. Delegating authority................................................................................................................ 27
8. Typical questions .................................................................................................................... 28
9. User interface elements ........................................................................................................... 29
10. Appendix ............................................................................................................................. 32


1. UAM Terminology
- UAM – User Access Management process. The objective of the process is to grant new,
extend or remove user access in SAP systems in a controlled way, ensuring all
compliance and security requirements are met.
- ARM – the Access Request Management (ARM) module of Access Control automates and
documents the user access management process. The solution provides a workflow-based
review and approval process.
- Access requestor – person who initiates the User Access Management process by creating
a user access request directly in SAP GRC.
- Administrator – person who maintains the configuration of UAM and performs
maintenance activities. The administrator can perform UAM-specific tasks, such as
cancelling UAM requests.
- User direct supervisor – person who executes the first level of the User Access Management
process by making a decision on the user access request directly in SAP GRC.
- Role owner – person who executes the second level of the User Access Management process by
approving the user access request for each corresponding role directly in SAP GRC.
- Compliance SoD champion – person who supports the User Access Management process
from the Segregation of Duties (SoD) risk perspective. This role actively participates in approving
an access request when a new SoD risk is identified during the access requesting
process.
- NWBC – NetWeaver Business Client (accessible via Internet browser or the dedicated
NWBC software client) is a user interface client that offers a single point of entry to SAP
applications, in particular harmonized access to existing SAP GUI transactions and newly
developed applications based on Web Dynpro.


2. Notifications
The ARM application sends eight types of notifications:
- When a request is submitted,
- When an approver receives a new UAM request,
- When an approver receives a forward with user(s) from another approver,
- When a request returns from a forward (forwarding with return),
- When a request is approved on a specified stage,
- When an approver receives a reminder after a long time without a decision on a UAM request,
- When a request is escalated,
- When a request is closed.

E-mail notifications contain useful links for the reviewer:
- Direct link to the request,
- Direct link to the SAP GRC application,
- Direct link to the training materials for User Access Management.


3. Logon to the NetWeaver Business Client (NWBC)

Logon using web interface

Use the direct link to the GRC Production environment (GPR) in the IE web browser (Mozilla Firefox is
recommended):
https://sppgrc01.spe.sony.com:8081/nwbc

Enter your user name and password, and choose Log On.


Logon using NetWeaver Business Client

Log in to the selected system in NetWeaver Business Client.

Logon using SAP GUI

Log in to the ABAP GRC 10 production client and enter your username and password. If you are
missing SAP GUI logon data, please contact the SAP Security team.

Next, to work with SAP GRC ARM data, enter NWBC in the transaction field, then click the System
OK icon.


To open the request, go to the My Home tab, open the Work Inbox and click on the request subject.


4. Opening request from e-mail notification

To open a request from the e-mail notification, the user must click on the direct link to the request.

In the next step the user will be asked to log in to the system using the SAP username and password.

The request will be displayed automatically after login.


5. Request view
An access request consists of a header, with general request information, and six tabs:
- User Access - information on line items,
- Risk Violations - information on risks arising from the roles in the access request,
- Users - users for whom the request is created,
- Audit Log - detailed information on the request,
- Comments - comments added to the request,
- Attachments - files attached to the request.


Roles (line items) used in the access request are described in the User Access tab by the following
attributes:
- Approval status - approve or remove on the selected stage in the approval path,
- Assignment - name of the role in the access request,
- System - the system in which the role will be assigned,
- Risk violation - result of the risk analysis,
- Role type,
- Requested role validity,
- Role owner,
- Comments,
- Provisioning actions - determines whether the role will be assigned, removed or retained.


6. Make decisions on access request

The user can make various decisions on the request:

- Approve the selected role by clicking the approve button,
- Reject the selected role by clicking the reject button,
- Approve all decisions contained in the User Access tab by clicking the corresponding button,
- Reject the whole request by clicking the button and selecting the Reject action,
- Forward the request by clicking the button and selecting the Forward Request action,
- Show all roles currently assigned to the user by clicking the corresponding button,
- Add a new role using the add button,
  IMPORTANT: Only the user direct supervisor can add or remove roles in the request.
- Remove a role from the request by clicking the remove button,
  IMPORTANT: Only roles added by the supervisor can be removed from the request.
- Perform risk analysis by clicking the risk analysis button.

6.1. Changing approval status for request and roles

The approver can change the approval status of selected roles. Every role can be approved or
rejected. To change the approval status, select the role and click the approve or reject button in the
User Access tab. The decision can also be made by selecting the appropriate action from the drop-down
list located in the Approval Status column. Selected decisions are approved by clicking the
corresponding button. The user can also reject the whole request using the button and selecting the
Reject option. The user can check role details by clicking on the role name.

In a new window the system displays detailed information on the selected role.

The list of transactions contained in the role can be found in the Actions tab.


6.2. Add new roles to the request

The user direct supervisor has the ability to add roles to the request. To add new roles:

- Click on the add button and select the Roles option; a new selection window will pop up on the screen.
  IMPORTANT: Only the user direct supervisor can add or remove roles in the request.
- The role search criteria can be adjusted to your needs. For each role search you can extend (using
the extend button) or limit (using the limit button) the search criteria. To see the list of available
search criteria, click on the first drop-down field and select the appropriate filter.
- Click on the search button. The system will provide a list of all roles available for the selected criteria.
- Using the role selection buttons you can select one, all or multiple roles (using CTRL + mouse click).
  Role selection buttons: Single, All.
- Click on the add button to add the selected roles to the request.

Added roles can be removed with the remove button.

IMPORTANT: Only roles added by the supervisor can be removed from the request.

6.3. Performing risk analysis

The approver can perform risk analysis to check how new roles will impact the user's
access. Executing risk analysis is an optional step for request approval.

IMPORTANT: Performing risk analysis is mandatory when new roles are added to the
request. After risk analysis, roles causing a risk are highlighted in red on the role tab; if you need
additional input to find out which transactions are causing the conflict, you can also contact the SAP
Security team.

To run Risk Analysis:

- Select System: RPR500 – SAP ECC production system
- Select Result Options:
  Executive summary – lists the SoD risks (recommended)
  Management summary – lists the SoD risks and users
  Summary – provides information about the transaction codes
  Detail – the most detailed result option; provides information about the SAP roles that are
  causing the conflict
- Click on the run button to see if any SoD risks exist


Risk Analysis - Executive Summary view

IMPORTANT: If you need additional input to find out which transactions are causing conflict,
you can also contact SAP Security team.


Risk Analysis - Management summary view

Risk Analysis - Summary view


Risk Analysis - Detail view

IMPORTANT: If you need additional input to find out which transactions/authorization are
causing conflict, you can also contact SAP Security team.
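The four result options differ only in how much of each finding they show, and the supervisor's task in section 8 (reject or replace the conflicting role) is simply the same analysis run again on the roles that remain. The following is an added example, not SAP GRC code, modelling that in Python: the roles, transactions, the rule P001 and the user id jdoe are constructed.

```python
"""Toy SoD risk analysis modelled on the ARM result options in section 6.3.
Added example, not SAP GRC code: roles, transactions, the risk rule P001
and the user id are all constructed."""

# Constructed role master data: the transactions (tcodes) each role grants.
ROLE_TCODES = {
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_AP_DISPLAY": {"FB03", "FBL1N"},
}

# Constructed ruleset: a risk fires only when the user can reach every one of
# its conflicting functions, each function being a set of transactions.
RISK_RULES = {
    "P001": ("Enter vendor invoices and run the payment program",
             {"AP_INVOICE": {"FB60", "MIRO"}, "AP_PAYMENT": {"F110"}}),
}

# Result options in increasing level of detail (see section 6.3).
LEVELS = ("executive", "management", "summary", "detail")

def risk_analysis(user, roles, level="executive"):
    """Return SoD findings for the roles a user would end up with. executive:
    risk id and text; management: adds the user; summary: adds the conflicting
    transactions; detail: adds the roles that grant them."""
    if level not in LEVELS:
        raise ValueError(f"unknown result option {level!r}")
    depth = LEVELS.index(level)
    granted = {r: ROLE_TCODES[r] for r in roles}
    reachable = set().union(*granted.values()) if granted else set()
    findings = []
    for risk_id, (text, functions) in RISK_RULES.items():
        hit = {fn: tc & reachable for fn, tc in functions.items()}
        if not all(hit.values()):
            continue  # some function is unreachable, so no conflict
        f = {"risk": risk_id, "description": text}
        if depth >= 1:
            f["user"] = user
        if depth >= 2:
            f["tcodes"] = {fn: sorted(tc) for fn, tc in hit.items()}
        if depth >= 3:
            f["roles"] = {fn: sorted(r for r, t in granted.items() if t & tc)
                          for fn, tc in hit.items()}
        findings.append(f)
    return findings

def analyse_request(user, existing_roles, requested, rejected=(), level="executive"):
    """Simulate the request outcome: the user's existing roles plus the
    requested roles the approver has not rejected (status 'remove')."""
    future = set(existing_roles) | (set(requested) - set(rejected))
    return risk_analysis(user, sorted(future), level)

if __name__ == "__main__":
    # jdoe already enters invoices and now requests the payment run role.
    for hit in analyse_request("jdoe", ["Z_AP_INVOICE_ENTRY"],
                               ["Z_AP_PAYMENT_RUN", "Z_AP_DISPLAY"], level="detail"):
        print(hit)
```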

6.4. Forwarding request

The user can forward the request to another approver for a decision. To forward a request,
click on the button and select the Forward Request option. After choosing the alternative
approver, the application proposes two types of forwarding:
- Forwarding with return (check box selected),
- Forwarding without return (check box not selected).

Forward with return sends the user to the second approver for a draft decision; after this the user
is forwarded back to the first approver. The final decision is always taken by the first approver,
regardless of the decision of the second, which is supporting information only.

Forward without return sends the user to the second approver. The decision of the second approver is final.
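The two forwarding modes carry different authority: with return the second approver's decision is advisory and the first approver remains accountable, without return the decision passes to the second approver for good. The following is an added example, not SAP GRC code, that models those rules; the approver names, role names and status values are constructed.

```python
"""Toy model of the forwarding rules in section 6.4. Added example, not SAP
GRC code; approver names, role names and status values are constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    roles: dict                       # role -> "PENDING" | "APPROVE" | "REMOVE"
    approver: str                     # who currently holds the request
    return_to: Optional[str] = None   # first approver, set only on a with-return forward
    drafts: dict = field(default_factory=dict)  # second approver's advisory decisions
    status: str = "OPEN"

def _check_holder(req, who):
    if req.status != "OPEN" or who != req.approver:
        raise PermissionError(f"{who} does not currently hold the request")

def decide(req, who, role, decision):
    """Record a role decision. While the request is on a with-return forward the
    decision is only a draft and never touches the real approval status."""
    _check_holder(req, who)
    if role not in req.roles:
        raise KeyError(role)
    if decision not in ("APPROVE", "REMOVE"):
        raise ValueError(decision)
    target = req.drafts if req.return_to else req.roles
    target[role] = decision

def forward(req, who, to, with_return):
    """Hand the request to another approver; remember who to return it to
    only for 'forwarding with return' (check box selected)."""
    _check_holder(req, who)
    req.approver = to
    req.return_to = who if with_return else None

def submit(req, who):
    """Submit the holder's decisions. After a with-return forward the request
    goes back to the first approver with the drafts as supporting information;
    otherwise it is closed once every role has a decision."""
    _check_holder(req, who)
    if req.return_to:
        req.approver, req.return_to = req.return_to, None
        return "RETURNED"
    if "PENDING" in req.roles.values():
        raise ValueError("every role needs a decision before submitting")
    req.status = "CLOSED"
    return "CLOSED"
```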

6.5. User details

The User Details tab provides detailed information on the user for whom the request is created. The
tab is divided into 5 areas:
- Personal section provides general information on the selected user
- Communication section provides the user's contact data
- Organization data provides the user's basic HR data such as manager or personnel number
- Location section provides information on the place where the user is working
- Company section provides information on the user's company and function

IMPORTANT: User Details are imported by LDAP from the HR system. If they are incorrect or
incomplete, you can raise an IDM incident in the Global Service Desk.

6.6. Audit log

The Audit log tab contains the full request history. It presents, for example: the approval path, current and
previous approvers, forwards, role master data and administrative tasks executed on the request.


6.7. Comments

The Comments tab gives the ability to provide additional information on the request.


6.8. Attachments

The Attachments tab gives the possibility to preview previously added attachments and add new ones.
The approver can add files or links to the request. To add an attachment:
- Go to the Attachments tab
- Press the add button to add an attachment to the request
- Choose Add file or Add link
- Add the link or file
- Press the insert button to insert the attachment in the request

IMPORTANT: When SoD risks are identified, the SoD compensating control worksheet (see
Appendix) needs to be attached by the supervisor to the request to facilitate the Compliance request
review. The document is stored on the dedicated GRC training page: link

The Attachments tab consists of the following elements:


7. Delegating authority
An approver can delegate his authority to approve requests to another user. To delegate authority:
- Go to My Home > Approver Delegation,
- Click on the add button,
- Select the user to whom you will be delegating requests,
- Enter the delegation validity and status.

IMPORTANT: The selected user will have access to all requests in the approver's Work Inbox.


8. Typical questions

Question: What steps should I take as supervisor if the request was submitted with SoD violations?
Action: 1. Ensure which transactions are needed by the user. 2. Check if there is a possibility to reject
the role with SoD violations or replace it with a role without SoD violations. 3. If the risk cannot be
mitigated, attach the SoD compensating control worksheet document and submit the request. It will be
routed to the SoD compliance team.
Section link: Performing risk analysis; Attachments

Question: I have received a request in the supervisor stage. I'm not the supervisor of the user in the
request. What should I do?
Action: A supervisor should not approve requests for users that he doesn't know. A request with an
incorrect approver should be rejected with an appropriate comment.
Section link: Changing approval status for request and roles; Comments

Question: How do I find out which transactions are in the requested role?
Action: Clicking on the role name in the request will open a new window with the role details.
Transactions can be found in the Actions tab in this window.
Section link: Changing approval status for request and roles

Question: How much time do I have to make decisions on the request?
Action: The approver has 14 days for making decisions on the request. The due date is displayed in
the request header. If no decision is made within 14 days, the request will be escalated to the ARM
administrator.

Question: I will not have access to a computer for a longer time. What should I do?
Action: When the user knows that he will be offline for a longer time, it is required to delegate the
authority to approve requests to another user.
Section link: Delegating authority

Question: Where is the SOD Compensating Control Work Sheet document stored?
Action: See the hyperlink to the GRC main training page: link


9. User interface elements


Filtering

Query results can be filtered.


Sorting

Columns can be sorted in ascending or descending order by clicking the column name.

Active Query

Check if the entered information is displayed. If the information does not display, click Refresh
at the bottom of the query.


Hide and Rearrange Columns

Columns can be hidden and the sequence can be changed.


To change the presentation, click on Settings.

To hide, display or change the order of the columns, select the name of the header, and then
use the appropriate button.

The Sorting, Calculation, Filter, Display, and Print settings can be maintained and saved as a
user-specific view.


10. Appendix
Sony SOD Compensating Control Work Sheet

Document Purpose: This worksheet will document management's reliance on compensating internal
controls where conflicts have been identified and either cannot or will not be remediated.

SPE Division:

Location:

Business Process:

Application(s):

User(s):

Duration:

Conflict Matrix
SOD Conflict #1:
- Risk Statement
- Functions
- Tcodes

SOD Conflict #2:
- Risk Statement
- Functions
- Tcodes

SOD Conflict #3:
- Risk Statement
- Functions
- Tcodes

Compensating Controls

ID | Control Name | Control Description | Frequency | Management Assertions | Who Performs Control
1 | | | | |
2 | | | | |
3 | | | | |

Sign-Off
Prepared By:    Date:
Reviewed By:    Date:
Reference(s):
