SAP Security Overview For BT: July 13, 2007 Ravi Koppakula
Agenda
Role development approach
Role construction
Roles: Single, Composite, Master, Derived (Spin)
Role Naming Convention
Segregation of Duties
SAP GRC (Virsa) Compliance Calibrator
Q&A
Applied Materials Confidential/Business Transformation
Introduction
Provide employees with access to the information and actions needed to execute their responsibilities.
Restrict unauthorized access, protecting corporate information and maintaining the integrity of the SAP system.
Create a flexible, integrated and simplified security structure that allows a quick response to future changes.
Security Overview
SAP security is based on granting access to authorizations within the different object classes. The groundwork of the design is granting access to selected transactions, which limits what an employee can do. The next step is to control the locations, logical or physical, that the employee has access to; these locations are referred to as Hierarchy Elements or Organizational Values. The final step is controlling access to Key Objects, which can be used to further restrict access to specific sub-functions of a process.
Hierarchy Elements / Organizational Values: Company Codes, Sales Organizations, Plants, Warehouses, Purchasing Groups, Storage Locations, Shipping Points and Business Areas, all customer-defined as needed.
Key Objects: Order Types, Document Types, Movement Types, Account Types and Authorization Groups.
Role Construction
Analysis: The Security team, together with the Functional and Business teams, puts together the requirements and performs an impact analysis.
Design: The Security team does the design, which includes creating new roles, changes in SU24 and creating new t-codes for reports.
Construction: The end-user roles are built using SAP's authorization concept and the Profile Generator. After the initial roles are created, an SoD tool is used to identify conflicts within each role, so that Organizational Alignment, Internal Audit and Functional Management can review issues before the final design is approved. During this process the roles are tested and moved to QA.
The following guidelines apply when creating or modifying roles:
T-codes are added through the User Menu; no object is added to the role manually.
Roles are generated and re-organized when required.
A derived role differs from its master role only in Org. Element values.
Composite Role
Segregation of Duties
Segregation of duties (SoD) is a type of control needed in business processes to ensure that fraud or unintended financial transactions do not occur.
Functionality versus Confidentiality: broadly speaking, SoD encompasses both the functions available to an employee (i.e., what a person can do) and the information available to an employee (i.e., what a person can see). Our focus is at the technology level: we focus on the functionality component of SoD, and this aspect is the most relevant to the financial reporting process.
The SoD review focuses on core business processes including: Revenue, Procurement, Inventory Management, Asset Management, General Ledger Accounting, HR/Payroll, etc. SoD conflicts can occur within a manual process as well as within an SAP or other application process.
SoD (contd.)
Segregation of duties conflicts occur at two levels in enterprise applications:
1) Security Role/Profile: conflicting transactions are configured into one security role or profile, which is then assigned to an end user. Resolution: the security role/profile is redesigned to remove the conflicting transaction codes.
2) End User Assignments: an end user is assigned multiple security roles or profiles, and the transaction codes within and between the roles cause a conflict. Resolution: one or more conflicting roles are removed from the end user, or a compensating control is designed, documented, approved and implemented by the business.
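As an added example (not part of this deck and not Virsa Compliance Calibrator's own logic), a small Python check that applies the two conflict levels above to a constructed rule set, role catalogue and user-to-role assignments; the role names, the users and the rule pairs are illustrative, and the transaction codes are standard SAP ones used only to make the rules readable.

```python
from itertools import combinations

# Constructed SoD rule set (illustrative, not the deck's or Virsa's matrix):
# pairs of transaction codes that one person must not be able to execute together.
SOD_RULES = {
    frozenset({"FK01", "F110"}): "create vendor master + run payment program",
    frozenset({"ME21N", "MIRO"}): "create purchase order + post vendor invoice",
}

# Constructed role catalogue: role name -> t-codes it grants (Z_ = customer namespace).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_PUR_BUYER": {"ME21N", "ME23N", "MIRO"},  # PO creation and invoice entry in one role
}

# Constructed user assignments: user -> roles held.
ASSIGNMENTS = {
    "USER_A": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],  # conflict arises only across roles
    "USER_B": ["Z_AP_PAYMENTS"],
}


def role_conflicts(roles):
    """Level 1: conflicting t-codes configured inside one role (fix: redesign the role)."""
    found = []
    for role, tcodes in sorted(roles.items()):
        for pair in combinations(sorted(tcodes), 2):
            rule = SOD_RULES.get(frozenset(pair))
            if rule:
                found.append((role, pair, rule))
    return found


def user_conflicts(roles, assignments):
    """Level 2: conflicts across everything one user holds, within and between roles
    (fix: remove a role or document a compensating control). Each hit names the
    roles that contribute the conflicting t-codes so the reviewer knows what to remove."""
    found = []
    for user, held in sorted(assignments.items()):
        origin = {}  # t-code -> set of roles that grant it to this user
        for role in held:
            for tc in roles[role]:
                origin.setdefault(tc, set()).add(role)
        for pair in combinations(sorted(origin), 2):
            if frozenset(pair) in SOD_RULES:
                found.append((user, pair, sorted(origin[pair[0]] | origin[pair[1]])))
    return found


if __name__ == "__main__":
    print("Role-level conflicts:", role_conflicts(ROLES))
    print("User-level conflicts:", user_conflicts(ROLES, ASSIGNMENTS))
```

Running it flags Z_PUR_BUYER as a badly built role (level 1) and USER_A as a conflict that only exists because of the combination of two individually clean roles (level 2).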
Q&A