7/29/2019 Basics for GRC
SAP GRC (Basic)
Biju (jays)
http://sapsecurity.info
1 GRC Basic
Contents:
- Introduction: Welcome; SAP Security Overview; SOX Overview
- Access Control Solution Overview
- Compliance Calibrator Overview: Rules Architect; Mitigation Controls; Alerts; Compliance Configuration
- Firefighter Overview
- Access Enforcer Overview: Module Breakdown; Process Walkthrough
- Role Expert Overview: Module Breakdown
Security Design: example R/3 role design model
(Diagram; only its labels are recoverable.) Business processes break down into processes, sub-processes and activities; an activity breaks down into worksteps, and worksteps map to SAP transactions. On the organizational side, an org unit (division) contains jobs (a general category for positions); a position performs one or more roles; an employee holds a position. Role mapping ties roles, grouped into composite roles, to the activities they cover.
SAP Security: the major elements of the SAP authorization concept
- Users
- Composite profiles
- Simple profiles
- Authorization objects
- Authorizations
- Fields and values (activities, organizational elements)
- Transactions
(Diagram: users are assigned user profiles; composite profiles group simple profiles; simple profiles group authorizations, which are instances of authorization objects defining object access and restrictions; roles bundle the authorizations and transactions a user needs.)
To address this complexity and flexibility, SAP has developed a solution called the SAP GRC Access Controls Suite. We will walk through how Compliance Calibrator (CC) addresses some of these issues.
Securing Financial Applications Systems for SOX Compliance
SOX
The Sarbanes-Oxley Act of 2002, also called the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly known as SOX or Sarbox, was passed in response to major corporate scandals like Enron.
Enron Corporation was an American energy company based in Houston, Texas.
Enron figures in late 2001:
- Enron employed around 22,000 people (McLean & Elkind, 2003)
- Claimed revenues of $111 billion in 2000
- Fortune named Enron "America's Most Innovative Company" for six consecutive years
At the end of 2001:
- It was revealed that its reported financial condition was sustained substantially by institutionalized, systematic, and creatively planned accounting fraud
- Enron filed for bankruptcy protection in the Southern District of New York
Some interesting facts
Present access and authorizations approach
IT does not own the responsibility for proper segregation of duties. They can't understand hurdles on the business side, as they lack the collaboration tools and language to efficiently collaborate with the business owners.
Lines of business managers are responsible for SoD, but they lack the technical depth to manage user access, so they rely on IT.
Internal auditors are trying desperately to stay on top of the SoD issue. However, with manually maintained spreadsheets listing the access and authorizations of all employees, contractors, partners and so on, they can only perform a very limited audit at a very high cost.
Sarbanes-Oxley and SAP - Top 7 Control Deficiencies in SAP
1. Segregation of Duties - segregation of duties is the most important point of control focus or deficiency.
2. Inconsistent Business Process Procedures - business procedures not matching the actual process is another problem area in many SAP implementations.
3. Unsecured Customized Programs - many customized 'Z' transactions or 'Y' transactions are built to suit the business process.
4. Unauthorized Access to SAP BASIS - many companies make the mistake of giving access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54 etc. Such unrestricted access can lead to a potential control deficiency under Sarbanes-Oxley.
5. Unrestricted Posting Periods - allowing unrestricted access to open posting periods in SAP can result in unauthorized entries in previous open periods. This can become a severe control deficiency under SOX.
6. SAP Access for Terminated Employees - SAP access that has not been revoked for employees who have been terminated. This can potentially lead to a control deficiency.
7. Database and OS Hardening - the data in SAP sits on databases like Oracle, and SAP Portal as such runs on an operating system. If databases and operating systems are not hardened, the whole SAP environment is put at risk.
GRC: Governance, Risk, Compliance
SAP Compliance Calibrator
Business Challenges
- Identifying risks arising through user access privileges.
- Knowing when users have executed transactions that constitute a risk.
- Developing solutions for risk management and control.
IT / Security Challenges
- Stopping risk from being introduced into the production system through change updates.
- Prohibiting and controlling access to critical basis, developer and sensitive business transactions.
- Ensuring that mitigating controls exist for user access risks and are executed.
Segregation of duties in applications (SoD)
The basic premise of segregation of duties is that users should not be in a position to initiate and authorize their own transactions.
Modern IT applications and ERPs like SAP, Oracle Apps, JD Edwards and PeopleSoft can be configured based on roles. Access to specific transactions in the system can be restricted based on user roles and profiles.
Segregation of duties in applications can act as a major antifraud control and lead to better SOX compliance.
IT Based Antifraud Controls - SoD & SAT
SATs coupled with SoDs can act as the foundation for IT based antifraud controls.
The other important antifraud control is restricting user access to sensitive transactions in the system. From an IT perspective, users have access to a lot of information such as payroll data, balance sheet, profit and loss account etc. This sensitive information can be misused. It is therefore important to restrict users' access to this sensitive information in applications.
MM SoD Conflicts (sample data)
SoD control (functions that should be segregated) | Risk | Risk level
Post Goods Receipt and Post Payments | A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check. | H
Post Goods Receipt and Process Outgoing Payments | A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception. | H
Post Goods Receipt and Process Inventory | A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception. | H
Post Goods Receipt and Process Inventory Documents | A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception. | H
Post Goods Receipt and Goods Issue | A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception. The vendor would be paid for the excess recorded receipt. | H
Post Goods Receipt and Process Materials | A user could create or change a fictitious receipt and create/change a material document to hide the deception. | H
Compliance Calibrator Key Terms
Business Process - Used to classify risks, rules and rule sets by business function, e.g. Order to Cash, Purchase to Pay and Record to Report are all types of Business Processes. All risks and functions are assigned to business functions.
Function - Identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.
Action - Known as Transactions in SAP. To perform a function, more than one action may need to be performed.
Permission - Object in SAP, which forms part of an Action.
Risks - Identify potential problems your enterprise may encounter, which could cause errors or irregularities within the system.
Rule Sets - Categorize and aggregate the rules generated from a risk. When you define a risk, you attribute one or more rule sets to that risk. Similar to a business process.
SoD - Segregation of Duties. SoD controls are primary internal controls intended to prevent or decrease the risk of errors or regulatory irregularities, identify problems, and ensure corrective action is taken. This is achieved by assuring no single individual has control over separate phases of a business transaction.
Definitions: Function, Business Process, Action, Permissions & Activities
1. Function
2. Business process
3. Action
4. Permissions
5. Activities
SAP Compliance Calibrator - Process Overview
Role Maintenance (preventative): Request role change -> Analyse & approve role change -> Build change -> Risk analysis -> Approve change -> Deploy change.
SAP CC is used to identify SoD conflicts before the change enters production. This allows control leads to reject the introduction of risk or to assign / implement a mitigating control before the risk is apparent.
Note: Rules have to be pre-defined before Risk Analysis is performed.
User Provisioning (preventative): Request access -> Identify risks -> Business approval -> Update user -> Execute controls.
Deeper understanding of the risks inherent in the security design allows business approvers to make a proactive choice as to whether they allow a user to have an SoD risk or critical transaction.
Security Controls (detective): Analyse SoD conflicts; Analyse critical transactions; Alert SoD violations; Alert CT (critical transaction) usage.
SAP CC is used to execute security controls for periodic review and approval of SoD conflict and critical transaction risks. The alert monitoring can also be used to alert business or control leads when an SoD violation occurs or a critical transaction is used.
Rules Architect - SoD risk
SAP Compliance Calibrator
Rules are created in Compliance Calibrator based on the risks you define.
Rules are logical constructions composed of a circumstance or condition and the appropriate response to that condition. This is commonly represented as an If-Then statement:
IF
  Employee X can Create a Vendor &
  Employee X can Authorize Pay Vendor
THEN
  Employee X has been granted High Risk Conflicting Roles
This is an example of an SoD risk.
(Diagram: Risks -> Compliance Calibrator -> Rules.)
Rules Architect - The Rules Library
SAP Compliance Calibrator
The core engine of SAP CC contains a rules library that maintains the risks for SoD conflicts. This library contains conflicting transactions, grouped into functions, including the object and activity settings, and runs to 1000s of records.
For each identified risk the rules need to be configured so that the risk is properly recorded; in essence this means the removal of false positives. False positives are identified when, at the object level, the potential risk is not realized, e.g. the action is read only.
Building rule sets
1. Set up functions (groups of activities that users perform to carry out their job responsibilities).
2. Map two or more functions together to define a risk.
3. SAP CC creates rules based on the risks, which are used for risk analysis reporting and alert monitoring.
4. Business processes can also be defined and mapped to risks for ease of reporting, e.g. Finance Accounting.
5. Multiple rule sets can also be set up to act as reporting filters, version control and other uses.
Rules Architect - Key Drivers
SAP Compliance Calibrator
Building rule sets can be complex and time consuming. Typically three distinct roles and skills are involved.
Internal Controls Expert - Provides information on SoD risks and criticality and represents business (process) owners in decisions to mitigate or remove risks.
SAP Functional Expert - Provides expertise on the business, on objects and activity values. Helps to set the configuration data for the rule set library. Helps identify false positives.
SAP CC Expert - Provides knowledge on rule setting in SAP CC, performing mass upload changes and risk analysis.
(Diagram: the Internal Controls Expert, SAP Functional Expert and SAP CC Expert all feed Rules Generation.)
Risk Analysis
SAP Compliance Calibrator
Once the rule set has been defined and implemented, risk analysis can be performed to identify the SoD conflict and critical transaction risks in the staging and production systems.
Risk analysis can be performed at the user or role level. Risk analysis and remediation is most efficient when a structured authorizations concept is implemented that maps roles to jobs and people. In these circumstances remedial efforts correct risks for large groups of users.
Risk analysis is performed:
1. During the project lifecycle, before users are allowed into the production system.
2. Before each change request for role maintenance is deployed to production.
3. Before provisioning exceptional roles to individual users.
4. To execute periodic security controls.
Risk Analysis - Types of risks
Segregation of Duties (SoD) risk
A combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability. That is to say, in the case of two conflicting actions an employee may have permission to perform one of these actions, but not both.
Critical Action risk
Certain actions are, by their nature, inherently risky. Any employee who has permission to perform one of these actions automatically poses a risk. Defining a critical action risk ensures that an employee assigned this permission is identified by the risk analysis process.
Critical Permission risk
Just as some individual actions can be critical, the same is true for some permissions. Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned an action that includes a potentially risky permission.
The severity of a risk can be categorized as either:
- Low
- Medium
- High
- Critical
You use the Risk Level to categorize risks, and the rules they generate, by severity. What determines, for example, a critical risk is according to your company policies.
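The If-Then rule, the rules-library mechanics (functions grouped from actions, rules generated from risks, false positives removed at the object/activity level) and the risk types and severity levels above, worked through as a small risk-analysis engine. This is an added illustration, not Compliance Calibrator's own code; the transaction codes, authorization objects, users and rule set are constructed sample data and their mapping is illustrative.

```python
from dataclasses import dataclass
from itertools import product

LEVELS = ["Low", "Medium", "High", "Critical"]  # severity order used for reporting


@dataclass(frozen=True)
class Permission:
    obj: str        # authorization object
    activity: str   # activity value: 01 create, 02 change, 03 display


@dataclass(frozen=True)
class Function:
    name: str
    actions: tuple  # ((tcode, Permission that makes the action harmful), ...)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str
    functions: tuple   # two or more functions: SoD risk; one function: critical action risk
    description: str


@dataclass(frozen=True)
class UserAccess:
    user: str
    tcodes: frozenset       # transactions granted through roles
    permissions: frozenset  # Permission values granted through authorizations


def generate_rules(risk):
    """Expand a risk into the action-level rules the library would hold:
    one rule per combination of one action from each conflicting function."""
    return [tuple(action[0] for action in combo)
            for combo in product(*(f.actions for f in risk.functions))]


def realized_actions(func, access, permission_level):
    """Actions of `func` the user can really perform. At permission level the
    user must also hold the authorization that realizes the risk; a tcode
    backed only by display access is a false positive and is dropped."""
    return {tc for tc, perm in func.actions
            if tc in access.tcodes
            and (not permission_level or perm in access.permissions)}


def analyze_user(access, risks, permission_level=True):
    """Return violations as (risk_id, level, actions), highest severity first."""
    found = []
    for risk in risks:
        per_function = [realized_actions(f, access, permission_level) for f in risk.functions]
        if all(per_function):  # IF every function of the risk is realized THEN the rule fires
            found.append((risk.risk_id, risk.level, tuple(sorted(set().union(*per_function)))))
    return sorted(found, key=lambda v: LEVELS.index(v[1]), reverse=True)


# Constructed sample rule set and user access (illustrative values only).
CREATE_VENDOR = Function("Create vendor", (("XK01", Permission("F_LFA1_GEN", "01")),
                                           ("FK01", Permission("F_LFA1_GEN", "01"))))
PAY_VENDOR = Function("Pay vendor", (("F110", Permission("F_REGU_BUK", "02")),))
ABAP_DEV = Function("ABAP development", (("SE38", Permission("S_DEVELOP", "02")),))
RISKS = (
    Risk("P001", "High", (CREATE_VENDOR, PAY_VENDOR),
         "User can create a vendor and authorize payment to it"),
    Risk("B001", "Critical", (ABAP_DEV,), "Developer access in production"),
)
ALICE = UserAccess("ALICE", frozenset({"XK01", "F110"}),
                   frozenset({Permission("F_LFA1_GEN", "01"), Permission("F_REGU_BUK", "02")}))
# BOB holds both transactions but only display access on vendor master: a false positive.
BOB = UserAccess("BOB", frozenset({"XK01", "F110"}),
                 frozenset({Permission("F_LFA1_GEN", "03"), Permission("F_REGU_BUK", "02")}))
CAROL = UserAccess("CAROL", frozenset({"SE38"}), frozenset({Permission("S_DEVELOP", "02")}))

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.user, "action level:", analyze_user(user, RISKS, permission_level=False))
        print(user.user, "permission level:", analyze_user(user, RISKS))
```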
Informer
Informer allows an appropriate user to access specific reports. In addition to the default report formats, there are specific user-selected focus areas available on many of the reports.
Informer tab report types include:
- Management View - Can view reports of the following types: Risk Violations, Users Analysis, Role Analysis, Comparisons, Alerts, Rules Library, Controls Library.
- Risk Analysis - Performed to see if any User, Role, HR Object or Organization has access to two or more conflicting actions.
- Audit Reports - Provides report headings covering different aspects of the enterprise. Each Audit report menu item contains links to reports that may be modified by the user to fit the needs requested.
- Security Reports - Provides an access point for reports on every aspect of product and enterprise security compliance issues.
- Background Job - Allows SoD conflicts to be analyzed for a large number of Users, Roles, HR Objects or Organizations.
Informer
Compliance Calibrator provides interactive visual analysis in the form of bar charts, pie charts and line charts. By clicking on a certain chart area, detailed statistics are accessed.
Informer
SAP Compliance Calibrator
You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels.
Mitigation Control
Mitigation Controls - Rather than remove the cause of the risk, you may want to control certain risk violations that you want available to specific users, roles, or profiles.
Monitor ID - The ID of the user who is assigned as a Monitor, and who is assigned the specific Controls.
Where risks are accepted in the system, a mitigating control should be implemented and executed. An example is a supervisory review and sign off.
SAP CC gives you the functionality to document the mitigating controls for each risk. Once documented and assigned to a Monitor, the tool can be used to track execution of the control or non compliance.
Many clients will have separate cross-enterprise process controls software, and we suggest three options for implementation:
1) Simplest option: identify the risk as controlled. The risk is removed from risk reporting.
2) Associate the risk with a mitigating control in an alternate repository, e.g. process control software.
3) Fully document the mitigating control within the Compliance Calibrator.
A choice also exists on who to give responsibility for maintaining data in the SAP CC tool. This can be centralized in IT or Controls, or fully distributed to the business.
The Controls Library option lists all the existing Mitigation Controls (active/inactive). The Controls Library displays the Controls by Risk Level and they are sorted by:
- Risk
- Risk Level (Low, Medium, High)
- Business Unit
- Monitor
- User, Role, Profile, or HR Object
Alerts Monitor
Compliance Calibrator includes functionality which can alert business and controls leads by email when a critical or conflicting action is executed.
Alerts are available within the following risk areas:
- Conflicting and Critical Actions - When a user performs both transactions in an SoD rule or uses a critical transaction.
- Mitigation monitoring - If a Monitor does not execute a control at the specified frequency, then an alert will be generated which is sent to the Monitor and is visible to the control leads.
- Cleared alerts - When an alert message has been delivered and cleared. Alerts remain as an archived record and can still be tracked and monitored.
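An alert run over a constructed execution log, as an added illustration of the three alert areas above (not Compliance Calibrator's code): a conflicting-action alert fires only when a user has executed both transactions of an SoD rule, a critical-action alert fires on any use of a critical transaction, and a mitigation-monitoring alert fires when a Monitor has not executed a control within its frequency; cleared alerts stay archived. The rule pairs, critical transactions, control records, users and log lines are sample data made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rule data: SoD rules as conflicting transaction pairs and
# critical transactions mapped to their risk IDs (not a real CC rule set).
SOD_RULES = {"P001": ("XK01", "F110")}
CRITICAL_TCODES = {"SE38": "B001"}

# Constructed sample of transaction-execution records (timestamp, user, tcode)
# in the shape an alert run would read from the monitored system.
EXECUTION_LOG = """\
2019-07-29T08:05:00 ALICE XK01
2019-07-29T09:40:00 ALICE F110
2019-07-29T10:00:00 BOB XK01
2019-07-29T11:15:00 CAROL SE38
"""

# Constructed mitigating-control assignments: (control_id, monitor, frequency_days, last_executed).
CONTROLS = [
    ("MC001", "DAVE", 7, datetime(2019, 7, 10)),
    ("MC002", "ERIN", 30, datetime(2019, 7, 20)),
]
AS_OF = datetime(2019, 7, 29, 12)  # time of the alert run in this sample


def parse_log(text):
    """Parse one record per line into (datetime, user, tcode) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tcode = line.split()
        rows.append((datetime.fromisoformat(ts), user, tcode))
    return rows


def conflicting_action_alerts(rows):
    """Fire when a user has actually executed both transactions of an SoD rule.
    Holding conflicting access is a risk-analysis finding; executing both
    sides of the rule is what the alert monitor reports."""
    executed = defaultdict(set)
    for _, user, tcode in rows:
        executed[user].add(tcode)
    alerts = []
    for user, tcodes in sorted(executed.items()):
        for risk_id, (left, right) in SOD_RULES.items():
            if left in tcodes and right in tcodes:
                alerts.append(("CONFLICT", user, risk_id))
    return alerts


def critical_action_alerts(rows):
    """Fire on every execution of a critical transaction."""
    return [("CRITICAL", user, CRITICAL_TCODES[tcode])
            for _, user, tcode in rows if tcode in CRITICAL_TCODES]


def mitigation_monitoring_alerts(controls, now):
    """Fire when a Monitor has not executed a control within its frequency;
    the alert is addressed to the Monitor."""
    return [("MITIGATION", monitor, control_id)
            for control_id, monitor, freq_days, last in controls
            if now - last > timedelta(days=freq_days)]


class AlertStore:
    """Delivered alerts can be cleared but are never deleted, so they remain
    an archived record that can still be tracked."""

    def __init__(self):
        self.records = []

    def deliver(self, alerts):
        for alert in alerts:
            self.records.append({"alert": alert, "status": "open"})

    def clear(self, alert):
        for rec in self.records:
            if rec["alert"] == alert:
                rec["status"] = "cleared"

    def open_alerts(self):
        return [r["alert"] for r in self.records if r["status"] == "open"]


def run_alert_cycle(log_text, controls, now):
    """One alert run: returns all alerts generated, in the order raised."""
    rows = parse_log(log_text)
    return (conflicting_action_alerts(rows)
            + critical_action_alerts(rows)
            + mitigation_monitoring_alerts(controls, now))


if __name__ == "__main__":
    store = AlertStore()
    store.deliver(run_alert_cycle(EXECUTION_LOG, CONTROLS, AS_OF))
    for alert in store.open_alerts():
        print(alert)
```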
SAP Compliance Configuration
The Configuration tab is the main starting point for post-installation setup.
NOTE: Only a user with administrative authority can access and use this aspect of Compliance Calibrator.
The Java Connector (JCO) acts as the integration point between the Java application and the SAP system to be monitored / analyzed.
The User Management Engine provides for out-of-the-box J2EE administrator profiles to be defined or activated.
The Rule set upload function is used to load the standard rules or a customized rule set, e.g. critical transaction codes, critical objects etcetera. These characteristics are the foundations of the SoD rules.
The Workflow component is used to trigger email alerts to named Process Owners within User Provisioning. It is an integrated part of the Access Enforcer solution.
Background Job Scheduling is used for activating monitoring, e.g. the frequency of SoD analysis and Risk Violations.
SAP Compliance Configuration (screenshots)
Standard GRC ruleset
Scheduling risk analysis
Major Activities Walkthrough
Activity - SAP Compliance Calibrator
- Install and set up SAP CC - Technical installation: core ECC, RFC connections to modules, assembly test.
- Agree security design principles and dependencies with SAP CC - Establish design concepts and principles for mapping roles to jobs and users, e.g. one composite role per user.
- Confirm project governance and high-level processes - Agree business owners, Business Approvers, Control Approvers, Role Maintenance and UP (user provisioning) processes. Define security controls.
- Master data and functional set up; test functionality - Agree master data definitions: Organization; Business Process; Risk Descriptions; Monitors and Control Approvers.
- Define risks and configure risk rule set - Agree SoD conflicts and critical transactions. Categorise risks (H/M/L). Update the risk rule set. Test risks.
- Run risk analysis - Run risk analysis in the staging environment. Run risk analysis in the production environment. Export reports and update risk logs.
- Remedial actions - Identify and remove false positives. Agree whether to accept or reject risks. Plan authorization changes, update security design templates and raise change requests to security maintenance. Re-run risk analysis.
- Mitigate accepted risks - Agree mitigating controls for each risk. Agree control owners and business approvers (execution). Update mitigating controls in the tool.
- Update procedures and security controls - Update procedures to introduce SAP CC as a preventative control and reflect governance for business ownership.
- Transition to live - Train and enable operations staff, business approvers and control owners. Deploy new procedures. Stabilization support.
Fire-fighter
The Firefighter application allows a user to take responsibility for tasks outside their normal job function in an emergency situation.
- Enables users to perform duties not included in the roles or profiles assigned to their user IDs.
- Provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage, providing the capability to review activities used during an emergency situation.
Before users can access Firefighter, they must be assigned a Firefighter ID. For each Firefighter ID you define the following roles:
- Owner - Owners can assign Firefighter IDs to Firefighters.
- Controller - Receives email notification and reviews the Firefighter Log report.
In addition, the Administrator performs the creation of Firefighter IDs and assigns authorization roles.
(Diagram: Role 1, Role 2 and Role 3 are assigned to Firefighter ID 1, which is assigned to User 1.)
SAP Firefighter - Process Overview
Request access to production -> Approve request -> Assign Firefighter account -> Update production -> Review control log.
Firefighter enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.
Through automated emergency access administration, Firefighter tracks, monitors, and logs all emergency access activities.
Example
If the employee who normally works with vendor accounting is on vacation or sick leave, another employee who usually verifies invoices may be assigned a Firefighter ID to perform this task temporarily.
Benefits of Firefighter are:
- Avoid business obstructions with faster emergency response
- Reduce audit time
- Reduce time to perform critical tasks
Fire-fighter (screenshots)
Firefighter dashboard
Firefighter Log Report
Access Enforcer
Access Enforcer is a web-based application within J2EE and NetWeaver environments. It is connected to multiple data sources such as an LDAP and SAP backend system.
Access Enforcer automates the end-to-end access provisioning approval process by combining roles and permissions with workflow.
When a user requests access to resources for which they do not have permission, Access Enforcer automatically forwards the access request to designated managers and approvers within a pre-defined workflow.
Roles and permissions are automatically applied to the enterprise directories when the access requests are approved.
Access Enforcer automates the role provisioning process within the identity management environment. It ensures corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.
Access Enforcer
Access Enforcer has four task modules for specific usage. They include:
- Requestors - The Requestors module is for end-users who are requesting access to SAP and non-SAP backend systems.
- Approvers - The Approvers module is for approvers who approve access requests. Approvers can also request access for other end-users. Approvers include line managers and IT security.
- Informer - The Informer module is a reporting tool that provides graphical and analytical reports for managers.
- Configuration - The Configuration module is for Access Enforcer Administrators who define defaults, workflow, and other attributes that are based on their corporate business processes and policies.
Access Enforcer Module Breakdown
Approver
Access Enforcer provides three standard Approver types. Depending on your organizational hierarchy and process, there may be other Approver types that can be added to Access Enforcer. The standard Approver types are:
- Manager Approver - is usually the requestor's manager. The Manager can review and approve their permission requests.
- Role Owner Approver - has the authority to approve or reject a request. The Approver can put a request on hold and add additional roles to the request, if necessary. An Approver can only approve or reject requests that they own and cannot approve requests for other approvers unless they are assigned as an alternate approver.
- Security Approver - is usually the last approver in a typical workflow. The Security Approver can provision access to the target system that has been requested.
Requestor
As a Requestor, you use the Requestor module to create various access requests for an SAP backend system, non-SAP system, or other application (server). There are three types of Requestors:
- Requests for access permissions or roles, for themselves or for their team members
- Managers - Create requests for roles for their subordinates
- Approvers - Other managers can also create requests
Informer
Access Enforcer provides the ability to generate various reports for the purpose of viewing and analyzing request approval activities. Reports are divided into two categories:
- Analytical - lets you drill down to.
- Chart - generates a graphical view of the request approval information, which can be used to analyze various activities.
Access Enforcer Screenshots
Request for Approval List - displays pending requests assigned to you.
Request Approver Page for a submitted request.
Access Enforcer Walkthrough
Requestor:
1. Makes an access request for a specific application for which they do not have the necessary roles.
SAP Access Enforcer:
2. Provides the Access Request page, which can be set to specific or multiple data sources (e.g. SAP HR system or non-SAP systems) to complete the request process.
Requestor:
3. Submits the completed Access Request page. This triggers a workflow process, which is made up of several pre-defined approval stages and is customized to reflect the business and security policies and procedures.
Approver:
4. Receives email notification of the access request at each approval stage. Performs risk analysis and SoD assessments. When a conflict arises, the approver can mitigate the problem or reject the request.
5. Upon approval, the access request is routed to the next stage, which could involve the IT security team for entry to the SAP backend system or application server. Automatic provisioning to the target system could take place.
Access Enforcer - Benefits
Role Expert
Role Expert is a solution for compliant enterprise role management, allowing role owners to define, document, and manage roles across multiple enterprise applications, and enforces best practices, resulting in lower ongoing maintenance and effortless knowledge transfer.
It automatically analyzes roles for potential security risks (audit and SoD issues), tracks changes, and facilitates approval workflow, eliminating the inefficient back-and-forth exchanges between business managers and IT.
Role Expert provides a complete audit trail, covering role definition, detailed change history, and control test results, and allows SAP security administrators and Role Owners to document important role information that can be of great value for better role management, such as:
- Tracking progress during role implementation
- Monitoring the overall quality of the implementation
- Performing risk analysis at role design time
- Setting up a workflow for role approval
- Providing an audit trail for all role modifications
- Maintaining roles after they are generated to keep role information current
Role Expert
Role Library - Dashboard of all the roles in Role Expert. Displays an interactive graphical interface of the roles broken down by system landscape, role owner, or business process. It also shows the number of roles with violations and roles belonging to different role types.
Role Designer - Provides you with a step-by-step guide for designing roles across your enterprise. Role Designer allows you to define:
- Role Building Methodology
- Naming Conventions
- Role Attributes
- Org. Value Mapping
- Approval Criteria
Org Level - Maps the hierarchical structuring of the organization, enabling you to manage roles effectively.
Change History - Provides you with an audit trail for all the changes made to roles within Role Expert or your SAP system.
Mass Maintenance - Allows you to synchronize the SAP back-end systems with Role Expert by importing roles that already exist in the SAP system.
Please let me know if any concerns.
Thanks
Biju