GR2 - Access Risk Management Process Diagram

Process Diagram Template - SAP Service Marketplacesapidp/012002523100011033272015E/... · SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> Risk Violations Log on as



GR2 - Access Risk Management

Process Diagram


© 2015 SAP SE or an SAP affiliate company. All rights reserved. 2

Purpose, Benefits, and Key Process Steps

Purpose: This scenario describes effective collaboration between business users in the Access Risk Management process.

Benefits:
• Real-time access risk analysis to monitor the latest user access risks
• Batch jobs scheduled for dashboard updates per business needs
• Detecting violations/risks triggers remediation actions (mitigation control, role removal) quickly and in a very straightforward way
• Deep integration of Segregation of Duty (SoD) and User Access Review (UAR)

Key Process Steps:
• Regular access risk analysis and remediation
• Periodic access analysis and remediation: SoD review
• Periodic access analysis and remediation: UAR review


Required SAP Applications and Company Roles

Required SAP Applications: SAP Access Control 10.1

Company Roles:
• Compliance Officer
• Manager
• Risk Owner
• Role Owner
• Mitigating Control Owner
• Mitigation Control Monitor


Detailed Process Description (1/2)

GR2 - Access Risk Management

Regular access risk analysis and remediation:

• Compliance Officer: Review High-level Access Violation Report
• Risk Owner: Perform Real-time Risk Analysis
• Perform Remediation Activities:
  • Risk Owner: Assign Existing Mitigation Control
  • Risk Owner: Assign Newly Created Mitigation Control:
    - Risk Owner: Create New Mitigation Control
    - Mitigation Control Owner: Approve New Mitigation Control
    - Risk Owner: Assign New Mitigation Control
  • Mitigation Control Owner: Review Mitigated User List
  • Remove Role via User Level Risk Violation Report:
    - Risk Owner: Create De-provision Request
    - Manager: Approve De-provision Request


Detailed Process Description (2/2)

• Perform Remediation Activities (continued):
  • Remove Role via User Level Risk Violation Report (continued):
    - Role Owner: Approve De-provision Request
• Compliance Officer: Review High-level Violation Report

Periodic access analysis and remediation:

• Segregation of Duty Review
  • Schedule Segregation of Duty (SoD) Review
  • Preview and Check SoD Review Request
  • Update Workflow Job
  • Review and Remediate SoD Issues
• User Access Review
  • Schedule User Access Review (UAR)
  • Preview and Check UAR Review Request
  • Update Workflow Job
  • Review and Remediate UAR Issues
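To make the regular access risk analysis and remediation flow above concrete, the following Python model is added here as an illustration; it is not SAP code and not part of this process diagram. It models what the steps amount to: a risk fires when one user holds every business function in a conflicting pair (step B), a mitigation control only counts once its owner has approved it and while it is still valid (steps C to G), and a role is only removed once both the manager and the role owner have approved the de-provision request (steps H to J). The role names, function names, risk IDs and user IDs are constructed sample data, and the approval states are simplified assumptions rather than the Access Control workflow engine.

```python
"""Toy model of SoD risk analysis, mitigation assignment and role
de-provisioning. Added example; not SAP code. All master data below is
constructed sample data, not taken from any delivered SAP rule set."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Roles map to business functions; a risk names the functions that one
# user must not hold together (a segregation-of-duties conflict).
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE": {"AP_INVOICE_POST"},
    "Z_AP_PAYMENT": {"AP_PAYMENT_RUN"},
    "Z_VENDOR_MAINT": {"VENDOR_MASTER_MAINTAIN"},
    "Z_DISPLAY_ONLY": {"FI_DISPLAY"},
}
RISKS = {  # hypothetical risk IDs: (risk level, conflicting functions)
    "P001": ("High", {"AP_INVOICE_POST", "AP_PAYMENT_RUN"}),
    "P002": ("Medium", {"VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RUN"}),
}
USER_ROLES = {  # constructed users and their role assignments
    "ALICE": {"Z_AP_INVOICE", "Z_AP_PAYMENT"},
    "BOB": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT", "Z_DISPLAY_ONLY"},
    "CAROL": {"Z_DISPLAY_ONLY"},
}

@dataclass
class Violation:
    user: str
    risk_id: str
    level: str
    conflicting_roles: frozenset          # roles that together cause the risk
    mitigated_by: Optional[str] = None    # control ID once mitigated

@dataclass
class MitigationControl:
    control_id: str
    owner: str
    approved: bool = False                # set by the MC owner (step E)
    valid_to: date = date.max

@dataclass
class DeprovisionRequest:
    user: str
    role: str
    approvals: set = field(default_factory=set)   # approver roles so far
    REQUIRED = frozenset({"Manager", "Role Owner"})  # steps I and J

    def approved(self) -> bool:
        return self.REQUIRED <= self.approvals

def analyze_user(user, roles):
    """Step B: user-level risk analysis. A risk fires when the functions
    granted by the user's roles cover every function named by the risk."""
    functions = {f for r in roles for f in ROLE_FUNCTIONS[r]}
    violations = []
    for risk_id, (level, needed) in RISKS.items():
        if needed <= functions:
            culprits = frozenset(r for r in roles if ROLE_FUNCTIONS[r] & needed)
            violations.append(Violation(user, risk_id, level, culprits))
    return violations

def analyze_all(user_roles):
    return [v for u, rs in user_roles.items() for v in analyze_user(u, rs)]

def assign_mitigation(violation, control, today):
    """Steps C to F: a control mitigates only if approved and still valid."""
    if not control.approved or control.valid_to < today:
        return False
    violation.mitigated_by = control.control_id
    return True

def apply_deprovision(request, user_roles):
    """Steps H to J: the role is removed only after all approvals."""
    if not request.approved():
        return False
    user_roles[request.user].discard(request.role)
    return True

def dashboard(violations):
    """Steps A and K: violation counts per risk level, open vs mitigated."""
    summary = {}
    for v in violations:
        key = (v.level, "mitigated" if v.mitigated_by else "open")
        summary[key] = summary.get(key, 0) + 1
    return summary

def run_scenario(today=date(2015, 6, 1)):
    """Walks the flow once and returns the intermediate results."""
    user_roles = {u: set(r) for u, r in USER_ROLES.items()}
    violations = analyze_all(user_roles)
    control = MitigationControl("MC_AP_REVIEW", owner="MC_OWNER")   # step D
    before_approval = assign_mitigation(violations[1], control, today)
    control.approved = True                                         # step E
    after_approval = assign_mitigation(violations[1], control, today)
    expired = MitigationControl("MC_OLD", "MC_OWNER", True, date(2014, 12, 31))
    req = DeprovisionRequest("ALICE", "Z_AP_PAYMENT")               # step H
    req.approvals.add("Manager")                                    # step I
    partial = apply_deprovision(req, user_roles)
    req.approvals.add("Role Owner")                                 # step J
    done = apply_deprovision(req, user_roles)
    return {
        "initial": [(v.user, v.risk_id) for v in violations],
        "before_approval": before_approval,
        "after_approval": after_approval,
        "expired_rejected": not assign_mitigation(violations[0], expired, today),
        "partial_deprovision": partial,
        "deprovisioned": done,
        "dashboard": dashboard(violations),
        "after_reanalysis": [(v.user, v.risk_id) for v in analyze_all(user_roles)],
    }

if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point the model makes visible is that a control is not a mitigation until its owner has approved it and it is within its validity period, and that a de-provision request does nothing until every required approver has acted; re-running the analysis after the role removal is what confirms the remediation actually closed the risk.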


GR2 Access Risk Management (Regular Access Risk Analysis and Remediation 1/1)

[Process diagram: swimlanes for Compliance Officer, Mitigating Control Owner, Risk Owner, Manager and Role Owner within SAP Access Control, plus an SAP ERP lane. Step labels recovered from the diagram:]

A  Reviewing High-Level Access Violation Reports
B  Reviewing High-Level Access Violation Reports (Technical/Business/Remediation View)
C  Remediation: Assign Existing Mitigation Control
D  Remediation: Assign Newly Created Mitigation Control (Create New Mitigation Control)
E  Approve New Mitigation Control
F  Assign Existing or Newly Created Mitigation Control
G  Review Mitigated Users List
H  Remediation: Remove Role via User Risk Violation Report (Create De-provision Request via Remediation View)
I  Approve De-provision Request (Manager)
J  Approve De-provision Request (Role Owner)
   Relevant Role Removed for User
K  Reviewing High-Level Violation Reports

1  Regular Access Risk Analysis and Remediation


GR2 Access Risk Management (Periodic Access Analysis and Remediation) 1/1

[Process diagram: swimlanes for Compliance Officer, Reviewer (Risk Owner) and Reviewer (Manager) within SAP Access Control, plus an SAP ERP lane ending in "Relevant Role Removed for User". Step labels recovered from the diagram:]

L  Scheduling SoD Review
M  Previewing and Checking Requests
N  Updating Workflow Job for SoD Review
O  Reviewing and Remediating SoD Issues
P  Scheduling UAR Review
Q  Previewing and Checking Requests
R  Updating Workflow Job for UAR Review
S  Reviewing and Remediating UAR Issues

2  Periodic Access Risk Analysis and Remediation: SoD Review
2  Periodic Access Risk Analysis and Remediation: UAR Review


GR2 – Access Risk Management

Regular Access Risk Analysis and Remediation

Icon Legend (Regular Access Analysis and Remediation)

A: Reviewing High-Level Access Violation Reports
   Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> Risk Violations

B: Reviewing High-Level Access Violation Reports (Technical/Business/Remediation View)
   Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level

C: Remediation: Assign Existing Mitigation Control
   Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level

D: Create New Mitigation Control
   Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level

E: Approve New Mitigation Control
   Log on as MC Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox

F: Assign Existing or Newly Created Mitigation Control
   Log on as Risk Owner. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level

G: Review Mitigated Users List
   Log on as MC Owner. SAP GRC AC NWBC: Access Management -> Mitigated Access -> Mitigated Users

H: Create De-provision Request (via Remediation View)
   Log on as Risk Owner. Must choose Remediation View. SAP GRC AC NWBC: Access Management -> Access Risk Analysis -> User Level

I: Approve De-provision Request
   Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox

J: Approve De-provision Request
   Log on as Role Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox

K: Reviewing High-Level Violation Reports
   Log on as Compliance Officer. SAP GRC AC NWBC: Reports and Analytics -> Access Dashboards -> User Analysis

1: Regular Access Risk Analysis and Remediation


GR2 – Access Risk Management

Periodic Access Risk Analysis and Remediation

Icon Legend (Periodic Access Analysis and Remediation)

L: Scheduling SoD Review
   Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler

M: Previewing and Checking Requests
   Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review

N: Updating Workflow Job for SoD Review
   Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler

O: Reviewing and Remediating SoD Issues
   Log on as Risk Owner. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox

P: Scheduling UAR Review
   Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler

Q: Previewing and Checking Requests
   Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Compliance Certification Reviews -> Request Review

R: Updating Workflow Job for UAR Review
   Log on as Compliance Officer. SAP GRC AC NWBC: Access Management -> Scheduling -> Background Scheduler

S: Reviewing and Remediating UAR Issues
   Log on as Manager. SAP GRC AC NWBC: My Home -> Work Inbox -> Work Inbox

2: Periodic Access Analysis and Remediation


GR2 - Access Risk Management

Icon Legend (Email notifications)

Email 1: Mitigation Control Owner receives an email that a new mitigation control request needs to be approved.
Email 2: Manager receives an email that a de-provision request needs to be approved or rejected after review.
Email 3: Role Owner receives an email that a de-provision request needs to be approved or rejected after review.
Email 4: Risk Owner receives an email notifying of a risk review request.
Email 5: Manager receives an email notifying of a user access review request.


Appendix


Process Diagram Legend

Lanes: User Role; <name>* (* <name>: SAP System (PPMS name), or non-SAP System, or lane for steps outside software)

Process steps: Process Step Outside Software; Optional Process Step Outside Software; Automatic Process Step (1); Optional Automatic Process Step (1); Process Step, manual or automatic (1A); Optional Process Step, manual or automatic (1A); Manual Process Step (A); Optional Manual Process Step (A); Process Step Outside Scope Item Scope (A)

Interfaces: User Interface (UI); Batch Script; Interface (like A2A/B2B Message)

Connections: Sequence flow; Data flow

Documents: Inline / Standalone Output Document (for example, Accounting Document)

Links: Link to SAP Best Practice Processes or scope items; Page Link; (<BBID>) Link to SAP Best Practice Process; Incoming Link; Outgoing Link

Events: Timer Event; Message

Gateways: XOR; OR; AND; Complex


Thank you


© 2015 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.