Strategic Tips to Align SAP Solutions for GRC with Your Enterprise Identity and Access Management Solution and Bridge the Gap Between Compliance and Security

Sandeep Poonen, PwC

www.pwc.com



In this session …

• This session will provide information about integrating and extending the automated provisioning of SAP GRC with other applications in the enterprise landscape

• We will examine:

- Putting SAP GRC in the context of the enterprise IT landscape

- Key functions and capabilities that are available in SAP GRC that assist in integration with IAM solutions

- Ways in which to make your SAP Access Control with IdM integration successful

- Increase visibility of your GRC program to the enterprise level


What we’ll cover …

Introduction

The business need for integrating SAP Access Control with an enterprise IdM solution

Architectural aspects of integration between SAP GRC and enterprise IdM products

Making an SAP Access Control with IdM integration successful

Wrap-up


Introduction


Introduction

• Enterprise technology – GRC maturity

• Key terms


Enterprise technology — GRC maturity

[Chart: percentage of companies (0–100%) using Access Control technology for each function: SoD & SA mgmt., Emergency access, User provisioning, SAP roles mgmt.]

75% of companies use Access Control technology to manage segregation of duties, critical and emergency access only

45% have implemented Access Control technology to manage user provisioning


Key terms

• SAP GRC = SAP Governance, Risk, and Compliance

• IdM = Identity Management

- LDAP = Lightweight Directory Access Protocol

• IAM = Identity and Access Management

• Roles

- Single roles

- Composite roles

- Business roles

- Enterprise roles


The business need for integrating SAP Access Control with an enterprise IdM solution


The business need for integrating SAP Access Control with an enterprise IdM Solution

• SAP Access Control 10.0 overview

• Questions for your SAP Access Control implementation

• Benefits of an Integrated Access Management (IAM) program

• How SAP GRC and IdM complement each other


SAP Access Control 10.0 overview

[Diagram: the SAP GRC Access Control platform and its four components]

• Access Risk Analysis (SoD): centralized analysis and mitigation of access risks.

• Super User Privilege Management: centralized platform for managing and reviewing emergency access activities.

• Business Role Management: centralized management of business roles.

• Access Risk Management (Compliant User Provisioning): centralized request and approval process from hire to retire access; automated certification of existing access.


Questions for your SAP Access Control implementation

• Do you have non-SAP applications and IT systems?

• How do you provision non-SAP systems?

• How do you provision both SAP and non-SAP systems?

• How do you gain an enterprise view of a user’s access?

• How do you enforce control over a user’s enterprise access?


Benefits of an integrated Access management program

• Reduction in audit (internal and external) and compliance costs

• Reduction in ad-hoc requests to IT for information extracts to support compliance requests

• Greater comfort over fraud prevention

• More automation of compliance and control activities

• Improved service levels for access provisioning

• More holistic analysis information for risk violations in requested access

• Proactively prevent the introduction of new risks when provisioning user access

• Allow for more options in building workflows with dynamic and conditional routing and detours

• Continuous audit trail maintained for the entire life cycle of user access


How SAP GRC and IdM complement each other

[Diagram: the SAP GRC strategy and the IdM strategy converge into an integrated IdM/SAP GRC solution, the optimal solution to meet the critical business requirements]

Benefits of the integrated solution:

• Improved end-user experience

• Support for dynamic secondary approvals

• Better SoD information

• Increased metrics and visibility

• Alignment with both the business and IT strategic directions

• A consistent look and feel: the IdM end-user interface is integrated with the SAP GRC SoD and workflow routing capabilities


Architectural aspects of integration between SAP GRC and enterprise IdM products


Architectural aspects of integration

• Typical provisioning process

• Potential integration scenario

• Key questions to address


Typical provisioning process

[Process diagram: Access request > Manager approval > Role owner analysis > Risk analysis (SoD review) > Remediation > Provisioning]

• Access request: birthright roles and other org-based roles (based on HR triggers)

• Manager approval: affirms that the request is legitimate

• Role owner analysis: affirms that data access is acceptable

• Risk analysis (SoD review): analysis and review done to authorization level

• Remediation: conflicting access either removed or mitigated

• Provisioning: automatically performed


Key questions to address

Question: Initiation Point

Question to ask: What will be the starting point of the user access management request?

Notes:

Companies have chosen to use either IdM or SAP Access Control for supervisors to approve user access management requests.

Factors determining which product is used:

• Breadth of applications being provisioned

• Maturity of the IdM product within the enterprise

• Overall IT landscape

For companies that have a multi-application environment, access management requests should ideally be initiated in IdM. But for smaller companies with a heavily-weighted SAP footprint, SAP Access Control can also be used.


Key questions to address (continued)

Question: Supervisor Approval

Question to ask: Where will a user’s manager approve the request?

Notes:

Companies have chosen to use either IdM or SAP Access Control for supervisors to approve user access management requests.

Factors determining which product is used:

• Application that stores HR organizational reporting relationships

• Level of integration of HR with provisioning products

• Does the company have an enterprise-wide directory (e.g., Active Directory) that also houses the managerial approval relationships synched with HR?

Major IdM solutions and SAP Access Control integrate with Enterprise Directory systems.


Key questions to address (continued)

Question: Role Approval

Question to ask: Where will a role approver approve the request?

Notes:

Companies have chosen to use either IdM or SAP Access Control for supervisors to approve user access management requests, although the majority seem to rely on SAP Access Control.

Factors determining which product is used:

• SAP Access Control 10 or 5.3

- “Harmonization” of the four sub-products of SAP Access Control 10 facilitates integration.

- To implement Access Request Management (ARM) in SAP Access Control 10, basic role information needs to be set up through Business Role Management (BRM).

• Distribution of role approvers throughout the organization

- Using IdM for both supervisor and SAP role approvals provides a consistent user experience.


Key questions to address (continued)

Question: Risk Analysis

Question to ask: Where will the risk analysis review and mitigation process occur?

Notes:

SAP Access Control is equipped to seamlessly perform a detailed real-time SoD analysis that goes all the way down to the authorization objects. Implementation questions to be asked:

• Is risk analysis required before request submission?

• Who will be the SoD approvers?

• Can a request be approved and closed with unresolved SoDs still present?

• Who provides the mitigating controls?

Deployment options:

• SAP GRC ARM is set up with a risk remediation and mitigation workflow

- SAP GRC provides a final “result” back to IdM

• IdM can retrieve SoD results by polling the risk analysis Web service, and any mitigation process is managed manually

Most companies seem to implement this automation workflow with SAP GRC ARM.


Key questions to address (continued)

Question: Provisioning Roles

Question to ask: Who performs the actions in the back-end SAP systems?

Notes:

Companies have chosen to use either IdM or SAP Access Control for supervisors to perform the “commit” action for user access management requests.

Factors determining which product is used:

• What does it take for the IdM product to have “connectors” to each of the back-end SAP systems where users need access?

• Does the enterprise architecture philosophy prefer a centralized provisioning concept or a more distributed provisioning concept?


Key questions to address (continued)

Question: Role Source

Question to ask: Which system is considered the official source for SAP roles?

Notes:

Both SAP GRC 10 and IdM offer functionality to address this.

Options:

• SAP GRC 10

- SAP GRC 10 offers Business Roles functionality, allowing various roles across the different systems connected to SAP GRC to be combined

• IdM

- SAP roles can be associated with “groups” in LDAP

- IAM solutions include Enterprise Role Management capabilities


Key questions to address (continued)

Question: Request Status

Question to ask: Which system contains the latest status of a change request?

Notes:

Implementation questions to be asked:

• Which fields are required to be viewed natively in SAP GRC versus IdM?

• Where will the audit trail for user requests reside (IdM, SAP GRC, or both)?


Potential integration scenarios − Model 1

[Matrix slide: for each key use case, which system (GRC or IDM) handles each workflow step; the individual GRC/IDM cell values are not legible in this extraction]

Key use cases:

• Request New SAP Access

• Modify Existing SAP Access

• De-provision/Revoke Access

• Request Fire Fighter ID Access

Workflow key steps/functionalities:

• Access request

• Manager/Owner Approval

• Role Owner Approval

• Risk Analysis SOD review and Risk Mitigation

• Automated Provisioning

• Auditing


Potential integration scenarios − Model 2

[Matrix slide: the same key use cases (Request New SAP Access, Modify Existing SAP Access, De-provision/Revoke Access, Request Fire Fighter ID Access) and workflow steps (Access request, Manager/Owner Approval, Role Owner Approval, Risk Analysis SOD review and Risk Mitigation, Automated Provisioning, Auditing) as Model 1, with a different GRC/IDM split; the individual cell values are not legible in this extraction]

Key changes from Model 1 are highlighted on the original slide.


Making an SAP Access Control with IdM integration successful


Making an SAP Access Control with IdM integration successful

• Clearly identify the people, processes, and technology prerequisites for the implementation

• Have a clear grasp of the GRC Access Control web services

• Managing typical implementation challenges

• Understanding that integrating SAP Access control with IdM is just the beginning


Typical prerequisites for implementation

• A data source is available for user authentication

• A naming convention has been established and deployed to uniquely define SAP user IDs

• Synchronization between the Enterprise Directory user name and the SAP user name

• SAP Access Control (preferably 10.0) is installed and connectors are configured to integrate with the SAP back-end systems

• GRC plug-ins are installed within the in-scope SAP systems for automated provisioning


Typical prerequisites for implementation (continued)

• The following areas have owners who have been clearly identified:

- Technological ownership of the SAP GRC tool

- Ownership of the SAP business risks

- Ownership of the SAP target system roles

- Ownership of the mitigating controls

• Access Risk Analysis (ARA) is configured to have a functional SAP GRC rule set

• Mitigating controls have been identified for risks and the master data configured in ARA


Typical prerequisites for implementation (continued)

• There should not be any unmitigated SoD in the SAP roles

- All SoD violations at the individual role level have been completely addressed

- Best practice would be to remediate (separate) SoD actions that exist within a single SAP role

• All existing users should be either remediated or mitigated manually in ARA for any known SoD before deployment of the integration
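To make the SoD checks behind the risk-analysis slide and these prerequisite slides concrete, here is an added Python example (it is not code from the deck, PwC or SAP): a toy rule set of conflicting functions, a role-level check for conflicts inside a single role (which the slides say must be remediated by splitting the role), a user-level check across a user's roles that separates open from mitigated risks, and a provisioning gate that simulates a request before it is committed. All function names, transaction codes, roles, users and control IDs are constructed for illustration.

```python
"""Constructed SoD analysis example, added alongside the deck's risk-analysis and
prerequisite slides; not SAP GRC code. All data below is made up."""

# Rule set: a risk is a pair of conflicting business functions; a function is
# the set of actions (constructed transaction codes) that exercise it.
FUNCTIONS = {
    "vendor_maintain": {"XK01", "XK02"},
    "payment_run": {"F110"},
    "po_create": {"ME21N"},
    "goods_receipt": {"MIGO"},
}
RISKS = {
    "P001": ("vendor_maintain", "payment_run"),
    "P002": ("po_create", "goods_receipt"),
}

# Constructed master data: single roles, user-to-role assignments and
# mitigating controls recorded per (user, risk), as ARA would hold them.
ROLES = {
    "AP_CLERK": {"XK01", "F110"},   # conflicting actions inside one role
    "BUYER": {"ME21N"},
    "WAREHOUSE": {"MIGO"},
}
USERS = {"u1": {"BUYER", "WAREHOUSE"}, "u2": {"BUYER"}}
MITIGATIONS = {("u1", "P002"): "MC-17"}


def risks_in(actions):
    """Risk IDs whose two conflicting functions are both reachable from actions."""
    funcs = {f for f, acts in FUNCTIONS.items() if acts & set(actions)}
    return sorted(r for r, (a, b) in RISKS.items() if a in funcs and b in funcs)


def role_level_analysis(roles):
    """Intra-role conflicts: remediate by splitting the role, do not mitigate."""
    return {role: risks_in(a) for role, a in roles.items() if risks_in(a)}


def user_level_analysis(users, roles, mitigations):
    """Cross-role conflicts per user, split into open and mitigated risks."""
    report = {}
    for user, assigned in users.items():
        risks = risks_in(set().union(*(roles[r] for r in assigned)))
        mitigated = [r for r in risks if (user, r) in mitigations]
        report[user] = {"open": [r for r in risks if r not in mitigated],
                        "mitigated": mitigated}
    return report


def can_provision(user, new_roles, users, roles, mitigations):
    """Risk-analysis gate: simulate the request; allow only with no open risk."""
    simulated = dict(users)  # shallow copy; the caller's data is left untouched
    simulated[user] = users.get(user, set()) | set(new_roles)
    return not user_level_analysis(simulated, roles, mitigations)[user]["open"]


if __name__ == "__main__":
    print("role-level:", role_level_analysis(ROLES))
    print("user-level:", user_level_analysis(USERS, ROLES, MITIGATIONS))
```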


SAP GRC 10 Web services − General

Web service (technical name): description

• Lookup (GRAC_LOOKUP_WS): returns possible values for a particular object (e.g., Request Status); lookup feature

• Select Applications (GRAC_SELECT_APPL_WS): returns a list of application systems configured within SAP GRC

• Search Roles (GRAC_SEARCH_ROLES_WS): returns SAP roles before submitting a request to SAP GRC. Additional filtration capabilities are also provided to narrow down the search as a part of this Web service

• Search Role Details (GRAC_ROLE_DETAILS_WS): returns the detailed role description and other attributes for a particular role

• User Existing Assignments (GRAC_USER_EXISTING_ASSGN_WS): returns detailed information about the existing user's roles in SAP back-end systems


SAP GRC 10 Web services − Overall request

Web service (technical name): description

• User Access Request (GRAC_USER_ACCES_WS): submits an access request in SAP GRC

• User Access Request Status (GRAC_REQUEST_STATUS_WS): returns the request information (creation date, priority, current status, list of approvers, etc.) for the selected request

• User Access Request Details (GRAC_REQUEST_DETAILS_WS): returns the request information (creation date, priority, current status, list of approvers, etc.) for the selected request, along with the risk analysis

• Exit from IdM (GRAC_EXIT_FROM_IDM_WS): service called by SAP GRC to inform IdM about provisioning results


SAP GRC 10 Web services − Risk analysis and audit

Web service (technical name): description

• Risk Analysis with Request Number (GRAC_RISK_ANALYSIS_WITH_NO_WS): performs Segregation of Duties (SoD) analysis at the user or role level, along with request information

• Risk Analysis without Request Number (GRAC_RISK_ANALYSIS_WOUT_NO_WS): performs Segregation of Duties (SoD) analysis at the user or role level

• Provision Logs (GRAC_PROV_LOGS_WS): returns all the provisioning information for a user (user ID changes, role assignment changes, etc.)

• Audit Trails (GRAC_AUDIT_LOGS_WS): returns workflow (paths, stages, stage approvers, etc.) and provisioning information


SAP GRC 10 Web services − Additional

Web service (technical name): description

• Org Assignments (GRAC_ORG_ASSGN_REQUEST_WS): enables the assignment of roles to HR-OM objects such as Organizational Unit, Job, and Position

• Firefighter (GRAC_FIRE_FIGHTER_WS): returns the list of Firefighter IDs and the Firefighter Owner details

• EUP Configuration (GRAC_EUP_CONFIG_DATA_WS): returns End User Personalization configuration details for a user


Managing typical implementation challenges

• Scope

- Which systems will be managed in SAP GRC?

- Are there SAP back-end systems that do not natively integrate with SAP GRC?

- What is the implementation approach to manage cross-system SoD risks?

• Requirements to Reality

- Is the implementation subtly promising more than the technology is capable of delivering?

- Can the enterprise architecture support the proposed design?


Managing typical implementation challenges (continued)

• Integration

- How will data be transferred between SAP GRC and IdM?

- How is data leakage prevented?

- Have you ensured that data elements have a single source of record?

• Security

- Are communications between applications and end users properly secured?

- Are roles clearly defined to protect the integrity of the process?

• Change Management and Training

- Are users up to speed on potential changes in the access management process?

- Has training documentation been updated?

- Has a support team been established to ease the transition?


Integrating GRC Access Control with IdM is just the beginning

• Provisioning

- One provisioning source for all enterprise logical access – Extend to non-SAP applications as well

- One provisioning source for all enterprise physical access – Swipe access cards, badges, etc.

• Roles

- A holistic view of role access – with Enterprise roles

• Controls

- One controls system that manages risk, controls, and compliance for all applications – SAP GRC 10!


Wrap-up


Where to find more information

• GRC How-to Guides:

- www.sdn.sap.com/irj/scn/articles-grc-all

• SAP GRC Help

- https://help.sap.com/grc

• SAP Community Network:

- www.sdn.sap.com

◦ Solutions Analytics Governance, Risk and Compliance

• SAP Netweaver IdM documentation

- help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm#idm72


7 key points to take home

• Your IdM solution and SAP GRC are not in competition

• There are significant advantages to be gained for the business community by integrating SAP GRC with IdM

• Design the overall process to let SAP GRC do what it does best, and let the IdM solutions do what they do best.

• Clearly determine the integration points between SAP GRC and IdM early on, and continuously review them

• Leverage HR data as a source of record for user information

• Avoid duplication of data across IdM and SAP GRC

• Consider other integration options as well


Your turn!


How to contact me:

Sandeep Poonen


Please remember to complete your session evaluation


Questions?

Disclaimer

© 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.