SAP User Access Reviews
Chris Haigh
Global SAP Security Specialist
12 years SAP security experience
ABAP, Basis and Security for initial SAP projects
at Woolwich plc in 1999 (R/3 4.0 and 4.6c)
Barclays SAP program Security & Integration
BI authorisations
In-house SAP Security specialist at
Brakes Foodservice, outsourced to Atos Origin
(RS Components, United Biscuits)
SAP Security Capability lead at Axon Solutions
BI 7.0 specialism
(AA, BP, Davis Langdon, Harrow Council,
Northern Rail, NPIA, SHS, TfL, UBS)
K-C since May 2008
BW
APO
BOBJ
CRM
ECC
MDM
PI
portal
SCM
SRM
SolMan
Our Product Areas
Health Care
Consumer Tissue
K-C Professional
Personal Care
SOX Requirement
• Processes for allocation of access
• Changes to access (allocation or functionality)
• Reviewing access periodically.
Access Reviews now part of GRC 10.0
• Other vendors offering Access Review functions.
2007 and 2008 Audit Finding
[Chart: counts by region, values as extracted: 7,700; 4,500; 5,800; 17,200 for Asia Pacific, EMEA, LAO, North America]
Original Process
• System based (30 production systems)
• Role focussed (30,000+ roles)
• Many visits for the same users
– For each system
– For each role
• Access changes requested and processed manually.
Very Repetitive…
[Figure: the same user visited again for Role 1, Role 2 … Role n]
Excel Based
• Export role allocations from SAP to Excel
• Add role owner information from SQL
• Add team structure information from HR
• Sent to team leaders by role owners by e-mail
• LAO were taking 3 months to complete a review
How to fix the Audit Finding?
Risk Based Reviews
• Over 30,000 roles globally
• Not all roles need reviewing
• Only review the ‘important’ roles
• Assess risk of each role.
Role Classification
• Role owners often unaware of some of the risk
• Wanted a ‘scientific’ approach
• Key transactions
– Critical / Sensitive functions
– Critical authorisation values
– Key business processes
– Contributing to SoD concerns.
Confidential or Internal
• Confidential
– Roles contain important access or could contribute to a segregation of duties concern
– Role allocations must be reviewed.
• Internal
– If role allocations not reviewed, these would not expose Kimberly-Clark to any significant risk.
Use of Virsa
• Assess role contents at role change time
• Technical checks if critical values being introduced
• SoD contributing transactions
• Role classification updated as necessary.
Virsa Process
[Flow: Assess current risks in role → Change role contents → Re-assess to see if risks have changed]
• Internal roles changing their classification
• Confidential roles rarely lose access
• Internal roles won’t be reviewed.
• As part of role change management
Classifications into SAP Role Database
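The classification rules and the change-time re-assessment above, as an added worked example (not Kimberly-Clark's code and not Virsa/GRC logic). It assumes role contents arrive as a CSV extract of the SAP AGR_1251 table (role authorization data, columns AGR_NAME/OBJECT/FIELD/LOW), and the key-transaction list, critical authorization values and SoD rules are constructed placeholders standing in for a site's real rule set. A role is Confidential if any rule fires, otherwise Internal; `reassess` compares the classification of a role before and after a change so the role database can be updated.

```python
"""Rule-based SAP role classification (added example, not K-C's or Virsa's code).

Assumptions: AGR_1251-style CSV extract; placeholder rule sets below.
"""
import csv
import io

# Constructed placeholder rules, not a real Kimberly-Clark rule set.
KEY_TRANSACTIONS = {"SU01", "PFCG", "FB01", "F110"}          # sensitive functions
CRITICAL_AUTH_VALUES = {("S_TABU_DIS", "ACTVT", "02"),         # change table contents
                        ("S_DEVELOP", "ACTVT", "02")}          # change development objects
SOD_RULES = {"AP-01": ({"FB01"}, {"F110"}),                    # post invoice vs. run payments
             "P2P-01": ({"ME21N"}, {"MIGO"})}                  # create PO vs. goods receipt

# Constructed AGR_1251-style extract: role contents before a change.
BEFORE_EXTRACT = """AGR_NAME,OBJECT,FIELD,LOW
Z_REPORTING,S_TCODE,TCD,ZREPORT1
Z_REPORTING,S_TABU_DIS,ACTVT,03
Z_AP_CLERK,S_TCODE,TCD,FB01
Z_AP_CLERK,S_TCODE,TCD,FB03
Z_AP_CLERK,S_TABU_DIS,ACTVT,03
"""
# Same roles after a change: Z_REPORTING gains table maintenance (ACTVT 02).
AFTER_EXTRACT = BEFORE_EXTRACT + "Z_REPORTING,S_TABU_DIS,ACTVT,02\n"


def parse_role_contents(csv_text):
    """Group an AGR_1251 extract into {role: {'tcodes': set, 'auths': set}}."""
    roles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = roles.setdefault(row["AGR_NAME"], {"tcodes": set(), "auths": set()})
        if row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD":
            entry["tcodes"].add(row["LOW"])
        else:
            entry["auths"].add((row["OBJECT"], row["FIELD"], row["LOW"]))
    return roles


def assess_role(contents):
    """Return the list of reasons a role is risky (empty list = no concern)."""
    reasons = []
    for tcode in sorted(contents["tcodes"] & KEY_TRANSACTIONS):
        reasons.append(f"key transaction {tcode}")
    for obj, field, low in sorted(contents["auths"] & CRITICAL_AUTH_VALUES):
        reasons.append(f"critical value {obj}/{field}={low}")
    for rule_id, (side_a, side_b) in SOD_RULES.items():
        hits = contents["tcodes"] & (side_a | side_b)
        if hits:  # the role holds one side of an SoD conflict, so it contributes
            reasons.append(f"contributes to SoD rule {rule_id} via {','.join(sorted(hits))}")
    return reasons


def classify(contents):
    """Confidential if any rule fires, otherwise Internal."""
    return "Confidential" if assess_role(contents) else "Internal"


def classify_all(csv_text):
    """{role: (classification, reasons)} for every role in the extract."""
    return {name: (classify(c), assess_role(c))
            for name, c in parse_role_contents(csv_text).items()}


def reassess(before_csv, after_csv):
    """Change-time check: roles whose classification differs after the change."""
    before, after = classify_all(before_csv), classify_all(after_csv)
    changes = {}
    for role in sorted(set(before) | set(after)):
        old = before.get(role, ("(new)", []))[0]
        new = after.get(role, ("(deleted)", []))[0]
        if old != new:
            changes[role] = (old, new)
    return changes


if __name__ == "__main__":
    for role, (cls, why) in classify_all(BEFORE_EXTRACT).items():
        print(f"{role}: {cls} {why}")
    print("classification changes:", reassess(BEFORE_EXTRACT, AFTER_EXTRACT))
```

Running it classifies Z_REPORTING as Internal and Z_AP_CLERK as Confidential, and the re-assessment reports Z_REPORTING moving from Internal to Confidential once table maintenance is added, which is exactly the case where a role's classification in the role database must be updated as part of change management.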
A New Process for Access Reviews
• Fewer roles to review
– Still more than we expected!
• Fewer users to review
– Some only have Internal roles
• Reduced effort to manage review process
• GRC 10.0 didn’t exist in 2009.
Because of our SAP history
• Fire fight and Virsa
• Developed in-house solution
• Caters for some unique K-C issues
• Most cost effective, given planned initiatives.
The SAP Access Review System
• SQL database, with Intranet based pages
• Weekly extracts of data
– SAP (AGR_USERS table)
– active directory
– contractor database and
– Education Management System
• Data in .CSV format, leveraging old process.
A True Team Structure
• Permanent employees
– Based on HR organisation structure
• Contract staff
– Not in HR structure
– Have a K-C sponsor
– Sponsor considered their team leader.
Main Review Screen
Multi-Language
Team Leader Focussed Reviews
• All SAP access for the team members
• Each SAP system regardless of region
• Shows the confidential roles first.
Confidential Role Display
Full Role Display
Drill Through to Role Info
Team Leader Focussed Reviews
• Allows removal of roles no longer required
• Allows team structure to be amended.
Removing Team Members / Roles
System Retains History of Review
• Once team members and roles have been checked
– Including any team changes
– Role removals
• Last two reviews held in system
• Latest review visible.
Review History
Delegating the Task
• Team Leaders have the responsibility to ensure their team is reviewed
– Can delegate to a member of their team
– Can delegate to a ‘trusted’ third party
– Team leaders can set 2 delegates
• People can request to be a delegate
• Admin can set their delegates to any team.
Delegation
Reporting
• Mainly for people supporting system
– Orphan Users
– Review History
– Role Centric
– User Not Reviewed
– User Centric View.
Reporting – Role Centric View
Orphans
• Team members without a team leader
• Some due to ‘timing’ issues in team structure
• Some truly missing a manager
• Contractors moving teams
• Team leaders leaving.
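The review system described above (weekly extracts joined into a team-leader-focused review, contractors attached to their sponsor, confidential roles shown first, orphans reported), as an added worked example that is not Kimberly-Clark's code. It assumes a per-system AGR_USERS extract with a SYSID column added by the extract job, an HR extract giving each employee's team leader, a contractor database giving each contractor's sponsor, an Active Directory extract giving account status, and a role classification table; all sample rows are constructed. A user is an orphan when no team leader can be found or the team leader's account is disabled (the "team leader leaving" case).

```python
"""Build team-leader access reviews and an orphan report (added example, not K-C's code).

Assumed extract layouts (constructed): AGR_USERS with a SYSID column prepended,
HR (USERID,TEAM_LEADER), contractor DB (USERID,SPONSOR), AD (SAMACCOUNTNAME,ENABLED),
role classification (AGR_NAME,CLASSIFICATION).
"""
import csv
import io
from collections import defaultdict

AS_OF = "20091201"  # review date, YYYYMMDD as in AGR_USERS

AGR_USERS_EXTRACT = """SYSID,MANDT,AGR_NAME,UNAME,FROM_DAT,TO_DAT
ECC,100,Z_AP_CLERK,JSMITH,20080101,99991231
ECC,100,Z_REPORTING,JSMITH,20080101,99991231
BW1,100,Z_BW_ANALYST,JSMITH,20090301,99991231
ECC,100,Z_REPORTING,MGARCIA,20080101,99991231
ECC,100,Z_AP_CLERK,TNGUYEN,20090101,99991231
ECC,100,Z_REPORTING,PLEE,20090101,99991231
ECC,100,Z_REPORTING,XORPHAN,20090101,99991231
ECC,100,Z_REPORTING,OLDUSER,20050101,20081231
"""
HR_EXTRACT = """USERID,TEAM_LEADER
JSMITH,AJONES
MGARCIA,AJONES
AJONES,CEO
"""
CONTRACTOR_EXTRACT = """USERID,SPONSOR
TNGUYEN,AJONES
PLEE,BWONG
"""
AD_EXTRACT = """SAMACCOUNTNAME,ENABLED
JSMITH,1
MGARCIA,1
AJONES,1
TNGUYEN,1
PLEE,1
BWONG,0
XORPHAN,1
"""
ROLE_CLASSIFICATION = """AGR_NAME,CLASSIFICATION
Z_AP_CLERK,Confidential
Z_REPORTING,Internal
Z_BW_ANALYST,Confidential
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_team_structure(hr_text, contractor_text):
    """Map user -> team leader; a contractor's sponsor counts as their team leader."""
    leader_of = {r["USERID"]: r["TEAM_LEADER"] for r in load(hr_text)}
    for r in load(contractor_text):
        leader_of.setdefault(r["USERID"], r["SPONSOR"])  # HR record wins if both exist
    return leader_of


def active_allocations(agr_users_text, as_of):
    """Keep only role allocations valid on the review date (string compare works for YYYYMMDD)."""
    return [r for r in load(agr_users_text) if r["FROM_DAT"] <= as_of <= r["TO_DAT"]]


def build_reviews(agr_users_text, hr_text, contractor_text, ad_text, classification_text, as_of):
    """Return ({team_leader: [(user, system, role, classification), ...]}, sorted orphan list)."""
    leader_of = build_team_structure(hr_text, contractor_text)
    enabled = {r["SAMACCOUNTNAME"]: r["ENABLED"] == "1" for r in load(ad_text)}
    classification = {r["AGR_NAME"]: r["CLASSIFICATION"] for r in load(classification_text)}
    reviews, orphans = defaultdict(list), set()
    for a in active_allocations(agr_users_text, as_of):
        leader = leader_of.get(a["UNAME"])
        if leader is None or not enabled.get(leader, False):
            orphans.add(a["UNAME"])  # no manager, or manager has left
            continue
        cls = classification.get(a["AGR_NAME"], "Unclassified")
        reviews[leader].append((a["UNAME"], a["SYSID"], a["AGR_NAME"], cls))
    for leader in reviews:  # confidential (and unclassified) roles first, then by user/system/role
        reviews[leader].sort(key=lambda x: (x[3] == "Internal", x[0], x[1], x[2]))
    return dict(reviews), sorted(orphans)


if __name__ == "__main__":
    reviews, orphans = build_reviews(AGR_USERS_EXTRACT, HR_EXTRACT, CONTRACTOR_EXTRACT,
                                     AD_EXTRACT, ROLE_CLASSIFICATION, AS_OF)
    for leader, rows in reviews.items():
        print(f"Review for team leader {leader}:")
        for user, system, role, cls in rows:
            print(f"  {cls:12} {user:10} {system:4} {role}")
    print("Orphan users:", orphans)
```

AJONES's review lists JSMITH's and TNGUYEN's Confidential roles across ECC and BW1 before the Internal ones, the expired OLDUSER allocation is dropped before any orphan check, and the orphan report names XORPHAN (no team leader in either source) and PLEE (sponsor's account disabled). Unclassified roles are deliberately sorted with the Confidential ones so a role missing from the classification table is never hidden at the bottom of the review.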
Orphan User Report
Built-In Help / Tutorial
Some Numbers
• 4,140 Team Leaders
• 35,000 Team Members
• Initially 700+ Orphans!
• Over 500,000 user-role allocations
• 95% completion in active regions.
Chasing Up
• Team leaders responsible for completing reviews
• Regional Internal Controls oversee process
• Some changes needed to system, as not designed to be administered centrally
• Culture change necessary to stop ‘handholding’.
Lessons Learnt
• Organisation data for many teams wrong
• Time wasted on correcting team info, not doing reviews
• Some team leaders would complain longer about doing a review than the review took them!
Future Changes
• Workday being rolled out globally
– ‘true Global’ HR system
– K-C employees
– Contract staff
• CA Identity Manager
– Managing user accounts
– SAP role allocations.
?