SAP User Access Reviews - UK & Ireland SAP Users Group

Page 1

SAP User Access Reviews

Chris Haigh

Global SAP Security Specialist

Page 2

12 years SAP security experience

• ABAP, Basis and Security for initial SAP projects at Woolwich plc in 1999 (R/3 4.0 and 4.6c)

• Barclays SAP program Security & Integration

– BI authorisations

• In-house SAP Security specialist at Brakes Foodservice, outsourced to Atos Origin (RS Components, United Biscuits)

• SAP Security Capability lead at Axon Solutions

– BI 7.0 specialism (AA, BP, Davis Langdon, Harrow Council, Northern Rail, NPIA, SHS, TfL, UBS)

Page 3

K-C since May 2008

• BW, APO, BOBJ, CRM, ECC, MDM, PI, portal, SCM, SRM, SolMan

Page 4

Our Product Areas

Health Care

Consumer Tissue

K-C Professional

Personal Care

Page 5

SOX Requirement

• Processes for allocation of access

• Changes to access (allocation or functionality)

• Reviewing access periodically.

Page 6

Access Reviews now part of GRC 10.0

• Other vendors offering Access Review functions.

Page 7

2007 and 2008 Audit Finding

Page 8

[Chart: the values 7,700, 4,500, 5,800 and 17,200 plotted against the regions Asia Pacific, EMEA, LAO and North America]

Page 9

Original Process

• System based (30 production systems)

• Role focussed (30,000+ roles)

• Many visits for the same users

– For each system

– For each role

• Access changes requested and processed manually.

Page 10

Very Repetitive…

[Diagram: Role 1, Role 2 … Role n, each visited in turn]

Page 11

Excel Based

• Export role allocations from SAP to Excel

• Add role owner information from SQL

• Add team structure information from HR

• Sent to team leaders by role owners by e-mail

• LAO were taking 3 months to complete a review

Page 12

How to fix the Audit Finding?

Page 13

Risk Based Reviews

• Over 30,000 roles globally

• Not all roles need reviewing

• Only review the ‘important’ roles

• Assess risk of each role.

Page 14

Role Classification

• Role owners often unaware of some of the risk

• Wanted a ‘scientific’ approach

• Key transactions

– Critical / Sensitive functions

– Critical authorisation values

– Key business processes

– Contributing to SoD concerns.

Page 15

Confidential or Internal

• Confidential

– Roles contain important access or could contribute to a segregation of duties concern

– Role allocations must be reviewed.

• Internal

– If role allocations not reviewed, these would not expose Kimberly-Clark to any significant risk.

Page 16

Use of Virsa

• Assess role contents at role change time

• Technical checks if critical values being introduced

• SoD contributing transactions

• Role classification updated as necessary.

Page 17

Virsa Process

[Process flow] Assess current risks in role → Change role contents → Re-assess to see if risks have changed

• Internal roles changing their classification

• Confidential roles rarely lose access

• Internal roles won’t be reviewed.

• As part of role change management
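As an added example, not code from the presentation or from Kimberly-Clark's tooling, the following Python sketches the role classification the preceding slides describe: a role is Confidential if it contains a key transaction (critical or sensitive function), a critical authorisation value, or a transaction that contributes to an SoD concern, and it is re-assessed when its contents change. The transaction codes, authorisation values and the single SoD rule are a constructed sample rule set, not K-C's.

```python
# Added example (not from the presentation): classify a role as Confidential
# or Internal using the criteria on the slides - key transactions (critical or
# sensitive functions), critical authorisation values and transactions that
# contribute to an SoD concern - and re-assess it after a role change.
# The rule tables are a constructed sample, not Kimberly-Clark's rule set.
from dataclasses import dataclass

CRITICAL_TCODES = {"SU01", "PFCG", "SE16"}              # user/role admin, table browsing
CRITICAL_AUTHS = {("S_TABU_DIS", "ACTVT", "02"),       # change table contents (sample)
                  ("S_DEVELOP", "ACTVT", "02")}        # change ABAP objects (sample)
# Each SoD rule is a pair of conflicting functions; a role "contributes" to
# the concern if it contains any transaction from either side.
SOD_RULES = {"Vendor master vs vendor invoice": ({"XK01", "XK02"}, {"FB60", "FB65"})}

@dataclass(frozen=True)
class Role:
    name: str
    tcodes: frozenset       # transaction codes in the role (menu / S_TCODE)
    auths: frozenset        # (object, field, value) triples in the role

def classify(role):
    """Return (classification, reasons). Any hit makes the role Confidential."""
    reasons = []
    hits = role.tcodes & CRITICAL_TCODES
    if hits:
        reasons.append("critical transactions: " + ", ".join(sorted(hits)))
    hits = role.auths & CRITICAL_AUTHS
    if hits:
        reasons.append("critical auth values: " + ", ".join("/".join(a) for a in sorted(hits)))
    for rule, (side_a, side_b) in SOD_RULES.items():
        if role.tcodes & (side_a | side_b):
            reasons.append("contributes to SoD concern: " + rule)
    return ("Confidential" if reasons else "Internal"), reasons

def reassess(old_class, changed_role):
    """Run at role-change time: returns (new_class, classification changed?)."""
    new_class, _ = classify(changed_role)
    return new_class, new_class != old_class

if __name__ == "__main__":
    display = Role("Z_AP_DISPLAY", frozenset({"FB03", "FBL1N"}), frozenset())
    cls, why = classify(display)
    print(display.name, cls, why)           # Internal
    # Role change: an invoice-posting transaction is added to the display role
    changed = Role("Z_AP_DISPLAY", display.tcodes | {"FB60"}, frozenset())
    print(reassess(cls, changed))           # ('Confidential', True)
```

The reasons list is what a role owner would see when a change flips an Internal role to Confidential, which is the "role classification updated as necessary" step on the slides.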

Page 18

Classifications into SAP Role Database

Page 19

A New Process for Access Reviews

• Fewer roles to review

– Still more than we expected!

• Fewer users to review

– Some only have Internal roles

• Reduced effort to manage review process

• GRC 10.0 didn’t exist in 2009.

Page 20

Because of our SAP history

• Fire fight and Virsa

• Developed in-house solution

• Caters for some unique K-C issues

• Most cost effective, given planned initiatives.

Page 21

The SAP Access Review System

• SQL database, with Intranet based pages

• Weekly extracts of data

– SAP (AGR_USERS table)

– Active Directory

– contractor database and

– Education Management System

• Data in .CSV format, leveraging old process.

Page 22

A True Team Structure

• Permanent employees

– Based on HR organisation structure

• Contract staff

– Not in HR structure

– Have a K-C sponsor

– Sponsor considered their team leader.

Page 23

Main Review Screen

Page 24

Multi-Language

Page 25

Team Leader Focussed Reviews

• All SAP access for the team members

• Each SAP system regardless of region

• Shows the confidential roles first.

Page 26

Confidential Role Display

Page 27

Full Role Display

Page 28

Drill Through to Role Info

Page 29

Team Leader Focussed Reviews

• Allows removal of roles no longer required

• Allows team structure to be amended.

• All SAP access for the team members

• Each SAP system regardless of region

• Shows the confidential roles first.

Page 30

Removing Team Members / Roles

Page 31

System Retains History of Review

• Once team members and roles have been checked

– Including any team changes

– Role removals

• Last two reviews held in system

• Latest review visible.

Page 32

Review History

Page 33

Delegating the Task

• Team Leaders have the responsibility to ensure their team is reviewed

– Can delegate to a member of their team

– Can delegate to a ‘trusted’ third party

– Team leaders can set 2 delegates

• People can request to be a delegate

• Admin can set their delegates to any team.

Page 34

Delegation

Page 35

Delegation

Page 36

Reporting

• Mainly for people supporting system

– Orphan Users

– Review History

– Role Centric

– User Not Reviewed

– User Centric View.

Page 37

Reporting – Role Centric View

Page 38

Orphans

• Team members without a team leader

• Some due to ‘timing’ issues in team structure

• Some truly missing a manager

• Contractors moving teams

• Team leaders leaving.
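An added example, not the K-C Access Review System's code, of the data flow the earlier slides describe: the weekly CSV extracts (the SAP AGR_USERS table, the HR team structure, the contractor list with sponsors, and the role classifications) are joined into one review pack per team leader, with confidential roles listed first, and every team member who has SAP access but no team leader is reported as an orphan. Only the AGR_USERS field names AGR_NAME, UNAME and TO_DAT are real; the SYSTEM column, the HR and contractor file layouts and all data rows are constructed, and skipping allocations whose TO_DAT has already passed is this example's own choice.

```python
# Added example (not the K-C Access Review System's code): turn the weekly CSV
# extracts the slides list into team-leader review packs plus an orphan list.
# Only the AGR_USERS fields AGR_NAME/UNAME/TO_DAT are real; all rows are constructed.
import csv, io
from collections import defaultdict
from datetime import date, datetime

AGR_USERS = """SYSTEM,AGR_NAME,UNAME,TO_DAT
ECC_EU,Z_AP_INVOICE_POST,JSMITH,99991231
ECC_EU,Z_DISPLAY_ONLY,JSMITH,99991231
ECC_NA,Z_USER_ADMIN,CJONES,99991231
ECC_NA,Z_DISPLAY_ONLY,CJONES,20091231
APO_AP,Z_VENDOR_MASTER,AKUMAR,99991231
"""
HR_TEAMS = "UNAME,TEAM_LEADER\nJSMITH,MBROWN\n"      # permanent staff, from HR
CONTRACTORS = "UNAME,SPONSOR\nCJONES,MBROWN\n"      # contract staff: sponsor = team leader
ROLE_CLASS = """AGR_NAME,CLASS
Z_AP_INVOICE_POST,Confidential
Z_USER_ADMIN,Confidential
Z_VENDOR_MASTER,Confidential
Z_DISPLAY_ONLY,Internal
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def team_leader_of():
    """HR structure for employees; contract staff map to their K-C sponsor."""
    leaders = {r["UNAME"]: r["SPONSOR"] for r in rows(CONTRACTORS)}
    leaders.update({r["UNAME"]: r["TEAM_LEADER"] for r in rows(HR_TEAMS)})
    return leaders

def build_review(as_of=date(2010, 6, 1)):
    """Return ({leader: [(user, system, role, class)]}, orphans); Confidential first."""
    cls = {r["AGR_NAME"]: r["CLASS"] for r in rows(ROLE_CLASS)}
    leaders = team_leader_of()
    packs, orphans = defaultdict(list), set()
    for r in rows(AGR_USERS):
        if datetime.strptime(r["TO_DAT"], "%Y%m%d").date() < as_of:
            continue                          # allocation already expired, nothing to review
        leader = leaders.get(r["UNAME"])
        if leader is None:                    # SAP access but no team leader: orphan
            orphans.add(r["UNAME"])
            continue
        packs[leader].append((r["UNAME"], r["SYSTEM"], r["AGR_NAME"],
                              cls.get(r["AGR_NAME"], "Unclassified")))
    for items in packs.values():              # confidential roles first, then by user and role
        items.sort(key=lambda x: (x[3] != "Confidential", x[0], x[2]))
    return dict(packs), sorted(orphans)
```

A role missing from the classification extract surfaces as "Unclassified" rather than being silently treated as Internal, so the gap in the role database is visible to whoever supports the system.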

Page 39

Orphan User Report

Page 40

Built-In Help / Tutorial

Page 41

Some Numbers

• 4,140 Team Leaders

• 35,000 Team Members

• Initially 700+ Orphans!

• Over 500,000 user-role allocations

• 95% completion in active regions.

Page 42

Chasing Up

• Team leaders responsible for completing reviews

• Regional Internal Controls oversee process

• Some changes needed to system, as not designed to be administered centrally

• Culture change necessary to stop ‘handholding’.

Page 43

Lessons Learnt

• Organisation data for many teams wrong

• Time wasted on correcting team info, not doing reviews

• Some team leaders would complain longer about doing a review than review took them!

Page 44

Future Changes

• Workday being rolled out globally

– ‘true Global’ HR system

– K-C employees

– Contract staff

• CA Identity Manager

– Managing user accounts

– SAP role allocations.

Page 45

?