SAP GRC AC ARA

SAP GRC AC ARA

Access Risk Analysis

Requirements Gathering Workshop

Fahri Batur

October 2013



About This Session

Introduction

  • Today is all about exploring how you will use Access Control by leveraging your business knowledge and our product knowledge to arrive at design decisions that will enable us to write the Blueprint and configure the system

  • It is important we have people in this session that can provide (with our help) direction in terms of how you will use Access Control

  • So let's start by doing introductions around the room, including what your area of interest is in relation to Access Control



Agenda

Running Order

  • Requirements gathering for Segregation of Duties management via the Access Risk Analysis (ARA) module



How We’re Going to Do This

A little insight into what’s in store

  • Integrc’s role today

    • Ask you lots of questions about how you will use Access Control

    • Provide context to what we’re discussing and how our questions relate to your future use of Access Control

    • To help you understand how Access Control will need to be set up in order to meet your business requirements

    • Tease out all the detail we will need to write the Blueprint and configure your solution

  • Your role today

    • Answer lots of questions!

    • Provide business context

Between us, we will establish all the facts we need to proceed



How We’re Going to Do This

Method

  • Good old-fashioned talking, where your business knowledge and our product knowledge come together

We have various techniques and aids to help us identify how Access Control will need to be configured

  • Structured questionnaire that will ensure we capture all information we need

  • Access to the Integrc GRC lab where we can demo scenarios through the day for context if necessary


Let's Start at the Very Beginning

Overview of SAP GRC Access Control

Phases: Sprint Phase (Get Clean); Marathon Phase (Stay Clean)

Activities: Risk Identification & Remediation; Privileged User Access; Role Management; Prevention

Modules:

  • Emergency Access Management: privileged user access control solution

  • Business Role Management: role definition and management

  • Access Request Management: compliant provisioning solution

  • Access Risk Analysis: risk analysis, detection, and remediation solution for access and authorisation controls

Gavin Campbell - Director

[email protected]

+44 7828 658812



Access Risk Analysis (ARA)

Segregation of Duties Management

  • The rules engine that enables your Segregation of Duties reporting

  • Interfaces with other Access Control modules to enable compliant processes for provisioning and role management

  • Holds your definition of Segregation of Duties risks

  • Analyses roles and users in real time against defined SoD risks to provide visibility of where risks are



Just Before We Start

An Insight Into the Variables We Need to Capture

For each Access Control module, we will need to capture the following variables:

  • System settings and parameters

    • Will dictate how your system behaves and what default settings it uses

  • Configuration settings

    • Dictate how you will use the solution and how your GRC processes will work

  • Master data

Cross Application Configuration and Settings



Target Systems

Identify Systems to be Connected to Access Control

  • A target system is a backend system that will be connected to Access Control for the purposes of risk analysis, provisioning, super user management or role management

Click icon for Target Systems data capture sheet



Connectors

Communication Channels Between GRC and Target Systems

  • A connector is created in GRC for each target system that Access Control will connect to. Your consultant will capture the connector details for each in scope system

Implement


Click icon for Generic System Settings data capture sheet



Connector Definition

Technical Connector Settings

  • A connector definition is required for each defined connector/target system. Your consultant will capture these technical settings for the purpose of documenting them in the Blueprint

Implement


Click icon for Generic System Settings data capture sheet

Maintain



Connector Groups

Logical Groupings of Physical Connections

  • Your consultant will discuss with you the different types of connector groups, what the advantages are of each type and establish which are best for you

Implement


Click icon for Generic System Settings data capture sheet



Connector Integration Scenarios

  • Integration scenarios are used to define the flow of information between different application components. Your consultant will help work out which scenarios are relevant to you

Implement


Click icon for Generic System Settings data capture sheet



Cross Application

Generic System Settings

  • These parameters influence how the system operates but are not related as such to any one module. They are central to the system, much like the Basis layer of any SAP system.

Click icon for Generic System Settings data capture sheet



Access Control Owners

Important Users Who Are Assigned Specific Responsibilities

  • Users that will be involved in your Access Control processes need to be assigned their responsibilities in the Access Control owners table in addition to their ABAP roles

Implement

Click icon for Generic System Settings data capture sheet

Maintain



Organisational Structure

Shared Structure for Assigning Mitigating Controls

  • The organisational structure is shared between Access Control and Process Control and used to assign controls in a structured way

Implement

Click icon for Generic System Settings data capture sheet



ARA Configuration Parameters

System Settings for ARA

  • These parameters influence how ARA operates. System default values are defined here

Implement

Click icon for Generic System Settings data capture sheet



SoD and Critical Risk Ruleset

Defining the Risk Library

  • The ruleset defines the risks that matter to your organisation and ultimately shows the transactions that should not be allocated to users in combination

Implement

Click icon for Generic System Settings data capture sheet



Mitigating Controls

Define Controls and Map Them to Risks

  • Mitigating controls are documented in Access Control as a way of mitigating the risk of assigning conflicting access to users. Whilst Access Control does not manage the control execution, it provides reporting for visibility of mitigated and unmitigated risks

Implement


Click icon for Generic System Settings data capture sheet

Maintain



Mitigating Control Assignment

Mapping Users to Controls

  • This step defines the mitigating controls that need to be mapped to users based on the SoD risks that they will have at go-live

Implement


Click icon for Generic System Settings data capture sheet
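The ARA, ruleset and mitigating-control slides above describe one mechanism: a rules engine that maps a subject's transactions onto functions, flags every risk whose functions are all held, and reports each finding as mitigated or open depending on whether a control is assigned. The script below is an added illustration of that mechanism, written for this page; it is not SAP, Integrc or the presentation's own code. All risk IDs (SOD-001, CRT-001), function names, roles, users and control IDs are constructed sample data, and the transaction codes (XK01, F110, FB60, MIRO, SU01, SU10) are standard SAP ones used only to make the sample realistic. It goes slightly beyond the slides by also running the same analysis on a single role and as a what-if simulation before a role is assigned, which is the check a compliant provisioning flow would run.

```python
"""Minimal Segregation-of-Duties risk analysis in the style of GRC ARA.

Added example, not SAP or Integrc code. Risk IDs, functions, roles,
users and control IDs are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# --- Ruleset (the risk library) -------------------------------------------
# A function groups the transactions that deliver one business capability.
FUNCTIONS: Dict[str, Set[str]] = {
    "AP_VENDOR_MAINT": {"XK01", "XK02", "FK01", "FK02"},  # maintain vendor master
    "AP_INVOICE_POST": {"FB60", "MIRO"},                  # post vendor invoices
    "AP_PAYMENT_RUN": {"F110"},                           # execute payment run
    "BASIS_USER_ADMIN": {"SU01", "SU10"},                 # maintain user accounts
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: FrozenSet[str]  # SoD risk: two or more functions; critical action: one
    level: str


RULESET: List[Risk] = [
    Risk("SOD-001", "Maintain vendor master and run payments",
         frozenset({"AP_VENDOR_MAINT", "AP_PAYMENT_RUN"}), "High"),
    Risk("SOD-002", "Post vendor invoices and run payments",
         frozenset({"AP_INVOICE_POST", "AP_PAYMENT_RUN"}), "High"),
    Risk("CRT-001", "Critical action: user administration",
         frozenset({"BASIS_USER_ADMIN"}), "Critical"),
]

# --- Master data as it would be read from the target system (constructed) --
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_AP_MASTER": {"XK01", "XK02"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BASIS": {"SU01", "SU10"},
}
USER_ROLES: Dict[str, List[str]] = {
    "jdoe": ["Z_AP_MASTER", "Z_AP_PAYMENTS"],
    "asmith": ["Z_AP_CLERK"],
    "badmin": ["Z_BASIS"],
}
# Mitigating control assignment: user -> {risk_id: control_id}.
# The tool only records that a control is assigned; it does not execute it.
MITIGATIONS: Dict[str, Dict[str, str]] = {"jdoe": {"SOD-001": "MC-AP-01"}}


@dataclass(frozen=True)
class Finding:
    subject: str
    risk_id: str
    level: str
    transactions: tuple      # assigned transactions that trigger the risk
    control: Optional[str]   # assigned mitigating control, if any

    @property
    def status(self) -> str:
        return "mitigated" if self.control else "open"


def transactions_for_roles(role_names: List[str]) -> Set[str]:
    """Flatten a list of roles into the transaction codes they grant."""
    return set().union(*(ROLES[r] for r in role_names))


def analyse_access(subject: str, tcodes: Set[str]) -> List[Finding]:
    """Rules engine: report every risk whose functions are all held.

    A function counts as held when the subject has at least one of its
    transactions. The same routine serves users, roles and simulations.
    """
    held = {f for f, codes in FUNCTIONS.items() if codes & tcodes}
    findings = []
    for risk in RULESET:
        if risk.functions <= held:
            evidence = sorted({t for f in risk.functions for t in FUNCTIONS[f] & tcodes})
            control = MITIGATIONS.get(subject, {}).get(risk.risk_id)
            findings.append(Finding(subject, risk.risk_id, risk.level, tuple(evidence), control))
    return findings


def analyse_user(user: str) -> List[Finding]:
    return analyse_access(user, transactions_for_roles(USER_ROLES[user]))


def analyse_role(role: str) -> List[Finding]:
    """Role-level analysis: a role that violates a risk on its own is a design defect."""
    return analyse_access(role, set(ROLES[role]))


def simulate_assignment(user: str, extra_role: str) -> List[Finding]:
    """What-if check a compliant provisioning flow would run before approval."""
    return analyse_access(user, transactions_for_roles(USER_ROLES[user] + [extra_role]))


def risk_summary(users) -> Dict[str, int]:
    """Open versus mitigated counts across users, as a dashboard would show them."""
    counts = {"open": 0, "mitigated": 0}
    for user in users:
        for finding in analyse_user(user):
            counts[finding.status] += 1
    return counts


if __name__ == "__main__":
    for user in USER_ROLES:
        for f in analyse_user(user):
            print(f"{f.subject:8} {f.risk_id} {f.level:9} {f.status:10} {f.transactions} {f.control or ''}")
    print(risk_summary(USER_ROLES))
```

Running it shows jdoe's SOD-001 as mitigated by MC-AP-01, badmin's CRT-001 as open, and asmith clean; the simulation reports that giving asmith Z_AP_PAYMENTS would open SOD-002, which is the point at which a provisioning workflow would route the request to a risk owner rather than approve it. Each finding carries the transactions that triggered it, because remediation needs that evidence rather than just the risk ID.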



Business Processes and Sub Processes

  • Part of mitigating control master data used to categorise controls

Implement


Click icon for Generic System Settings data capture sheet



Next Steps

What Happens Next



Thank You

On behalf of Integrc, thank you for your invaluable contribution. Your input during requirements gathering will influence the success of the Access Control implementation
