
The Access Analysis Service of SAP Cloud Identity Access Governance provides several functionalities to manage the potential occurrence of risks and their proper handling. The management of risk, either on user or role level, is crucial for every company and the underlying business operations.
Every access risk creates the potential for fraud or unintentional errors. Consequently, the organization has to implement mechanisms to avoid them or at least handle them properly. Without such mechanisms the organization has no control over these risks and may operate non-compliantly with respect to specific regulations and guidelines. Access risks require additional controls to ensure that the organization is operating appropriately. Having those controls enables the organization to monitor and control these risks and so prevent users from exploiting vulnerabilities to commit fraud or make unintentional errors.
The Access Analysis Service provides tools and functionalities to address the end to end access risk management:
- It allows you to define specific risks, which are consolidated in an overall ruleset.
  Risks themselves fall into three types:
  - Segregation of Duties - This is defined as one individual having the ability to perform two or more conflicting functions to control a process from beginning to end without the involvement of others. For example, one person might be able to set up a vendor and process payments, or manipulate sales and customer invoices, to conceal kickbacks.
  - Critical Action - Certain functions are so critical in nature that anyone who has access needs to be identified and assessed to ensure the access is appropriate. This is different from segregation of duties risks in that the person only needs to have access to a single function. For example, the ability to configure a production system is considered a critical action regardless of any other access the person might have.
  - Critical Permission - Similar to a critical action, there are certain permissions (authorization objects) that are considered critical on their own. For example, having background job administration permissions might be considered critical by certain organizations.
- It supports you in analyzing users and roles with regard to their actions and the permissions they include.
- It provides specific reports and dashboard analytics.
- It provides tools for refinements, remediation and proper workflows to ensure that controls are working properly.
All of these tools and mechanisms are used to build a defined process flow:
- Select a user to analyze.
- Refine user assignments to remove or reduce risk. Decide which roles can be removed due to lack of use.
- Mitigate any remaining risks by assigning a mitigation control.
- Ensure ongoing monitoring of mitigation controls and check if they are working properly.
Keep in mind that the management of access risks is an ongoing process, which has to be constantly executed and adjusted based on the changes of businesses, users and roles.
Note
Generally, when talking about "risks" in the context of Access Analysis, two different meanings have to be distinguished:
- Risks in terms of "risk definition": the risk definition describes when a risk could actually occur, that is, the circumstances under which a risk appears.
- Risks in terms of "risk violation": a risk is violated when its defining characteristics are fulfilled, that is, when the circumstances described in the risk definition have actually occurred.
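The three risk types, the distinction between a risk definition and a risk violation, and the analyze/refine/mitigate steps of the process flow, as an added example that is not part of the original material or SAP's code. Every function, risk, role, user and transaction or authorization object name below is constructed for illustration, and a function counts as held when the user has at least one of its actions together with all of its listed permissions (a simplification of the product's rule logic, assumed here).

```python
"""Added example, not SAP code: a minimal access-risk analysis that models the
three risk types (segregation of duties, critical action, critical permission)
and the process steps analyze -> refine -> mitigate. Every function, risk,
role and user below is constructed for illustration."""
from dataclasses import dataclass

# A function bundles the actions (transactions) and permissions (authorization
# objects) needed for one business activity. Simplification used here: a user
# holds a function when they have at least one of its actions together with
# all of its listed permissions.
FUNCTIONS = {
    "VENDOR_MAINT": {"actions": {"XK01", "XK02"}, "permissions": {"F_LFA1_APP"}},
    "PAYMENT_RUN":  {"actions": {"F110"},         "permissions": {"F_REGU_BUK"}},
    "SYS_CONFIG":   {"actions": {"SPRO"},         "permissions": set()},
}

@dataclass(frozen=True)
class Risk:
    """One risk definition: the circumstances under which the risk occurs."""
    risk_id: str
    risk_type: str          # "SOD", "CRITICAL_ACTION" or "CRITICAL_PERMISSION"
    level: str              # risk level, e.g. "high"
    functions: tuple = ()   # SOD: all functions held together; CRITICAL_ACTION: one
    permission: str = ""    # CRITICAL_PERMISSION: the single critical permission

# Constructed ruleset covering one risk of each type.
RULESET = [
    Risk("P001", "SOD", "high", functions=("VENDOR_MAINT", "PAYMENT_RUN")),
    Risk("B001", "CRITICAL_ACTION", "critical", functions=("SYS_CONFIG",)),
    Risk("S001", "CRITICAL_PERMISSION", "medium", permission="S_BTCH_ADM"),
]

ROLES = {
    "Z_AP_CLERK":   {"actions": {"XK01", "XK02"}, "permissions": {"F_LFA1_APP"}},
    "Z_AP_PAYMENT": {"actions": {"F110"},         "permissions": {"F_REGU_BUK"}},
    "Z_BASIS":      {"actions": {"SPRO"},         "permissions": {"S_BTCH_ADM"}},
}
USERS = {
    "alice": ["Z_AP_CLERK", "Z_AP_PAYMENT"],
    "bob":   ["Z_BASIS"],
    "carol": ["Z_AP_CLERK"],
}

def effective_access(role_names):
    """Union of actions and permissions granted by a set of roles."""
    actions, perms = set(), set()
    for name in role_names:
        actions |= ROLES[name]["actions"]
        perms |= ROLES[name]["permissions"]
    return actions, perms

def holds_function(fn, actions, perms):
    spec = FUNCTIONS[fn]
    return bool(spec["actions"] & actions) and spec["permissions"] <= perms

def violated_risks(actions, perms):
    """Risk definitions whose circumstances are met by this access (= violations)."""
    hits = []
    for risk in RULESET:
        if risk.risk_type == "SOD":
            hit = all(holds_function(f, actions, perms) for f in risk.functions)
        elif risk.risk_type == "CRITICAL_ACTION":
            hit = holds_function(risk.functions[0], actions, perms)
        else:  # CRITICAL_PERMISSION
            hit = risk.permission in perms
        if hit:
            hits.append(risk)
    return hits

def analyze_user(user, mitigations=()):
    """Process step 1 (and 3): violations for one user, flagged as mitigated
    when a mitigation control is assigned to that user/risk pair."""
    actions, perms = effective_access(USERS[user])
    assigned = set(mitigations)
    return [{"user": user, "risk": r.risk_id, "type": r.risk_type, "level": r.level,
             "mitigated": (user, r.risk_id) in assigned}
            for r in violated_risks(actions, perms)]

def roles_whose_removal_clears(user, risk_id):
    """Process step 2 (refine): roles whose removal alone eliminates the risk."""
    cleared = []
    for role in USERS[user]:
        remaining = [r for r in USERS[user] if r != role]
        actions, perms = effective_access(remaining)
        if all(r.risk_id != risk_id for r in violated_risks(actions, perms)):
            cleared.append(role)
    return cleared

if __name__ == "__main__":
    for user in USERS:
        print(user, analyze_user(user))
    print("refine alice/P001:", roles_whose_removal_clears("alice", "P001"))
```

Running the block shows alice violating the SoD risk through the combination of two roles (removing either one clears it, which is the refinement decision), bob violating a critical action and a critical permission through a single role, and carol holding only one side of the conflict and therefore no violation.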

The target system has to be already connected to SAP Cloud Identity Access Governance.
Further information on how to set up the integration between SAP Cloud Identity Access Governance and various target systems (for example, S/4HANA on-premise) can be found in the chapter, "Integration Scenarios".
Supported SAP NetWeaver versions (it is important to use only a supported SAP NetWeaver version, because the SAP Cloud Identity Access Governance Services Data Extractor API has to be included there):
SAP NetWeaver Version - Support Pack
- NW 700 - SP34
- NW 701 - SP19
- NW 702 - SP19
- NW 710 - SP21
- NW 711 - SP16
- NW 730 - SP16
- NW 731 - SP19
- NW 740 - SP16
- NW 750 - SP04
- NW 751 - SP02
For more information about the supported versions, see SAP Support Note: 2628749 - IAG Provisioning Services for SAP ERP and S/4HANA on-premise Systems
Responsibilities are defined and the proper authorizations have been assigned. This applies especially to the creation of mitigation controls, which requires defining mitigation control owners and mitigation control monitor groups. More information about control owners and monitors can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/66f206fdbf644001ae71dc16b297c5d0.html?locale=en-US
Risk levels are delivered out-of-the-box (by default there are 4 levels: low, medium, high, critical), or you can create your own risk levels. Risk levels are used to categorize the existing risks and define their sensitivity.
More information can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/57f08ae5cfde4160b0fc1b3f48e7dcd1.html?locale=en-US
Business Processes and sub-processes are part of the master data and as such they are used to illustrate the company's business processes. Business Processes are necessary for various functionalities in SAP Cloud Identity Access Governance including the creation of functions and risks.
Business Processes can be delivered out-of-the-box (in combination with the default delivered business function groups and rulesets) or you can build your own Business Processes and sub-processes.
For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/5d9ee3870659498fa9198c39295cb838.html?locale=en-US
The Business Function Groups are delivered out-of-the-box (in combination with the default delivered ruleset), or you can build your own Business Function Groups.
The Business Function Groups are a mandatory piece for setting up the rulesets, as every single group represents a specific ruleset. They are used to structure the various target systems connected to SAP Cloud Identity Access Governance and are therefore used in the creation of functions. A Business Function Group can be either a single logical group representing a collection of systems of the same type, or a cross-system group representing a collection of different systems.
For more information about Business Function Groups, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/6317a693601941be8e2e0cf7c7e8f78a.html?locale=en-US
The default delivered rulesets can be ordered by opening an SAP incident. For more information, refer to the following SAP Note: https://launchpad.support.sap.com/#/notes/0002782388
If you want to build your own rulesets, you can find more information in this unit.
The Risk Score Policy reflects the prioritization and severity of the different evaluation aspects of a potential risk. The Risk Score itself is a quantifiable number based on the user's access, usage, risks and mitigation. The policy defines the weighting factor assigned to each of these parameters. The formula is as follows: (Total Roles + Used Roles + Risks) - Mitigated Risks = Risk Score of an Individual
By default all weighting factors are 0 and, thus, the policy is inactive.
For more information about the policy and further explanation, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/c6352e4ddf3c4a869ceeb30bc0d3aa20.html?locale=en-US
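The formula and the inactive default, as an added example that is not part of the original material or SAP's code. The concrete weighting factors in ACTIVE_POLICY, the role names and the per-user figures are constructed; the scoring follows the text's formula with each term multiplied by its weighting factor, and the example goes one step further than the text by deriving the four figures from analysis data and ranking users by score.

```python
"""Added example, not SAP code: applying a Risk Score Policy. The weighting
factors and the per-user figures are constructed; the formula follows the text:
(Total Roles + Used Roles + Risks) - Mitigated Risks, each term weighted."""

# Delivered default: every weighting factor is 0, so the policy is inactive.
DEFAULT_POLICY = {"total_roles": 0, "used_roles": 0, "risks": 0, "mitigated_risks": 0}
# Assumed policy of an organization that weights open risks most heavily.
ACTIVE_POLICY = {"total_roles": 1, "used_roles": 2, "risks": 5, "mitigated_risks": 5}

def policy_is_active(policy):
    return any(weight != 0 for weight in policy.values())

def risk_score(policy, total_roles, used_roles, risks, mitigated_risks):
    """Weighted score for one individual, or None while the policy is inactive."""
    if not policy_is_active(policy):
        return None
    if not 0 <= used_roles <= total_roles or not 0 <= mitigated_risks <= risks:
        raise ValueError("used roles / mitigated risks cannot exceed their totals")
    return (policy["total_roles"] * total_roles
            + policy["used_roles"] * used_roles
            + policy["risks"] * risks) - policy["mitigated_risks"] * mitigated_risks

def rank_users(policy, assignments, usage, violations):
    """Derive the four figures per user from analysis data and rank by score.
    assignments: user -> list of assigned roles
    usage:       user -> set of roles actually used (from usage data)
    violations:  user -> list of (risk_id, mitigated_flag) from the analysis"""
    if not policy_is_active(policy):
        return []
    scored = []
    for user, roles in assignments.items():
        vio = violations.get(user, [])
        score = risk_score(policy,
                           total_roles=len(roles),
                           used_roles=len(usage.get(user, set()) & set(roles)),
                           risks=len(vio),
                           mitigated_risks=sum(1 for _, mitigated in vio if mitigated))
        scored.append((user, score))
    # Highest score first; ties broken by user name for a stable report.
    return sorted(scored, key=lambda item: (-item[1], item[0]))

# Constructed analysis results for two users.
ASSIGNMENTS = {"alice": ["Z_AP_CLERK", "Z_AP_PAYMENT", "Z_REPORTING"],
               "bob": ["Z_BASIS", "Z_R1", "Z_R2", "Z_R3", "Z_R4"]}
USAGE = {"alice": {"Z_AP_CLERK", "Z_AP_PAYMENT"}, "bob": {"Z_BASIS"}}
VIOLATIONS = {"alice": [("P001", True), ("P002", False)], "bob": []}

if __name__ == "__main__":
    print(rank_users(DEFAULT_POLICY, ASSIGNMENTS, USAGE, VIOLATIONS))  # inactive: []
    print(rank_users(ACTIVE_POLICY, ASSIGNMENTS, USAGE, VIOLATIONS))
```

With the assumed weights, alice scores 1*3 + 2*2 + 5*2 - 5*1 = 12 and bob scores 1*5 + 2*1 = 7, so alice is prioritized although bob holds more roles: an open, unmitigated risk outweighs unused role assignments under this policy.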
General information on setting up the master data (including the dependencies) for the Access Analysis Service can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/7306ebad2e604faf948892915f60d1c6.html?locale=en-US

The figure, Process Flow of Mitigation Control Monitoring, represents the high-level process flow of the Mitigation Control Monitoring. As you can see, there are 4 steps and different responsibilities involved.
Each step and responsibility is crucial in the overall process and ensures proper periodic monitoring of the mitigation controls in use. In general, mitigation controls are used to remediate existing access risks, especially when refinement or elimination of the risk is no longer possible.
The mitigation control is assigned to a specific risk and user for remediation (process step 1). Therefore, you have to create a dedicated mitigation control before you can assign it.
Note
To create a mitigation control, an administrator has to schedule the Control Monitoring job (process step 2), which generates a list of all mitigation controls that are eligible to be monitored. Those controls are listed in the Mitigation Control Monitoring app of the SAP Cloud Identity Access Governance Fiori Launchpad.
Every mitigation control monitor (a person assigned to a control monitoring group) has to review and process their assigned mitigation controls (process step 3). During the review, do the following:
- Perform the test
- Determine whether the mitigation control has passed the test
- Document the test results
- Update the mitigation control accordingly
The last process step incorporates the tracking of the executed mitigation control monitoring. Each and every monitoring process can be tracked, for example, by the compliance team through the Mitigation Control Monitoring Report (process step 4).
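The four process steps as plain data and functions, added here as an example that is not part of the original material or SAP's code. The control attributes used to decide eligibility (a monitoring frequency in days and a last test date), the monitor group membership check and all control, user and risk identifiers are assumptions of this example; the product's own eligibility criteria are not described on this page.

```python
"""Added example, not SAP code: the four-step mitigation control monitoring flow
as plain data and functions. The control attributes (monitoring frequency in
days, last test date, monitor group membership) are assumptions of this example."""
from copy import deepcopy
from datetime import date, timedelta

# Control master data (constructed). Owners and monitor groups must exist
# before a control can be created, as described under the prerequisites.
CONTROLS = {
    "MC_AP_001": {"owner": "ap.manager", "monitor_group": "AP_MONITORS",
                  "frequency_days": 30, "last_tested": date(2024, 1, 10)},
    "MC_BASIS_01": {"owner": "basis.lead", "monitor_group": "BASIS_MONITORS",
                    "frequency_days": 90, "last_tested": date(2024, 2, 1)},
}
MONITOR_GROUPS = {"AP_MONITORS": {"dana"}, "BASIS_MONITORS": {"erik"}}

# Step 1: controls assigned to user/risk pairs for remediation (constructed).
ASSIGNMENTS = [{"user": "alice", "risk": "P001", "control": "MC_AP_001"},
               {"user": "bob", "risk": "B001", "control": "MC_BASIS_01"}]

def eligible_controls(controls, assignments, today):
    """Step 2 (Control Monitoring job): assigned controls whose next test is due.
    Assumed rule: due once frequency_days have passed since the last test."""
    assigned = {a["control"] for a in assignments}
    return sorted(cid for cid, c in controls.items()
                  if cid in assigned
                  and c["last_tested"] + timedelta(days=c["frequency_days"]) <= today)

def is_authorized_monitor(controls, control_id, monitor):
    """Only members of the control's monitor group may process it."""
    return monitor in MONITOR_GROUPS[controls[control_id]["monitor_group"]]

def record_test(log, controls, control_id, monitor, passed, evidence, today):
    """Step 3: the monitor performs the test, decides pass/fail, documents the
    result and updates the control (here: its last test date)."""
    if not is_authorized_monitor(controls, control_id, monitor):
        raise PermissionError(f"{monitor} is not a monitor of {control_id}")
    entry = {"control": control_id, "monitor": monitor, "date": today,
             "result": "passed" if passed else "failed", "evidence": evidence}
    log.append(entry)
    controls[control_id]["last_tested"] = today
    return entry

def monitoring_report(log):
    """Step 4: per-control summary of executed tests for the compliance team."""
    report = {}
    for entry in log:
        summary = report.setdefault(entry["control"],
                                    {"tests": 0, "failed": 0, "last_result": None})
        summary["tests"] += 1
        summary["failed"] += int(entry["result"] == "failed")
        summary["last_result"] = entry["result"]
    return report

def run_cycle(today_iso):
    """One monitoring cycle on a copy of the master data. Returns the controls
    that were due, the controls still due afterwards, and the report."""
    today = date.fromisoformat(today_iso)
    controls = deepcopy(CONTROLS)
    log = []
    due = eligible_controls(controls, ASSIGNMENTS, today)
    for cid in due:
        monitor = next(iter(MONITOR_GROUPS[controls[cid]["monitor_group"]]))
        record_test(log, controls, cid, monitor, passed=True,
                    evidence="constructed evidence reference", today=today)
    return due, eligible_controls(controls, ASSIGNMENTS, today), monitoring_report(log)

if __name__ == "__main__":
    print(run_cycle("2024-03-01"))
```

On 1 March 2024 only MC_AP_001 is due (last tested 10 January with a 30-day frequency); after dana records a passing test it drops off the eligible list, while MC_BASIS_01 is not due until May and is never listed. The group membership check is what keeps the roles of control owner, monitor and compliance reviewer separate in this flow.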