Working with Access Analysis Service

Objective

After completing this lesson, you will be able to explore the features of Access Analysis Service.

Overall Access Compliance and Risk Mitigation

Screenshot showing steps to Overview of Access Compliance

The central entry point of the Access Analysis Service is the analysis dashboard, which gives a holistic overview of the overall access compliance of the connected target architecture. It summarizes the level of compliance you have reached from several angles.

You therefore get a snapshot of the information critical to your access compliance, such as the users with the highest risk scores, the business processes with the most risk, and more. To access the dashboard, open the Access Analysis Overview app.

The dashboard provides you several capabilities and details, such as the following:

  • Users listed by risk score

    Note

    The risk score is defined by the risk score policy (see the previous lessons). A high score means a high user risk.
  • Most violated risks (ordered by occurrence)
  • Quarterly evolution of risk violations per risk level

    Note

    The trend shows whether the number of violations is increasing or decreasing.
  • Business Processes with the most risk violations (including details and quick view).

    Note

    Each risk is associated with a specific business process.
  • Risk occurrences of each risk level.

    Note

    By default there are 4 risk levels: low, medium, high, and critical.
  • Information on how many users and roles have been retrieved from every target application.

    Note

    The details view provides 3 levels of information, starting with the overall application view (1), then a specific application with its users and accesses (2), and finally a specific user (3).

Demo: Access Analysis Dashboard

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to User Risk Analysis

A major functionality of the Access Analysis Service is the user risk analysis, which provides information and details about the risk violations per user.

This section explains how to analyze user risks and which apps, views, and options are available for that. The following apps can be used (each provides a different level of detail):

  • Access Analysis: from here you can navigate to the User Access Analysis page for a detailed view
  • Access Analysis Enhanced Report: from here you can also navigate to the User Access Analysis page for a detailed view
  • Analyze User Access

In the following, we are going to describe the Access Analysis app, which can be utilized to analyze the master list of users.

With this app you get a consolidated list view of all users with the number of their risk violations, split into segregation of duties (SOD) and critical access risks. You can search for and select a specific user to drill down and get a detailed view of that user's access analysis.

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Access Analysis.
  3. This app shows you a list of all users violating any risk, together with a short overview of the user access analysis results.

    You can search for a specific user using the search option.

  4. Select a user to drill-down for more information (you will be forwarded to the User Access Analysis page).

Demo: User Risk Analysis after New User Has Been Synchronized to SAP Cloud IAG

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Access Analysis Enhanced Report

In the following, we describe the Access Analysis Enhanced Report app, which can be used to get a summarized list view of several user risk management metrics, for example the number of user risks, remediation tags, change dates of accesses, and more.

Compared to the previously presented Access Analysis app, you get more filter options and information. The app itself is divided into 2 levels:

  • Level 1: Header section, which represents the smart filter bar.
  • Level 2: Details section, which represents the result list including some user metrics.

You can search for (using the smart filter in the header section) and select a specific user to drill-down for more information and get a detailed view of the user's access analysis.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Access Analysis Enhanced Report.
  3. Using the smart filter bar, search for a specific user or filter on other metrics to define the user result set you want listed in the details section.

  4. Choose Go to start the search and receive a result list based on your filters.
  5. Select a user to drill down for more information (you will be forwarded to the User Access Analysis page).

Demo: User Risk Analysis after New Role Assignment

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to User Access Analysis

In the following, we describe the User Access Analysis page, which opens when you select a specific user in the Access Analysis app or the Access Analysis Enhanced Report app to drill down for more information.

This page gives a detailed view of the selected user, for example the currently assigned accesses and their associated risk violations. Besides that, it covers three main tasks: further analyzing potential risks, starting the access refinement, and mitigating existing risks.

The page is divided into several sections:

  1. Header section: This section provides a summary about the results of the analyzed user risks and potential mitigation or refinement actions. Here you can see the following key figures:
    • User Name (first name, last name and User ID)
    • Total number of risks violations
    • Number of SOD related risks
    • Number of critical access related risks
    • Number of mitigated risks
    • Number of access refinements

    Access Compliance score: this score is calculated by dividing the number of mitigated risks by the total number of risks.

    Access Effectiveness score: this score is derived from the percentage of access that is being used (Example: You are using 2 out of 8 roles, then the Access Effectiveness score is 25%).

  2. Accesses section: This section lists the roles and profiles assigned to the user, together with their usage, validity, type, and origin (application).
  3. Risks section: This section lists the risk violations of the user that result from the assigned accesses.
  4. Audit section: This section lists past activities that have been performed, for example remediations or refinements of the user's accesses and risks.
  5. Notes section: This section shows the additional comments that were entered in past remediation sessions.

In general, this page is used to start refinement or remediation sessions for the user's accesses and risks.

Note

See the following pages for further details about the refinement and remediation process.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Access Analysis or Access Analysis Enhanced Report.
  3. Filter for a specific user and navigate further by selecting the relevant entry in the result list.
  4. The User Access Analysis page opens.

Information can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/96367c80bb094f4e9703cf20cf02940d.html?locale=en-US

Screenshot showing steps to Analyze User Access

In the following, we are going to describe the Analyze User Access app, which can be utilized to filter risks, conflicting functions, access, and applications associated with various users.

Compared to the previously presented apps (Access Analysis and Access Analysis Enhanced Report), which give a detailed overview of user-related information, this app focuses on the risk- and function-related information in the result overview.

Here you see which risks and functions are involved, that is, which ones are associated with the user through the (role and profile) assignments, and not only the number of risks.

With this app, you can also download the data set either for a specific application or for all available applications (see the next paragraph).

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Analyze User Access.
  3. Using the various search and filter options, search for a specific user or filter on other metrics to define the user result set you want listed in the details section.
  4. Choose Go to start the search and receive a result list based on your filters.
  5. Note that some of the result values open a short detail view when you select them (clickable values are highlighted in blue; a small popup window opens with a few more details).

Demo: Download Data Set of User Risks for a Specific Application and User Range

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing the steps to Download User Access Data

As previously described, the Analyze User Access app can be used to download the data set either for a specific application or for all available applications. The download is not done for individual users but always covers a range of users.

If you want to download risks, functions, and accesses, choose the respective button. You receive a CSV file, which can be opened in Excel for further data analysis and filtering.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Analyze User Access.
  3. Choose the Download Dataset button.
  4. Select the specific application (if desired).
  5. Choose Download All to download data for all available applications, or choose Download to download only the data for the application selected in the dropdown field and the respective user range.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/7648c889ca5f46df86341483c99d5c65.html?locale=en-US
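The downloaded CSV is where most practitioners continue the analysis, so here is an added Python example (not part of this course or of SAP Cloud Identity Access Governance itself) that turns a constructed sample of such an export into the same figures the dashboard and the Access Analysis list show: violations per user split into SOD and critical access risks, the most violated risks, occurrences per risk level, the business processes with the most violations, and, for one user and risk, the accesses and functions involved. The column names, the sample rows, and the user-range filter are assumptions; compare them with the header of your own download before reusing the script.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a downloaded data set. The column layout is an assumption
# for this example, not the real file format: check it against the header of your
# own download. One row per (user, access, risk, function) combination.
SAMPLE_EXPORT = """\
user_id,application,access,risk_id,risk_type,risk_level,business_process,function
JDOE,ERP_PRD,Z_AP_CLERK,P001,SOD,High,Procure to Pay,AP01
JDOE,ERP_PRD,Z_VENDOR_MAINT,P001,SOD,High,Procure to Pay,VM01
JDOE,ERP_PRD,Z_BASIS_ADMIN,B001,CRITICAL_ACCESS,Critical,Basis,BA01
MSMITH,ERP_PRD,Z_AP_CLERK,P001,SOD,High,Procure to Pay,AP01
MSMITH,ERP_PRD,Z_VENDOR_MAINT,P001,SOD,High,Procure to Pay,VM01
MSMITH,CRM_PRD,Z_CRM_SALES,S002,SOD,Medium,Order to Cash,SD01
MSMITH,CRM_PRD,Z_CRM_PRICING,S002,SOD,Medium,Order to Cash,SD02
ALEE,ERP_PRD,Z_BASIS_ADMIN,B001,CRITICAL_ACCESS,Critical,Basis,BA01
"""


def parse_export(text):
    """Read the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def in_user_range(user_id, user_range):
    """The download covers a user range, not single users: inclusive interval on the ID."""
    if user_range is None:
        return True
    low, high = user_range
    return low <= user_id <= high


def distinct_violations(rows, user_range=None, application=None):
    """Collapse rows to violations: one (user, risk) pair, however many accesses
    and functions trigger it. Returns {(user, risk): (type, level, business process)}."""
    violations = {}
    for r in rows:
        if not in_user_range(r["user_id"], user_range):
            continue
        if application is not None and r["application"] != application:
            continue
        key = (r["user_id"], r["risk_id"])
        violations.setdefault(key, (r["risk_type"], r["risk_level"], r["business_process"]))
    return violations


def risks_per_user(violations):
    """Access Analysis list view: users with their violation counts, split by risk
    type, highest number of violations first."""
    per_user = defaultdict(lambda: {"total": 0, "SOD": 0, "CRITICAL_ACCESS": 0})
    for (user, _risk), (risk_type, _level, _bp) in violations.items():
        per_user[user]["total"] += 1
        per_user[user][risk_type] += 1
    return sorted(per_user.items(), key=lambda kv: (-kv[1]["total"], kv[0]))


def most_violated_risks(violations):
    """Dashboard tile: risks ordered by number of occurrences."""
    return Counter(risk for (_user, risk) in violations).most_common()


def occurrences_per_level(violations):
    """Dashboard tile: number of violations per risk level."""
    return Counter(level for (_type, level, _bp) in violations.values())


def violations_per_business_process(violations):
    """Dashboard tile: business processes with the most risk violations."""
    return Counter(bp for (_type, _level, bp) in violations.values())


def violation_details(rows, user_id, risk_id):
    """What Analyze User Access adds to the plain count: the accesses and
    functions through which the user triggers the risk."""
    hits = [r for r in rows if r["user_id"] == user_id and r["risk_id"] == risk_id]
    return {
        "accesses": sorted({r["access"] for r in hits}),
        "functions": sorted({r["function"] for r in hits}),
    }


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    all_violations = distinct_violations(rows)
    print("users by violations:", risks_per_user(all_violations))
    print("most violated risks:", most_violated_risks(all_violations))
    print("per level:", dict(occurrences_per_level(all_violations)))
    print("per business process:", dict(violations_per_business_process(all_violations)))
    print("JDOE / P001:", violation_details(rows, "JDOE", "P001"))
    # Restrict to the user range and application you would pick in the download dialog.
    print("A..K in ERP_PRD:", len(distinct_violations(rows, ("A", "K"), "ERP_PRD")))
```

Collapsing rows to distinct (user, risk) pairs is the step people forget when they pivot the raw file in Excel: a single SOD violation appears once per contributing access and function, so counting rows overstates the number of violations.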

Screenshot showing the steps to Role Risk Analysis

A major functionality of the Access Analysis Service is the role risk analysis, which provides information and details about the risk violations per role or group.

In this paragraph, you will learn how to analyze role risks and which apps, views, and options are available for that. The following app can be used: Access Maintenance. This app shows the role repository of SAP Cloud Identity Access Governance. It lists all roles and groups retrieved from the target applications. From here you can navigate to the Access Maintenance details page for a detailed view.

In the following, we describe the Access Maintenance app, which can be used to search for and display specific accesses. It also displays the risk count of each access, which highlights whether any risks are associated with that access.

Using this app, you get a consolidated list view of all roles with the number of their risks (whether segregation of duties (SOD) or critical access risks). You can search for and select a specific role to drill down and get a detailed view of the role access analysis.

Note

Note that this app does not display any risks associated with business roles. To get insights into the potential risks of business roles, check them directly in the respective business role apps; refer to the chapter on the Role Design Service.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Access Maintenance.
  3. Using the various search and filter options, search for a specific role or filter on other metrics to define the role result set you want listed in the details section.

    To display all accesses with associated risks, filter for Risk Count greater than "0".

  4. Choose Go to start the search and receive a result list based on your filters.

    If you select an entry of the result list, you will navigate further to the detailed view of the Access Maintenance. Here, you get more information about the content of the role and details about its associated risks and about role attributes.

Demo: Role Risk Analysis of Existing Role

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Role Risk Analysis details

As previously mentioned, you navigate to the Access Maintenance detailed view when you select a specific entry of the result list.

On the details screen, you have 2 or 3 sections (depending on the selected access type):

  1. Attributes: This section provides general information about the access, such as description, origin (application), access type, business sub-process, alias, and the assignment approvers, who are responsible for approving the assignment of the access to a user.

    Note

    Business sub-process, alias, and assignment approvers are editable.
  2. Associated Roles or Authorization Objects: This section provides information about the content of the access.

    Note

    This is a display-only screen; no changes are possible.
    1. Case 1 - access type is "Single Access": all authorization objects are displayed.
    2. Case 2 - access type is "Composite Role": all assigned roles are displayed.
    3. Case 3 - access type is "Group" and no authorization objects are available: this section is not displayed.
  3. Risks: This section provides information about the risks associated with the access.

    Note

    This is a display-only screen; no changes are possible.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Access Maintenance.
  3. Select an entry from the result list of the Access Maintenance app; the details page described above opens.

Demo: Role Risk Analysis After Creating a New Role

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Execute Simple Refinement of User Accesses

A major functionality of the Access Analysis Service is the possibility to mitigate access risks that are associated with a specific user through the user's accesses.

At the beginning, we introduced the risk management process flow, which involves 4 steps, starting with the analysis of users and roles. In the following, we present the options for managing emerging risks and show how you can use the remediation functionalities available in the Access Analysis Service of SAP Cloud Identity Access Governance.

Let us start with the refinement of user accesses, as this option should always be the first step in the risk remediation strategy: resolve a risk by removing the access that causes it before you consider mitigating it.

The refinement of user access focuses on eliminating potential risks rather than controlling them. The overall goal of the refinement is to remove unused access and thereby reduce the number of risks related to those accesses, especially critical access risks.

In this paragraph, you will learn how to achieve a successful refinement of user accesses and what kind of apps, views and possibilities are available to do that.

The refinement of user access can be achieved using the User Access Analysis page, which can be opened as follows:

  • Access Analysis app: navigate further by selecting an entry of the result list
  • Access Analysis Enhanced Report app: navigate further by selecting an entry of the result list

In the following, we describe the refinement options on the User Access Analysis page. On this page, you find 2 different refinement actions:

  1. Simple Refinement: This action is based on the usage of specific accesses. The simple refinement looks for roles that have no usage and/or contain a critical risk and prepares a proposal to remove those potentially unused accesses to a system. It recommends that you remove those accesses and thereby reduce the number of associated risks. The proposal also offers a Reason column that explains why an access should be removed.
  2. Advanced Refinement: This action works at the function level of risks. Here you have several other options to carry out the refinement.

To implement the simple refinement process, perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Access Analysis or Access Analysis Enhanced Report.
  3. Set your filter options and start the search by choosing the Go button.
  4. Select an entry of the result list to navigate to the User Access Analysis page.
  5. Choose the Remediate button to start the remediation process.
  6. Enter a meaningful tag name and choose OK.
  7. Choose Simple Refinement in the Access section.
  8. Review the refinement proposal and choose Remove to process the refinement.
    • Decide whether you want to accept or decline the recommended removal of the listed accesses (see the Accept column of the proposal list).
    • Check your risks based on your refinement actions using the corresponding option.
  9. Choose the Save button on the Refine User Access screen.
  10. Choose the Save and Confirm button on the User Access Analysis page to complete the simple refinement process and automatically trigger the removal of the accepted accesses.

    Note

    The removal will not be processed if you do not select the Save and Confirm button in the last step. Keep in mind that you must trigger the provisioning job to finally remove the access. Automatic removal only means that you do not need any further approvals.

Demo: Execute (Simple) Refinement as Part of Remediation

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Enhancing the Refinement of User Accesses

In the previous section, we explained the simple refinement process and how it works. Now let's have a closer look at the advanced refinement process and the actions available to perform it.

As described before, the advanced refinement process works at function level. Compared to the simple refinement, you have more options to shape the refinement result, so you can better adjust it to your expectations and specific needs.

You can use the following filters on function level to adjust the refinement proposal:

  • Usage-based access: Eliminate all unused functions
  • Risk-free access: Exclude functions to reach minimal risks
  • Include all: Accept all functions
  • Exclude all: Reject all functions

Steps to perform the advanced refinement process:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Access Analysis or Access Analysis Enhanced Report.
  3. Set your filter options and start the search by choosing the Go button.
  4. Select an entry of the result list to navigate to the User Access Analysis page.
  5. Choose the Remediate button to start the remediation process.
  6. Enter a meaningful tag name and choose OK.
  7. Choose Advanced Refinement in the Access section.
  8. Adjust your refinement proposal by using the filter options to decide which functions are included in or excluded from the evaluation.

    You can also include or exclude a single function using the corresponding button (see the Include column of the Functions list).

  9. Choose the Propose Access button to display the refinement proposal based on your function-level filters.
  10. In the Refinement Proposals section, you get a proposal for the role assignments to be removed based on your function inclusions and exclusions. Choose to accept or reject each proposed access for the user.
  11. Choose Simulate to see the impact of the chosen access proposals on the Access Effectiveness score and the number of risks (in the header section).
  12. Choose the Save Proposal button on the User Access Refinement screen.
  13. Choose the Save and Confirm button on the User Access Analysis page to complete the advanced refinement process and automatically trigger the removal of the accepted accesses.

    Note

    Without using the Save and Confirm button in the last step, the removal will not be processed. Keep in mind that you must trigger the provisioning job to finally remove the access. Automatic removal only means that you do not need any further approvals.
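To make the two refinement strategies and the header scores concrete, the following Python example (added here; it is not code from the course or from the product) models one user's role assignments with their usage and the functions they grant, together with three risk definitions. It then produces the simple refinement proposal with its Reason column, the function sets left by each of the four advanced filters, the Propose Access removal list, and the Simulate figures (risk count and the Access Effectiveness score as defined on the User Access Analysis page, before and after). All names are invented, and the rule used for the risk-free filter (drop one function per violated risk, unused ones first) is an assumption; the product's own proposal logic is not documented on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str            # low, medium, high or critical
    functions: frozenset  # SOD risk: conflicting functions; critical access risk: one function


@dataclass(frozen=True)
class Access:
    name: str
    functions: frozenset  # functions (groups of actions) the role or profile grants
    used: bool            # taken from usage data; drives the Access Effectiveness score


# Constructed sample for one user. Risk, role and function names are invented.
RISKS = [
    Risk("P001", "high", frozenset({"AP01", "VM01"})),    # SOD: pay vendors + maintain vendor master
    Risk("B001", "critical", frozenset({"BA01"})),        # critical access: basis administration
    Risk("S002", "medium", frozenset({"SD01", "SD02"})),  # SOD: create sales orders + maintain pricing
]
USER_ACCESSES = [
    Access("Z_AP_CLERK", frozenset({"AP01"}), used=True),
    Access("Z_VENDOR_MAINT", frozenset({"VM01"}), used=False),
    Access("Z_BASIS_ADMIN", frozenset({"BA01"}), used=True),
    Access("Z_CRM_SALES", frozenset({"SD01"}), used=False),
    Access("Z_REPORT_VIEWER", frozenset({"RP01"}), used=False),
]


def functions_of(items):
    """Union of the functions granted by a list of accesses (or defined by risks)."""
    return frozenset().union(*(item.functions for item in items))

def violated_risks(accesses, risks):
    """A risk is violated when the user's accesses together cover all of its functions."""
    granted = functions_of(accesses)
    return [r for r in risks if r.functions <= granted]

def effectiveness(accesses):
    """Access Effectiveness score as the page defines it: share of assigned accesses in use."""
    if not accesses:
        return 0.0
    return round(100 * sum(a.used for a in accesses) / len(accesses), 1)

def simple_refinement(accesses, risks):
    """Simple Refinement: propose removal of accesses with no usage and/or a critical
    risk, each with a Reason. Returns [(access name, reason), ...]."""
    critical = [r for r in violated_risks(accesses, risks) if r.level == "critical"]
    proposal = []
    for a in accesses:
        reasons = []
        if not a.used:
            reasons.append("no usage")
        hit = sorted(r.risk_id for r in critical if a.functions & r.functions)
        if hit:
            reasons.append("contains critical risk " + ", ".join(hit))
        if reasons:
            proposal.append((a.name, "; ".join(reasons)))
    return proposal

def function_filter(accesses, risks, mode):
    """Advanced Refinement: the four function-level filters, returned as the set of
    functions that stay included. The risk-free strategy (drop one function per
    violated risk, unused ones first) is an assumption of this example."""
    all_functions = functions_of(accesses)
    used_functions = functions_of([a for a in accesses if a.used])
    if mode == "include_all":
        return all_functions
    if mode == "exclude_all":
        return frozenset()
    if mode == "usage_based":
        return used_functions
    if mode == "risk_free":
        keep = set(all_functions)
        for r in sorted(violated_risks(accesses, risks), key=lambda r: r.risk_id):
            if r.functions <= keep:
                candidates = sorted(r.functions - used_functions) or sorted(r.functions)
                keep.discard(candidates[0])
        return frozenset(keep)
    raise ValueError(f"unknown filter mode {mode!r}")

def propose_access(accesses, included_functions):
    """Propose Access: every access granting a function outside the included set is
    proposed for removal; accept or reject entries before simulating."""
    return [a.name for a in accesses if not a.functions <= included_functions]

def simulate(accesses, risks, accepted_removals):
    """Simulate: impact of the accepted proposal on risk count and Access Effectiveness."""
    remaining = [a for a in accesses if a.name not in set(accepted_removals)]
    return {
        "risks_before": len(violated_risks(accesses, risks)),
        "risks_after": len(violated_risks(remaining, risks)),
        "effectiveness_before": effectiveness(accesses),
        "effectiveness_after": effectiveness(remaining),
    }


if __name__ == "__main__":
    print("simple refinement proposal:", simple_refinement(USER_ACCESSES, RISKS))
    for mode in ("usage_based", "risk_free"):
        removals = propose_access(USER_ACCESSES, function_filter(USER_ACCESSES, RISKS, mode))
        print(mode, "->", removals, simulate(USER_ACCESSES, RISKS, removals))
```

Running the sample shows the trade-off the Simulate step is there to expose: the usage-based filter raises the Access Effectiveness score to 100% but leaves the critical basis risk in place, because the basis role is in use, while the risk-free filter removes every risk but also drops a used role and lowers the score. Neither outcome is wrong; the decision belongs in the Accept column, with the tag you entered at the start of the remediation session as its audit trail.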

Demo: Execute (Advanced) Refinement as Part of Remediation

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Create Mitigation Controls

This section presents the second of the available remediation functionalities: the creation and assignment of mitigation controls to an existing user risk.

The mitigation of an access risk is typically the last measure, taken after you decide not to eliminate the risk but to accept the assignments that lead to it. The mitigation itself relies on a compensating control, which ensures that the risk-related access is reviewed and controlled on a regular basis.

You will learn how to achieve a successful mitigation of a user risk, which includes the creation, maintenance, and assignment of a mitigation control to a specific user and risk, and which apps, views, and options are available for that.

Before we can start the actual mitigation process, we have to create some master data to fulfill the prerequisites. The following tasks have to be done:

  1. Create test plan
  2. Create mitigation control

The first step is the creation of a test plan, which is needed for the definition of the mitigation control itself. It is attached to the mitigation control and defines the steps for testing the control to ensure that it is performing correctly. All test plans are prepared offline.

Note

Test plans can be created in different formats such as Microsoft Word, Excel, PowerPoint, or text files. Test plans can be modified after they are created. The modifiable fields are Description and the uploaded document.

To create a new test plan, use the following app: Test Plans

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Test Plans.
  3. Create a new entry using the Create button.
  4. Provide the necessary information:
    • Name = <Enter any name>

      Note

      Names must be in upper case only with no special characters. No spaces are allowed.
    • Description = <Enter any description>
    • Test Plan Document = <Upload the offline prepared test plan using the Browse button>
  5. Choose Save.
Screenshot showing steps to Create Mitigation Controls

The second step is the creation of a mitigation control, which can be assigned to a specific user risk.

Note

Each mitigation control can be assigned to one or more access risks.

To create a new mitigation control, use the following app: Mitigation Control Master Data

The creation of mitigation controls consists of 4 steps:

  1. Provide information about control details.
  2. Assign risks, which can be mitigated utilizing this control.
  3. Assign monitor groups and thereby define who is responsible for overseeing the effectiveness of this control. The monitors are also responsible for carrying out the regular checks.
  4. Assign the test plan that the assigned monitors use to execute the periodic checks. You also define the frequency of the regular checks.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Mitigation Control Master Data.
  3. Create a new entry using the Create New button.
  4. Provide the necessary information on the Control Details screen:
    • Name = <Enter any unique name>

      Note

      No spaces and special characters are allowed.
    • Description = <Enter any description>
    • Long Description = <Enter any long description> (optional)
    • Business Sub-process = <Choose any available sub-process that matches your requirements>

      Note

      Business sub-processes are assigned to business processes and can be maintained in the respective app in SAP Cloud Identity Access Governance.
    • Owner = <Choose any available owner from the dropdown menu>

      Note

      The owner is responsible for the content of the mitigation control. Only users who have been assigned the corresponding authorization group IAG_CO_<NAME> are listed; the <NAME> part depends on the name under which the customer saved the group in IAS.
    • Validity period = <Define the validity period of the mitigation control>
  5. Provide the data on the Assign Risk screen:

    Select the risks you want to assign to the mitigation control using the checkbox.

  6. Select monitor groups to assign on the Assign Monitor Groups screen.

    Select the monitoring group you want to assign to the mitigation control using the checkbox.

    Note

    Only groups that exist in the Identity Authentication system are listed.
  7. Provide data on the Assign Test Plan screen:

    Select the test plan that you want to assign to the mitigation control using the dropdown menu and define the frequency for the execution of the regular checks.

  8. Choose Review.
  9. Review the data of the summary.
  10. Choose Save and Activate.
  11. Alternatives:
    • Save Draft button: Use this option if the mitigation control needs further review or approval.
    • Deactivate button: Use this option if the mitigation control is no longer needed. You can only deactivate active controls.

A mitigation control can have the following status:

  • Active: the control is available to be assigned
  • Draft: the control is still being modified and is not ready for use
  • Deactivated: the control cannot be used anymore.

A mitigation control cannot be deleted when it has been activated. However, it can be deactivated.

A mitigation control can have an active and a draft version simultaneously. This would occur if you edit an active mitigation control and save it as a draft. The draft version contains the changes. When you activate the draft, it overwrites the existing active version.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/3c6a409eec1541f58bbd59a74f5be6f2.html?locale=en-US

Demo: Create Mitigation Control

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Execute Remediation of User Accesses and Assign Mitigation Controls to User Risks

All prerequisites are fulfilled and we can start the actual mitigation process. The assignment of a mitigation control works similarly to the previously described refinement options: in any case, we have to navigate to the User Access Analysis page, as this is the only screen that provides the functionality to mitigate existing user risks.

We can open the respective screen as follows:

  • Access Analysis app: navigate further by selecting an entry of the result list
  • Access Analysis Enhanced Report app: navigate further by selecting an entry of the result list

Steps to perform the assignment of mitigation control to a specific user risk:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Access Analysis or Access Analysis Enhanced Report.
  3. Set your filter options and start the search by choosing the Go button.
  4. Select an entry of the result list to navigate to the User Access Analysis page.
  5. Choose the Remediate button to start the remediation process.
  6. Enter a meaningful tag name and choose OK.
  7. Select an existing user risk you want to mitigate and assign a proper mitigation control by choosing the dropdown menu in the Control column.
  8. Choose a proper (available) mitigation control.

    Note

    Only mitigation controls that have been defined for this particular risk are listed.
  9. Assign the monitor group using the dropdown menu.

    Note

    Only monitor groups that are assigned to this mitigation control are listed. If several are maintained, you can choose your preferred one.
  10. Optional: Adjust the validity period. As a default range it will use the validity period specified in the mitigation control.

    Note

    An extension of the validity period is not possible here. You can only shorten the date range.
  11. Choose the Save and Confirm button on the User Access Analysis page to complete the assignment of a mitigation control and hence to mitigate the risk.

    Note

    The mitigation will not be processed if you do not use the Save and Confirm button in the last step.
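The constraints in the steps above (only active controls, only controls defined for the risk, only the control's own monitor groups, a validity period that can be shortened but not extended) and the control statuses described earlier (a draft kept beside the active version, activation overwriting it, no deletion after activation) are easy to get wrong in a custom integration or a review script. The following Python example, added here and not taken from the course or the product, models them as a small state machine plus an assignment check and computes the Access Compliance score of the header section from the resulting assignments. Control, group, and risk names are invented; the regular expression used for the name rule and the decision to count an assignment as mitigating only within its validity period are assumptions.

```python
import re
from dataclasses import dataclass, replace
from datetime import date

NAME_RE = re.compile(r"^[A-Z0-9_]+$")  # assumed rule for "no spaces and special characters"

@dataclass(frozen=True)
class MitigationControl:
    name: str
    risks: frozenset           # risk IDs this control may mitigate (Assign Risk screen)
    monitor_groups: frozenset  # IAS groups whose members run the test plan
    valid_from: date
    valid_to: date
    test_plan: str
    frequency: str
    status: str = "Draft"      # Draft, Active or Deactivated
    ever_activated: bool = False
    pending_draft: "MitigationControl | None" = None  # draft kept beside the active version

    def __post_init__(self):
        if not NAME_RE.match(self.name):
            raise ValueError("name must not contain spaces or special characters")
        if self.valid_to < self.valid_from:
            raise ValueError("validity period ends before it starts")

@dataclass(frozen=True)
class Assignment:
    user_id: str
    risk_id: str
    control: str
    monitor_group: str
    valid_from: date
    valid_to: date

# Constructed sample control; names and dates are invented for this example.
SAMPLE_CONTROL = MitigationControl(
    name="MC_P2P_VENDOR_PAY", risks=frozenset({"P001"}),
    monitor_groups=frozenset({"IAG_MON_FINANCE"}),
    valid_from=date(2024, 1, 1), valid_to=date(2024, 12, 31),
    test_plan="TP_VENDOR_PAYMENT_REVIEW", frequency="Monthly")

def activate(control):
    """Save and Activate: a draft becomes active; the draft of an edited control overwrites the active version."""
    if control.status == "Active" and control.pending_draft is not None:
        return replace(control.pending_draft, status="Active", ever_activated=True, pending_draft=None)
    if control.status == "Draft":
        return replace(control, status="Active", ever_activated=True)
    raise ValueError(f"cannot activate a control in status {control.status}")

def edit_active(control, **changes):
    """Edit an active control and Save Draft: both versions exist until the draft is activated."""
    if control.status != "Active":
        raise ValueError("only active controls get a parallel draft version")
    return replace(control, pending_draft=replace(control, status="Draft", pending_draft=None, **changes))

def deactivate(control):
    """Deactivate: only active controls; afterwards the control cannot be used anymore."""
    if control.status != "Active":
        raise ValueError("you can only deactivate active controls")
    return replace(control, status="Deactivated", pending_draft=None)

def delete(control):
    """A control that has ever been activated cannot be deleted, only deactivated."""
    if control.ever_activated:
        raise ValueError("activated controls cannot be deleted; deactivate instead")
    return None

def assign_control(user_id, risk_id, control, monitor_group, valid_from=None, valid_to=None):
    """Assignment on the User Access Analysis page. ISO date strings default to the
    control's validity period, which may only be shortened here, never extended."""
    if control.status != "Active":
        raise ValueError(f"{control.name} is {control.status}; only active controls can be assigned")
    if risk_id not in control.risks:
        raise ValueError(f"{control.name} is not defined for risk {risk_id}")
    if monitor_group not in control.monitor_groups:
        raise ValueError(f"{monitor_group} is not a monitor group of {control.name}")
    start = date.fromisoformat(valid_from) if valid_from else control.valid_from
    end = date.fromisoformat(valid_to) if valid_to else control.valid_to
    if start < control.valid_from or end > control.valid_to or end < start:
        raise ValueError("the validity period can only be shortened, not extended")
    return Assignment(user_id, risk_id, control.name, monitor_group, start, end)

def assignment_error(*args, **kwargs):
    """The checks of assign_control as a message (None when the assignment is valid)."""
    try:
        assign_control(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)

def access_compliance_score(user_risk_ids, assignments, today):
    """Header key figure: mitigated risks divided by total risks, as a percentage. Counting
    an assignment only within its validity period (today as ISO string) is an assumption."""
    day = date.fromisoformat(today)
    mitigated = {a.risk_id for a in assignments if a.valid_from <= day <= a.valid_to}
    return round(100 * len(mitigated & set(user_risk_ids)) / len(user_risk_ids), 1) if user_risk_ids else 100.0
```

The compliance score dropping back to zero once the assignment's validity has passed is the practical reason for the monitoring job in the next section: a mitigation that nobody re-confirms silently expires, and the risk is open again without any access having changed.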

Demo: Remediation - Assign Mitigation Control

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Monitor the Assigned Mitigation Controls - Step 1

As already stated, the idea of a mitigation control is to accept a potential user risk while ensuring that control measures are in place. This condition is only fulfilled if the specified control mechanisms are actually carried out.

The overall goal of a mitigation control is to prevent misuse of the accepted risky accesses. It is therefore crucial to have continuous monitoring in place, with regularly executed checks that confirm the control is working as expected.

At the beginning of the Access Analysis Service presentation, we described the process flow of the mitigation control monitoring. In this chapter, you will learn how to achieve a successful mitigation control monitoring and which apps, views, and options are available for that.

The following tasks and steps are necessary to trigger, process and complete the monitor process:

  1. Schedule the Control Monitoring Job.
  2. Execute monitoring tasks for all mitigation controls, which are assigned to you.
  3. Keep track of the executed mitigation control monitoring and its status.

To schedule the mandatory monitoring job, you have to open the following app: Job Scheduler

Steps to perform for scheduling the respective job:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Job Scheduler.
  3. Schedule job and provide the necessary information:
    • Job name = <Any Job name>

      Note

      No spaces allowed.
    • Job category = Control Monitoring
    • Recurring Job = Yes or No

      Note

      Recurrence depends on your needs.
    • Start immediately = Yes or No

      Note

      Start time depends on your needs.
  4. Choose Schedule Job.
  5. Check job status in Job History List.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/41796404306340bb9ccd93a6c4ffbabe.html?locale=en-US

Screenshot showing steps to Monitor the Assigned Mitigation Controls - Step 2

The second step is to execute monitoring tasks for all mitigation controls, which are assigned to you as a member of the monitoring group.

You can do this using the following app: Mitigation Control Monitoring

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Analysis → Mitigation Control Monitoring.
  3. Select any mitigation control out of the controls list, which is assigned to you.
  4. Execute the mandatory tasks in the following order:
    1. Download the attached test plan to perform the necessary tests.
    2. Determine whether the control has passed the test or not using the respective radio buttons.
    3. Update the result document and start the upload.

      Note

      Create a result file to document your evaluation and test results. Similar to the test plan, you can use different formats such as Microsoft Word, Excel, PowerPoint, or text files.
  5. Choose Save.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/41796404306340bb9ccd93a6c4ffbabe.html?locale=en-US

Screenshot showing steps to Monitor the Assigned Mitigation Controls - Step 3

The third step is to keep track of every executed monitoring action. If you are part of the compliance team, you are probably interested in the status of the various mitigation controls and their monitoring results.

You can do this using the following app: Mitigation Control Monitoring Report

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Reports → Mitigation Control Monitoring Report.
  3. Here you get an overview of all executed monitoring tasks with the following information provided:
    • Status of the executed monitoring and the performed tests
    • Who performed the monitoring
    • When the last monitoring was executed (last test results)
    • Insights into the uploaded test result documents

Demo: Monitoring of assigned Mitigation Controls

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Diagram displaying the Ruleset Definition

In this paragraph, we show you how to build custom rules to extend the default delivered ruleset. Of course, you can also build a complete custom ruleset from scratch without using the out-of-the-box rulesets.

No matter whether you simply want to create some additional rules or a whole new custom ruleset, in either case you have to know how to create the proper risks and functions, how to bring them together, and what prerequisites have to be fulfilled to accomplish that.

But before we address the prerequisites and the mandatory master data, we will clarify some wordings and key terms to get a better understanding of what we have to deal with as we progress:

  • Business Function Group: Used as a connector group for target applications that should be analyzed with a dedicated ruleset. It represents a collection of applications of the same system type, if you create a logical group, or of different system types, if you create a cross-system group.
  • Business Process: Represents your company's business processes within SAP Cloud Identity Access Governance. Business processes are part of the master data and can be used for grouping purposes of various risks with the same origin.
  • Risk: Represents potential problems you may encounter, which could cause error, misuse and irregularities within systems.
  • Function: Functions are the building blocks of access risks. They define a collection of one or more tasks that an employee needs to perform to achieve a specific goal. These tasks are comprised of actions and permissions.
  • Actions and Permissions: Actions are better known as "Transactions" in the context of SAP. To perform a function, more than one transaction may have to be performed. Permissions, on the other hand, are part of transactions and define the various authorization objects and field values in an SAP environment.

In the figure, Ruleset Definition, you can see the relationship between each of the explained terms and how they fit together. All of them are mandatory pieces for setting up the risk ruleset, which includes the creation of risks, functions, and their derived rules.

Screenshot showing steps to Process of Building Customized Rule Set - Business Process

Building custom rules (meaning functions and risks) is only possible if the following prerequisites are in place and all mandatory master data is created:

  • Target applications are connected and successfully synchronized (for example, authorization data retrieved by the Repository Sync)
  • Risk Level(s) are maintained
  • Business Processes are maintained
  • Business Function Group(s) are maintained and proper applications are assigned

Most of them are already described in the introduction of this service, so refer to the respective paragraph for details.

Next, we want to give you some insights on how to create your own business process and also how to create your own business function group with an application assignment.

The following steps have to be performed for the creation of a business process:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Business Process.
  3. Create a new Business Process using the button and option.
  4. Provide the necessary data:
    • Name = <Enter any name>

      Note

      No spaces allowed.
    • Description = <Enter any description>
  5. Choose Save.

The following steps have to be performed for the creation of a business function group and the assignment of an application:

Screenshot showing steps to Process of Building Customized Rule Set - Business Function Group

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Business Function Groups.
  3. Create new business function group using the + button.
  4. Provide the necessary data:
    • Name = <Enter any name>

      Note

      No spaces allowed.
    • Type = "Logical Group" or "Cross-System Group"

      It depends on your requirements. A logical group defines a group, which contains only identical system types. A cross-system group defines a group, which contains different system types.

    • Description = <Enter any description>
  5. Choose Save.
  6. Select the previously created group in the list.
  7. Choose Edit.
  8. Assign proper applications using the + button.
  9. Select the application that you want to assign to the business function group using the checkbox.

    Note

    You can assign as many applications as you want.

    Choose the Select button for assignment.

  10. Choose Save.

Screenshot showing steps to Create Own Functions and Risks

When all prerequisites and mandatory master data are in place, you are able to create your own functions and risks. In this paragraph, we explain the sequence and steps that have to be performed to build your custom rules.

Please stick to the following order for the creation:

  1. Create custom function.
  2. Create custom risk and assign custom function.

The creation of functions can be done with the following app: Functions

The first task is to create your custom function. To achieve this you have to perform the steps as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Functions.
  3. Create new function using the + button.
  4. Provide the necessary data on the Attributes tab:
    • Name = <Enter any name>

      Note

      No spaces allowed.
    • Description = <Enter any description>
    • Long Description = <Enter any long description> (optional)
    • Business Process = <Select any business process you want from the dropdown menu>

      Note

      A business process has to be created prior to the creation of the function.

Screenshot showing steps to Assign Transaction Codes to Functions

Transaction codes:

  • Assign the necessary transaction codes to the function: the transaction codes you can assign are based on the business function group you select after choosing the + button of the Actions section. As you know, the business function group has been created previously and includes the assignment of one or more applications. The available transaction codes are those that have been synchronized from the application to SAP Cloud Identity Access Governance using the Repository Sync. Therefore, you are only able to add transaction codes that are present in the respective applications of the business function group you have selected.

    Note

    You can assign as many transaction codes as you want.
  • Select the desired transaction codes you want to insert using the checkbox and choose Select.

Screenshot showing steps to Assign Permissions to Functions

Permissions

  • Assign the necessary permissions to the function: Based on your previously selected transaction codes, you also have the possibility to add the transaction-related permissions to the function. The selectable permissions are those related to the previously added transactions, and as such the permission values are those that have been synchronized from the application to SAP Cloud Identity Access Governance using the Repository Sync as well. Therefore, you are only able to add permissions that are present in the respective applications of the business function group.

    Note

    You can assign as many permissions as you want.
  • Select the desired permissions you want to insert using the checkbox and choose Select. After adding the transaction-related permissions, the field values can be adjusted for the function definition depending on your requirements.
  • Choose the Save and Activate button on the Functions page to complete the creation.

    Note

    If you do not use the Save and Activate button in the last step, the function is not in active state and thus it is not considered for selection in the risk assignment.

Screenshot showing steps to Create Risks

The creation of risks can be done with the following app: Risks

The second task is to create your custom risk and assign your custom function. To achieve this, you have to perform the steps as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Risks.
  3. Create new risk using the + button.
  4. Provide the necessary data:
    • Business Process = <Select any business process you want from the dropdown menu>

      Note

      Custom Business Processes have to be created prior to the function creation.
    • Risk ID = <Enter any unique risk name/ID>

      Note

      No spaces allowed.
    • Description = <Enter any description>
    • Long Description = <Enter any long description> (optional)
    • Risk Level = <Choose your desired risk level>

      Note

      Risk level is described in the introduction of this service. It is a mandatory master data, which has to be created prior to the risk and function creation. Default delivered values are: Low, Medium, High, Critical.
  5. As Risk Type, choose one of the following values:
    • SOD Risk (Segregation of duties): Specifies a risk, which contains a minimum of 2 functions and defines every possible combination of the included function content as a risk rule.
    • Critical Access Risk: Specifies a risk, which contains only one function. The risk is violated if a user has only one transaction and permission defined in the contained function.
    • Critical Permission Risk: Specifies a risk, which contains only one function and defines the risk rules only on the permission level. The risk is violated if a user has the permission defined in the contained function. There is no direct relation of the permission to any dedicated transaction.
  6. In the Active field, choose: YES/NO

    Note

    You have to activate the risk, otherwise it will not be taken into consideration for risk analysis.
  7. Assign Functions.
    • Assign the required functions that you want. The functions specify the actual content of the risk. Based on your chosen risk type, you have to add one or more functions (for example, an SOD risk needs a minimum of 2 functions assigned).
    • Choose the required function using the checkbox.
    • Choose Select to add them to the risk.

    Note

    You can assign a maximum of 5 functions in total. However, consider that many functions assigned to a risk definition may impact the performance of reporting the risk analysis.
  8. Choose Save.
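To make the three risk types and the function/action/permission terms concrete, here is an added example (constructed for this lesson, not SAP Cloud Identity Access Governance code) that models a small ruleset and checks which risks a user's accesses violate. All function names, risk IDs, transaction codes and authorization objects are illustrative sample values.

```python
# Constructed illustration of the ruleset terms; not SAP IAG code.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Function:
    name: str
    actions: frozenset      # transaction codes
    permissions: frozenset  # (authorization object, field, value) tuples

@dataclass(frozen=True)
class Risk:
    risk_id: str
    risk_type: str          # "SOD", "CRITICAL_ACCESS" or "CRITICAL_PERMISSION"
    functions: tuple
    active: bool = True

def validate_risk(risk):
    """SOD needs at least 2 functions, the critical types exactly 1, max 5 in total."""
    n = len(risk.functions)
    if n > 5:
        return False
    return n >= 2 if risk.risk_type == "SOD" else n == 1

def hit_actions(user_actions, user_perms, fn):
    """Transactions of fn the user holds together with a permission of fn."""
    if not (user_perms & fn.permissions):
        return set()
    return set(user_actions & fn.actions)

def violated_rules(user_actions, user_perms, risk):
    """Violated rules of one risk as tuples; an empty list means no violation."""
    if not risk.active:          # inactive risks are not analysed
        return []
    if not validate_risk(risk):
        raise ValueError(f"{risk.risk_id}: invalid number of functions")
    if risk.risk_type == "CRITICAL_PERMISSION":
        # permission level only, no relation to a transaction
        return [(p,) for p in sorted(user_perms & risk.functions[0].permissions)]
    per_fn = [hit_actions(user_actions, user_perms, fn) for fn in risk.functions]
    # SOD: every combination of the functions' content is a rule, so the risk is
    # violated only if every function is hit (product() is empty otherwise).
    # Critical Access is the same check with a single function.
    return sorted(product(*per_fn))

# Constructed sample ruleset (names and codes are illustrative)
POST_INVOICE = Function("POST_INVOICE", frozenset({"FB60", "FB01"}),
                        frozenset({("F_BKPF_BUK", "ACTVT", "01")}))
MAINTAIN_VENDOR = Function("MAINTAIN_VENDOR", frozenset({"FK01", "FK02"}),
                           frozenset({("F_LFA1_BUK", "ACTVT", "01")}))
RISKS = [Risk("Z_P001", "SOD", (POST_INVOICE, MAINTAIN_VENDOR)),
         Risk("Z_P002", "CRITICAL_ACCESS", (MAINTAIN_VENDOR,))]

def analyse_user(user_actions, user_perms, risks=RISKS):
    """Map risk ID -> violated rules for every risk the user violates."""
    return {r.risk_id: rules for r in risks
            if (rules := violated_rules(user_actions, user_perms, r))}
```

A user holding FB60 and FK01 with both permissions violates both sample risks, while a user with only the invoice side violates neither.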

Demo: Build Custom Rules (Risks and Functions)

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.
Screenshot showing steps to Rule Setup - Download and Upload Rule Sets

In the following, we are going to explain the download and upload functionality of the rule setup.

The functionality itself will typically be used in case you have to edit and / or adapt a lot of functions and risks. Doing it online is very challenging as there are no proper mechanisms provided for mass administration.

Therefore, you have the opportunity to download specific rulesets as a whole and start the editing process with the help of offline tools like Microsoft Excel. When you have finished your work, you can easily upload the adapted ruleset again and publish the changes to SAP Cloud Identity Access Governance. The download package (a ZIP file) of specific rulesets consists of several files, each containing different data content. The file type of every single file is TXT or CSV.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Rule Setup.
  3. Download rules for all or only specific business function groups:
    1. Select the business function group you want to download. In case you want to download the complete rule set, you have to choose ALL.
    2. Choose the Download File button.
  4. Make the required changes to the downloaded rules.
  5. Upload the rules and publish the changes.

    Note

    In the ZIP file there is a "Readme.txt" file with details of how the file must be structured. Only files with a valid structure can be uploaded without errors.
    1. Choose the Browse button and select the rules ZIP file.
    2. Select Upload & Process. The processing status informs you when the upload is finished.
    3. Check the logs for further information: Processing Log contains the exact status of the processing. The Validation Log contains error messages and information about the data validation.

Demo: Download and Upload Rules / Rule Set

Note

Due to the rapidly changing nature of cloud software, the naming of fields, buttons, and steps may differ in demos.