After rule set design is complete, you can start analyzing user access across your environment.
Access risk specialists within the internal control group conduct risk analysis. To successfully identify risks for users, roles, profiles, or HR objects, validate that the rule set works as designed. Security administrators and technical liaisons analyze SOD conflicts, primarily at the role level. Auditors and regulators can assist in running a risk analysis on a regular basis. They can provide guidance to other team members as to which risks are true conflicts and what can be considered a false positive.
The Access Risk Analysis (ARA) functionality of SAP Access Control provides the framework with which you can analyze roles, users, profiles, or HR objects. SAP Access Control delivers numerous monitoring, analysis, and audit reports to support risk identification in existing assignments and estimate cleanup efforts. Access Risk Analysis reports include, but are not limited to:
Access Risk Analysis Dashboard:
- Risk Violations
- User Analysis
- Role Analysis
- Violations Comparison
- Alerts
- Risk Violation in Access Request
- Access Rule Library
Access Risk Analysis Reports:
- User Level Risk Analysis (ad-hoc)
- User Level Simulation
- Role Level Risk Analysis (ad-hoc)
- Role Level Simulation
- Mitigated Users
- User Level Invalid Mitigations Risk Analysis
Note
You can find a list of all reports and detailed descriptions of them on the SAP Access Control page: navigate to Application Help → SAP Access Control → Reports and Analytics.
Later in this lesson, you learn how to conduct access risk analysis using the Risk Violation Dashboard, the Rule Library Dashboard, and the ad-hoc risk analysis reports. Let’s start with Access Risk Analysis dashboards.
Risk Violation Dashboard
The Access Dashboards offer a graphical, comprehensive view of various compliance data. Each dashboard provides a general overview of the data using pie charts, tables, and bar graphs. The dashboard also enables the user to drill down to see more detail. Before the delivered dashboards can be used, the risk analysis engine must generate the analysis data and store it in the database. The dashboards display the most recent data available, based on the most recent run of the Batch Risk Analysis. You can drill down to the specifics by clicking the pie chart or bar chart graphics or by selecting the desired line item.
One of the main dashboards is shown in the following screenshot. The Risk Violations Dashboard displays the number of access risk violations at the user, role, or profile level. Violation counts are displayed in multiple ways and can be filtered by various criteria such as year, system, analysis type, user group, and violation count.
In the following screenshot, you can see examples of how to navigate the details of a specific business process and display the risks associated with a specific system. First, select the bar chart that shows business process BS00 in the dashboard in the preceding screenshot. A new window appears with violation counts per system, as shown in the window on the left side of the following screenshot. To view the associated access risks, select the violation count for the particular system; the result opens in a new window, shown on the right side of the following screenshot.
Access Risk Analysis Dashboard: Rule Library Dashboard
Another example of access risk analysis dashboards is the Access Rule Library Dashboard. It provides a graphical view of all generated access rules. You can filter the rule levels by action, permission, critical action, critical permission, and access risk.
The graphics above display the rule count based on business process and level of criticality. To access specific risk and rule data, you can drill down by Business Process or Criticality Level.
When you select the bar chart or pie chart to drill down, you get access to the selected data in list format. In the following example, you can see the results of the drilldown from the bar chart for business process FI00 and the results of a subsequent drilldown to a particular access risk.
To access the side panel view for more data, use the Violation Historic View hyperlink in the risk view as shown in the preceding screenshots. Extra data includes Historic Data, which shows the number of users with the risk by date of analysis, and Mitigation History Data, which shows the number of mitigations by date and user count.
Ad-hoc Access Risk Analysis: User Level Risk Analysis
In comparison to dashboards, ad-hoc risk analysis reports provide real-time risk analysis based on current data in target systems. The User Level Risk Analysis (ad-hoc) report allows you to analyze the risks of users and provides functionalities for further actions such as remediation or risk mitigation. Watch the following video to learn how to define Analysis Criteria and to differentiate between the different report formats available:
In addition to the report formats discussed in the previous video, there are more report options available during risk analysis. These report options support multiple analysis types: Access Risk Analysis, Access Risk Assessment, and Mitigation Analysis. To learn what each Analysis Type option means and how it affects the analysis result, watch the following video:
After you define the analysis criteria, you can start the risk analysis. Access risk analysis results provide an overview of the analysis criteria, the report options selected for the analysis, and the analysis results. Watch the following video to get an impression of how the results are presented and to learn how to adjust the view according to your requirements.
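A simplified model of what a user-level risk analysis computes and how the dashboards aggregate it, as an added example that is not SAP Access Control code. The rule set, risk IDs, users, and mitigation assignment are constructed for illustration; only the business process codes BS00 and FI00 come from the text above.

```python
from collections import Counter

# Constructed rule set: a function groups actions (transaction codes), and an
# SoD risk is violated when one user can perform every function it names.
FUNCTIONS = {
    "F_VENDOR_MAINT": {"XK01", "XK02"},
    "F_PAYMENT_RUN": {"F110"},
    "F_USER_ADMIN": {"SU01"},
    "F_ROLE_ADMIN": {"PFCG"},
}
RISKS = {
    "R001": {"process": "FI00", "level": "High",
             "functions": ["F_VENDOR_MAINT", "F_PAYMENT_RUN"]},
    "R002": {"process": "BS00", "level": "Medium",
             "functions": ["F_USER_ADMIN", "F_ROLE_ADMIN"]},
}
# Constructed user-to-action assignments, standing in for target system data.
USER_ACTIONS = {
    "ALICE": {"XK01", "F110", "FB60"},
    "BOB": {"SU01", "PFCG"},
    "CAROL": {"XK02", "SU01"},
    "DAVE": {"SU01", "PFCG", "XK01", "F110"},
}
MITIGATED = {("BOB", "R002")}  # constructed: pairs covered by a mitigating control

def analyze_users(user_actions, include_mitigated=True):
    """Return the sorted (user, risk_id) pairs that violate the rule set."""
    violations = []
    for user, actions in user_actions.items():
        for risk_id, risk in RISKS.items():
            # One matching action per function is enough to satisfy it.
            hits = [actions & FUNCTIONS[f] for f in risk["functions"]]
            mitigated = (user, risk_id) in MITIGATED
            if all(hits) and (include_mitigated or not mitigated):
                violations.append((user, risk_id))
    return sorted(violations)

def count_by_process(violations):
    """Aggregate violation counts per business process, dashboard style."""
    return Counter(RISKS[risk_id]["process"] for _, risk_id in violations)

if __name__ == "__main__":
    found = analyze_users(USER_ACTIONS)
    print(found, dict(count_by_process(found)))
    print(analyze_users(USER_ACTIONS, include_mitigated=False))
```

CAROL holds one action from each of two different risks but never both sides of the same risk, so she produces no violation; this is the kind of near-miss worth checking when validating that a rule set works as designed.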