Ensuring Continuous Compliance

Objectives

After completing this lesson, you will be able to:

  • Ensure continuous compliance on access risk management using SAP Access Control features and reporting options

Continuous Compliance

Continuous compliance is the only step in phase three.

As discussed previously, to support a review of an organization's ongoing compliance activities and status, SAP Access Control provides various reports and dashboards. It also provides a collection of audit and security reports.

To check the risk situation in companies, employees working in compliance deal with various challenges:

  • How can we review information about the latest changes to objects such as roles, risks, and profiles?
  • How can we display actions and permissions that are in roles but are not in the rule library? It is important to check this because there can be new actions and permissions that constitute a risk and are not accounted for in a rule set.
  • How can we determine action usage to prioritize remediation and mitigation of risks associated with the action?

To meet those challenges, SAP Access Control provides the following audit and security reports:

Audit Reports

  • Change Log Report: This report provides change information on SAP Access Control objects such as role, risk, and profile. The information includes who changed the object, the timestamps, new and old values, the entity name and type, attributes, and the type of change.
  • Embedded Action Calls in Programs of SAP System Report: This report identifies embedded transaction calls in custom programs.
  • List Actions in Roles but not in Rules Report: This report lists all the actions that are in roles but are not part of the rule library.
  • List Permissions in Roles but not in Rules Report: This report lists all the permissions that are in roles but are not part of the rule library.

Security Reports

  • Action Usage by User, Role, and Profile Report: This report lists actions by user, role, and profile.
  • Count Authorization for Users Report: This report counts user authorizations and highlights the ones outside the system limits.
  • Count Authorization for Roles Report: This report provides the authorization count for roles by role name.
  • List Expired and Expiring Roles for Users Report: This report lists roles that have expired or are about to expire based on the dates you specify.
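
The following is an added example, not SAP Access Control code and not part of the original lesson. It sketches the check behind the "actions in roles but not in rules" report and the use of action usage to prioritize the findings. The role names, rule functions, usage counts, and the simplified data model are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not exported from any real system).
# Role -> actions (transaction codes) contained in the role.
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"FB60", "F110", "ZAP_UPLOAD"},
    "Z_VENDOR_MAINT": {"XK01", "XK02", "ZVEND_MASS"},
    "Z_BASIS_SUPPORT": {"SM30", "SE38"},
}
# Simplified rule library: function -> actions the rule set knows about.
RULE_FUNCTIONS = {
    "Process vendor invoices": {"FB60"},
    "AP payments": {"F110"},
    "Maintain vendor master": {"XK01", "XK02"},
}
# Action usage: (user, action) -> executions in the review period.
ACTION_USAGE = {
    ("ALICE", "ZAP_UPLOAD"): 42,
    ("BOB", "ZAP_UPLOAD"): 7,
    ("CAROL", "SM30"): 3,
    ("ALICE", "FB60"): 120,
}

def actions_not_in_rules(role_actions, rule_functions):
    """Map each action missing from the rule library to the roles holding it."""
    covered = set().union(*rule_functions.values())
    gaps = defaultdict(set)
    for role, actions in role_actions.items():
        for action in actions - covered:
            gaps[action].add(role)
    return dict(gaps)

def prioritise(gaps, usage):
    """Rank uncovered actions by how often they were actually executed."""
    totals, users = defaultdict(int), defaultdict(set)
    for (user, action), count in usage.items():
        if action in gaps:
            totals[action] += count
            users[action].add(user)
    rows = [(a, totals[a], sorted(users[a]), sorted(r)) for a, r in gaps.items()]
    # Most-used first; ties broken by action name for a stable report.
    return sorted(rows, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    gaps = actions_not_in_rules(ROLE_ACTIONS, RULE_FUNCTIONS)
    for action, runs, users, roles in prioritise(gaps, ACTION_USAGE):
        print(f"{action:<12} runs={runs:<4} users={users} roles={roles}")
```

Uncovered actions with high usage are the first candidates for review against the rule set, while uncovered actions with zero usage are candidates for removal from the role.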

In addition to reports, SAP Access Control integrates the risk analysis into the Access Request Management and the Business Role Management components to ensure continuous compliance during these processes:

  • Access Request Management

    A compliant Access Request process prevents the introduction of unmitigated risk into user assignments in productive environments. The risk analysis integration into the Access Request provides real-time risk analysis and mitigation capability for all risk violations associated with the request. Both newly requested access and a user's existing access can be considered.

  • Business Role Management

    Incorporating a real-time risk analysis into the role maintenance process ensures that you are aware of the current risk profile of each production role. Risk analysis can be incorporated into your role creation and maintenance methodology, requiring a risk analysis for all changes to role data. Combined with a Role Approval workflow, Business Role Management provides full transparency about your roles and their associated risks.

Manage Access Risk

Business Scenario

In this unit, you have learned that you can use various reports and dashboards to analyze access risks. But what was the process for using the dashboard to display the risks for a selected business process? Or what steps must you follow to run access risk analysis reports? To reinforce your knowledge, complete the following exercise.

Exercise Options

To start the exercise, choose Start Exercise in the figure below.

A pop-up opens. Now, you have the following options:

  • Choose Start: the simulation starts. Follow the simulation to learn how to create a process project.
  • Choose Open PDF Document: a PDF opens. Based on the steps described in this document, you can perform the exercise in your own system landscape.
