After conducting risk analysis, identified risks must be remediated. If it's not possible to remediate, then risks must be mitigated. The purpose of remediation is to correct or eliminate access risks by changing roles or deleting roles from users. Working with the Risk and Process Owners, along with Security Administration, the Compliance Team must document a formal Remediation Plan.
To remediate a risk, you must apply the Roles first and Users second approach. SAP recommends this approach, as follows:
- Single roles
Identify risk violations within the smallest building blocks of a customer's security structure through risk analysis. Remediation activities for one role can reduce a huge number of violations. For example, if one role has three SOD risks, and 3000 users have that role assigned to them, it translates into 9000 violations. Therefore, eliminating three risks from one role can help to avoid 9000 violations for users.
Prioritize risks as critical, high, medium, or low, and report specifically on those levels that matter most to your organization. Work to identify issues that can be resolved quickly and significantly reduce SoD violations. For example, delete unused transactions or delete change activity in display-only roles.
Rerun risk analysis at the role level.
- Focus on composite roles after single roles are clean:
- Perform risk analysis against composite roles.
- Restructure the role using information from the simulation:
- Remove access for functionalities that are not used within your organization.
- Clean up SOD violations caused by multiple roles coming together under a composite role by using simulation functionality.
- Rerun risk analysis at the role level.
- Analyze access rights for individual users:
- Perform risk analysis against users after all single roles and composite roles have been remediated.
- Target specific functionality and business areas that contain the most critical areas of risk, such as purchase-to-pay, financial accounting, and so on.
- Adapt role assignments at the user master record level to avoid risks caused by SOD conflicts.
- Re-run analysis at the user level.
Risk Simulation in Risk Remediation Process
Risk simulations are often carried out as part of the Risk Remediation process. Simulation allows you to preview the result of changes to roles and user authorizations. You can then see if your changes create new access risks or help to eliminate existing access risks before implementing these changes. In this video, you learn how to use risk simulation:
Summary
Simulation allows you to adjust the access permissions of a user/role to test how those adjustments affect the overall risk profile of the user or role. By simulating risks you can play ‘what if’, and to develop different ways to remediate specific risk violations. In the simulation results, you can identify possible ways to remediate access risks. You can decide whether to add or remove access elements, decide on redesigning your business users' role assignments to ensure that an access risk is eliminated.
1: The Remediation View allows you to mitigate a risk or remove access that causes a risk.
2: The Information panel provides extra Risk and Role details.
In the remediation view of the User Level Risk Analysis (ad-hoc) report, you can remediate or mitigate access for a user from a single, unified interface. Using the remediation view integrated into the Access Request Management component, you can initiate a request to remove a role. You can do this, for example, when your analysis determines that to eliminate a corresponding risk, a role must be removed from the user being analyzed. After you initiate the role removal, SAP Access Control system generates a remove access request. The Request is then sent to the responsible approver according to the configured workflow. After workflow completion, the role will be deleted from the user in the target system. In the remediation view, you can also maintain the assignment of mitigating controls to access risks. You learn more about mitigating controls in the next lesson.