Describing SAP Access Control

Objective

After completing this lesson, you will be able to describe the five main tools included in the SAP Access Control application.

SAP Access Control

Overview

SAP Access Control is an enterprise software solution that enables an organization to control access, identify risk, and document compliance. SAP Access Control is composed of five major tools:

  1. Risk Analysis and Remediation–find and remediate segregation of duties and critical access violations
  2. Access Request Management–automate access administration for enterprise applications
  3. Business Role Management–define and maintain roles in business terms
  4. Emergency Access Management–monitor emergency access and transaction usage
  5. User and SoD Access Review–certify that access assignments are still warranted

Circular diagram representing Access Governance with segments for Emergency Access Management, Risk Analysis and Remediation, Access Request Management, Business Role Management, and User and SoD Access Review.

These key processes work together to provide organizations with advanced analytic and reporting capabilities to identify where risk is present across critical business processes.

Risk and control catalogs allow for the central definition of risk and the documentation of mitigating controls that can be applied to specific users, user groups, security roles, and so on, to support compliance and audit-related activities.

The risk analysis engine is integrated with a workflow provisioning process and a role management process to allow customers to identify risk early before provisioning access to production environments.

Standard-delivered reporting functions include ad-hoc risk analysis capability, batch risk analysis, analytic dashboards, and alert reporting for monitoring and mitigating control execution and transaction usage.

Risk Analysis and Remediation

The solution identifies and assesses potential access risks and violations and provides tools to remediate these risks through segregation of duties (SoD) analysis, critical access analysis, and remediation workflows.

The solution enables organizations to define and enforce access control policies across their SAP and supported non-SAP applications, reducing the complexity and effort required to manage access controls. SAP Access Control comes with several risk catalogs, or rule sets, that define access risks for standard SAP solutions such as SAP S/4HANA, SAP ERP, and SAP CRM, as well as several non-SAP solutions, including Oracle, JD Edwards, and PeopleSoft.

The implementation process for SAP Access Control involves evaluating the standard risk definitions delivered in the SAP rule set and tailoring that rule set to the customer's environment. Risk definitions are organized by business process and classified as either a segregation-of-duties risk, a critical action risk, or a critical permission risk.

The delivered rule set content includes a function catalog organized by business process. A function contains the actions and permissions required to perform all or part of a business function, such as "process vendor invoices". A segregation-of-duties risk is then defined as a combination of functions that a single user should not hold together.

Risks are further classified as single or cross-system, depending on whether they include functions executed in one or multiple systems.

Once the required rule set has been implemented, SAP Access Control provides real-time, ad-hoc risk analysis and offline batch risk analysis. Risk analysis can be performed at the user level or the role level, and the results can be filtered by any number of reporting attributes, including, for example:

  • User Group
  • Risk by Process
  • Access Risk ID
  • Risk Level
  • Rule Set
  • User Type
  • System
  • Include Role Assignment

The image shows two screens from SAP. The first screen is titled Risk Analysis Dashboards, featuring a pie chart and bar graph. The second screen is titled Ad Hoc Risk Analysis, showing analytical results in tabular form.

Using the standard Risk Simulation analysis, auditors and role designers can develop an appropriate remediation strategy by simulating changes to user access and/or role design to eliminate the conflict before the change is made in the target system. Simulation is possible at the user, role, and permission levels. If a suitable control has been defined in the Mitigating Control catalog, mitigating controls can be selected and applied during the risk analysis, so that a conflict that cannot be removed by redesign is documented as mitigated rather than left open.

SAP Access Control also provides Access Control Dashboards to give management and internal auditors a graphical representation of the status of Risk and Remediation activities across each connected system. These dashboards are updated regularly using a series of periodic batch jobs, including batch risk analysis.
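The following is an added, constructed example (not SAP code, and not SAP's delivered rule set) that shows how the rule-set structure described above turns into analysis logic: a function catalog, a risk catalog with SoD and critical action risks, technical roles, user assignments, and mitigating control assignments, followed by user-level analysis, single- versus cross-system classification, and a risk simulation that removes or adds roles before anything is provisioned. Standard SAP transaction codes (FK01, F110, FB60, SU01, and so on) are used as actions; the function, risk, role, user, and control IDs are hypothetical. The real engine also evaluates authorization object values behind each action, which this toy omits.

```python
from dataclasses import dataclass

# --- Constructed rule set (hypothetical IDs; NOT SAP-delivered content) -----
# Function catalog: business function -> set of (system, action). Only
# transaction codes are used as actions here; the real engine also checks
# the authorization objects and field values behind each action.
FUNCTIONS = {
    "AP01": {"desc": "Maintain vendor master",  "actions": {("ECC", "FK01"), ("ECC", "FK02"), ("S4H", "BP")}},
    "AP02": {"desc": "Process vendor payments", "actions": {("ECC", "F110"), ("S4H", "F110")}},
    "AP03": {"desc": "Enter vendor invoices",   "actions": {("ECC", "FB60"), ("ECC", "MIRO")}},
    "BC01": {"desc": "Maintain user master",    "actions": {("ECC", "SU01")}},
}
# Risk catalog: an SoD risk needs ALL listed functions; a critical action
# risk has a single function.
RISKS = {
    "R-AP01": {"type": "sod", "level": "High", "functions": ["AP01", "AP02"],
               "desc": "Create a fictitious vendor and pay it"},
    "R-AP02": {"type": "sod", "level": "Medium", "functions": ["AP03", "AP02"],
               "desc": "Enter and pay the same invoice"},
    "R-BC01": {"type": "critical_action", "level": "High", "functions": ["BC01"],
               "desc": "User administration in a productive system"},
}
# Technical roles -> actions, and user -> roles (constructed assignments).
ROLES = {
    "Z_AP_VENDOR_MAINT":  {("ECC", "FK01"), ("ECC", "FK02")},
    "Z_AP_PAYMENTS":      {("ECC", "F110")},
    "Z_AP_INVOICE":       {("ECC", "FB60")},
    "Z_S4_PAYMENTS":      {("S4H", "F110")},
    "Z_BASIS_USER_ADMIN": {("ECC", "SU01")},
}
USERS = {
    "jdoe":   {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},
    "asmith": {"Z_AP_INVOICE", "Z_S4_PAYMENTS"},
    "badmin": {"Z_BASIS_USER_ADMIN"},
    "clerk":  {"Z_AP_INVOICE"},
}
# Mitigating control assignments: user -> {risk id: control id}
MITIGATIONS = {"asmith": {"R-AP02": "MC-AP-001"}}


@dataclass(frozen=True)
class Violation:
    user: str
    risk: str
    kind: str        # "sod" or "critical_action"
    level: str
    scope: str       # "single-system" or "cross-system"
    mitigated: bool
    evidence: tuple  # sorted (function, system, action) triples


def user_actions(user, users=USERS, roles=ROLES):
    """Flatten a user's role assignments into the set of (system, action)."""
    return set().union(*(roles[r] for r in users[user]))


def analyze_user(user, users=USERS, roles=ROLES, risks=RISKS,
                 functions=FUNCTIONS, mitigations=MITIGATIONS):
    """Return the risks a user violates. A risk fires only when the user holds
    at least one action of EVERY function in it; the systems the matching
    actions live in decide single-system vs cross-system."""
    held = user_actions(user, users, roles)
    found = []
    for rid, risk in risks.items():
        hits = []
        for fid in risk["functions"]:
            common = functions[fid]["actions"] & held
            if not common:
                break                       # one function missing -> no conflict
            hits += [(fid, sys, act) for sys, act in common]
        else:                               # every function matched
            systems = {sys for _, sys, _ in hits}
            found.append(Violation(
                user, rid, risk["type"], risk["level"],
                "cross-system" if len(systems) > 1 else "single-system",
                rid in mitigations.get(user, {}), tuple(sorted(hits))))
    return found


def simulate(user, remove=(), add=(), users=USERS, **kw):
    """Risk simulation: re-run the analysis against a copy of the assignments
    with roles removed/added, without touching the real data."""
    trial = {u: set(r) for u, r in users.items()}
    trial[user] = (trial[user] - set(remove)) | set(add)
    return analyze_user(user, users=trial, **kw)


def report(users=USERS):
    """Batch-style user analysis: one line per open or mitigated violation."""
    lines = []
    for u in users:
        for v in analyze_user(u, users):
            flag = "MITIGATED" if v.mitigated else "OPEN"
            lines.append(f"{u:8} {v.risk} {v.kind:15} {v.level:6} {v.scope:13} {flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    # Remediation for jdoe: drop the payments role and re-check.
    print("jdoe without Z_AP_PAYMENTS:", simulate("jdoe", remove=["Z_AP_PAYMENTS"]))
    # Pre-provisioning check: would giving clerk payment access create a new risk?
    print("clerk + Z_AP_PAYMENTS:", [v.risk for v in simulate("clerk", add=["Z_AP_PAYMENTS"])])
```

Note that asmith's conflict is reported as cross-system because the invoice entry sits in ECC while the payment run sits in S4H; an analysis that only looked at one system at a time would miss it. The `simulate` call is the same check the access request workflow runs before provisioning: the requested role is added to a copy of the user's assignments and the result decides whether the request can proceed, needs a mitigating control, or must be redesigned.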


Access Request Management

A successful compliance strategy avoids introducing or reintroducing risk into productive environments. Organizations should evaluate risk with every request for new or changed user access. SAP Access Control provides a workflow-driven, compliant user provisioning and deprovisioning methodology that runs a real-time risk analysis and consults the mitigating control catalog before access is provisioned to a user.

SAP Access Control allows centrally managing and controlling user access to SAP and non-SAP applications, ensuring the proper access is granted to the right users at the right time. The solution offers a self-service portal for users to request access to systems and applications and automated workflows for access request approval and provisioning. SAP Access Control can integrate with identity management and provisioning systems to enforce access control policies across the IT landscape.

Approval procedures and approval workflows are created and customized using the flexible Multi-Stage Multi-Path (MSMP) workflow engine. MSMP workflow provides the backbone for creating, submitting, and approving access requests. Workflow capabilities are also integrated across all functions of access control and can be used to support:

  • Risk Maintenance
  • Function Maintenance
  • Mitigation Maintenance
  • Access Request
  • Role Maintenance
  • User and Compliance Certification

SAP Access Request form for new user (Employee108) with details including request type, priority, business process, and validity dates. Multiple roles listed with assignment and provisioning status. Submit button visible.

In many cases, user master records can be created and access provisioned automatically once the relevant stakeholders have approved the request, with no further manual action. Auto-provisioning lets security team members focus on security incidents and issues rather than on manually creating users and assigning roles and permissions.


Business Role Management

Another critical component of a successful compliance strategy is role maintenance. Role definitions and changes should be made with compliance in mind: role requirements and requests for changes to role composition must be documented and approved by the relevant business or data owners.

The solution offers tools for defining, maintaining, and managing roles and authorizations, allowing organizations to standardize and streamline the role creation and maintenance process. SAP Access Control provides for a central role definition repository using Business Role Management.

Business Role Management provides the framework to define a standard role creation and role maintenance methodology. The methodology is customizable and gives a standard, auditable process that enforces company requirements. Business Role Management delivers a best-practice template methodology whose phases include:

  • Define Role
  • Maintain Authorizations
  • Analyze Access Risk
  • Request Approval
  • Generate Roles
  • Maintain Test Cases and Results

SAP interface displaying the Single Role: ZJLG_00_SECONDARY with a dropdown menu open under Go To Phase showing various options. Form fields for Role Name, Description, and Profile Name are visible.

The methodology is customizable and can be used with SAP and non-SAP solutions. A complete audit trail, workflow approvals, and risk analysis results are maintained.

Business Role Management supports periodic review processes like Role Reaffirm and role content certification.

Access Certification and Review

SAP Access Control streamlines the process of certifying user access, enabling business owners to review and approve user access rights promptly and ensure compliance with regulatory requirements.

SAP Access Control provides several functions that support access certification and review:

  • User Access Review: User Access Review (UAR) is a workflow-driven process using a standard MSMP workflow. Through this process, a user's access is reviewed at the Manager or Role Owner level to determine whether it is still appropriate. At the end of the review, continued access is either approved, or the removal is documented and the access deprovisioned.
  • SoD Review: SoD Review is also a workflow-driven process using a standard MSMP workflow. Through this process, Managers or Risk Owners review users' access that violates segregation-of-duties or critical action risks and determine whether continued access is still required. Continued access is either approved or the removal of access is documented, and the access can be deprovisioned at the end of the review.
  • Role Reaffirm: Role Reaffirm is similar to the UAR process outlined above but is not workflow-driven. Business Role Management maintains a role reaffirm date as part of the role definition. When that date arrives, a notification can be sent to the respective role owner, who uses Business Role Management to document their approval or propose removing the specific role.
  • Role Certification: Role Certification is a process whereby a role definition is reviewed periodically to determine whether it is still correctly designed, contains the proper access and permissions, and is still needed in production. It is not a workflow-driven process. Like Role Reaffirm, Business Role Management maintains a role certification date as part of the role definition. When that date arrives, a notification can be sent to the role content approver, who uses Business Role Management to certify the role contents.

SAP User Access Review screen showing roles, users, types, descriptions, managers, environments, systems, usage, actions, comments, rejection reasons, and assignment types. Options for approval actions.

Monitor Privileges

SAP Access Control provides pre-configured and customizable reports to support compliance with internal and external regulations and audit requirements.

SAP GRC Access Control contains numerous standard reporting functions and monitoring capabilities that provide an organization with critical data on transaction usage, risk mitigation, and grants of emergency access.

Emergency Access Management (EAM) is a standard SAP GRC Access Control function. EAM provides a controlled framework for defining, managing, granting, and monitoring emergency system access. Through EAM, users designated as firefighters can be granted temporary, elevated access through a superuser, or firefighter, ID rather than having that access added to their own user. Each firefighter ID is controlled by a firefighter owner and monitored by a firefighter controller. The firefighter owner is charged with approving access to specific IDs, a process that a standard workflow approval procedure can drive.

Once granted access to a firefighter ID, the firefighter can "check out" the ID, which opens a session in the target environment where the firefighter performs the required actions with the elevated access. Emergency Access Management creates a detailed log of the actions performed under each firefighter ID and sends that log to the firefighter controller, who reviews the logged activities against the reason code and anticipated actions recorded at check-out.

Screenshot of SAP Emergency Access Management interface showing sections for logging, reason codes, anticipated actions, additional activities, and firefighter logs management. Multiple windows display different form fields and dropdown menus.

Audit and Compliance Reporting

Access to accurate and timely compliance data allows an organization to adapt quickly and minimize risk when changes occur. SAP GRC Access Control provides a complete set of standard audit reports, an alert monitor, and standard dashboards to give an organization a comprehensive view of user access and access control.

Standard Audit Reports include detailed reports covering, for example:

  • Access Rules
  • Mitigation Control
  • User Risk Violation Reporting
  • Role Risk Violation Reporting
  • Action Usage Reporting
  • Role Usage Reporting
  • Change Log Reporting

The Alert Monitoring functionality collects data on user access and generates alerts when conflicting or critical access is actually executed, as opposed to merely assigned. Alerts can also be generated if mitigating control activities are not performed within a specified timeframe, since a control that is not executed leaves the risk it is meant to mitigate effectively open. Integration with SAP GRC Process Control can greatly enhance mitigating control management.

The Alert Dashboard provides a user-friendly graphical view of alert data and occurrences.
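The following is an added, constructed example (not SAP code) of the three alert types described above, run over a constructed action-usage extract. It distinguishes holding conflicting access from executing it: a conflicting-action alert is raised only when one user executed an action from every function of an SoD risk inside a sliding time window, a critical-action alert is raised for every execution of a critical action, and a control-overdue alert is raised when a mitigating control's monitoring activity has not been confirmed within its required period. Standard SAP transaction codes are used as actions; the risk IDs, control IDs, users, log format, and 30-day window are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed rule excerpt (hypothetical IDs; NOT SAP-delivered content) ---
SOD_RISKS = {                  # risk -> functions, each a set of actions (tcodes)
    "R-AP01": [{"FK01", "FK02"}, {"F110", "F-53"}],   # maintain vendor + pay vendor
    "R-AP02": [{"FB60", "MIRO"}, {"F110", "F-53"}],   # enter invoice + pay vendor
}
CRITICAL_ACTIONS = {"SU01": "R-BC01"}                  # user administration
CONFLICT_WINDOW = timedelta(days=30)   # executions further apart than this are not one conflict

# Mitigating control assignments and when the monitor last confirmed the activity.
CONTROLS = {
    "MC-AP-001": {"user": "asmith", "risk": "R-AP01", "every_days": 30, "last_done": "2024-01-20"},
    "MC-AP-002": {"user": "jdoe",   "risk": "R-AP02", "every_days": 30, "last_done": "2024-02-20"},
}

# Constructed action-usage extract: timestamp system user action.
USAGE_LOG = """\
2024-01-05T08:00:00 ECC asmith FK02
2024-03-01T09:12:00 ECC jdoe   FK01
2024-03-01T09:40:00 ECC jdoe   F110
2024-03-02T10:05:00 ECC clerk  FB60
2024-03-03T11:00:00 ECC badmin SU01
2024-03-04T08:00:00 ECC asmith F110
"""


def parse_log(text=USAGE_LOG):
    """Parse the whitespace-separated extract into sorted (ts, system, user, action)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, system, user, action = line.split()
            events.append((datetime.fromisoformat(ts), system, user, action))
    return sorted(events)


def conflict_alerts(events, risks=SOD_RISKS, window=CONFLICT_WINDOW):
    """One alert per user and SoD risk when, inside a sliding window, the user
    executed at least one action from EVERY function of the risk."""
    by_user = defaultdict(list)
    for ts, system, user, action in events:
        by_user[user].append((ts, system, action))
    alerts = []
    for user, evs in by_user.items():
        for rid, functions in risks.items():
            # Relevant executions, tagged with the index of the function they belong to.
            rel = sorted((ts, sys, act, i) for ts, sys, act in evs
                         for i, fn in enumerate(functions) if act in fn)
            for end_ts, _, _, _ in rel:                  # try each execution as the window end
                in_win = [e for e in rel if end_ts - window <= e[0] <= end_ts]
                if {e[3] for e in in_win} == set(range(len(functions))):
                    alerts.append({"type": "conflicting_action", "user": user, "risk": rid,
                                   "evidence": [(e[0].isoformat(), e[1], e[2]) for e in in_win]})
                    break
    return alerts


def critical_alerts(events, critical=CRITICAL_ACTIONS):
    """Every execution of a critical action is alert-worthy on its own."""
    return [{"type": "critical_action", "user": user, "risk": critical[action],
             "evidence": [(ts.isoformat(), system, action)]}
            for ts, system, user, action in events if action in critical]


def overdue_control_alerts(as_of, controls=CONTROLS):
    """Alert when a mitigating control's monitoring activity was not confirmed
    within its required period (as_of is an ISO date string)."""
    now = datetime.fromisoformat(as_of)
    alerts = []
    for cid, c in controls.items():
        due = datetime.fromisoformat(c["last_done"]) + timedelta(days=c["every_days"])
        if now > due:
            alerts.append({"type": "control_overdue", "control": cid, "user": c["user"],
                           "risk": c["risk"], "due": due.date().isoformat()})
    return alerts


def run(as_of="2024-03-05"):
    events = parse_log()
    return conflict_alerts(events) + critical_alerts(events) + overdue_control_alerts(as_of)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In the sample, jdoe maintained a vendor and ran a payment on the same morning and is alerted; asmith executed the two halves of R-AP01 two months apart, so no conflicting-action alert fires, but asmith's mitigating control MC-AP-001 is overdue, which is the alert a controller would act on. Adjusting `CONFLICT_WINDOW` is the usual tuning knob: too short and split executions are missed, too long and routine activity floods the controller.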

SAP Access Control: Key features for End-to-End Access Management

Analyze risk
  • Rely on a comprehensive, predefined rule set
  • Perform cross-system analysis for enterprise applications in real time or offline mode
  • Take action to remediate and mitigate access risks
  • Simulate changes to identify and prevent new risks

Manage Access
  • Self-service automated access request
  • Workflow-driven approval process
  • Embedded risk analysis simulations to "stay clean"
  • Automated provisioning to enterprise applications

Maintain Roles
  • Streamline role definition and maintenance with a configurable methodology
  • Define roles in business terms and align with business processes
  • Analyze and optimize business roles

Certify Authorizations
  • Automate periodic user-access reviews
  • Certify role content and assignment to users
  • Automate review of mitigating control assignments

Monitor Privileges
  • Manage emergency access
  • Review details of user and role transactions
  • Get proactive notifications of conflicting or sensitive action usage
  • Customize dashboards and reports

Summary

In conclusion, the SAP Access Control application helps customers confidently manage and control user access and compliance through its five main tools.
