
September 27, 2007 English

SAP GRC Compliant User Provisioning


Business Scenario Script for SAP Discovery System version 3

SAP AG Neurottstr. 16 69190 Walldorf Germany

Contents
Introduction (p. 3)
Create Request (p. 3)
Approval Workflow Manager (p. 8)
Approval Workflow Role Approver 1 (p. 13)
Approval Workflow Security Approval (p. 16)
Role Reaffirms (p. 18)
Reports (p. 20)
Charts (p. 20)

Page 2 of 21

SAP Best Practices

SAP GRC Compliant User Provisioning

Introduction
SAP GRC Access Control addresses the root cause of access control problems through standardized and centralized user maintenance. As a result, the software helps to eliminate manual errors and makes it easier to enforce best practices. Once access and authorization risks have been remediated, only SAP applications for Access Control can prevent new risks from entering a production system. By empowering business users to check for risks in real time and automating user administration, the applications make risk prevention a continuous, proactive process. Security experts as well as managers can find out what kind of risks a user would incur during user creation or user changes, perform automated risk assessments, track changes, and conduct maintenance with ease, which increases consistency and lowers IT costs. Let us walk you through the process of creating a ticket in Compliant User Provisioning.

Create Request
User creations and user changes in Compliant User Provisioning (formerly called Access Enforcer) are done through a request. Let's create a request by logging in as an end user.
1. Log into the Access Enforcer demo server: http://SAPDiscoverySystem:51000/AE/index.jsp (logon: user mwong, password sarbanes1)
2. Select New Access from the options at the bottom half of the screen


3. Enter the following data for REQUEST INFORMATION:

Field              Data
Request Type       New (default)
Priority           High (default)
Functional Area    Finance

4. Click the search icon for Application; the Select Applications screen will appear.
5. Select the SAP tab (default)
6. Select Category: Production
7. Check ERP System-Client 200 and click Continue.
8. Enter New AP Clerk in the Request reason box
9. Select Company: IDES Hi-Tech
10. Select Employee Type: Permanent Employee
11. Set Valid From: today's date (mm/dd/yyyy)
12. Click the Search icon next to the Manager field
13. Enter Wilson in the Last Name field and Fox in the First Name field and click Search
14. Check the radio button next to user id FWILSON and click Select at the bottom of the screen

Note: Custom fields (attributes) can be created and added to this form, so that any information deemed necessary to process requests is included. (Custom fields are added to the bottom of the screen and their placement cannot be configured.)

15. Set Plant: 0005
16. Set Division: 0001
17. Set Regional Office: Boston
18. Set Security Clearance: None


19. Click on the bottom of the page
20. Set Application Area: SAP Production
21. Set Business process: Procure to Pay
22. Set Sub-Process: Process Invoices
23. Select
24. Click VS::FI_AP_INVOICES to launch the Role Details screen to review the role


NOTE: Mae Wong selects the hyperlink of the suggested role and reads the role description to determine if it is appropriate. Mae has access to all the details for this role (various tabs) and reviews the description to make sure it's the right role for her job duty. Mae decides to pick this role based on the description.

25. Review the role details by navigating through the tabs
26. Select Cancel to return to the Role Selection screen
27. Select VS::FI_AP_INVOICES and VS::FI_AP_DISPLAY_MASTER_DATA
28. Scroll down and click Add at the bottom of the screen

Note: Because of attributes such as "I'm in Finance" or "I'm a full-time employee", certain roles come up automatically, for example:
-VS::AP_FI_DISPLAY_MASTER_DATA
Select VS::AP_FI_DISPLAY_MASTER_DATA and click Add.

29. Add a second role: set the Sub-Process: Vendor Maintenance
30. Click Go.
31. Select VS::FI_VM_MAINTENANCE


32. Click Add

NOTE: These roles are owned by Brian Law and Cyrus Perkins. Confirm all three roles are selected, then click Submit at the bottom of the page.

33. The request is created. Note the request number (for example 22). In a typical workflow, this request is sent to the manager and, after the manager's approval, to the role owner(s), Brian Law and Cyrus Perkins.


Approval Workflow Manager


We now see the request appearing in the approval workflow of the manager. An email has been sent to Fox Wilson, who must approve this request now for it to move on to the other approvers.
1. Log into the Access Enforcer demo server: http://SAPDiscoverySystem:51000/AE/index.jsp (user id fwilson, password sarbanes1)
2. Select the request that was created (the Request # will match the request number noted in item 31 above)
3. Request # __ will appear for approval.
4. Select Risk Analysis at the bottom of the screen


Three risks (P001, P002, P003) come up as shown:
5. Click on Risk: P002 "Maintain a fictitious vendor and direct disbursements to it."
6. Click on VS::FI_VM_MAINTENANCE
7. The row will turn RED; now select Simulate at the bottom of the box.


8. Only one risk remains.
9. Select P003, then click the Mitigate button at the bottom
10. Select the Search button for the Reference No (required) field


11. Select MC0010. Since Mae works in a small subsidiary, she needs to be able to maintain a bank account and post payments to it. Fox Wilson therefore picks mitigation control MC0010.
12. Select Continue
13. Select Mitigation Monitor: BLAW
14. Select Save
15. Review the mitigation and click Continue. When re-checking the risk analysis, all risks are remediated; there are no risks outstanding. Since Fox has removed one role (VS::FI_VM_MAINTENANCE), this request will now be routed dynamically only to the remaining role owner, Brian Law, for approval. Fox Wilson can now approve the role.
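The risk analysis, Simulate and Mitigate steps above are worth seeing as logic rather than clicks: a request triggers a segregation-of-duties risk when the combined functions of its roles match a risk rule, simulation re-runs the same check without one role, and a mitigation control documents a compensating control for a risk that stays open, it does not remove the risk. The following Python is an added example written for this page; it is not SAP code and not part of the scenario script. Only the role names, the risk ids P001-P003, control MC0010, monitor BLAW and the outcome (three risks, one after removing VS::FI_VM_MAINTENANCE, none outstanding after mitigation) come from the text; the role-to-function mappings and the function pairs behind each risk are constructed so that they reproduce that outcome.

```python
"""Toy segregation-of-duties (SoD) analysis for an access request.

Constructed example for illustration: the role-to-function mappings and the
risk rules below are invented and do not reproduce SAP GRC's rule set.
"""
from dataclasses import dataclass, field

# Business functions each role grants (assumed for this example).
ROLE_FUNCTIONS = {
    "VS::FI_AP_INVOICES": {"AP_INVOICE_ENTRY", "AP_PAYMENT_POST"},
    "VS::FI_AP_DISPLAY_MASTER_DATA": {"VENDOR_DISPLAY"},
    "VS::FI_VM_MAINTENANCE": {"VENDOR_MAINTAIN", "VENDOR_BANK_MAINTAIN"},
}

# A risk fires when one user holds every function in the rule.
# Risk ids are from the scenario; the function combinations are assumed.
RISK_RULES = {
    "P001": {"VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"},
    "P002": {"VENDOR_MAINTAIN", "AP_PAYMENT_POST"},   # fictitious vendor, direct disbursement
    "P003": {"AP_INVOICE_ENTRY", "AP_PAYMENT_POST"},  # enter and pay the same invoice
}


@dataclass
class MitigationControl:
    control_id: str
    monitor: str  # user id accountable for monitoring the control


@dataclass
class AccessRequest:
    request_id: int
    user: str
    requested_roles: set
    existing_roles: set = field(default_factory=set)   # roles the user already holds
    mitigations: dict = field(default_factory=dict)    # risk id -> MitigationControl

    def effective_functions(self, exclude=()):
        """Union of functions over requested + existing roles, minus excluded roles."""
        roles = (self.requested_roles | self.existing_roles) - set(exclude)
        funcs = set()
        for role in roles:
            funcs |= ROLE_FUNCTIONS.get(role, set())
        return funcs


def analyze(request, exclude=()):
    """Sorted ids of every risk rule fully covered by the request's functions."""
    funcs = request.effective_functions(exclude)
    return sorted(risk for risk, needed in RISK_RULES.items() if needed <= funcs)


def simulate_removal(request, role):
    """Risks that would remain if `role` were dropped; the request is not changed."""
    return analyze(request, exclude={role})


def remove_role(request, role):
    request.requested_roles.discard(role)


def mitigate(request, risk_id, control_id, monitor):
    """Attach a compensating control to an open risk. The risk still exists;
    it is merely documented as controlled, which is why the check below refuses
    to mitigate a risk the request does not actually trigger."""
    if risk_id not in analyze(request):
        raise ValueError(f"{risk_id} is not an open risk on request {request.request_id}")
    request.mitigations[risk_id] = MitigationControl(control_id, monitor)


def outstanding_risks(request):
    """Risks that still block approval: triggered and not covered by a control."""
    return [risk for risk in analyze(request) if risk not in request.mitigations]


def demo():
    """Replays the manager's steps from the scenario on a constructed request."""
    req = AccessRequest(22, "MWONG", {
        "VS::FI_AP_INVOICES",
        "VS::FI_AP_DISPLAY_MASTER_DATA",
        "VS::FI_VM_MAINTENANCE",
    })
    initial = analyze(req)                                   # P001, P002, P003
    after_sim = simulate_removal(req, "VS::FI_VM_MAINTENANCE")  # P003 only
    remove_role(req, "VS::FI_VM_MAINTENANCE")
    mitigate(req, "P003", "MC0010", "BLAW")
    return initial, after_sim, outstanding_risks(req)


if __name__ == "__main__":
    print(demo())
```

The `existing_roles` field is there because a real risk analysis has to consider what the user already holds, not just the roles on the request; a request with no conflict of its own can still complete an SoD violation against an existing assignment.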

16. Click Approve
17. Enter a comment (why Mae did not receive the 2nd role), then hit Save
18. Click Approve again on the next screen.

19. Scroll to the end of the screen to review the request.

20. Logoff Fox Wilson.


Approval Workflow Role Approver 1


We now see the request has moved on to the next person in the approval workflow. An email has been sent to BLAW and CPERKINS; each must approve their roles. Log on to AE with the user id/password mentioned below and select Request for Approval (right-hand side of the screen; this should be the default when Brian Law signs onto the system).
1. Logoff by clicking on Logout at the top right of the screen
2. Select http://SAPDiscoverySystem:51000/AE/index.jsp
3. Select User login from the menu on the left (user id blaw, password Sarbanes1)
4. Click the Logon button

Request Number    Description
**                Assigned request number

Brian sees that there are no non-mitigated risks and so he decides to approve the request.


5. Click on the Approve button
6. Enter a comment, then hit Save
7. Click on the Approve button again in the following screen.


If we had not removed the 2nd profile, and there were no risks, we would see a status message communicating that Brian has approved but that another role owner's approval (e.g. Cyrus Perkins) is still pending. This is not the case; therefore the request is now complete for role owners and is pending only for the Security approval (e.g. Calvin Klein).

8. Logoff by clicking on Logout at the top right of the screen


Approval Workflow Security Approval


The request is now in Stage 3, Security Approval. We will now log in as Calvin Klein.
1. Logoff by clicking on Logout at the top right of the screen
2. Click: http://SAPDiscoverySystem:51000/AE/index.jsp
3. Select User login from the menu on the left (user id Cklein, password sarbanes1)
4. Click the Logon button
5. Select the request as noted earlier by clicking on the number

Request Number    Description
**                Assigned request number

The Security Team now has all the required approvals to process this request. AE has the ability to perform a complete auto-provision of the request, which would automatically update the systems with the new user or role assignment. Alternatively, this can be performed manually by the security team. As an alternate means of receiving the request, Calvin Klein will also receive an email that the role owner (Brian Law) has approved Mae Wong's request for the role. (In Access Enforcer, Calvin will see under Request for Access the same request # shown in the email.)
6. Under Request Number **


7. Click on the Approve button
8. You will be prompted for comments: enter a comment
9. Click on the Approve button again in the following screen
10. Click on the Approve button
The request is now complete. You will see a comprehensive history of the request, including an audit history.

11. Logoff by clicking on Logout at the top right of the screen.


Role Reaffirms
Every quarter, auditors require that each role owner re-affirm the users who have access to their roles. Each role owner can use Access Enforcer to make that process much easier to perform.
1. Log into http://SAPDiscoverySystem:51000/AE/index.jsp (user id Blaw, password Sarbanes1)
2. Click the Logon button
3. Select the Reaffirms link from the menu on the left. This list shows all the roles in each system. The role owner can click on a role to get a list of the users currently assigned to it.
4. Click on VS::FI_AP_INVOICES

The role owner can view this list, remove any user who should not have access, and then approve the rest. This list is then stored in the database and allows the auditors to view the reaffirm list for each role on a quarterly basis.
5. Select MWONG, as she is approved for this role


6. Click on the Approve button
7. Enter a comment for the auditor review
8. Click the Approve button


Reports
A complete audit trail of all activities is kept for later review; you do not have to keep paper records or try to track down e-mails after the fact.
9. Select the Informer tab at the top of the screen
10. Select Analytical Reports from the menu on the left
Access Enforcer provides the ability to generate various reports for viewing and analyzing request approval activities. Reports are divided into the following two categories:
- Analytical: you can drill down to individual role change and access permission requests.
- Chart: you can generate a graphical view of the request approval information, which can be used to analyze various activities.

Charts
11. Select the Informer tab at the top of the screen
12. Select Chart View -> Access Request from the menu on the left. The Access Request report option displays the total number of requests grouped by request status.
13. Select Risk Violations (underneath Access Request) from the menu on the left


The Risk Violations report option displays the total number of requests grouped by violations and mitigation. The Risk Violation Details show the details of the risk violations.
14. Select Provisioning (underneath Risk Violations) from the menu on the left. The Provisioning report option displays the number of roles assigned or removed in requests.
15. Select Service Level (underneath Provisioning) from the menu on the left. The Service Level report option displays the total number of requests grouped by year or month.
16. Logoff by clicking on Logout at the top right of the screen.
