Contents
Introduction (page 3)
Create Request (page 3)
Approval Workflow Manager (page 8)
Approval Workflow Role Approver 1 (page 13)
Approval Workflow Security Approval (page 16)
Role Reaffirms (page 18)
Reports (page 20)
Charts (page 20)
Page 2 of 21
Introduction
SAP GRC Access Control addresses the root cause of access control problems through standardized, centralized user maintenance. This helps eliminate manual errors and makes it easier to enforce best practices. Once existing access and authorization risks have been remediated, Access Control can prevent new risks from entering a production system: the risk check runs at the moment a user is created or changed, not after the fact. By letting business users check for risks in real time and by automating user administration, the application makes risk prevention a continuous, proactive process. Security experts and managers can see what risks a user would incur during user creation or user changes, perform automated risk assessments, track changes, and carry out maintenance with ease, which increases consistency and lowers IT costs. This document walks through the process of creating and approving a request in Compliant User Provisioning.
Create Request
User creation and user changes in Compliant User Provisioning (formerly called Access Enforcer) are done through a request. Let's create a request by logging in as an end user.
1. Log into the Access Enforcer demo server: http://SAPDiscoverySystem:51000/AE/index.jsp
2. Select New Access from the options in the bottom half of the screen
3. Enter the following data for REQUEST INFORMATION:
   Request Type: New (default)
   Priority: High (default)
   Functional Area: Finance
4. Click the search icon for Application; the Select Applications screen appears.
5. Select the SAP tab (default).
6. Select Category: Production.
7. Check ERP System-Client 200 and click Continue.
8. Enter New AP Clerk in the Request reason box.
9. Select Company: IDES Hi-Tech
10. Select Employee Type: Permanent Employee
11. Set Valid From: today's date (mm/dd/yyyy)
12. Click the search icon next to the Manager field.
13. Enter Wilson in the Last Name field and Fox in the First Name field, then click Search.
14. Check the radio button next to user ID FWILSON and click Select at the bottom of the screen.
Note: Custom fields (attributes) can be created and added to this form so that any information needed to process requests is captured. Custom fields are added to the bottom of the screen; their placement cannot be configured.
15. Set Plant: 0005
16. Set Division: 0001
17. Set Regional Office: Boston
18. Set Security Clearance: None
19. Click the button at the bottom of the page to open the Role Selection screen.
20. Set Application Area: SAP Production
21. Set Business Process: Procure to Pay
22. Set Sub-Process: Process Invoices
23. Run the role search.
24. Click VS::FI_AP_INVOICES to launch the Role Details screen and review the role.
NOTE: Mae Wong selects the hyperlink of the suggested role and reads the role description to determine whether it is appropriate. Mae has access to all the details for this role (the various tabs) and reviews the description to make sure it is the right role for her job duties. Mae decides to pick this role based on the description.
25. Review the role details by navigating through the tabs.
26. Select Cancel to return to the Role Selection screen.
27. Select VS::FI_AP_INVOICES and VS::FI_AP_DISPLAY_MASTER_DATA.
28. Scroll down and click Add at the bottom of the screen.
Note: Because of request attributes such as "I'm in Finance" or "I'm a full-time employee", certain roles are suggested automatically; here that is VS::FI_AP_DISPLAY_MASTER_DATA. Select VS::FI_AP_DISPLAY_MASTER_DATA and click Add.
29. Add a second role: set Sub-Process: Vendor Maintenance.
30. Click Go.
31. Select VS::FI_VM_MAINTENANCE.
NOTE: These roles are owned by Brian Law and Cyrus Perkins.
32. Confirm that all three roles are selected and click Submit at the bottom of the page.
33. The request is created. Note the request number (for example 22). In a typical workflow this request is sent first to the manager and, after the manager's approval, to the role owner(s), Brian Law and Cyrus Perkins.
Approval Workflow Manager
The request is now routed to Mae's manager, Fox Wilson (user ID FWILSON), for approval.
2. Select the request that was created (the request number will match the number noted in step 33 above).
3. Request # __ will appear for approval.
5. Click on Risk P002: Maintain a fictitious vendor and direct disbursements to it.
6. Click on VS::FI_VM_MAINTENANCE.
7. The row turns RED; now select Simulate at the bottom of the box. Simulation re-runs the risk analysis as if that role were removed from the request, without changing the request yet.
11. Select MC0010. Since Mae works in a small subsidiary, she needs to be able to maintain a bank account and post payments to it; Fox Wilson therefore picks mitigating control MC0010.
14. Select Save.
15. Review the mitigation and click Continue.
When the risk analysis is re-run, all risks are remediated and there are no risks outstanding. A mitigating control does not remove the underlying conflict; it records the compensating control that an auditor can later review. Since Fox has removed one role (VS::FI_VM_MAINTENANCE), the request will now be routed dynamically only to the remaining role owner, Brian Law, for approval. Fox Wilson can now approve the request.
17. Enter a comment (why Mae did not receive the second role) and click Save.
18. Click Approve again on the next screen.
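To make the manager's steps concrete, here is a small, added example (not Access Enforcer code, and not from the SAP Discovery System) that re-implements the logic behind steps 5 to 18: evaluate a segregation-of-duties rule set over the requested roles, simulate removing a role, attach a mitigating control, and work out which role owners the request is then routed to. The role names, the risk ID P002 and its description, and the control ID MC0010 are taken from the walkthrough; the mapping of roles to business functions and of roles to owners is a constructed assumption chosen to match the routing the text describes.

```python
"""Toy segregation-of-duties (SoD) check for an access request (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: which business function each requested role grants.
ROLE_FUNCTIONS = {
    "VS::FI_AP_INVOICES": {"process_ap_invoices"},
    "VS::FI_AP_DISPLAY_MASTER_DATA": {"display_vendor_master"},
    "VS::FI_VM_MAINTENANCE": {"maintain_vendor_master"},
}

# Risk rule set: a risk fires when one user holds ALL functions in the set.
# P002 and its text come from the walkthrough; the function pair is the
# vendor-maintenance / invoice-processing conflict that text describes.
RISKS = {
    "P002": ("Maintain a fictitious vendor and direct disbursements to it",
             frozenset({"maintain_vendor_master", "process_ap_invoices"})),
}

# Constructed assumption, consistent with the walkthrough's routing note:
# once VS::FI_VM_MAINTENANCE is dropped, only Brian Law remains as approver.
ROLE_OWNERS = {
    "VS::FI_AP_INVOICES": "Brian Law",
    "VS::FI_AP_DISPLAY_MASTER_DATA": "Brian Law",
    "VS::FI_VM_MAINTENANCE": "Cyrus Perkins",
}


@dataclass(frozen=True)
class Violation:
    risk_id: str
    description: str
    conflicting_roles: frozenset   # roles that together trigger the risk
    mitigation: Optional[str]      # control ID, or None if unmitigated

    @property
    def mitigated(self) -> bool:
        return self.mitigation is not None


def analyze(roles, mitigations=None):
    """Return the SoD violations for a set of roles.

    `mitigations` maps risk ID -> mitigating control ID already assigned to
    the user. A real system would merge the user's existing access into
    `roles` before evaluating; here only the requested roles are checked.
    """
    mitigations = mitigations or {}
    granted = {}  # function -> set of roles that grant it
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, ()):
            granted.setdefault(fn, set()).add(role)
    violations = []
    for risk_id, (desc, needed) in RISKS.items():
        if needed.issubset(granted):
            involved = frozenset().union(*(granted[fn] for fn in needed))
            violations.append(Violation(risk_id, desc, involved,
                                        mitigations.get(risk_id)))
    return violations


def outstanding(violations):
    """Violations that still block approval: those without a mitigating control."""
    return [v for v in violations if not v.mitigated]


def simulate_removal(roles, role_to_remove, mitigations=None):
    """What-if check (the Simulate button): re-run with one role taken out."""
    return analyze(set(roles) - {role_to_remove}, mitigations)


def approvers_for(roles):
    """Dynamic routing: the distinct owners of the roles still on the request."""
    return {ROLE_OWNERS[r] for r in roles if r in ROLE_OWNERS}


if __name__ == "__main__":
    requested = {"VS::FI_AP_INVOICES", "VS::FI_AP_DISPLAY_MASTER_DATA",
                 "VS::FI_VM_MAINTENANCE"}
    for v in analyze(requested):
        print(f"{v.risk_id}: {v.description} via {sorted(v.conflicting_roles)}")
    print("outstanding after MC0010:",
          outstanding(analyze(requested, {"P002": "MC0010"})))
    print("violations if VS::FI_VM_MAINTENANCE is removed:",
          simulate_removal(requested, "VS::FI_VM_MAINTENANCE"))
    print("routed to:", approvers_for(requested - {"VS::FI_VM_MAINTENANCE"}))
```

The two remediation paths in the walkthrough behave differently here, as they do in the tool: assigning MC0010 leaves the P002 violation in the result but marks it mitigated, while removing VS::FI_VM_MAINTENANCE makes the violation disappear altogether, and the approver set shrinks from two owners to one.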
Approval Workflow Role Approver 1
After the manager's approval, the request is routed to the role owner, Brian Law.
1. Log into http://SAPDiscoverySystem:51000/AE/index.jsp
   USER ID Blaw
   PASSWORD Sarbanes1
2. Click Logon button
3. Select the request under Request Number **
Brian sees that there are no unmitigated risks, so he decides to approve the request.
If the second role had not been removed and there were no risks, the status message would show that Brian has approved but that another role owner (Cyrus Perkins) is still pending. That is not the case here, so the request is now complete for the role owners and is pending only for the security approval (Calvin Klein).
Approval Workflow Security Approval
Log into http://SAPDiscoverySystem:51000/AE/index.jsp as the security approver, Calvin Klein.
   PASSWORD sarbanes1
4. Click Logon button
5. Select the request noted earlier by clicking on its number in the request list (columns: Request Number **, Description, Assigned).
The security team now has all the required approvals to process this request. AE can perform a complete auto-provisioning of the request, which automatically updates the target systems with the new user or role assignment. Alternatively, the security team can perform the provisioning manually. Note that auto-provisioning means the AE connection to the production client itself has the authority to create users and assign roles, so that connection account needs to be protected like any other privileged account. As an alternate means of receiving the request, Calvin Klein also gets an email stating that the role owner (Brian Law) has approved Mae Wong's request for the role. (In Access Enforcer, Calvin will see under Request for Access the same request number shown in the email.)
6. Under Request Number **
7. Click on the Approve button
8. You will be prompted for comments: enter a comment
9. Click on the Approve button again in the following screen
10. Click on the Approve button
The request is now complete. You will see a comprehensive history of the request, including an audit history.
Role Reaffirms
Every quarter, auditors require each role owner to reaffirm the users who have access to their roles. Each role owner can use Access Enforcer to make that process much easier.
1. Log into http://SAPDiscoverySystem:51000/AE/index.jsp
   USER ID Blaw
   PASSWORD Sarbanes1
2. Click Logon button
3. Select the Reaffirms link from the menu on the left. This list shows all the roles in each system. The role owner can click on a role to get the list of users currently assigned to it.
4. Click on VS::FI_AP_INVOICES
The role owner can review this list, remove any user who should no longer have access, and approve the rest. The approved list is then stored in the database so that auditors can view the reaffirm list for each role on a quarterly basis.
5. Select MWONG, as she is approved for this role
6. Click on the Approve button
7. Enter a comment for the auditor's review
Reports
A complete audit trail of all activities is kept for later review, so you do not have to keep paper records or track down emails after the fact.
9. Select the Informer tab at the top of the screen
10. Select Analytical Reports from the menu on the left
Access Enforcer can generate various reports for viewing and analyzing request approval activities. Reports are divided into two categories:
Analytical: you can drill down to individual role change and access permission requests.
Chart: you can generate a graphical view of the request approval information, which can be used to analyze various activities.
Charts
11. Select the Informer tab at the top of the screen
12. Select Chart View -> Access Request from the menu on the left
The Access Request report shows the total number of requests grouped by request status.
13. Select Risk Violations (underneath Access Request) from the menu on the left
The Risk Violations report shows the total number of requests grouped by violations and mitigations. The Risk Violation Details view shows the details of the individual risk violations.
14. Select Provisioning (underneath Risk Violations) from the menu on the left
The Provisioning report shows the number of roles assigned or removed in requests.
15. Select Service Level (underneath Provisioning) from the menu on the left
The Service Level report shows the total number of requests grouped by year or month.
16. Log off by clicking Logout at the top right of the screen.