
Overview of SAP BusinessObjects Access Control 10.0

Applies to:
SAP BusinessObjects Access Control 10.0, SAP NetWeaver 7.0, Enhancement Package 2. For more information, visit the Governance, Risk, and Compliance homepage.

Summary
With the release of SAP BusinessObjects Access Control 10.0 there has been a lot of excitement regarding the enhanced version and its capabilities. This article provides a high-level understanding of SAP GRC Access Control 10.0. It is compiled from the information available on various SAP sites and from the expert sessions on GRC 10.0.

Author: Charukesh R Gaikwad
Company: KPMG India
Created on: 10 May 2011

Author Bio
Charukesh Gaikwad is working as SAP GRC Consultant in KPMG ERP Advisory services.

SAP COMMUNITY NETWORK 2011 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com 1


Table of Contents
Access Control 10.0: Introduction
    Access Control 10.0: Landscape
    New and Enhanced Features: Released Notes
    New Focus Areas:
What's new in Risk Analysis?
    New Risk Analysis Framework
    System Specific Mitigation
    Approval process for functions:
    Additional Audit trail tracking
Work Centers in Access Control:
Related Content
Disclaimer and Liability Notice


Access Control 10.0: Introduction


SAP BusinessObjects Access Control is an enterprise software application that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, superuser maintenance, and periodic compliance certifications. It delivers immediate visibility of the current risk situation with real-time data.

Access Control 10.0 is part of the newly released SAP Governance, Risk & Compliance (GRC) 10.0, which also comprises Process Control 10.0, Risk Management 10.0 and Global Trade Services. The greatest value in GRC 10.0 is the harmonization of Access Control, Process Control and Risk Management, which ultimately results in shared processes, data and user interface with a reduction in redundancy.

Access Control 10.0: Landscape

The GRC 10.0 suite runs on AS ABAP 7.02 SP6 or higher. Access Control, Process Control and Risk Management are contained in one ABAP add-on, GRCFND_A.

Source: GRC 10.0 Pre installation Guide on SAP BPX


Front end:
- The front end needs a web browser or (optionally) a client installation of the NetWeaver Business Client 3.0 (NWBC).
- The web browser can be used to access the embedded NWBC or GRC via the NetWeaver Portal.
- The Adobe Flash Player 10 is used for displaying dashboards, e.g. the RM heat map.


- SAPGUI 7.10 PL 15 or higher is required for administration or customizing tasks. Note that SAPGUI 7.20 is recommended due to the end-of-maintenance of SAPGUI 7.10.
- The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.

Portal:
- The NetWeaver Portal 7.02 can be used optionally.
- The GRC Portal Content contains the GRC Portal UI elements to access the GRC suite.
- The Portal's AS Java can contain an Adobe Document Services instance; in effect, Portal and ADS may be shared on one AS Java instance.

ERP and Non-SAP Business Applications:
- The GRC solutions can communicate with SAP ERP and non-SAP business applications via plug-ins.
- NW Function Modules hold the AC functions for ERP systems without HR (former non-HR RTA).
- PC-relevant features are contained in the plug-in GRCPIERP, for example, for running automated controls and the HR-relevant functions for AC (former HR RTA).
- GTS functions are part of the SLL-PI plug-in, for example, for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERP.
- Non-SAP ERP systems can also be connected via adapters from an SAP Partner company.

BI Content:
- NetWeaver BW can be used for reporting via the GRC BI Content.
- The GRC BI Content is part of BI Content 7.06.
- NetWeaver BW 7.02 is used for the GRC BI Content.

Identity Management:
- AC can be integrated bi-directionally with IdM solutions for provisioning and risk analysis.
- NetWeaver IdM 7.2 is required for integrating with AC 10.0.

Adobe Document Services:
- An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms. Although it is technically optional, it is highly recommended for generating PDF reports.
- This ADS can be an existing instance and can also be shared with other applications.
- The Portal's AS Java can contain an Adobe Document Services instance, so Portal and ADS may be shared on one AS Java instance.


New and Enhanced Features: Released Notes

Enhanced Visualization and Streamlined Navigation

This enhancement provides a common look and feel with configurable role-based user access for GRC functions from the SAP Portal or SAP NetWeaver Business Client (NWBC). Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items (e.g., one inbox, not three) and makes possible sharing of data and functions. Menu items seen by the individual user within each work center are controlled by the user's GRC role(s). This also enables data shared across components to be viewed differently by different users.

Improved Reporting

GRC reporting leverages the Business Suite ABAP List Viewer (ALV) Crystal integration framework to present and personalize ABAP (WebDynpro) reports and convert them into Crystal reports. This lowers the TCO and extends the benefits of Crystal without the need for a separate BOE server. It also reduces the time spent by business users on reporting needs. Custom Crystal reports with embedded graphics can also be created easily with Crystal Designer.

Analyze and Manage Access Risk

This release provides a robust user interface for efficient creation and maintenance of functions, actions, and permissions. It uses a workflow-driven process for function maintenance. Audit trail tracking is available for most maintenance activities. In this release, it will be possible to mitigate risk at the rule level or at the system level.

Design and Manage Access Risk

Access Control 10.0 introduces a central role repository. Role definitions are shared across the application, allowing the user to create and maintain roles in one place. Business roles are introduced to improve the role management process by providing the ability to define roles similar to a job function. Authorizations are maintained through PFCG, leveraging all the capabilities provided by PFCG. Users are able to directly import roles from the backend system without the need for a file. Enhanced role methodology management allows users to update the role methodology of a role that is already in use. Role comparison has been enhanced to compare role definitions from multiple backend systems. Role certification allows the role owners to certify the role content on a periodic basis to meet regulatory compliance requirements.

Provision and Manage Users

New enhancements include the ability to customize end user access request forms. Templates can be created for Access Requests. The approver view is now customizable. IdM integration has been enhanced with new web services.

Emergency Access Management

Access Control 10.0 introduces the ability to centrally administer firefighters. Firefighter assignments can be made in the central console and the firefighter session can be initiated centrally. Firefighters can be provisioned through the enhanced provisioning feature. A standardized workflow process has been introduced for reviewing firefighter logs.


New Focus Areas:

Source: SAP GRC Solutions 10.0: Live Expert Sessions


What's new in Risk Analysis?

The enhanced Risk Analysis engine allows for end-user customization and personalization, streamlining the risk analysis. It has certainly increased the degree of automation and has empowered users to derive maximum value to suit their business/compliance requirements. With the provisions of bulk maintenance, enhanced audit trail and increased mitigation options, the tool has now become more user friendly, resulting in faster and more efficient response.

New Risk Analysis Framework

- Different conditions can be configured and combined.
- Multiple risk analysis reports can be run at a time.
- Multiple selections can be imported from a file.
- Drill-downs are available across the reports.
- Columns in the reports can be hidden and rearranged.
- Reports provide transaction execution data.
- Crystal and PDF reports are available.
- The reports can be sorted by any column.

The key benefit of the enhanced risk analysis framework is access to the right data at the right time in the right format. This ultimately results in faster and more consistent response.

System Specific Mitigation

Mitigation options have been expanded to address the complexities involved in the mitigation procedure and to streamline the overall mitigation process.

- In the enhanced version it is possible to assign mitigation controls to a specific system.
- Multiple systems can also be chosen while assigning mitigation controls.
- Mass Mitigation allows mitigation of multiple risks in one go.

This enhancement aims to provide more flexibility and to simplify and speed up the mitigation process.

Approval process for functions:

All changes to functions will trigger workflows for approval.

Additional Audit trail tracking

All changes to access rules can now be tracked. Components like functions, risk, org rule, supplementary rule, critical role, critical profile and rule set can have an audit trail. The key benefit is quick access and higher visibility to the changes made, with comprehensive information about the changes.


Work Centers in Access Control:


Access Control is available both as a standalone application and as part of the GRC 10.0 application. Although the structure of work centers for the Access Control standalone application differs from that of Access Control in the GRC 10.0 application, the functions within the application are the same. The following overview lists, for each function, its description and key features.

Function: My Home
Description: My Home provides a central location to view and act on your assigned tasks and accessible objects.
Features:
- View, access, and address workflow tasks assigned to you, including completed reports that you scheduled.
- Assign delegates to perform your tasks or activities.
- View and process your user data.
- *Perform document searches across all documents (including document content) for which you have authorization.

Function: Rule Setup / Setup: Access Rule Maintenance
Description: This is used to manage the following access rule entities:
- Rule sets: These are categories or groupings of rules used primarily for determining the group of access risks to use when running an access risk analysis.
- Functions: These are a collection of one or more actions that an employee needs to complete to perform a specific goal.
- Access risks: These are objects that identify potential access problems that your enterprise might encounter.
Features: Using the Access Rule Maintenance section, you can do the following:
- Search and display existing rule sets, functions, and access risks
- Create new rule sets, functions, and access risks
- Modify existing rule sets, functions, and access risks
- Delete rule sets, functions, and access risks, as necessary

Function: Access Management
Description: It is the place where you do all the Role Management, Role Maintenance and Role Mining activities. Mitigated Access and Scheduling are also present in this work center.

Function: Mitigated Access
Description: Mitigated Access allows you to manage the risks associated with access control by identifying risks, assessing the level of those risks, and assigning mitigating controls to users, roles, and profiles to mitigate access rule violations. A risk is identified through risk analysis and cannot be mitigated unless the control has been previously defined. The first step in defining, or creating, a mitigating control is to create a mitigating control ID. This ID appears in risk analysis reports. All risk IDs associated with the control must also be mitigated with this control.
Features: Use mitigating controls to:
- Create mitigating controls that you cannot remove
- Assign mitigating controls to users, roles, and profiles that contain a risk
- Establish a period of time during which the control is valid
- Specify steps to monitor conflicting actions associated with the risk
- Create administrator, control monitors, approvers, and risk owners and assign mitigating controls to them

Function: Role Management
Description: Role Management allows you to manage roles from multiple systems with a single unified role repository. The roles can be documented, designed, analyzed for control violations, approved, and then automatically generated. It enables standardized practices to ensure that role definitions, development, testing, and maintenance are consistent across the entire enterprise.
Features: The application allows role owners and security administrators to:
- Track progress during role implementation
- Monitor the overall quality of the implementation
- Perform risk analysis at role design time
- Set up a workflow for role approval
- Provide an audit trail for all role modifications
- Maintain roles after they are generated to keep role information current

Function: Role Mining
Description: Role Mining groups together features that allow you to target roles of interest, analyze the roles, and then take action. For example, find all roles that are due to expire and affirm if they are still relevant.
Features:
- Action Usage
- Role Comparison
- Role Reaffirm

Function: Role Mass Maintenance
Description: You can use Role Mass Maintenance to import and change authorizations and attributes for multiple roles.
Features: The Role Mass Maintenance process is composed of the following procedures:
- Importing Multiple Roles
- Updating Multiple Roles
- Updating Org. Values for Multiple Derived Roles
- Deriving Multiple Roles
- Analyzing Risk for Multiple Roles
- Generating Multiple Roles


Function: Reports and Analytics
Features: The Reports and Analytics work center contains the following sections:
- Access Dashboards
- Access Risk Analysis Reports
- Access Request Reports
- Role Management Reports
- Security Reports
- Audit Reports
- Superuser Management Reports

Function: #Superuser Assignment
Description: In the Superuser Assignment section, you can perform activities such as assigning firefighter IDs to owners and assigning firefighters and controllers to firefighter IDs.
Features: The Superuser Assignment section provides the following links:
- Owners
- Firefighter IDs

Function: #Superuser Maintenance
Description: In the Superuser Maintenance section, you can perform activities such as searching and maintaining firefighters and controllers, and assigning reason codes by system.
Features: The Superuser Maintenance section provides the following links:
- Firefighters
- Controllers
- Reason Codes

# Superuser Assignment and Superuser Maintenance are part of Access Management in the work centers for Access Control in the GRC application, whereas they are part of Setup in the work centers for Access Control standalone.
* Perform document searches applies to the work centers for Access Control in the GRC application.
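
The access rule entities (rule sets, functions, access risks) and the system-specific, time-limited mitigating controls described above can be illustrated with a small risk analysis. This is an added example, not code from the original article or from SAP: all IDs, system names and user names are constructed, and it assumes an access risk is raised when a user holds at least one action from each of its conflicting functions on the same system.

```python
from datetime import date

# Constructed sample data; every ID and name below is hypothetical.
FUNCTIONS = {          # function -> actions (transaction codes) that belong to it
    "F_VENDOR_MAINT": {"FK01", "FK02"},
    "F_PAYMENT": {"F-53", "F110"},
    "F_PO_CREATE": {"ME21N"},
}
RISKS = {              # access risk -> functions that conflict when held together
    "R_P001": {"F_VENDOR_MAINT", "F_PAYMENT"},
    "R_P002": {"F_PO_CREATE", "F_PAYMENT"},
}
RULE_SETS = {"RS_GLOBAL": ["R_P001", "R_P002"]}  # rule set -> risks to analyze

# Mitigating control assignments: control ID, risk, user, systems, validity period.
MITIGATIONS = [
    {"control": "MC_PAY_REVIEW", "risk": "R_P001", "user": "JDOE",
     "systems": {"ERP_PRD"},
     "valid_from": date(2011, 1, 1), "valid_to": date(2011, 12, 31)},
]

USER_ACTIONS = {       # user -> system -> actions the user can execute there
    "JDOE": {"ERP_PRD": {"FK01", "F-53"},
             "ERP_QAS": {"FK02", "F110", "ME21N"}},
    "ASMITH": {"ERP_PRD": {"ME21N"}},
}

def functions_held(actions):
    """Functions of which the user holds at least one action."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def find_control(user, system, risk, on):
    """ID of a control assigned for this user, risk and system that is valid on `on`."""
    for m in MITIGATIONS:
        if (m["user"] == user and m["risk"] == risk
                and system in m["systems"]
                and m["valid_from"] <= on <= m["valid_to"]):
            return m["control"]
    return None

def analyze(rule_set, on_iso):
    """Return (user, system, risk, control or None) for every violation found."""
    on = date.fromisoformat(on_iso)
    findings = []
    for user, systems in sorted(USER_ACTIONS.items()):
        for system, actions in sorted(systems.items()):
            held = functions_held(actions)
            for risk in RULE_SETS[rule_set]:
                if RISKS[risk] <= held:   # user holds every conflicting function
                    findings.append(
                        (user, system, risk, find_control(user, system, risk, on)))
    return findings

if __name__ == "__main__":
    for finding in analyze("RS_GLOBAL", "2011-05-10"):
        print(finding)
```

The same user and risk appear as mitigated on one system and open on another, and a control whose validity period has ended no longer counts.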


Related Content
- SAP BUSINESSOBJECTS ACCESS CONTROL 10.0
- SAP Library-Access Control
- SAP GRC Solutions 10.0: Live Expert Sessions

For more information, visit the Governance, Risk, and Compliance homepage.


Disclaimer and Liability Notice


This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.
