GRC Components Work module of GRC

GRC

Compliant User Provisioning Compliant User Provisioning (CUP) is a capability of SAP GRC Access Control. It provides compliant user provisioning across enterprise systems. Included are access request self-service, approvals, compliance checks, proactive resolution of access controls, and provisioning. CUP also provides standard reports. Both CUP and RAR capabilities introduce a configurable reporting data mart that enables customized reporting by integrating your reporting tool of choice. The data mart extracts the relevant data from the RAR and CUP and converts the data for reporting purposes

The data mart is nonhistorical Data mart schema are published, which enables customers to integrate with any reporting tools.

CUP combines predefined roles and permissions with configurable workflow capabilities, thus automating and expediting user provisioning throughout an employees lifecycle with the company. CUP prevents violations of separations of duty (SoD) and helps to ensure corporate accountability and compliance with Sarbanes-Oxley, and other laws and regulations. Users can request system access using a context-based selection of role descriptions that are defined using the Enterprise Role Management (ERM) functionality, another capability in the SAP BusinessObjects Access Control application. When a user requests access to a system, CUP automatically forwards the access requests to designated managers and approvers within a predefined workflow that is customized for the enterprise. The CUP workflow engine considers the functional responsibility of the requestor and the type of access request being made, and automatically determines the appropriate routing for access approval. CUP prevents access-approval delays by routing requests to back up approvers when primary approvers are unavailable or have not responded. CUP automates the following user provisioning activities: Creating users

Changing users Deleting users Locking/Unlocking users Resetting user passwords Assigning roles to users Removing and changing role validity for users User access review

======================================= Risk Analysis and Remediation

The Risk Analysis and Remediation (RAR) capability is a fully automated rules-based security audit and segregation of duties (SoD) analysis tool used to identify, analyze, and resolve risk and audit issues that relate to regulatory compliance. Features The Risk Analysis and Remediation capability: Enables all key stakeholders to work in a collaborative manner to build ongoing SoD risk and audit compliance at all levels. This compliance includes User, Role, Profile, and HR Object levels.

Empowers security administrators, business process owners and internal auditors to prepare their SAP systems, and all other systems, for an audit. Provides user friendly summary and drill-down reports, making the identification and resolution of Risks and audit issues a painless process.

o o

RAR produces Risk Analytical Reports for selected users, user groups, roles, and profiles, allowing user administrators to identify potential risk issues before assigning a new role to a user, group or profile. RAR produces reports on critical actions, critical permissions, critical roles, and profiles.

Introduces a configuable reporting data mart that enables customized reporting by integrating your reporting tool of choice (for both RAR and CUP):

o o o

The data mart extracts the relevant data from the RAR and CUP and converts the data for reporting purposes The data mart is nonhistorical Data mart schema is published, which enables customers to integrate with any reporting tools.

Includes an expandable starter set of rules, and enables risks to be identified and created in the system so that an administrator can correlate them with functions and associate each function to a business process. And then, the Risk Analysis and Remediation capability generates the rules to offset your identified risks, thus building on your rule set.

Provides comprehensive risk management functionality and powerful, easy to use, functionality to document Risk Mitigation Controls.

RAR enables you to perform a risk analysis to identify risks associated with a user, role, profile, or HR object. If you cannot eliminate a risk, you can use the capability to define mitigation controls. You also define monitors and approvers, assign them to specific controls, and create business units to help categorize mitigating controls.

Uses custom tables to store SoD data. It also ensures there is no interference with existing security processes and procedures.

============================= Enterprise Role Management Enterprise Role Management (ERM) is a capability of the GRC Access Control application. The other Access Control capabilities interact with ERM. Enterprise Role Management automates the definition and management of roles, allowing you to manage enterprise roles with a single unified role repository. The roles can be documented, designed, analyzed for control violations, approved, and then automatically generated.

This capability enables preferred practices to ensure that role definitions, development, testing, and maintenance are consistent across the entire enterprise. ERM provides SAP security administrators, role designers, and role owners with a simplified means of documenting and maintaining important role information for better role management. The features include: Tracking progress during role implementation.

Monitoring the overall quality of the implementation. Performing risk analysis at role design time. Setting up a workflow for role approval. Providing an audit trail for all role modifications. Maintaining roles after they are generated to keep role information current.

========================= Superuser Privilege Management In emergencies or extraordinary situations, Superuser Privilege Management, a capability of SAP GRC Access Control, enables users to perform activities outside their roles under Superuser-like privileges in a controlled, auditable environment. A temporary ID is assigned that grants the user privileged, yet regulated, access. This transfer of privileges from one person or role to another is called firefighting. Such a firefighting event might occur, for example, if an employee is injured and another employee has to perform the injured employees duties. Superuser Privilege Management is an ABAP and Web-based capability that tracks, monitors, and logs the activities that are performed by a Superuser with a privileged user ID. Superuser Privilege Management also automates firefighting tasks such as defining firefighter IDs and assigning owners and controllers. This capability is a back-end systems activity with limited interfacing to Compliant User Provisioning where related reports may be generated. For reports and other information, see the Compliant User Provisioning topics in this application help.