COPYRIGHT Copyright 2006 SAP AG. All rights reserved. SAP Library document classification: PUBLIC No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. Virsa, Virsa Systems, Access Enforcer, ComplianceOne, Compliance Calibrator, Confident Compliance, Continuous Compliance, Firefighter, Risk Terminator, Role Expert, the respective taglines, logos and service marks are trademarks of SAP Governance, Risk and Compliance, Inc., which may be registered in certain jurisdictions. 
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP Important Disclaimers
SAP Library document classification: PUBLIC
This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
Coding Samples
Any software coding and/or code lines/strings (Code) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or were grossly negligent.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint where to find supplementary documentation. SAP does not warrant the availability and correctness of such supplementary documentation or the ability to serve for a particular purpose. SAP shall not be liable for any damages caused by the use of such documentation unless such damages have been caused by SAP's gross negligence or willful misconduct.
Accessibility
The information contained in the SAP Library documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. This document is for internal use only and may not be circulated or distributed outside your organization without SAP's prior written authorization.
CONTENTS
Preface
  About this Guide
    Conventions
    Alert Statements
  Product Documentation
    Documentation Formats
    Installation Guide, Configuration Guide, User Guide, and Release Notes
    Online Help
  Contacting SAP GRC
1 Introduction to Access Enforcer
  Overview
    How to use Access Enforcer
    Getting Started
2 Using the Approver Module
  Overview
  Requests for Approval
    Viewing Pending Requests
    Approving and Rejecting Access Requests
    Holding Access Request
    Performing Risk Analysis
    Performing Mitigation
    Performing Advanced Analysis
    Selecting Roles
    Selecting PD Profiles
    Forwarding Requests
    ReRoute Requests
  Create Request
  Search Request
  Request On Hold
  Approver Delegation
  Copy Request
  Request Audit Trail
  ReAffirm
3 Using the Requestor Module
  Overview
  Creating Requests
    Choosing a Request Type
    New Accounts
    Changing an Accounts
    Deleting an Accounts
    Locking Accounts
    Unlocking Accounts
    Password Self Service
    Information Request
  Request Status
  Support
4 Using the Informer Module
  Overview
  Analytical View
    Service Level for Request
    Request with Conflicts and Mitigation
    Request by Roles and Role Owners
    List Roles and Owners
    Requests by PD/Structural Profiles
  Chart View
    Access Request
    Risk Violations
    Provisioning
    Service Level
PREFACE
buttons, icons, and menus, and terms that are objects of a user selection. Bold text is used to indicate defined terms and word emphasis. Italic text is used to indicate user-specified text, document titles, and word emphasis. Monospace text (Courier) is used to show literal text as you would enter it, or as it would appear onscreen.
Alert Statements
The alert statements (Note, Important, and Warning) are formatted in the following styles:
Note Information that is related to the main text flow, or a point or tip provided in addition to the previous statement or instruction.
Important Advises of important information, such as a machine or data error that could occur should the user fail to take or avoid a specified action.
Warning Requires immediate action by the user to prevent actual loss of data or where an action is irreversible, or when physical damage to the machine or devices is possible.
Product Documentation
Documentation Formats
Documentation is provided in the following electronic formats:
You must have Adobe Reader installed to read the PDF files. Adobe Reader installation programs for common operating systems are available for free download from the Adobe Web site at www.adobe.com.
Online Help
You can access online help by clicking the Help link from within the application.
GRC-SAE Virsa Access Enforcer
GRC-SCC Virsa Compliance Calibrator
GRC-SFF Virsa Firefighter for SAP
GRC-SRE Virsa Role Expert
For more information on the SAP Support Portal, use the quick-links provided below:
- SAP Notes Search: Here you can search for reference material and possible solutions for any questions regarding the GRC components.
- Messages: Here you can create Support Messages for the GRC components.
- Software Download: Here you can download installations, upgrades, and support packages.
- SAP Service Channel - Your Inbox: Here you can monitor the status of your open messages.
1 INTRODUCTION TO ACCESS ENFORCER
Overview
Provisioning access to users in the traditional manner involves the user completing paper forms that request access to SAP backend systems or business applications (non-SAP servers). Those forms are then submitted to the first-line manager, who reviews, approves, and forwards them to second-line approvers in IT security, or the request can be automatically provisioned by the administrator of the target system. Usually, during the approval process, the managers who review access requests are expected to research and identify any potential conflicts of interest between roles that the requestor currently has and any new roles, including permissions, being requested. However, access requests that are under-researched and expedited for approval can cause significant problems, exposing the corporation to legal, regulatory, security, and financial risks.
Access Enforcer automates the access provisioning approval process by combining roles and permissions with workflow. When a user (Requestor) requests access to resources for which they do not have permission, Access Enforcer automatically forwards the access request to designated managers and approvers within a pre-defined workflow. This workflow is customized to reflect your company policy. Roles and permissions are automatically applied to the enterprise directories when the access request is approved. Access Enforcer automates the role provisioning process within the identity management environment. It ensures corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.
Approvers can also request access for other end-users. Approvers include line managers and IT security.
Informer The Informer module is a reporting tool that provides graphical and
The following scenario depicts a general usage of Access Enforcer in a typical enterprise environment:
1 Upon logging in to Access Enforcer, the end-user or Requestor makes an access request for a specific application (SAP and/or non-SAP) for which they do not have the necessary roles.
2 Access Enforcer provides the Requestor an Access Request page where certain attributes can be pre-populated with default values based on the Request Type. The Access Request page can be set to specific or multiple data sources (such as SAP HR systems or non-SAP application servers) to complete the access request process.
3 After completing the Access Request page, the Requestor submits the request, thereby triggering a workflow process. The workflow process is made up of a series of pre-defined approval stages. The entire workflow is customized to reflect the business policies and security procedures.
4 At each approval stage, the Approver receives email notification of the access request. The Approver can then retrieve additional information from multiple sources to provide the data necessary for a complete risk analysis, including Segregation of Duties (SOD) assessments that are automatically evaluated by the Compliance Calibrator engine.
5 When a conflict of interest does arise, the Approver can mitigate the problem or reject the access request. Mitigating a conflict can be a one-time exception for a particular request or a policy change within the business unit.
6 Upon approval, the access request is routed to the next stage, which can be the IT security team for entry to the SAP backend system or application server. It can also be automatically provisioned to the target system.
7 Access Enforcer documents the audit trail of the executed user request and approval for security, legal, and regulatory compliance monitoring.
8 Managers, Approvers, and the IT Security team can view reports that show the number of provisioned users in a given time frame or within a certain Service Level Agreement. Reports can also show an analytical breakdown of SOD violations and mitigation resolutions.
Getting Started
To bring up the Access Enforcer client on your desktop browser, enter the following URL address:
http://<server name>:<port number>/Access Enforcer
where the server name is the name of the application server on which Access Enforcer resides and the port number is the assigned port number of the application server. The Access Enforcer home page appears:
Figure 1
Note Contact your Access Enforcer Administrator or SAP Security System Administrator for the correct URL address for your company's Access Enforcer.
Login as a Requestor
To access the Requestor module of Access Enforcer, you first need to log in.
To Log In:
1 Click Request Access in the Access Enforcer Home page. The User Login page appears.
2 Enter your login credentials to display the Request Access page.
Login as an Approver
To access the Approver module of Access Enforcer, you first need to log in.
To Log In:
1 Click User Login in the Access Enforcer Home page. The User Login page appears.
2 Enter your login credentials to display the Requests for Approvals page.
2 USING THE APPROVER MODULE
Overview
Access Enforcer provides a standardized decision-making process for approving requests. It also provides a comprehensive view of information needed to make approval decisions. Authorized Approvers can be managers or members of various departments (such as IT Security), who are assigned to the appropriate workflow stages in the approval process. These assignments to workflow are configured by the Access Enforcer Administrator.
Access Enforcer provides three standard Approver types. Depending on your organizational hierarchy and process, there may be other Approver types that can be added to Access Enforcer. The standard Approver types are:
- Manager Approver: The Manager Approver is usually the requestor's manager. Managers can review and approve their workflow stage during the approval process.
- Role Owner Approver: The Approver has the authority to approve or reject a request. The Approver can put a request on hold and add additional roles to the request, if necessary. An Approver can only approve or reject requests that they own and cannot approve requests for other approvers unless they are assigned as an alternate approver.
- Security Approver: The Security Approver is usually the last approver in a typical workflow. The Security Approver can provision access to the target system that has been requested.
Note All standard Approvers can use the Access Enforcer functions, such as Risk Analysis, Mitigation, and Roles Assignment, given that they have been assigned permission to execute those functions. The Access Enforcer Administrator can configure these authorizations.
Figure 2
You can select a specific request by clicking the Request Number link on the Request for Approval page. The details of the specific request are displayed. You can then perform the appropriate approval actions on the request. The standard approval actions are:
- Approving Access Request
- Rejecting Access Request
- Holding Access Request
- Performing Risk Analysis
These actions are dependent on the permissions granted to you as an Approver.
To approve a Request:
1 In the Request for Approval page, click the Request Number you want to approve. The Request Information page appears.
Figure 3
2 Click Approve. The Request Information - Approval Path Status page appears.
Figure 4
3 Click the Plus (+) icon to display detailed information of any status information. For example, the Audit Information details show the entire history of the request from the time it was submitted to when it was approved and by whom.
Figure 5
Before approving the request, it is recommended that you review the Roles/Profiles tab.
Figure 6
Roles/Profile Tab
Click the Green checkbox icon to reject/remove a role.
Access Enforcer supports two system types: SAP and ORAAPS (Oracle Applications).
System: This is the name of the system. The system belongs to the corresponding system type.
This is the name of the role or profile.
This is the type of role. The type can be Single, Composite, or Template.
This is a brief description of the role/profile.
This is the start date of when the role is valid.
This is the end date of when the role is valid.
This is the name of the role owner. The role owner is generally the person who created the role.
To add a role, click Select Roles. Refer to Selecting Roles on page 33 for detailed instructions.
Before approving the request, it is recommended that you review the PD Profiles tab.
Figure 7
PD Profiles Tab
This is the actual name of the system.
This is the name of the profile.
This is the description of the profile.
This is the start date of when the profile is valid.
This is the end date of when the profile is valid.
To add a PD Profile, click Select PD Profiles. Refer to Selecting PD Profiles on page 35 for detailed instructions.
Using the Risk Violations Tab
Before approving the request, it is recommended that you review the Risk Violations tab.
Figure 8
Note
risk violations associated with the request. A green flag indicates that there are no risk violations. A yellow flag indicates that there are violations with associated mitigation controls.
System Type: Access Enforcer supports two system types: SAP and ORAAPS (Oracle Applications).
This is the actual name of the system.
This is the description of the risk.
This is the number of risk violations.
This is the status of the violation. The status can be High, Medium, or Low.
To mitigate a risk violation, click Risk Analysis. Refer to Performing Risk Analysis on page 26 for detailed instructions.
Using the Mitigations Tab
Before approving the request, it is recommended that you review the Mitigation tab.
Figure 9
Mitigation Tab
Note
that there are no risk violations. A yellow flag indicates that there are violations with associated mitigation controls.
This is the actual name of the system.
This is the description of the risk.
This is a unique number that identifies the mitigation control.
This is a classification of processes for a department.
This is the user name of the approver.
This is the start date of when the mitigation control is valid.
This is the end date of when the mitigation control is valid.
The Mitigation tab is read only. It displays what risks are mitigated and the details on the mitigation control.
Using the Comments Tab
Before approving the request, it is recommended that you document any information regarding the request by using the Comments tab. To add a comment, click the Plus (+) icon. The field becomes active.
Figure 10
Comments Tab
Before approving the request, it is recommended that you view the Request Justification tab for any information regarding this request. This tab is read-only.
Figure 11
Note
The information in the Request Justification tab was entered during the creation of the request by using the Create Request option in the Access Enforcer tab.
Before approving the request, you can attach files that are relevant to the request by using the Attachment tab.
Figure 12
Attachments Tab
To attach a File
1 In the Attachment tab, click Attach Files. The Upload Files Information page appears.
Figure 13
2 In the Select Files field, click Browse to navigate to the file you wish to associate.
3 Click Attach.
Note You can add multiple files.
4 Click Continue.
1 In the Request for Approval page, click the Request Number you want to approve. The Request Information page appears. See Figure 3, Request Information Page.
2 Click Reject. A Comment Entry page appears.
3 Enter a brief comment on the reason(s) for rejecting this particular access request.
4 Click Save.
1 In the Request Information page, click Hold. The Request Information page appears.
Figure 14
The Hold page contains the information submitted using the Access Request page. At the top of the page, the Approval Path Status displays the workflow and the stage at which the request was put on Hold. It also displays the approver name responsible for that stage.
2 Scroll to the bottom of the Hold page. Click Download to store this request on your local system.
3 Enter a brief comment to describe the reason(s) for approving this access request.
4 Click Print to print this request.
1 On the Request Information page, click Risk Analysis. The Risk Analysis page appears.
Figure 15
2 Any risks that are found are displayed in the Risk Violations list. Click the + symbol on any of the Risk IDs to display the drill-down report.
Figure 16
Once you have uncovered any risk violations, you can proceed to either:
- Mitigate uncovered conflicts
- Perform advanced analysis using lower-level objects
Performing Mitigation
The Mitigation option enables you to resolve risk violations by allowing exceptions to the rules defined using Compliance Calibrator (mitigation controls). The Mitigation option allows you to monitor risks over a specific time period. On the Mitigation page, you can:
- Create a new mitigation control for a specific risk violation
- Assign an existing mitigation control to a specific violation
On the Risk Analysis page, click Mitigation. The Mitigation page appears.
Figure 17 2
Mitigation Page
Figure 18
3 In the Control ID field, enter the mitigation control ID. This is a unique number sequence that references a mitigation control. This number is ten characters in length.
4 In the Control Description field, enter a description of your mitigation control. Make sure that your description uniquely identifies the mitigation control.
5 In the Functional Area drop-down menu, select the functional area to categorize your mitigation control.
6 In the Management Approvers field, click the drop-down menu to select an approver for the mitigation control. Approvers are responsible for approving a mitigation control.
The Mitigation page provides the following three tabs for your mitigation control:
- Mitigation Risks
- Monitors
- Reports
7 Click the Mitigation Risks tab.
8 Click Select Risks to associate a risk with the mitigation control.
Figure 19
Use the search function to find a risk. You can specify the Risk ID, Business Process, and Risk Level details as the search criteria for the risk.
9 In the Risk ID field, enter the Risk ID. The Risk ID is a unique identifier for the risk.
10 In the Business Process field, click the drop-down menu to select the appropriate Business Process.
11 In the Risk Level field, click the drop-down menu to select the appropriate Risk Level.
12 Click Search. A list of risks is displayed. Select the desired risks.
13 Click Add.
14 Click Continue. The Mitigation page appears with the added risks.
Figure 20
15 Click the Monitors tab. Monitors are users who will monitor the mitigated risk.
Figure 21
17 In the Name drop-down menu, select the name of the monitor.
18 Click the Reports tab. The Reports tab allows you to specify details for generating report transactions, which are executed by the monitors assigned to the transaction.
Figure 22
20 In the Transaction Code field, enter the appropriate transaction code for the report.
business unit.
22 In the Frequency field, enter the number of days within which the report transaction must be executed.
Note The Frequency value determines whether an alert is generated. If a report transaction is not run within the time specified by the Frequency value, an alert is sent to the Manager. Refer to the Virsa Compliance Calibrator User Guide for more information about Assigning Alert Monitors.
1 In the Risk Analysis page, click Advanced Analysis. The Risk Analysis - Advanced Analysis page appears.
Figure 23
2 In the System drop-down menu, select the appropriate system name.
3 In the Analysis Type drop-down menu, select the appropriate values. The Analysis Types you can select are:
- Critical Role/Profile: Analysis will be performed at the Role level
- Critical Transaction: Analysis will be performed at the Transaction Code level
- Authorization Object Level: Analysis will be performed at the detail of the object level
Depending on the Analysis Type that you select, the corresponding Analysis Results appear. For example, when the Authorization Object Level analysis type is selected, the Risk Analysis results will appear as follows:
Figure 24
Click Continue. The specific Request Number - General Information page appears.
Selecting Roles
In SAP, roles are a collection of transactions that an end-user is permitted to perform. When a role is assigned to an end-user, all transactions within that role are available to that user. Roles in SAP can be single or composite. Composite roles are a group of single roles.
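The following added example (not SAP or Compliance Calibrator code) sketches the check an approver relies on: composite roles are expanded to single roles and their transactions, the combined access is tested against segregation-of-duties risks, and a mitigation control only counts inside its start and end dates. All role names, transaction codes, risk IDs and control IDs are constructed, and the "unmitigated" result label is this example's own assumption, since the page's wording for that flag is cut off.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: these role names, transaction codes, risk IDs and
# control IDs are illustrative placeholders, not values from an SAP system.
SINGLE_ROLES = {
    "Z_VENDOR_MAINT": {"TX_VENDOR_CREATE", "TX_VENDOR_CHANGE"},
    "Z_AP_PAYMENTS": {"TX_PAYMENT_RUN"},
    "Z_AP_DISPLAY": {"TX_INVOICE_DISPLAY"},
}
# A composite role is a group of single roles.
COMPOSITE_ROLES = {"Z_AP_CLERK": ["Z_AP_PAYMENTS", "Z_AP_DISPLAY"]}
# Each risk names two sets of transactions that one user should not combine.
RISKS = {"R001": ({"TX_VENDOR_CREATE", "TX_VENDOR_CHANGE"}, {"TX_PAYMENT_RUN"})}


@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    risk_id: str
    user: str
    valid_from: date
    valid_to: date

    def __post_init__(self):
        # The guide states that a control ID is ten characters in length.
        if len(self.control_id) != 10:
            raise ValueError("control ID must be ten characters in length")
        if self.valid_from > self.valid_to:
            raise ValueError("control start date is after its end date")

    def covers(self, risk_id, user, on_date):
        """True only for the matching risk and user, inside the validity window."""
        return (self.risk_id == risk_id and self.user == user
                and self.valid_from <= on_date <= self.valid_to)


def expand_roles(role_names):
    """Resolve single and composite roles to the set of transactions granted."""
    transactions = set()
    for name in role_names:
        if name in COMPOSITE_ROLES:
            transactions |= expand_roles(COMPOSITE_ROLES[name])
        elif name in SINGLE_ROLES:
            transactions |= SINGLE_ROLES[name]
        else:
            raise KeyError(f"unknown role: {name}")
    return transactions


def _conflicts(transactions, risk):
    side_a, side_b = risk
    return bool(transactions & side_a) and bool(transactions & side_b)


def analyze_request(user, current_roles, requested_roles, controls, on_date):
    """Evaluate the access a user would hold if the request were approved."""
    before = expand_roles(current_roles)
    after = before | expand_roles(requested_roles)
    violations = []
    for risk_id, risk in sorted(RISKS.items()):
        if not _conflicts(after, risk):
            continue
        violations.append({
            "risk_id": risk_id,
            # A conflict the user did not already have is caused by this request.
            "introduced_by_request": not _conflicts(before, risk),
            "mitigated": any(c.covers(risk_id, user, on_date) for c in controls),
        })
    if not violations:
        flag = "green"        # no risk violations
    elif all(v["mitigated"] for v in violations):
        flag = "yellow"       # violations with associated mitigation controls
    else:
        flag = "unmitigated"  # label assumed by this example
    return {"flag": flag, "violations": violations}


if __name__ == "__main__":
    control = MitigationControl("MC00000001", "R001", "blaw",
                                date(2006, 1, 1), date(2006, 12, 31))
    for day in (date(2006, 6, 15), date(2007, 1, 1)):
        result = analyze_request("blaw", ["Z_VENDOR_MAINT"], ["Z_AP_CLERK"],
                                 [control], day)
        print(day, result["flag"], result["violations"])
```

The second date in the demo falls after the control's end date, so the same request that was acceptable with a mitigation control in place is reported as unmitigated again.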
Note The Select Role option button appears only if you have permission to select roles.
To grant Roles:
1 On the specified Request Number - General Information page, click Select Roles. The Select Roles page appears.
Figure 25
2 In the Select the System drop-down menu, select the system that has the given roles information.
3 In the Select the Type of Access drop-down menu, select the criteria by which you intend to search for the role. These criteria are:
Roles - Select this option if you want to search for a specific role by its Name/Description.
Transaction - Select this option if you want to search for a specific role by transaction code. The Enter Transaction Code field appears. You must enter the exact transaction code of a role. Click Go. A list of all roles that have the transaction code that you specified appears.
Create my account like other user - Select this option to create a role or account that is similar to an existing account. For example, you can grant roles or an account as the user, blaw (Brian Law). Once you grant this role to the Requestor, they can have the same authorizations and permissions in SAP as the user blaw. The Create my account like field appears. Enter the desired User ID. Click Go. A list of roles is displayed for the given User ID. Select the appropriate role name, then click Add.
4 In the Application Area drop-down menu, select the appropriate application area.
5 In the Business Process drop-down menu, select the appropriate business process.
6 In the Sub Process drop-down menu, select the appropriate sub process.
7 In the Role Name field, enter the role name you want to search for.
8 In the Role Description field, enter the description of the role.
10 In the Company drop-down menu, select the company name.
11 Click Go.
12 In the Search Results tab, click Add to select the desired role name.
13 In the Selected Roles/Profiles tab, the roles and profiles you selected are listed. Click Continue.
14 In the Request Reason field, a list of systems and roles/profile names are displayed,
Selecting PD Profiles
As an Approver, you can grant authorization for objects that are stored in a hierarchical structure, using a structural authorization check. In Access Enforcer, there is a functional distinction between the task of selecting and the task of assigning. Roles and permissions as well as PD Profiles must first be selected. Use the Select PD Profile option to select and assign PD profiles.
To assign PD Profiles:
1 In the Request Number - General Information page, click Select PD Profile. The Assign PD Profile page appears.
Figure 26
2 In the Systems drop-down menu, select the system where the profile details exist.
3 In the Profile Name field, enter the name of the profile. Enter the first letters of the PD Profile name or enter a wildcard (*) character to view all PD Profiles.
4 In the Description field, enter a description of the PD Profile that you want to retrieve.
5 Click Search. A list of system names with the corresponding profile names, descriptions and validation dates appears.
6 Select the PD Profiles that you want to add. Then click Add.
7 Click Continue.
Forwarding Requests
During the approval process, you can forward the request to another approver.
To forward a Request:
1 In the Request Number - General Information page, click Forward Request. The Select Users page appears.
Figure 27
2 In the Last Name field, enter the last name of the person you want to find. Otherwise, you can enter a wildcard (*) to view all users.
3 In the First Name field, enter the first name of the person you want to search for.
4 Click Search. A list of user names appears in the Search Results tab.
5 Select the desired user name(s).
6 Select one of the following two options:
Forward with No Return - This option forwards the request to the selected user for processing. The request is not returned to you.
Forward with Return - This option forwards the request to the selected user for processing. Afterwards, the request is returned to you.
7
Figure 28
ReRoute Requests
During the approval process, you can reroute the request to another approver.
To reroute a Request:
1 On the Request Number - General Information page, click Re-Route. The Request Information - Re-Route page appears.
Figure 29
2 In the Stage field, click the drop-down menu to select the desired workflow stage.
3 In the Comments field, enter a short description for rerouting this request.
4 Click Save.
Create Request
As an Approver, you can create a request for yourself or other users. Upon creating a request, you are considered a Requestor in the request approval system, where you are requesting access or role permissions to a system. The type of request determines the workflow path. Access Enforcer provides the following standard request types:
New access request
Change access request
Lock/Unlock request
Information request
Delete request
Completing a request initiates a workflow. This section discusses the creation of a New access request. The other request types have similar steps, but with different results.
To create a Request:
1 In the navigation menu of the Access Enforcer tab, click Create Request. The Create Request page appears.
Figure 30
2 In the Request Type drop-down menu, select a request type.
3 In the Priority drop-down menu, select the appropriate priority. The possible choices are High, Medium, or Low. Any other values in the menu are defined by your Access Enforcer Administrator.
4 In the Due Date field, click the Calendar icon to select the date by which you want the request to be completed in the access request approval process.
5 In the Employee Type drop-down menu, select the appropriate employee status. The possible choices are Full-Time, Part-Time, Temporary, or Contractor. Any other values in the menu are defined by your Access Enforcer Administrator.
6 In the User ID field, enter your User ID or the User ID of the person for whom you are requesting access.
7 In the Last Name field, enter your last name or the last name of the person for whom you are requesting access.
8 In the First Name field, enter your first name or the first name of the person for whom you are requesting access.
9 In the Email Address field, enter your email address or the email address of the person for whom you are requesting access.
10 In the Telephone Number field, enter your phone number or the phone number of the person for whom you are requesting access.
11 From the Company drop-down list, select the company for which the person you are
to display Additional User Information page that contains more fields that are required to complete the request creation.
Figure 31
14 In the Business Process drop-down menu, select the business process for the user.
15 In the Position field, enter the position name with respect to the business process.
16 In the Organization Unit field, enter the organization unit.
17 In the Personnel Number field, enter the personnel number of the user.
18 In the Job field, enter the name of the user's job.
19 In the Cost Center field, enter the user's cost center.
20 In the Business Area field, enter the name of the business area.
21 In the Location field, enter the location name.
22 In the User Validity Start Date and User Validity End Date fields, click the Calendar icon to set the range of dates of when the user starts and ends.
Note In the Customized Information group, the additional custom fields are defined by your corporate policy. They may or may not be mandatory to complete the Create Request page.
23 Click Continue.
24 In the Requestor First Name field, enter the first name.
25 In the Email Address field, enter the email address.
26 In the Manager's Last Name field, click the Magnifying Glass icon to select the appropriate approver. Once you have made a selection, the Manager's First Name and Email Address fields are automatically populated.
Applications page. Select the desired Application name(s) and System ID.
Figure 32
Note Access Enforcer allows you to select an SAP, Oracle application server, or Others application tab.
28 Click Continue. The Create Request page re-appears.
29 In the Company drop-down menu, select the company name.
30 In the Functional Area drop-down menu, select a functional area associated with this request.
Note The Select Roles option button appears only if you have permission to select roles.
31 Click Approve.
Search Request
The Search Request option allows you to search for Open, Closed, Hold, or Rejected requests. You can specify search criteria to filter your requests. The request information that is returned is view only. You cannot modify the information that appears in the result page.
To search for a Request:
1 In the Access Enforcer tab, click Search Request. The Search Requests page appears.
Figure 33
2 In the Request ID field, enter the request ID you wish to search for. The Request ID search overrides any other search criteria. You can continue to the next step or click Search.
3 In the User Last Name field, enter the last name of the user. Continue to the next step or click Search.
4 In the User First Name field, enter the first name of the user. Continue to the next step or click Search.
5 In the Requestor Last Name field, enter the last name of the requestor. Continue to the next step or click Search.
6 In the Requestor First Name field, enter the first name of the requestor. Continue to the next step or click Search.
7 In the Manager Last Name field, enter the last name of the approver. Continue to the next step or click Search.
8 In the Manager First Name field, enter the first name of the approver. Continue to the next step or click Search.
9 In the Status drop-down menu, select the desired request status. You can continue to the next step or click Search.
10 In the Request Priority drop-down menu, select the desired priority of the request. You can continue to the next step or click Search.
Figure 34
Request On Hold
The Request on Hold option allows you to view all requests that you put on hold to process at a later time. You then can select a request from the displayed list and perform the appropriate action.
To view your Requests on Hold:
1 In the Access Enforcer tab, click Request on Hold. The Request on Hold page appears.
Figure 35
2
Figure 36
3 Click the button that corresponds to the action you want to perform on this request.
Approver Delegation
The Approver Delegation option enables you to delegate your approver authority to another member of your team. For example, if you are out of the office for a period of time, you can delegate your approval permissions to the designated proxy on your team. You have to specify a duration of time for which you want to allocate your work to your proxy. The delegated approver processes requests that are routed through the standard approval process when the request goes through a normal request approval workflow. However, if the request is escalated, the delegated approver may not be the person who approves the request. During the configuration of the workflow stage, your Access Enforcer Administrator may have enabled the Forward to Alternate Approver option, allowing the defined Alternate Approver the authorization to approve the request. In this scenario, the delegated approver is not the same person as the alternate approver.
To assign a Delegated Approver:
1 In the Access Enforcer tab, click Approver Delegation. The Approver Delegation page appears.
Figure 37
2 In the Delegated Approver ID field, click the Magnifying Glass icon to display the Select Delegator page.
Figure 38
3 Select the desired User ID.
4 Click Select. The Approver Delegation page re-appears.
Figure 39
5 In the Valid From and Valid To fields, click on the Calendar icon to specify a date range during which the delegated approver has approval authority.
6 Click Save. The Approver Delegation page re-appears with a success message at the top and the name of the approver in the Delegations table.
Figure 40
7 Make sure that the Status icon is activated for each delegated approver.
Copy Request
The Copy Request option allows you to create a new request based on an existing request. You can copy an existing request for multiple users. For example, if you have multiple users who have requested access to the same system or roles, you can copy an existing request to create multiple requests with similar information.
To copy a Request:
1 In the Access Enforcer tab, click Copy Request. The Copy Request page appears.
Figure 41
2 In the Source Request ID field, enter the request ID you want to copy.
3 Select the information attributes you want to copy to your new request.
4 Click Save for a single request. Otherwise, click Multi User and skip to Step 6.
Figure 42
5 Complete the Create Request page for a single user. Note that all of the fields in this page are pre-populated with information copied from the Source Request ID.
6 If you click on Multi User, the Copy Request - Import Request page appears.
Figure 43
7 You can import a text file that lists multiple users with attributes similar to the example in Figure 43, Copy Request - Import Request Page. The text file contains the User ID information formatted in columns with a tab delimiter, as shown in Figure 44, Import User Request text file page. Click Browse to locate your text file.
Figure 44
8 Click Import. The Copy Request - Import Request page is then populated with the user IDs listed in your text file.
9 Click Save. The Create Request - General Information page appears. Note that Multi User is entered in the User ID information fields.
Figure 45
10 Complete the Create Request page for multiple users. Note that all of the fields in this page are pre-populated with information copied from the Source Request ID.
1 In the Access Enforcer tab, click Request Audit Trail. The Search Request Audit Trail page appears.
Figure 46
Note Each field on this page is a search criterion. You can enter information in any field and then click Search. However, if you are searching for a particular request, enter values in the fields that uniquely identify it.
2 In the Request ID field, enter the request ID.
3 In the User Last Name field, enter the user's last name.
4 In the User First Name field, enter the user's first name.
5 In the Requestor Last Name field, enter the requestor's last name.
6 In the Requestor First Name field, enter the requestor's first name.
7 In the Approver Last Name field, enter the approver's last name.
8 In the Approver First Name field, enter the approver's first name.
9 In the Status field, click the drop-down menu to select the request status. You can select All, Open, Closed, Hold, or Reject.
10 In the Request Priority field, click the drop-down menu to select the request priority.
11 In the Creation Date From and Creation Date To fields, click the Calendar icon to select the date range during which the request was created.
12 Click Search. The Audit Trail - Search Results page appears.
Figure 47
The search results show the details of the request, including who submitted the request, who approved the request and the request status.
ReAffirm
As a Role Owner Approver, you need to reaffirm roles with dates that have expired. The reaffirm dates are initially set by the Access Enforcer Administrator, using the Configuration Module. In the Roles>Create Roles page, the Administrator should have defined a specific time period in which the role needs to be reaffirmed.
To Reaffirm a Role:
1 In the Access Enforcer tab, click Reaffirms. The Role Reaffirms page appears.
Figure 48
2 In the System field, click the drop-down menu to select a system name. A list of role names appears.
3 Click on the Role Name link to display the role name details.
Figure 49
4 Select a User ID whose status you want to change by performing one of the following actions: Approve, Remove, or Hold.
5 Upon clicking an action button (Approve, Remove, or Hold), the Comment page appears.
6 Enter a comment, then click the corresponding action button. The Role Reaffirm page re-appears with a success message at the top of the page. Note that the User ID's status has changed, based on the action selected. If you have approved the entire list of User IDs, the Roles will be reaffirmed.
3 USING THE REQUESTOR MODULE
Overview
As a Requestor, you use the Requestor module to create various access requests for an SAP backend system, non-SAP system, or other application (server). There are three types of Requestors:
Department Member - Creates requests for access permissions or roles, for themselves or for their team members
Managers - Creates requests for roles for their subordinates
Approvers - Other managers can also create requests
The workflow for an access request is not dependent on request types. However, a request type is one of the attributes that make up an Initiator for a workflow path. The request type you submit automatically triggers a pre-defined workflow. Request types are:
New
Change
Lock User
Unlock User
Information
Delete User
The workflows are configured by the Access Enforcer Administrator to reflect your corporate policies and business unit practices.
Note For more information on configuring workflows, see the Access Enforcer 3.0 NetWeaver Administration Guide.
Access Enforcer allows you to track your request and view its status. As your request goes through each stage of the workflow, you can view all comments appended by Managers, Approvers, and Security.
Creating Requests
Virsa Access Enforcer provides standard request types that are defaults, which cannot be deleted or modified. The request type of your access request determines how the request is processed for approval in the workflow.
Note Your Access Enforcer Administrator can create or modify request types at any time to reflect your business unit process or corporate policies.
Figure 50
The Request Access page displays the following request types:
New Account - Request new accounts
Changes to an Existing Account - Request changes to an existing account
Account Deletion - Delete accounts in various systems
Locking Accounts - Lock accounts in various systems. For security reasons, you lock out a user because he is temporarily non-active as a member of a group or organization.
Unlocking Accounts - Unlock accounts from various systems. The user has become active in a group or organization and unlocking his account will reestablish his account and role.
Password Self Service - Reset or request to change your password
Information - Search and view information needed to complete a request
New Accounts
As a Requestor, you can request a new account in an SAP or a non-SAP system. You can also request a new account for another user.
To create a New Account:
1 Upon selecting the New Accounts option, the User Login page appears.
Figure 51
2 In the Select Language drop-down menu, select the desired language.
3 To display the Request Access page, enter your login credentials.
Note If you are requesting for another user, check Requesting for Other User. By selecting this box, the User Data fields require information about the user. If you do not select this option, then by default, the requestor's User ID information is populated in the User Data fields.
Figure 52
4 In the Request Type field, the value defaults to New since this is a new account. If the value is not New, then click the drop-down menu to select the appropriate request type.
5 In the Priority drop-down menu, select the appropriate entry. The possible values are High, Medium, or Low.
6 In the Functional Area drop-down menu, select the appropriate functional area that pertains to you.
7 In the Application field, click the Magnifying Glass icon to select the desired application (server) from the Select Application page.
8 In the Request Reason field, enter a description for your access request.
9 In the User Name field, enter the name of the person for whom you are requesting access. Enter the first name and then the last name.
10 In the User ID field, enter the person's User ID.
11 In the Telephone Number field, enter the person's telephone number.
12 In the Department field, enter the name of the department that the person belongs to.
Note In the Requestor and Manager Data group, the following fields are, by default, pre-populated with Requestor information: Requestor (name), E-Mail, and Telephone number.
14 In the Company drop-down menu, select the company's name.
15 In the Employee Type field, the default employee type is pre-populated. However, if this is incorrect, click the drop-down menu to select your employment status. An employee type can be Full-Time, Part-Time, Temporary, or Contractor.
16 In the Manager field, enter the manager's name.
17 In the E-Mail field, enter the manager's email address.
18 In the Telephone Number field, enter the manager's telephone number.
Note The Additional Information group contains custom fields, which can be mandatory or not to complete the access request. If the Request Access page does not have any custom fields, then the Additional Information group does not appear.
Figure 53
21 In the Select the System drop-down menu, select the system that contains the role.
22 In the Select the Type of Access drop-down menu, select the type of access for your request. You can choose one of the following:
Roles - Use if you want to search for a specific role by roles. Each role is searched by Name/Description.
Transaction - Use if you want to search for a specific role by transaction code. Upon selecting this value, the Enter Transaction Code field appears. Enter the exact transaction code and click Go.
Create my account like other user - Use if you know another user account that you want to model. Upon selecting this value, the Create My Account Like field appears. Enter the account name you want to model and click Go.
23 In the Application Area drop-down menu, select the application area.
24 In the Business Process drop-down menu, select the business process.
25 In the Sub Process drop-down menu, select the sub process associated with your business process.
26 In the Role Name field, enter the name of the role.
27 In the Role Description field, enter the description of the role.
28 In the Functional Area drop-down menu, select the functional area.
29 In the Company drop-down menu, select the company.
30 Click Go.
Changing an Account
As a Requestor, you can request a change to an existing account in an SAP or a non-SAP system. You can also request a change for another user.
To change an Account:
1 Upon selecting the Changes to an Existing Account option, the User Login page appears. Enter your login credentials to display the Request Access page.
Note If you are requesting for another user, check Requesting for Other User. By selecting this box, the User Data fields require information about the user. If you do not select this option, then by default, the requestor's User ID information is populated in the User Data fields.
Figure 54
2 In the Request Type field, the value defaults to Change since this is a change to an existing account. If the value is not Change, then click the drop-down menu to select it.
3 In the Priority drop-down menu, select the appropriate entry. The possible values are High, Medium, or Low.
4 In the Functional Area drop-down menu, select the appropriate functional area.
5 In the Application field, click the Magnifying Glass icon to select the desired application (server) from the Select Application page.
Figure 55
Note The Select Applications page displays SAP, Oracle application servers, and Others application tabs.
6 Select the desired application server, then click Continue.
7 In the Request Reason field, enter a description for the access request.
8 In the User Name field, enter the name of the person for whom you are requesting access. Enter the first name and then the last name.
9 In the User ID field, enter the person's User ID.
10 In the Telephone Number field, enter the person's telephone number.
11 In the Department field, enter the name of the department that the person belongs to.
Note In the Requestor and Manager Data group, the following fields are, by default, pre-populated with Requestor information: Requestor (name), E-Mail, and Telephone number.
12 In the Location field, enter the company's location.
13 In the Company drop-down menu, select the company's name.
14 In the Employee Type field, the default employee type is pre-populated. However, if this is incorrect, click the drop-down menu to select your employment status. An employee type can be Full-Time, Part-Time, Temporary, or Contractor.
15 In the Manager field, click the Search icon to query for the manager's name.
16 In the E-Mail field, enter the manager's email address.
18 You can either submit the request at this point or select a role. If you choose to submit the request, click Submit. The request is automatically routed to a workflow for approval. Otherwise, to select a role, skip this step.
19 Click Select Roles. The Select Roles page appears. Use this page to select a role you
Figure 56
20 In the Select the System drop-down menu, select the system that contains the role.
21 In the Select the Type of Access drop-down menu, select the type of access. You can choose one of the following:
Roles - Use to search for a specific role by roles. Roles are searched by Name/Description.
Transaction - Use to search for a specific role by transaction code. Upon selecting this value, the Enter Transaction Code field appears. Enter the exact transaction code and click Go.
Create my account like other user - Use to create an account like another user account that you want to model. Upon selecting this value, the Create My Account Like field appears. Enter the account name you want to model and click Go.
22 In the Application Area drop-down menu, select the application area.
23 In the Business Process drop-down menu, select the business process.
24 In the Sub Process drop-down menu, select the sub process associated with your business process.
25 In the Role Name field, enter the name of the role.
26 In the Role Description field, enter the description of the role.
27 In the Functional Area drop-down menu, select the functional area.
28 In the Company drop-down menu, select the company.
29 Click Go.
Deleting an Account
As a Requestor, you can request to delete an account in an SAP or a non-SAP system. You can also request to delete an account for another user.
To delete an Account:
1 Upon selecting the Account Deletions option, the User Login page appears. Enter your login credentials to display the Request Access page.
Note If you are requesting for another user, check Requesting for Other User. By selecting this box, the User Data fields require information about the user. If you do not select this option, then by default, the requestor's User ID information is populated in the User Data fields.
Figure 57
2 In the Request Type field, the value defaults to Delete Account since this is a change to an existing account. If the value is not Delete Account, then click the drop-down menu to select it.
3 In the Priority drop-down menu, select the appropriate entry. The possible values are High, Medium, or Low. Any other values in the menu are defined by your Access Enforcer Administrator.
4 In the Functional Area drop-down menu, select the appropriate functional area that pertains to you.
5 In the Application field, click the Magnifying Glass icon to select the desired application (server) from the Select Application page.
Figure 58
Note The Select Applications page displays SAP, Oracle application servers, and Others application tab.
6 Select the desired application server, then click Continue.
7 In the Request Reason field, enter a description for your delete request.
8 In the User Name field, enter the name of the person for whom you are requesting deletion. Enter the first name and then the last name.
9 In the User ID field, enter the person's User ID.
10 In the Telephone Number field, enter the person's telephone number.
11 In the Department field, enter the name of the department that the person belongs to.
Note In the Requestor and Manager Data group, the following fields are, by default, pre-populated with Requestor information: Requestor (name), E-Mail, and Telephone number.
12 In the Location field, enter your company's location.
13 In the Company drop-down menu, select your company's name.
14 In the Employee Type field, the default employee type is pre-populated. However, if this is incorrect, click the drop-down menu to select your employment status. An employee type can be Full-Time, Part-Time, Temporary, or Contractor.
15 In the Manager field, click the Search icon to query for your manager's name.
16 In the E-Mail field, enter your manager's email address.
Locking Accounts
As a Requestor, you can request to lock an account in an SAP or a non-SAP system. You can also request to lock an account for another user.
To lock an Account: 1
Upon selecting the Locking Accounts option, the User Login page appears. Enter your login credentials to display the Request Access page.
Note If you are requesting for another user, enable Requesting for Other User checkbox. By selecting this box, the User Data fields needs information about the user. If you do not select this option, then by default, the requestors User ID information is populated in the User Data fields.
Figure 59
70
In the Request Type field, the value defaults to Lock Account since this is a lock to an existing account. If the value is not Lock Account, then click the drop-down menu to select it. In the Priority drop-down menu, select the appropriate entry. The possible values are High, Medium, or Low. Any other values in the menu are defined by your Access Enforcer Administrator. In the Functional Area drop-down menu, select the appropriate functional area that pertains to you. In the Application field, click the Magnifying Glass icon application (server) from the Select Application page. to select the desired
Figure 60
Note
The Select Applications page displays SAP, Oracle application servers, and Others application tab.
6 7 8 9
Select the desired application server, then click Continue. In the Request Reason field, enter a description for your delete request. In the User Name field, enter the persons name for whom you are requesting deletion. Enter the first name and then the last name. In the User ID field, enter the persons User ID.
10 In the Telephone Number field, enter the persons telephone number. 11 In the Department field, enter the name of the department that the person belongs to.
Note In the Requestor and Manager Data group, the following fields are, by default, pre-populated with Requestor information: Requestor (name), E-Mail, and Telephone number.
13 In the Company drop-down menu, select your companys name. 14 In the Employee Type field, the default employee type is pre-populated. However, if
this is incorrect, click the drop-down menu to select your employment status. An employee type can be Full-Time, Part-Time, Temporary, or Contractor.
15 In the Manager field, click the Search icon to query for your managers name. 16 In the E-Mail field, enter your managers email address. 17 In the Telephone Number field, enter your managers telephone number.
Note The Additional Information group contains custom fields, which can be mandatory or not to complete the access request. If the Request Access page does not have any custom fields, then the Additional Information group does not appear.
Figure 61
20 In the Select the System drop-down menu, select the system that contains the role
request. You can choose one of the following: Roles Use if you want to search for specific role by roles. Each role is searched against its description an not its role name.
72
Transaction Use if you want to search a specific role by transaction code. Upon selecting this value, the Enter Transaction Code field appears. Enter the exact transaction code and click Go. Create my account like other user Use if you know another user account that you want to model. Upon selecting this value, the Create My Account Like field appears. Enter the account name you want to model and click Go.
22 In the Application Area drop-down menu, select the application area for your request.
23 In the Business Process drop-down menu, select the business process for your request.
24 In the Sub Process drop-down menu, select the sub process associated with your business process.
25 In the Role Name field, enter the name of the role for your request.
26 In the Role Description field, enter the description of the role for your request.
27 In the Functional Area drop-down menu, select the functional area for your request.
28 In the Company drop-down menu, select the company for your request.
29 Click Go.
Unlocking Accounts
As a Requestor, you can request to unlock a locked account in an SAP or a non-SAP system.
To unlock an account:
1 Upon selecting the Unlocking Accounts option, the User Login page appears. Enter your login credentials to display the Request Access page.
Note If you are requesting for another user, check Requesting for Other User. By selecting this box, the User Data fields require information about the user. If you do not select this option, then by default, the requestor's User ID information is populated in the User Data fields.
Figure 62
2 In the Request Type field, the value defaults to Unlock Account since this is a request to unlock a locked account. If the value is not Unlock Account, then click the drop-down menu to select it.
3 In the Priority drop-down menu, select the appropriate entry. The possible values are High, Medium, or Low. Any other values in the menu are defined by your Access Enforcer Administrator.
4 In the Functional Area drop-down menu, select the appropriate functional area that pertains to you.
5 In the Application field, click the Magnifying Glass icon to select the desired application (server) from the Select Application page.
Figure 63
Note
The Select Applications page displays SAP, Oracle application servers, and Others application tab.
6 Select the desired application server, then click Continue.
7 In the Request Reason field, enter a description for your delete request.
8 In the User Name field, enter the name of the person for whom you are requesting deletion. Enter the first name and then the last name.
9 In the User ID field, enter the person's User ID.
10 In the Telephone Number field, enter the person's telephone number.
11 In the Department field, enter the name of the department that the person belongs to.
Note In the Requestor and Manager Data group, the following fields are, by default, pre-populated with Requestor information: Requestor (name), E-Mail, and Telephone number.
12 In the Location field, enter your company's location.
13 In the Company drop-down menu, select your company's name.
14 In the Employee Type field, the default employee type is pre-populated. However, if this is incorrect, click the drop-down menu to select your employment status. An employee type can be Full-Time, Part-Time, Temporary, or Contractor.
15 In the Manager field, click the Search icon to query for your manager's name.
16 In the E-Mail field, enter your manager's email address.
Figure 64
20 In the Select the System drop-down menu, select the system that contains the role request. You can choose one of the following:
Roles: Use to search for a specific role by roles. Roles are searched by Name/Description.
Transaction: Use to search for a specific role by transaction code. Upon selecting this value, the Enter Transaction Code field appears. Enter the exact transaction code and click Go.
Create my account like other user: Use to create an account like another user account that you want to model. Upon selecting this value, the Create My Account Like field appears. Enter the account name you want to model and click Go.
22 In the Application Area drop-down menu, select the application area for your request.
23 In the Business Process drop-down menu, select the business process for your request.
24 In the Sub Process drop-down menu, select the sub process associated with your business process.
25 In the Role Name field, enter the name of the role for your request.
26 In the Role Description field, enter the description of the role for your request.
27 In the Functional Area drop-down menu, select the functional area for your request.
28 In the Company drop-down menu, select the company for your request.
29 Click Go.
Upon selecting the Password Self Service option, the Password Self-Service page appears.
Figure 65 2
3 4
In the SAP System drop-down menu, select the SAP system that contains your User ID account and password information. Select the Synchronize on all SAP systems checkbox to enable your password to apply to other SAP systems.
Information Request
As a Requestor, you can request for information only from an SAP or a non-SAP system. You can also request information for another user.
To request access for Information:
1 Upon selecting the Information option, the User Login page appears. Enter your login credentials to display the Request Access page.
Note If you are requesting for another user, enable the Requesting for Other User checkbox. By selecting this box, the User Data fields need information about the user. If you do not select this option, then by default, the requestor's User ID information is populated in the User Data fields.
Figure 66
2 In the Request Type field, the value defaults to Information since this is a request for information only. If the value is not Information, then click the drop-down menu to select it.
3 In the Priority drop-down menu, select the appropriate entry. The possible values are High, Medium, or Low. Any other values in the menu are defined by your Access Enforcer Administrator.
4 In the Functional Area drop-down menu, select the appropriate functional area that pertains to you.
5 In the Application field, click the Magnifying Glass icon to select the desired application (server) from the Select Application page.
Figure 67
Note
The Select Applications page displays SAP, Oracle application servers, and Others application tab.
6 Select the desired application server, then click Continue.
7 In the Request Reason field, enter a description for your delete request.
8 In the User Name field, enter the name of the person for whom you are requesting deletion. Enter the first name and then the last name.
9 In the User ID field, enter the person's User ID.
10 In the Telephone Number field, enter the person's telephone number.
11 In the Department field, enter the name of the department that the person belongs to.
Note In the Requestor and Manager Data group, the following fields are, by default, pre-populated with Requestor information: Requestor (name), E-Mail, and Telephone number.
12 In the Location field, enter your company's location.
13 In the Company drop-down menu, select your company's name.
14 In the Employee Type field, the default employee type is pre-populated. However, if this is incorrect, click the drop-down menu to select your employment status. An employee type can be Full-Time, Part-Time, Temporary, or Contractor.
15 In the Manager field, click the Search icon to query for your manager's name.
16 In the E-Mail field, enter your manager's email address.
17 In the Telephone Number field, enter your manager's telephone number.
Note The Additional Information group contains custom fields, which can be mandatory or not to complete the access request. If the Request Access page does not have any custom fields, then the Additional Information group does not appear.
want for this request. However, this step is not necessary for Deleting Request.
Figure 68
20 In the Select the System drop-down menu, select the system that contains the role request. You can choose one of the following:
Roles: Use if you want to search for a specific role by roles. Each role is searched against its description and not its role name.
Transaction: Use if you want to search for a specific role by transaction code. Upon selecting this value, the Enter Transaction Code field appears. Enter the exact transaction code and click Go.
Create my account like other user: Use if you know another user account that you want to model. Upon selecting this value, the Create My Account Like field appears. Enter the account name you want to model and click Go.
22 In the Application Area drop-down menu, select the application area.
23 In the Business Process drop-down menu, select the business process.
24 In the Sub Process drop-down menu, select the sub process associated with your business process.
25 In the Role Name field, enter the name of the role.
26 In the Role Description field, enter the description of the role.
27 In the Functional Area drop-down menu, select the functional area.
28 In the Company drop-down menu, select the company.
29 Click Go.
Request Status
Access Enforcer allows Requestors to search and view a comprehensive list of all requests that they have submitted over a period of time, by status (Open, Closed, or Rejected), or a combination of the two. The Request Status option helps Requestors track a specific request through the approval process as well as keep an up-to-date record of all requests submitted over time.
To view Request Status:
1 In the Access Enforcer navigation menu, click Request Status. The User Login page appears.
2 Enter your login credentials to display the Request Status page.
Figure 69
3 In the Select Request Status drop-down menu, select a status type. Choose one of the following: Open, Closed, or Rejected.
4 In the Submission Date field, click the Calendar icon to select a from and to date range.
5 Click Search.
Support
Access Enforcer provides Support information on how to contact Customer Service. You can contact Customer Service via email or phone. Before contacting Customer Service, it is recommended that you have the following information:
Version of Access Enforcer
Version of Compliance Calibrator
Version of SAP
Version of Oracle
A detailed description of the problem
In the Access Enforcer navigation menu, click Support. The Customer Support page appears.
Figure 70
4 USING THE INFORMER MODULE
Overview
Access Enforcer provides the ability to generate various reports for the purpose of viewing and analyzing request approval activities. Reports are divided into the following two categories:
Analytical: You can drill down to individual role change and access permission requests.
Chart: You can generate a graphical view of the request approval information, which can be used to analyze various activities.
Analytical View
The Analytical Reports category deals with risks, conflicts, and mitigation controls assigned to each of the risks. Analytical reports provide extensive details for all open requests, requests by User ID, roles owned by specific role owners, and permissions. Upon logging in to Access Enforcer, click the Informer tab. Then click Analytical View > Analytical Reports. The Analytical Reports page appears.
Figure 71
In the Analytical Reports page, click Service Level for Request. The Service Level for Request page appears.
Figure 72
Note
You can use any of the fields as search criteria. Afterwards, click Search.
2 In the From Date and To Date fields, click the Calendar icon to select a date range.
3 In the Requestor field, enter the name of the requestor.
4 In the Requestor ID field, enter the name of the requestor ID.
5 In the Approver field, enter the name of the approver.
6 In the Status drop-down menu, select the status type.
7 Select the Display only exceeding Service Level option to view all requests whose actual service time has exceeded the expected service time.
8 Click Search. The Service Level for Request page then displays the search results.
Note Click Clear to clear out any values in the fields to start a new search. Otherwise, click Cancel to dismiss the current page and return to the menu page.
Figure 73
Note
Click on any of the column headings in the Search Results table to sort the request by ascending or descending order. To view the details of a request, you need to copy and paste the request number into the Search Request option in the Access Enforcer tab.
In the Analytical Reports page, click Request with Conflicts and Mitigation. The Request with Conflicts and Mitigation page appears.
Figure 74
Note
You can use any of the fields as search criteria. Afterwards, click Search.
2 In the From Date and To Date fields, click the Calendar icon to select a date range.
3 In the Requestor field, enter the name of the requestor.
4 In the Requestor ID field, enter the name of the requestor ID.
5 In the Risk ID field, enter the risk ID. This is a unique identifier for the risk.
6 In the Approver field, enter the name of the approver.
7 In the Status drop-down menu, select the status type.
8 In the Mitigation Control field, enter the mitigation control.
9 Select the Conflict without Mitigation Controls option to view requests that are not assigned with mitigation controls.
10 Select the Conflict with Mitigation Controls option to view requests that are assigned with mitigation controls.
Note Click Clear to clear out any values in the fields to start a new search. Otherwise, click Cancel to dismiss the current page and return to the menu page.
11 Click Search. The Conflicts and Mitigations page then displays the search results.
Figure 75
Note
Click on any of the column headings in the Search Results table to sort the request by ascending or descending order. To view the details of a request, you need to copy and paste the request number into the Search Request option in the Access Enforcer tab.
In the Analytical Reports page, click Request by Roles and Role Owners. The Request by Roles and Role Owners page appears.
Figure 76
Note
You can use any of the fields as search criteria. Afterwards, click Search.
2 In the From Date and To Date fields, click the Calendar icon to select a date range.
3 In the Role Name field, enter the name of the role.
4 In the Status drop-down menu, select the status type.
5 In the Role Owner field, enter the name of the role owner.
Note Click Clear to clear out any values in the fields to start a new search. Otherwise, click Cancel to dismiss the current page and return to the menu page.
Click Search. The Request by Roles and Role Owners page then displays the search results.
Figure 77
Note
Click on any of the column headings in the Search Results table to sort the request by ascending or descending order. To view the details of a request, you need to copy and paste the request number into the Search Request option in the Access Enforcer tab.
In the Analytical Reports page, click List Roles and Owners. The List Roles and Owners page appears.
Figure 78
Note
You can use any of the fields as search criteria. Afterwards, click Search.
2 In the Role Name field, enter the name of the role.
3 In the Role Owner drop-down menu, select the name of the role owner.
4 In the Business Process drop-down menu, select the business process.
5 In the Functional Area drop-down menu, select the functional area.
6 In the Role Description field, enter a description of the role.
7 In the Secondary Owner drop-down menu, select the business process.
8 In the Sub Process drop-down menu, select the sub process.
9 In the System drop-down menu, select the system.
Note Click Clear to clear out any values in the fields to start a new search. Otherwise, click Cancel to dismiss the current page and return to the menu page.
10 Click Search. The List Roles and Owners page then displays the search results.
Figure 79
Note
Click on any of the column headings in the Search Results table to sort the request by ascending or descending order. To view the details of a request, you need to copy and paste the request number into the Search Request option in the Access Enforcer tab.
In the Analytical Reports page, click Requests by PD/Structural Profiles. The Requests by PD/Structural Profiles page appears.
Figure 80
Note
You can use any of the fields as search criteria. Afterwards, click Search.
2 In the From Date and To Date fields, click the Calendar icon to select a date range.
3 In the PD Profile Name field, enter the name of the PD profile.
4 In the Description field, enter a description of the PD profile.
5 In the Status drop-down menu, select the status.
6 In the System drop-down menu, select the system.
Note Click Clear to clear out any values in the fields to start a new search. Otherwise, click Cancel to dismiss the current page and return to the menu page.
Click Search. The Requests by PD/Structural Profiles page then displays the search results.
Figure 81
Note
Click on any of the column headings in the Search Results table to sort the request by ascending or descending order. To view the details of a request, you need to copy and paste the request number into the Search Request option in the Access Enforcer tab.
Chart View
The Chart Reports category displays various graphical reports for a specific time period. The Chart View reports are divided into two types of views: pie charts, which show the shares of a particular element, and bar charts, which show a trend of a particular element. These elements can be the request status, request type, risk violations, assigned roles, and the like. The views are listed as follows:
Access Request
  Access Request (pie chart)
  Request by Type (bar chart)
Risk Violations
  Request and Risk Violations (pie chart)
  Risk Violation Details (bar chart)
Provisioning
  Role Assigned/Removed (bar chart)
  User Processed (bar chart)
Service Level
  Request Count by Year/Month (exponential graph)
  Service Level (exponential graph)
Upon logging in to Access Enforcer, click the Informer tab. Then click Chart View.
Access Request
The Access Request report option displays the total number of requests grouped by request status.
To generate an Access Request report:
1 Expand the Chart View option, click Access Request. The Access Enforcer Management Reports - Access Request page appears.
Note You can use any of the fields as criteria to create your report. Afterwards, click Go.
Figure 82
2 In the From Date and To Date, click the Calendar icon.
3 In the System drop-down menu, select the system.
4 In the Request Type drop-down menu, select the request type.
5 In the Priority drop-down menu, select the priority of the request.
6 In the Functional Area drop-down menu, select the functional area.
7 Click Go.
Note Use the same steps to generate a Request by Type Report.
After creating the report, you can scroll over the graph with your cursor, where the pie chart jumps to the Request page. The Request page displays the requests that are represented in the pie chart.
Risk Violations
The Risk Violations report option displays the total number of requests grouped by violations and mitigation. The information in the Risk Violation Details indicates the details of risk violations.
To generate a Risk Violation report:
1 Expand the Chart View option, click Risk Violations. The Access Enforcer Management Reports - Risk Violations page appears.
Note You can use any of the fields as criteria to create your report. Afterwards, click Go.
Figure 83
2 In the From Date and To Date, click the Calendar icon.
3 In the System drop-down menu, select the system.
4 In the Request Type drop-down menu, select the request type.
5 In the Priority drop-down menu, select the priority of the request.
6 In the Functional Area drop-down menu, select the functional area.
7 Click Go.
The Risk Violation Details displays the details of requests with violations, number of violations, and total number of requests grouped by violations and mitigations. After creating the report, you can scroll over the graph with your cursor, where the pie chart jumps to the Request page. The Request page displays the requests that are represented in the pie chart.
Provisioning
The Provisioning report option displays the number of roles assigned or removed in requests. The Role Assigned/Removed report shows the roles assigned and removed. The User Processed report displays the total users grouped by request type. The chart shows total users created, deleted, locked, unlocked, and changed.
Expand the Chart View option, click Provisioning. The Access Enforcer Management Reports - Provisioning page appears.
Note You can use any of the fields as criteria to create your report. Afterwards, click Go.
Figure 84
2 In the From Date and To Date, click the Calendar icon.
3 In the System drop-down menu, select the system.
4 In the Request Type drop-down menu, select the request type.
5 In the Employee Type drop-down menu, select the employee type.
6 In the Location drop-down menu, select the location.
7 Click Go.
Note Use the same steps to generate a Users Processed Report.
After creating the report, you can scroll over the graph with your cursor, where the bar chart jumps to the Request page. The Request page displays the requests that are represented in the bar chart.
Service Level
The Service Level report option displays the total number of requests grouped by year or month.
To generate a Service Level report:
1 Expand the Chart View option, click Service Level. The Access Enforcer Management Reports - Service Level page appears.
Note You can use any of the fields as criteria to create your report. Afterwards, click Go.
Figure 85
2 In the From Date and To Date, click the Calendar icon.
3 In the System drop-down menu, select the system.
4 In the Request Type drop-down menu, select the request type.
5 In the Functional Area drop-down menu, select the functional area.
6 Click Go.
Note Use the same steps to generate a Service Level Report with the exception of the Priority field. In the Priority field, click the drop-down menu to select the priority of the request you want to add to your report. Click Go.