Hot topics in GRC:

SAP BusinessObjects
Access Control 10.0
Scott Enerson, PwC
14 September 2011
PwC
Agenda
Objectives Of This Session
Governance, Risk, and Compliance Trends
SAP BusinessObjects Access Control 10.0 Overview
Hardware Landscape
Upgrade/Migration Path
Questions
Objectives Of This Session
Understand the capabilities of SAP's Access Control solution
Understand the key differences between previous versions of Access
Control and version 10.0
Understand how the Access Control solution can help address
operational and compliance challenges
Know where to find additional information resources on the Internet
Governance, Risk, and Compliance (GRC) Trends
GRC Technology Maturity - Recent Trends
Optimizing access control
Control repository as a platform
Multi-compliance framework
Continuous controls monitoring (CCM) technology is maturing
CCM is being considered in a wide context
Integrating GRC solutions
Benefits of Integrated GRC
Visibility, confidence, efficiency
Top 5 Areas of Interest in Version 10
Improvements in functionality and usability
Migration from older versions (including VIRSA) to GRC 10.0
Connectivity beyond SAP: use of 3rd-party vendors such as Greenlight Technologies
Timing, cost and level of effort for upgrade
Value proposition for new implementations
SAP BusinessObjects Access Controls Overview
SAP GRC Suite: Access Controls, Process Controls, & Risk Management
The diagram shows three layers: Enterprise risk, Business process, and Security.

SAP GRC Process Control
Business drivers:
Continuous monitoring
Sustainable cost of compliance
Stronger alignment across the assurance community & lines of business
Better insight & timely decision making
Greater transparency & accountability
Value proposition:
Automation of control activities through continuous control monitoring & auditing.
Multi-compliance framework enables enterprise-wide regulations.
Centralization of risk & control documentation/testing/remediation across organizations and compliance initiatives.

SAP GRC Risk Management
Business drivers:
Common definition of risk across the lines of business
Faster & timely response to risk anomalies/violations
Increased level of automation across the risk management value chain
Increased visibility of risk to shareholders & board
Value proposition:
Alignment of risks to strategic priorities and business objectives.
Proactive risk monitoring through defined key risk indicators and a standardized early warning system.
View of consolidated risk exposure resulting from risk analysis and correlation.

SAP GRC Access Control
Business drivers:
Inefficient & inconsistent utilization of access control across the organization.
Inflexible & inefficient role build model.
Inability to embed preventative SoD analysis within the user access lifecycle.
User provisioning is a time consuming and slow process.
Better insight & transparency
Value proposition:
Real-time insight into access and segregation of duties violations.
Reduction of critical access risks through control mitigation and dashboard reporting.
Preventative user provisioning through identification of user conflicts prior to granting access.
Overview of SAP Access Controls
The SAP GRC Access Control platform provides different functionality layers:
Centralized access risk repository for multi-application landscapes
Centralized analysis and mitigation of access risks
Centralized platform for managing and reviewing emergency access activities
Centralized request and approval process from hire to retire access
Automated re-certification of existing access
Access Risk Analysis
[Diagram: SAP BO Access Control, with the components Role Management, Access Risk Analysis, Provisioning, Superuser Privilege Management, and Auditing and review; Identity Management (SAP NetWeaver IdM, IBM, SUN); authoritative sources (HR, Self-service); and Applications.]
Access Risk Analysis Comparison

Access Controls 5.3: Multiple user analysis requires repeated manual input.
Access Controls 10: User list upload functionality; ability to exclude values and ranges.
Key difference: More complex selection criteria available.

Access Controls 5.3: Reporting is static and the output requires manual data manipulation in either Excel or Access.
Access Controls 10: Reporting engine is based on Crystal Reports. Customize reports via filters, changing column order, hiding columns.
Key difference: Reduces effort to manipulate reports into readable formats.

Access Controls 5.3: One report type per analysis. Multiple reports must be run to evaluate both SoD and sensitive access risks.
Access Controls 10: Ability to run multiple report types at the same time.
Key difference: Ability to run multiple reports at once to have a complete picture of risk.
Access Risk Analysis Comparison (continued)

Access Controls 5.3: Mitigating controls need to be assigned to a user one at a time and are not shared with Process Controls.
Access Controls 10: Mass mitigation is available and control data is shared with Process Controls.
Key difference: Shared controls repository with Process Controls.

Access Controls 5.3: Transaction code usage is available only through the use of the Alert function.
Access Controls 10: Transaction code usage is now a part of various reports.
Key difference: Transaction code usage is integrated into the reporting functionality.

Access Controls 5.3: Rule set change management procedures were performed outside of Access Controls.
Access Controls 10: Native SAP workflow engine to help drive the change management process.
Key difference: Embedded change documentation in rule set change management processes.
Emergency Access Management
Emergency Access Management Comparison

Access Controls 5.3: Manual log review process with no electronic signoff.
Access Controls 10: Workflow for the log review and signoff process.
Key difference: Electronic record of the log review process.

Access Controls 5.3: Requires master data to be set up in multiple environments.
Access Controls 10: Centralized setup of master data.
Key difference: Centralized source for accessing and configuring Superuser functionality.

Access Controls 5.3: Firefighters are required to log on to multiple clients.
Access Controls 10: Centralized access point for firefighters.
Key difference: Consistent reporting format for all emergency activities.

Access Controls 5.3: ABAP and Java reporting functionality, with limitations on detail.
Access Controls 10: Additional reports are available, for example operating system reports, audit log, and debug and replace.
Key difference: Enhanced reporting.
Access Request
Access Request Comparison

Access Controls 5.3: Relies on internal workflow engine to initiate and route requests.
Access Controls 10: SAP native workflow engine that provides enhanced functionality and logic for routing approvals.
Key difference: Utilizes native SAP functionality to route access requests and manage workflow.

Access Controls 5.3: Limited options for determining workflow.
Access Controls 10: Complex requirements can be met using the business rules framework (BRF+).
Key difference: Increased flexibility in defining workflow.

Access Controls 5.3: Automated user access review (UAR) that allowed for managers or role owners to perform a review.
Access Controls 10: User Access Reviews (UAR) can be routed to different approvers.
Key difference: Ability to route UAR approvals to other approvers.
Access Request Comparison (continued)

Access Controls 5.3: Role master data for access requests can be maintained in both the ERM and CUP database.
Access Controls 10: Roles available for provisioning are now maintained in the Role Management application.
Key difference: Centralized repository for roles available for provisioning.

Access Controls 5.3: Limited customization of end user request forms.
Access Controls 10: Ability to create end user request forms; introduction of template requests.
Key difference: New customizability in end user experience.

Access Controls 5.3: Integration with Identity Management tools.
Access Controls 10: Enhanced integration with Identity Management.
Key difference: Flexibility in choosing whether AC or IdM accepts requests or performs final provisioning.
Role Management
Role Management Comparison

Access Controls 5.3: Used as a design solution for technical roles.
Access Controls 10: Introduction of business role concept.
Key difference: Business role concept.

Access Controls 5.3: Internal workflow engine to manage processes.
Access Controls 10: Utilizes traditional SAP workflow to route activities and approvals.
Key difference: More flexible SAP workflow.

Access Controls 5.3: Real time SoD can be performed with a single rule set.
Access Controls 10: Real time SoD can be performed on multiple rule sets.
Key difference: Ability to test roles against multiple rule sets.

Access Controls 5.3: For SAP there is the ability to define role content in both ERM and SAP.
Access Controls 10: For SAP, role content definition is only performed in SAP.
Key difference: Leverages existing SAP role creation and maintenance processes.
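To make the Access Risk Analysis and Role Management points concrete (SoD and sensitive-access risks, several rule sets evaluated in one run, mitigating controls, and a preventative check before a role is provisioned), here is an added Python example; it is not part of the original deck and not SAP's code, and all roles, transaction codes, rule set names, risk IDs and control IDs are constructed sample data.

```python
# Minimal access risk analysis in the spirit of Access Control's Access Risk
# Analysis: SoD and critical-access risks, several rule sets in one run,
# mitigating controls, and a what-if check before a role is provisioned.
# Added example, not SAP code; all identifiers are constructed sample data.

# Role -> transaction codes (actions) it grants.
ROLES = {
    "Z_AP_INVOICE": {"FB60", "MIRO"},    # enter vendor invoices
    "Z_AP_PAYMENT": {"F110"},            # run the payment program
    "Z_VENDOR_MAINT": {"XK01", "XK02"},  # create / change vendor master
    "Z_BASIS_DEBUG": {"SE38"},           # sensitive: ABAP editor
}
USERS = {"alice": {"Z_AP_INVOICE", "Z_AP_PAYMENT"},
         "bob": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},
         "carol": {"Z_BASIS_DEBUG"}}
# Rule sets: an SoD risk lists two or more conflicting functions (each a set
# of actions); a critical-access risk lists one sensitive function.
RULE_SETS = {
    "GLOBAL": {"P001": ("SOD", [{"FB60", "MIRO"}, {"F110"}]),  # invoice + pay
               "B001": ("CRITICAL", [{"SE38"}])},               # ABAP editor
    "LOCAL_SE": {"P002": ("SOD", [{"XK01", "XK02"}, {"F110"}])},  # vendor + pay
}
# Mitigating controls already assigned to (user, risk id).
MITIGATIONS = {("carol", "B001"): "MC-BASIS-REVIEW"}
ALL_RULE_SETS = ("GLOBAL", "LOCAL_SE")

def actions_of(roles):
    """Flatten a set of roles to the actions they grant."""
    return set().union(*(ROLES[r] for r in roles))

def analyze(actions, rule_set_names=ALL_RULE_SETS, user=None):
    """Return {(rule_set, risk_id): (kind, status)} for every matched risk.
    A risk matches when at least one action of EVERY function is held."""
    found = {}
    for rs in rule_set_names:
        for rid, (kind, functions) in RULE_SETS[rs].items():
            if all(actions & f for f in functions):
                status = "mitigated" if (user, rid) in MITIGATIONS else "open"
                found[(rs, rid)] = (kind, status)
    return found

def user_risks(user, rule_set_names=ALL_RULE_SETS):
    return analyze(actions_of(USERS[user]), rule_set_names, user)
def role_risks(role, rule_set_names=ALL_RULE_SETS):
    return analyze(ROLES[role], rule_set_names)  # risks a role carries alone
def simulate(user, new_role, rule_set_names=ALL_RULE_SETS):
    """Preventative check: risks that provisioning new_role would introduce."""
    before = user_risks(user, rule_set_names)
    after = analyze(actions_of(USERS[user] | {new_role}), rule_set_names, user)
    return {k: v for k, v in after.items() if k not in before}
```

Running bob against only the GLOBAL rule set reports nothing, while the combined run surfaces his vendor-master/payment conflict from LOCAL_SE, which is the single-versus-multiple rule set difference the slides describe.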
Harmonization on a Unified Platform
Access Controls Harmonization & Unified Compliance Platform

Access Controls 5.3: Applications are deployed on both Java and ABAP.
Access Controls 10: Standardized ABAP platform.
Key difference: Only the SAP ABAP skill set is necessary.

Access Controls 5.3: Web interface looks different from the ABAP interface.
Access Controls 10: Harmonized user interface for all applications.
Key difference: End users experience a consistent look.

Access Controls 5.3: Security is maintained in the Java UME, with limited granularity.
Access Controls 10: Native ABAP security allows granular security to be implemented.
Key difference: Traditional SAP approach to security.

Access Controls 5.3: Configuration is managed by importing and exporting data.
Access Controls 10: Standard SAP transport and archiving are embedded.
Key difference: ABAP platform supported by Basis processes already in place.
Access Controls Harmonization & Unified Compliance Platform (continued)

Access Controls 5.3: Access Controls 5.3, Process Controls 3.0, and Risk Management 3.0 have their own individual master data.
Access Controls 10: Common master data repository for Access Controls, Process Controls, and Risk Management.
Key difference: Single repository of master data for all applications.

Access Controls 5.3: Access Controls 5.3 leverages its own workflow.
Access Controls 10: Leverages standard SAP workflow.
Key difference: Wider variety of workflow configuration possibilities available.
Connectivity beyond SAP with Greenlight
GRC 10.0 Hardware Landscape
Access Control 10.0 Architecture
Upgrade/Migration Path
Migration/Upgrade Paths
Migration / Upgrade Paths for earlier releases of GRC solutions
Migration/Upgrade Paths (continued)
Migration / Upgrade Path for Multiple GRC solutions
Summary
Key Benefits of Version 10
Easier GRC technical system implementation and management
Better reporting improves visibility to segregation of duties and
sensitive access controls
Can help lower the cost and effort of security operational activities
Improved flexibility in workflow
Enhanced integration with Identity Management tools
Improvements in role concept management functionality
Further Help
Where to find more information
PwC SAP Security and Risk Management Services
http://www.pwc.com/se/sap
SAP BusinessObjects GRC Solutions Overview
http://www.sap.com/grc
General help with SAP Governance Risk and Compliance
http://help.sap.com/content/bobj/sbu/index_grc.htm
SAP BusinessObjects Access Control 10.0 Live Demonstration
Thursday, 10:45-11:05 and 13:15-13:35, at the PwC Booth
Questions
Contact Us
Scott Enerson
scott.enerson@se.pwc.com
M: +46 (0) 709 29 36 88
Boost Your Vision
2011 PwC. All rights reserved. Not for further distribution without the permission of PwC.
"PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.
Thank you for listening!