SAP User Access Reviews

Chris Haigh
Global SAP Security Specialist
12 years SAP security experience
ABAP, Basis and Security for initial SAP projects
at Woolwich plc in 1999 (R/3 4.0 and 4.6c)
Barclays SAP program Security & Integration
BI authorisations

In-house SAP Security specialist at

Brakes Foodservice, outsourced to Atos Origin
(RS Components, United Biscuits)

SAP Security Capability lead at Axon Solutions

BI 7.0 specialism
(AA, BP, Davis Langdon, Harrow Council,
Northern Rail, NPIA, SHS, TfL, UBS)
 K-C since May 2008
PI
APO
BOBJ
portal

CRM
SCM
ECC
BW
MDM
SolMan
SRM
 Our Product Areas

Personal Care Consumer Tissue

Health Care K-C Professional

 SOX Requirement

Processes for allocation of access

Changes to access (allocation or functionality)

Reviewing access periodically.

Access Reviews now part of GRC 10.0

Other vendors offering Access Review functions.

2007 and 2008 Audit Finding
 7,700

17,200
4,500 Asia Pacific
EMEA
5,800 LAO
North America
 Original Process

System based (30 production systems)

Role focussed (30,000+ roles)

Many visits for the same users

For each system
For each role

Access changes requested and processed

manually.
Very Repetitive

Role 1

Role 2

Role n
 Excel Based

Export role allocations from SAP to Excel

Add role owner information from SQL

Add team structure information from HR

Sent to team leaders by role owners by e-mail

LAO were taking 3 months to complete a review

How to fix the Audit Finding?

 Risk Based Reviews

Over 30,000 roles globally

Not all roles need reviewing

Only review the important roles

Assess risk of each role.

 Role Classification

Role owners often unaware of some of risk

Wanted a scientific approach

Key transactions
Critical / Sensitive functions
Critical authorisation values
Key business processes
Contributing to SoD concerns.
 Confidential or Internal

Confidential
Roles contain important access or could contribute
to a segregation of duties concern
Role allocations must be reviewed.

Internal
If role allocations not reviewed, these would not
expose Kimberly-Clark to any significant risk.
 Use of Virsa

Assess role contents at role change time

Technical checks if critical values being

introduced

SoD contributing transactions

Role classification updated as necessary.

 Virsa Process
As part of role change management
Assess Re-Assess to
Change role
current risks see if risks
contents
in role have changed

Internal roles changing their classification

Confidential roles rarely lose access

Internal roles wont be reviewed.

Classifications into SAP Role Database
 A New Process for Access Reviews

Fewer roles to review

Still more than we expected!

Fewer users to review

Some only have Internal roles

Reduced effort to manage review process

GRC 10.0 didnt exist in 2009.

 Because of our SAP history

Fire fight and Virsa

Developed in-house solution

Caters for some unique K-C issues

Most cost effective, given planned initiatives.

 The SAP Access Review System

SQL database, with Intranet based pages

Weekly extracts of data

SAP (AGR_USERS table)
active directory
contractor database and
Education Management System

Data in .CSV format, leveraging old process.

 A True Team Structure

Permanent employees
Based on HR organisation structure

Contract staff
Not in HR structure
Have a K-C sponsor
Sponsor considered their team leader.
Main Review Screen
Multi-Language
 Team Leader Focussed Reviews

All SAP access for the team members

Each SAP system regardless of region

Shows the confidential roles first.

Confidential Role Display
Full Role Display
Drill Through to Role Info
 Team Leader Focussed Reviews

All SAP access for the team members

Each SAP system regardless of region

Shows the confidential roles first.

Allows removal of roles no longer required

Allows team structure to be amended.

Removing Team Members / Roles
 System Retains History of Review

Once team members and roles have been

checked
Including any team changes
Role removals

Last two reviews held in system

Latest review visibile.

Review History
 Delegating the Task

Team Leaders have the responsibility to ensure

their team reviewed
Can delegate to a member of their team
Can delegate to a trusted third party
Team leaders can set 2 delegates

People can request to be a delegate

Admin can set their delegates to any team.

Delegation
Delegation
 Reporting

Mainly for people supporting system

Orphan Users
Review History
Role Centric
User Not Reviewed
User Centric View.
Reporting Role Centric View
 Orphans

Team members without a team leader

Some due to timing issues in team structure

Some truly missing a manager

Contractors moving teams

Team leaders leaving.

Orphan User Report
Built-In Help / Tutorial
 Some Numbers

4,140 Team Leaders

35,000 Team Members

Initially 700+ Orphans!

Over 500,000 user-role allocations

95% completion in active regions.

 Chasing Up

Team leaders responsible for completing

reviews

Regional Internal Controls oversee process

Some changes needed to system, as not

designed to be administer centrally

Culture change necessary to stop handholding.

 Lessons Learnt

Organisation data for many teams wrong

Time wasted on correcting team info, not doing

reviews

Some team leaders would complain longer

about doing a review than review took them!
 Future Changes

Workday being rolled out globally

true Global HR system
K-C employees
Contract staff

CA Identity Manager
Managing user accounts
SAP role allocations.
?