
SAPPHIRE Berlin 2008

How to Successfully Implement SAP GRC Access Control

Reinhard Falke, Vibracoustic
Jasmin Reuschling, SAP Deutschland AG & Co. KG

21.05.2008 | All rights reserved by Vibracoustic GmbH & Co. KG | Höhnerweg 2-4 | 69469 Weinheim | info@vibracoustic.de | www.vibracoustic.de | BE3866
Agenda

• Vibracoustic Company Profile
• Motivation to look after GRC
• Approach and Current Status of Implementation
• SAP GRC Access Control
• SAP NetWeaver Identity Management
• Future Plans/Vision

Company Profile

Vibracoustic GmbH & Co. KG
Höhnerweg 2-4
69456 Weinheim
www.vibracoustic.com

• Automotive supplier
• 2500 employees in Europe
• Headquarters in Weinheim/Germany
• A company of the Freudenberg Group

Product Range

[Figure: product overview with the groups Engine Mounts (Hydro Mount, Multi Function Mount, Electrically Switchable Hydro Mount), Air Spring/MCU (Air Spring Damper, All-terrain Vehicle Mount, Air Spring PC, Air Spring CV, MCU, Jounce Bumper), Torsional Vibration Dampers (Torsional Vibration Damper, Decoupled Pulley) and Chassis Parts (Suspension Link, Drive Shaft Damper, Integral Link, Compression Arm Bush, Conventional Bush, Tie Blade Bush)]

We convert noise and vibration into sound and comfort


Business Development Vibracoustic Europe

[Bar chart: Turnover Vibracoustic Europe in Mio €, for 2001, 2002, 2003, 2004, 2005, 2006, Target 2007 and Target 2008; bar values as extracted: 323, 353, 355, 370, 405, 451, 503, 520]

Global Network: Locations worldwide

[Map of locations; legend: Technology Center / Production / Partner]

Europe:
• Hamburg - D
• Weinheim - D
• Neuenburg - D
• Sroda Slaska - PL (I + II)
• Hradec Králové - CZ
• Trebechovice - CZ
• Melnik - CZ
• Nyíregyháza - HU
• Bursa - TR

Americas:
• Manchester, NH - USA
• Plymouth, MI - USA
• Ligonier, IN - USA
• Cuautla - Mexico
• Lerma - Mexico
• Taubaté - Brazil

Asia:
• Tianjin - China
• Yantai - China
• Wuxi - China
• Daegu - Korea
• Yokosuka - Japan
• Tottori - Japan
• Chandigarh - India
• Bangkok - Thailand

Global Alliance

[Organization chart with the columns Parent Companies, Vibracoustic Global Alliance, Global Production Sites, European Production Sites and Customers; labels reconstructed below]

Parent companies: Freudenberg & Co. (Weinheim/Germany), NOK Corporation (Tokio/Japan), PHC (Daegu/South Korea), FNGP (Plymouth/USA)

Vibracoustic Global Alliance:
• Vibracoustic Europe (VCE, Weinheim/Germany), Turnover 2006: Mio € 451,0
• Vibracoustic Japan (NVC, Tottori/Japan), Turnover 2005: Mio € 157
• Vibracoustic Korea (PHI, Daegu/South Korea), Turnover 2005: Mio € 209 (total incl. non-NVH)
• Vibracoustic USA (VNA, Plymouth/USA), Turnover 2006: Mio € 135

Global production sites: VC North America (Ligonier/USA, Manchester/USA), VC Mexico (Cuautla/Mexico, Lerma/Mexico), VC Brazil (Taubaté/Brazil), VC India (Mohali/India), VC Thailand (Bangkok/Thailand), VC Korea (Daegu/South Korea), VC China (Tianjin/China, Wuxi/China), VC Japan (Tottori/Japan)

European production sites: VC Polska (Sroda Slaska/Poland), VC Czech Republic (Melnik, Hradec Kralové, Trebechovice/Czech Rep), VC Hungary (Nyíregyháza/Hungary), VC Turkey (Bursa/Turkey), VC Germany (Hamburg/Germany, Neuenburg/Germany)
Company SAP Profile

• SAP ERP 6.0 (single client)
• supplies 4 companies, 7 locations in Europe (activities outside Europe in preparation)
• 530 SAP users
• hosted at Freudenberg IT, Weinheim, Germany
• application support and consulting by Freudenberg IT (strategic partnership)

Freudenberg IT – Our Strategic Partner

• Full-service IT provider for national and international medium-sized businesses
• According to PAC, the number one hived-off IT company on the free market in Germany – two-thirds of the turnover outside the Freudenberg Group
• Financially secure thanks to affiliation with the Freudenberg Group
• Branches in Europe, North America and Asia (12 locations)
• 7 data centers that meet the highest quality standards
• Integrated range of services: consulting, support and operation
• Long-standing and in-depth process knowledge – over 30 years of SAP experience

Starting Position at VC

Vibracoustic is a very lean, agile company
• strong adjustment of job design to the business
• highly differentiated tasks for the employees
• only few identical roles (from the view of authorizations)
• high vitality of the organization

Complete responsibility for maintaining access was with IT
• high frequency of (complex) changes
• immediate reaction to change requests expected
• risk assessment not very developed/systematic

Challenge

[Cartoon: User, IT, Security, Audit and Management, each with a speech bubble: "I only want to do my job!", "I need XK01 ASAP!", "I need … SAP_ALL", "tons of violations: that will need to go into the report", "Could you try to do this efficiently!"; which bubble belongs to which role was lost in extraction]

The Challenge: Inefficient access and authorization management without security checks and auditability

Source: SAP
Starting Position at VC

Check of authorization concept in 2005
• large extent of user authorizations
• excessive superuser authorizations
• wide distribution of critical transactions and combinations
• poor authorizing process

Trigger for project: new concept of SAP authorizations (18 months)
• transparent also for superiors and management
• easy to adjust
• process for authorization application and provisioning
  - with standard Windows tools (based on Excel forms)
  - SAP + all other 32 non-SAP systems and resources
• documentation in file system (file of forms)

Approach Step 1

SAP had begun to supply a portfolio of solutions for governance, risk, and compliance: SAP solutions for GRC
• presentation of SAP GRC Access Control at SAP (summer 2006)
• technical implementation 2007
• limited pilot: implementation of SAP GRC Access Control ABAP 4.0, operated by VC IT personnel, not yet rolled out to business functions

SAP GRC Access Control

Sustainable Prevention of Segregation of Duties (SoD) Violations

Minimal time to compliance (Get clean) | Continuous access management (Stay clean) | Effective management oversight and audit (Stay in control)

• Risk analysis and remediation: perform cost-effective, rapid, comprehensive initial clean up
• Enterprise role management: enforce SoD compliance at design time
• Compliant user provisioning: prevent SoD violations at run time
• Superuser privilege management: close #1 audit issue with temporary emergency access
• Periodic access review and audit: focus on remaining challenges during recurring audits

Risk analysis, remediation, and prevention services
Cross-enterprise library of best-practice segregation of duties rules

Risk Analysis and Remediation
Delivers 24/7, real-time compliance by stopping security and controls violations before they occur

Access Risks Services:
• Risk identification: real-time SoD risk analysis, critical transaction monitoring, cross-application integration
• Elimination: remediation management, mitigation management, reporting
• Prevention: alerts framework, reporting, real-time simulation, mandatory prevention
• Access risks library: cross-enterprise rules database, cross-enterprise rules architect

• Common services across all SAP GRC Access Control capabilities
• Facilitates collaboration between business and IT to clean up access risks

Superuser Privilege Management
Enables compliance-focused emergency access for SAP ERP

[Figure: a superuser who would otherwise hold SAP_ALL opens a new session with a firecall ID for SD, MM or FICO; each session writes its own log]

Compliant superuser access:
• Preassigned firefighter IDs
• Access restrictions
• Validity dates
• Field-level changes tracked in audit log

Benefits:
• Close #1 open audit issue
• Avoid business obstructions with faster emergency response
• Reduce audit time
• Reduce time to perform critical tasks
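The four controls listed on this slide (preassigned firefighter IDs, access restrictions, validity dates and a field-level audit log) can be shown together in a small model. The Python below is an added example written for this page; it is not SAP GRC code and not Vibracoustic's implementation, and the firefighter ID `FF_SD_01`, the users, the `KNVV`/`ZTERM` record and all dates are constructed.

```python
"""Added example (not SAP or Vibracoustic code): a firefighter ID with
validity dates, an area restriction, preassigned owners and an audit log
that records every field-level change made during an emergency session."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FirefighterID:
    name: str
    allowed_areas: frozenset      # access restriction, e.g. {"SD"}
    valid_from: datetime          # validity dates
    valid_to: datetime
    assigned_users: frozenset     # preassigned owners who may check the ID out


@dataclass(frozen=True)
class AuditEntry:
    ts: datetime
    session_id: str
    ff_id: str
    user: str
    table: str
    key: str
    fieldname: str
    old: object
    new: object


class FirefighterSession:
    """One emergency-access session; every field change goes to the shared log."""

    def __init__(self, ff: FirefighterID, user: str, now: datetime, log: list):
        if user not in ff.assigned_users:
            raise PermissionError(f"{user} is not preassigned to {ff.name}")
        if not (ff.valid_from <= now <= ff.valid_to):
            raise PermissionError(f"{ff.name} is outside its validity dates")
        self.ff, self.user, self.log = ff, user, log
        self.session_id = f"{ff.name}@{now:%Y%m%d-%H%M%S}"

    def change(self, now: datetime, area: str, table: str, key: str,
               fieldname: str, record: dict, new):
        """Apply one field change inside the ID's restrictions; log old and new value."""
        if area not in self.ff.allowed_areas:
            raise PermissionError(f"{self.ff.name} may not change {area} data")
        old = record.get(fieldname)
        record[fieldname] = new
        self.log.append(AuditEntry(now, self.session_id, self.ff.name, self.user,
                                   table, key, fieldname, old, new))
        return old


def session_report(log, session_id):
    """Lines an auditor reviews for one firefighter session."""
    return [f"{e.ts:%Y-%m-%d %H:%M} {e.user} via {e.ff_id}: {e.table}/{e.key} "
            f"{e.fieldname} {e.old!r} -> {e.new!r}"
            for e in log if e.session_id == session_id]


# Constructed firefighter ID: SD area only, valid May-June 2008, two owners.
FF_SD = FirefighterID("FF_SD_01", frozenset({"SD"}),
                      datetime(2008, 5, 1), datetime(2008, 6, 30),
                      frozenset({"KEYUSER1", "SUPPORT2"}))


def demo():
    """Constructed walk-through: one allowed change, three denied attempts."""
    log = []
    customer = {"KUNNR": "C1000", "ZTERM": "Z030"}   # constructed SD record
    s = FirefighterSession(FF_SD, "KEYUSER1", datetime(2008, 5, 21, 9, 0), log)
    s.change(datetime(2008, 5, 21, 9, 5), "SD", "KNVV", "C1000", "ZTERM", customer, "Z060")
    denied = []
    for user, when in [("OTHER", datetime(2008, 5, 21)),      # not preassigned
                       ("KEYUSER1", datetime(2008, 7, 1))]:   # after valid_to
        try:
            FirefighterSession(FF_SD, user, when, log)
        except PermissionError as e:
            denied.append(str(e))
    try:   # FI data is outside the ID's access restriction
        s.change(datetime(2008, 5, 21, 9, 10), "FI", "BKPF", "100", "BUDAT", {}, "x")
    except PermissionError as e:
        denied.append(str(e))
    return log, denied, session_report(log, s.session_id)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The point of the model is that the audit log is written by the session object itself, so a change made under the firefighter ID cannot bypass it, and the report is keyed by session so each emergency use can be reviewed on its own.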
Vibracoustic's Step 1

[Figure: the SAP GRC Access Control overview (Minimal Time To Compliance / Get Clean, Continuous Access Management / Stay Clean, Effective Management Oversight and Audit / Stay in Control; capabilities Risk Analysis and Remediation, Enterprise Role Management, Compliant User Provisioning, Superuser Privilege Management, Periodic Access Review and Audit) with two capabilities highlighted as step 1:]
• Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up
• Superuser Privilege Management: close #1 audit issue with temporary emergency access

Risk analysis, remediation and prevention services
Cross-enterprise library of best practice segregation of duties rules

Source: SAP
Target Step 1

Set up new authorization concept
• role-based, transparent, easy to maintain
• IT personnel, SAP, Freudenberg IT, Ernst & Young

Design of change request process for roles
• authorizing process
• IT personnel, key users

Design process for authorization requests
• IT personnel, key users

Introduce Authorization Risk Management and Remediation
• managers, Ernst & Young, VC risk management, Freudenberg IT

Introduce Superuser Privilege Management
• for maintenance and support users
• managers, Ernst & Young, Freudenberg IT
Project Plan – Timeline of Project: SAP GRC Access Control

[Gantt chart over 2007 Q1–Q4 and 2008 Q1–Q4; legend: VC IT and Users / SAP and Freudenberg IT]
• Preliminary implementation SAP GRC Access Control: trial phase risk analysis, utilize risk analysis
• Final implementation SAP GRC Access Control: review risk matrix, roll out risk analysis and remediation
• Utilize superuser privilege management, then roll out superuser privilege management

Achieved / Targets

Achieved 2007 / targets 2008 (stay clean)
• keep up the new systematic of roles and access rights
• improve risk assessment / analysis
• replace the manual process to apply for and provide access
  - stay in control of user access rights
  - improved deprovisioning when leaving (e.g. customer portals)
• audit-proof documentation
• system check instead of content check at year's end
• preventive instead of reactive process
• emphasize responsibility of the departments
• assess the risks
• apply segregation of duties (structural organization)

Experiences: Risk Analysis and Remediation

• 200+ predefined risks provide a head start to risk definition
• Analysis helped to clean up existing single roles
• Business participation required at role definition time
• Include auditors beginning with the early stages of the process
• VC will review the risk matrix with business units and auditors; potential resulting activities:
  - different valuation of risks
  - reclassifying of risks
  - change risk definitions

Experiences: Superuser Privilege Management

• helpful not only for technical service personnel but also for key users in operational areas
• helps to facilitate discussion with users about "normal" role and support role
• succeeded in limiting authorizations to what they really needed according to their "normal" role
• ongoing process to set up controls based on the embedded auditing facilities
• limited experience until now

Experiences with Auditors

• Including the auditors at very early stages of the process and keeping them involved has helped to meet them at eye level
• The auditors' activities in the area of access management helped to draw management's attention to GRC; management support is vital to such projects
• VC's own rules will replace the generic auditors' rule sets; this will reduce time by limiting discussions to applicable risks

Vibracoustic's Step 2

First attempt at Identity Management
• individual software

Search for an "off the shelf" solution
• SAP had acquired MaXware
• presentation at SAP in summer 2007
• decision to participate in the ramp up

Authorization Request – Current Situation

[Figure: a single request form generates separate help desk calls for system 1, system 2, system 3 … system 32; each system runs its own "get approval" and "provisioning" steps, and the request forms are reconciled against a file afterwards]

Authorization Request – Target Situation

• highly automated
• reliable documentation
• cost reduction
• fast provisioning

[Figure: one flow request → approval → provisioning (32 parallel provisioning processes) → escalation → documentation]

Business-Oriented Identity Management
SAP addresses compliance issues across the organization

SAP GRC Access Control (business controls):
• User provisioning for ERP-like systems
• Risk analysis
• Audit and compliance
• Privilege management for business transactions

SAP NetWeaver Identity Management (systems access):
• User provisioning in heterogeneous system landscape
• Privilege management for applications and resources
• Identity synchronization
• Identity virtualization

SAP offers an integrated solution: SAP GRC & IdM

[Flowchart: an employee creates a request; the line manager runs the approval workflow. If the target is not an ERP system, GRC & IdM provisions the non-ERP system (mail, DB, OS, Active Directory, portals, Exchange). If it is an ERP system, a role is selected and the risk analysis workflow runs: if OK, the ERP system is provisioned; if an SoD violation is found, the risk mitigation workflow goes to the business owner and the outcome is recorded for audit]
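The risk analysis, real-time simulation and mandatory prevention services described on the Access Control slides, and the request flow in the figure above (approval, ERP versus non-ERP branch, risk analysis, mitigation by the business owner, provisioning), fit into one small model. The Python below is an added example written for this page, not SAP GRC or SAP NetWeaver Identity Management code. The role names, the SoD rule IDs `P001`–`P003`, the risk levels, the control ID `CTRL-17` and the system names are constructed; treating a Critical risk as non-mitigable (the request is rejected outright) is an assumption standing in for the slide's "mandatory prevention".

```python
"""Added example (not SAP code): SoD risk analysis, design-time simulation and
the access request workflow (approval -> ERP? -> risk analysis -> mitigation
or provisioning).  Roles, rules, controls and systems are constructed."""
from dataclasses import dataclass, field

# Roles grant business functions (constructed; in SAP this is derived from the
# role's transactions and authorization objects).
ROLE_FUNCTIONS = {
    "Z_VENDOR_MAINT": {"VENDOR_MASTER"},      # vendor master maintenance, e.g. XK01
    "Z_AP_INVOICE": {"AP_INVOICE_ENTRY"},
    "Z_AP_PAYMENT": {"AP_PAYMENT_RUN"},
    "Z_SD_ORDER": {"SALES_ORDER"},
}
# SoD rule library: rule id -> (function A, function B, risk level); constructed.
SOD_RULES = {
    "P001": ("VENDOR_MASTER", "AP_INVOICE_ENTRY", "High"),
    "P002": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RUN", "High"),
    "P003": ("VENDOR_MASTER", "AP_PAYMENT_RUN", "Critical"),
}
ERP_SYSTEMS = {"ERP"}   # anything else (AD, Exchange, portal, OS) is non-ERP


def functions_of(roles):
    fs = set()
    for r in roles:
        fs |= ROLE_FUNCTIONS.get(r, set())
    return fs


def risk_analysis(roles):
    """{rule id: risk level} for every rule whose two functions the role set grants."""
    fs = functions_of(roles)
    return {rid: lvl for rid, (a, b, lvl) in SOD_RULES.items() if a in fs and b in fs}


def simulate(existing, requested):
    """Design-time simulation: only the violations the request would newly introduce."""
    before = risk_analysis(existing)
    after = risk_analysis(set(existing) | set(requested))
    return {rid: lvl for rid, lvl in after.items() if rid not in before}


@dataclass
class AccessRequest:
    user: str
    system: str
    roles: frozenset
    manager_approved: bool = False
    mitigations: dict = field(default_factory=dict)   # rule id -> control assigned by business owner


@dataclass
class Outcome:
    status: str            # pending_approval | pending_mitigation | rejected | provisioned
    new_violations: dict
    audit: list


def process(req, assignments):
    """Run one request through the workflow. `assignments` maps (user, system) to
    the set of roles already held and is updated when provisioning happens."""
    audit = [f"{req.user}@{req.system}: request {sorted(req.roles)}"]
    if not req.manager_approved:
        return Outcome("pending_approval", {}, audit + ["waiting for line manager"])
    key = (req.user, req.system)
    if req.system not in ERP_SYSTEMS:          # non-ERP branch: no SoD analysis
        assignments.setdefault(key, set()).update(req.roles)
        return Outcome("provisioned", {}, audit + [f"provisioned in {req.system}"])
    new = simulate(assignments.get(key, set()), req.roles)
    # Assumption for "mandatory prevention": a Critical risk cannot be mitigated.
    if any(lvl == "Critical" for lvl in new.values()):
        return Outcome("rejected", new, audit + [f"critical SoD risk {sorted(new)}: rejected"])
    unmitigated = sorted(r for r in new if r not in req.mitigations)
    if unmitigated:                            # risk mitigation workflow
        return Outcome("pending_mitigation", new,
                       audit + [f"SoD violation {unmitigated}: sent to business owner"])
    audit += [f"{rid} mitigated by control {req.mitigations[rid]}" for rid in new]
    assignments.setdefault(key, set()).update(req.roles)
    return Outcome("provisioned", new, audit + ["provisioned in ERP"])


def demo():
    """Constructed walk-through; returns the outcomes in order."""
    assignments = {("U1", "ERP"): {"Z_VENDOR_MAINT"}}
    steps = [
        AccessRequest("U1", "ERP", frozenset({"Z_AP_INVOICE"}), True),
        AccessRequest("U1", "ERP", frozenset({"Z_AP_INVOICE"}), True, {"P001": "CTRL-17"}),
        AccessRequest("U1", "ERP", frozenset({"Z_AP_PAYMENT"}), True),
        AccessRequest("U1", "AD", frozenset({"DomainUsers"}), True),
        AccessRequest("U2", "ERP", frozenset({"Z_SD_ORDER"}), False),
    ]
    return [process(r, assignments) for r in steps]


if __name__ == "__main__":
    for o in demo():
        print(o.status, "|", " / ".join(o.audit))
```

The walk-through shows the three results the figure distinguishes: the first request is held for the business owner because it would create the vendor-master/invoice conflict `P001`, the same request passes once a control is assigned, and the payment role is refused because it would add a Critical conflict on top of the mitigated one. The non-ERP request skips the SoD check entirely, which is exactly the gap the slides place under SAP NetWeaver Identity Management rather than under Access Control.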
Ramp up: SAP GRC Access Control & SAP NetWeaver Identity Management

[Timeline April–July 2008; legend: VC IT and Users / SAP and Freudenberg IT]
• Migrate to SAP GRC Access Control 5.3
• Implement and customize SAP NetWeaver Identity Management 7.0
• Customize and launch
Vibracoustic plans and visions

• shift audit activities from reactive to proactive measures
• enable the business to maintain and refine the process of managing and controlling risks; move from detective to preventive control
• complete process to move responsibility from IT to the business
• check enterprise role management to improve role change management

Jasmin Reuschling
Solution Sales Executive, Solution Sales SAP GRC
SAP Deutschland AG & Co. KG
T +49/6227/7-50225
M +49/151/16810319
Jasmin.Reuschling@sap.com
www.sap.de/grc

Martin Stecher
Governance, Risk & Compliance
SAP Deutschland AG & Co. KG
Phone +49/62 27/7-49111
Mobile +49 (170) 8555624
Martin.Stecher@sap.com
http://www.sap.com/grc

Reinhard Falke
Director Business Processes and Information Technology
Vibracoustic GmbH & Co. KG
Höhnerweg 2-4 . 69465 Weinheim, Germany
Phone +49 (0) 6201 80 6456 . Fax +49 (0) 6201 88 6456
Mobile +49 (0) 172 632 0809
reinhard.falke@vibracoustic.de
www.vibracoustic.de
A company of the Freudenberg Group

Access SAPPHIRE '08 Berlin Online
Watch video recordings, download audio files in MP3 format, and view the slides from all keynotes and presentation sessions.
www.sap.com/emea/sapphire

Copyright 2008 SAP AG
All rights reserved

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, SAP Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed
are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
