Beruflich Dokumente
Kultur Dokumente
info
GRC Architecture
GRC Component
Biju (Jays)
1
GRC Architecture
GRC – Connectivity of Application
GRC - Workflow
Component of GRC ( Basic)
CUP - Compliant User Provisioning
RAR - Risk Analysis and Remediation
SPM - Superuser Privilege Management
ERM - Enterprise Role Management
2
GRC Architecture
SAP GRC Access Control 5.3 leverages the technical infrastructure of SAP NetWeaver. Its user interface
runs in any Browser supported by NetWeaver.
SAP GRC Access Control 5.3 is based on Web Dynpro Java (Risk Analysis and Remediation and Super
User Privilege Management) and JSP (Compliant User Provisioning and Enterprise Role Management).
Each one of the four application components connects via System Connectors to a multitude of backend
SAP and Non-SAP business applications. In the case of SAP backend systems all four application
components can be configured to support integration with the system landscape directory for their
system connectors. This allows for a central storage of connection data for each SAP backend system and
for additional features like Secure Networ k Communication (SNC) and SAP Router strings.
In detail the four applicat ion components come with the following connectiv ity options:
o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10
3
o ORACLE Applications supported by Greenlight Adapters
o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10
o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10
o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10
Users within Access Control 5.3 are managed leveraging NetWeaver’s User Management Engine (UME),
which can to three different types of user repositories: local database, SAP backend system or to a
suppor ted LDAP directory.
To opt imize user searches within the applicat ion context addit ional user persistence
components can be added to the infrastructure:
o The User Master Source is the first system searched to obtain basic user data from. Any
backend system connected via a system connector can be selected.
o The User Source is the primar y source extracting basic user data during searches. UME
or any backend system connected via a system connector can be selected.
o The User Details Source is used to fetch additional information (attributes) about the
user. UME or any backend system connected via a system connector or a combination of
these (multiple data sources) can be selected.
o The Authentication System verifies the requestor’s identity from the selected system.
UME or any backend system connected via a system connector can be selected.
Access Control 5.3 provides new web ser vices for Identity Management (IDM) vendors, which enables
4
seamless integration between IDM and GRC Access Control.
Integration of each of the above capabilities is imperative for the following functionality:
Risk maintenance
Role maintenanc e
5
Details in GRC Components
Compliant User Provisioning (CUP) is a capability of SAP GRC Access Control. It pr ovides compliant user
provisioning across enterprise systems. Included are access request self-service, approvals, compliance
checks, proactive resolution of access controls, and provisioning.
Both CUP and RAR capabilities introduce a configurable reporting data mart that enables customized
reporting by integrating your repor ting tool of choice.
The data mart extracts the relevant data from the RAR and CUP and converts the data for
reporting purposes
The data mart is nonhistorical
Data mart schema are published, which enables customers to integrate with any reporting tools.
CUP combines predefined roles and permissions with configurable workflow capabilities, thus automating
and expediting user provisioning throughout an employee’s lifecycle with the company.
CUP prevents violations of separations of duty (SoD) and helps to ensure corporate accountability and
compliance with Sarbanes-Oxley, and other laws and regulations.
Users can request system access using a context-based selection of role descriptions that are defined
using the Enterprise Role Management (ERM) functionality, another capability in the SAP BusinessObjects
Access Control application.
When a user requests access to a system, CUP automatically forwards the access requests to designated
managers and approvers within a predefined wor kflow that is customized for the enterprise. The CUP
workflow engine considers the functional responsibility of the requestor and the type of access request
being made, and automatically determines the appropriate routing for access approval.
CUP prevents access-approval delays by routing requests to back up approvers when primar y approvers
are unavailable or have not responded.
Creating users
Changing users
Deleting users
Locking/Unlocking users
Resetting user passwords
Assigning roles to users
Removing and changing role validity for users
User access review
6
The Risk Analysis and Remediation (RAR) capability is a fully automated rules-based security audit and
segregation of duties (SoD) analysis tool used to identify, analyze, and resolve risk and audit issues that
relate to regulatory compliance.
Features
Enables all key stakeholders to wor k in a collaborative manner to build ongoing SoD risk and
audit compliance at all levels. This compliance includes User, Role, Profile, and HR Object levels.
Empowers security administrators, business process owners and inter nal auditors to prepare their
SAP systems, and all other systems, for an audit.
Provides user friendly summary and drill-down reports, making the identification and resolution of
Risks and audit issues a painless process.
o RAR produces Risk Analytical Repor ts for selected users, user groups, roles, and profiles,
allowing user administrators to identify potential risk issues before assigning a new role
to a user, group or pr ofile.
o RAR produces reports on critical actions, critical permissions, critical roles, and profiles.
Introduces a configuable reporting data mart that enables customized reporting by integrating
your reporting tool of choice (for both RAR and CUP):
o The data mart extracts the relevant data from the RAR and CUP and converts the data
for reporting purposes
o The data mart is nonhistorical
o Data mart schema is published, which enables customers to integrate with any reporting
tools.
Includes an expandable starter set of rules, and enables risks to be identified and created in the
system so that an administrator can correlate them with functions and associate each function to
a business process. And then, the Risk Analysis and Remediation capability generates the rules to
offset your identified risks, thus building on your r ule set.
Provides comprehensive risk management functionality and powerful, easy to use, functionality to
document Risk Mitigation Controls.
o RAR enables you to perform a risk analysis to identify risks associated with a user, role,
profile, or HR object. If you cannot eliminate a risk, you can use the capability to define
mitigation controls. You also define monitors and approvers, assign them to specific
controls, and create business units to help categorize mitigating controls.
Uses custom tables to store SoD data. It also ensures there is no interference with existing
security processes and procedures.
Enterprise Role Management (ERM) is a capability of the GRC Access Control application. T he other
Access Control capabilities interact with ERM.
Enter prise Role Management automates the definition and management of roles, allowing you to manage
enterprise roles with a single unified role repository. T he roles can be documented, designed, analyzed
for control violations, approved, and then automatically generated.
This capability enables preferred practices to ensure that role definitions, development, testing, and
maintenance are consistent across the entire enterprise.
7
ERM provides SAP security administrators, role designers, and role owners with a simplified means of
documenting and maintaining important role infor mation for better role management.
In emergencies or extraor dinary situations, Superuser Privilege Management, a capability of SAP GRC
Access Control, enables users to perform activities outside their roles under Super user -like privileges in a
controlled, auditable environment.
A temporar y ID is assigned that grants the user privileged, yet regulated, access. T his transfer of
privileges from one person or role to another is called firefighting. Such a firefighting event might occur,
for example, if an employee is inj ured and another employee has to perform the injured employee’s
duties.
Superuser Privilege Management is an ABAP and Web-based capability that tracks, monitors, and logs the
activities that are performed by a Super user with a privileged user ID. Superuser Privilege Management
also automates firefighting tasks such as defining firefighter IDs and assigning owners and controllers.
This capability is a back-end systems activity with limited interfacing to Compliant User Provisioning
where related reports may be generated. For reports and other information, see the Compliant User
Provisioning topics in this application help.
Date : 24-Apr-2011