http://sapsecurity.

info

GRC Architecture
GRC Component
Biju (Jays)

1
GRC Architecture
 GRC – Connectivity of Application
 GRC - Workflow
Component of GRC ( Basic)
 CUP - Compliant User Provisioning
 RAR - Risk Analysis and Remediation
 SPM - Superuser Privilege Management
 ERM - Enterprise Role Management

2
GRC Architecture
SAP GRC Access Control 5.3 leverages the technical infrastructure of SAP NetWeaver. Its user interface
runs in any Browser supported by NetWeaver.

SAP GRC Access Control 5.3 is based on Web Dynpro Java (Risk Analysis and Remediation and Super
User Privilege Management) and JSP (Compliant User Provisioning and Enterprise Role Management).

Each one of the four application components connects via System Connectors to a multitude of backend
SAP and Non-SAP business applications. In the case of SAP backend systems all four application
components can be configured to support integration with the system landscape directory for their
system connectors. This allows for a central storage of connection data for each SAP backend system and
for additional features like Secure Networ k Communication (SNC) and SAP Router strings.

In detail the four applicat ion components come with the following connectiv ity options:

Risk Analysis and Remediat ion:

o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10

o SAP NetWeaver Portal 7.0 SP12+

o PEOPLESOFT Applications suppor ted by Greenlight Adapters

o JDE EnterpriseOne supported by Greenlight Adapters

3
 o ORACLE Applications supported by Greenlight Adapters

o Legacy Application via flat file interface

Compliant User Prov isioning:

o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10

o SAP NetWeaver Portal 7.0 SP12+

o PEOPLESOFT Applications suppor ted by Greenlight Adapters

o JDE EnterpriseOne supported by Greenlight Adapters

o ORACLE Applications supported by Greenlight Adapters

Enterprise Role Management:

o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10

Super user Pr ivilege Management:

o SAP Backend Systems with basis release levels 4.6C, 6.20, 6.40, 7.0 and 7.10

Users within Access Control 5.3 are managed leveraging NetWeaver’s User Management Engine (UME),
which can to three different types of user repositories: local database, SAP backend system or to a
suppor ted LDAP directory.

To opt imize user searches within the applicat ion context addit ional user persistence
components can be added to the infrastructure:

Risk Analysis and Remediat ion:

o The User Master Source is the first system searched to obtain basic user data from. Any
backend system connected via a system connector can be selected.

Compliant User Prov isioning:

o The User Source is the primar y source extracting basic user data during searches. UME
or any backend system connected via a system connector can be selected.

o The User Details Source is used to fetch additional information (attributes) about the
user. UME or any backend system connected via a system connector or a combination of
these (multiple data sources) can be selected.

o The Authentication System verifies the requestor’s identity from the selected system.
UME or any backend system connected via a system connector can be selected.

Access Control 5.3 provides new web ser vices for Identity Management (IDM) vendors, which enables

4
seamless integration between IDM and GRC Access Control.

Integration of each of the above capabilities is imperative for the following functionality:

Approval workflow in Compliant User Provi sioning:

In Risk Analysis and Remediation, approval work flow is required for:

 Risk maintenance

 Mitigating control maint enance

 Mitigating control assignment changes to users, roles, or profiles

In Enterprise Role Management, approval work flow is required for:

 Role maintenanc e

Ri sk analysi s and mitigation in Risk Analysi s and Remediation:

In Compliant User Provisioning, risk analysis and mitigation is required for:

 Provisioning risk analysis and mitigation

 Risk analysis results for SOD Review

In Enterprise Role Management, risk analysis and mitigation is required for:

 Role risk analysis
 Function selection for authorization dat a

Role data synchronization in Enterpri se Role Management:

In Compliant Us er Provisioning, role data synchronization is required for:

 Roles for provisioning

 Role definition, assignment and usage information for Us er Access Review
requests.

5
Details in GRC Components

Compliant User Prov isioning

Compliant User Provisioning (CUP) is a capability of SAP GRC Access Control. It pr ovides compliant user
provisioning across enterprise systems. Included are access request self-service, approvals, compliance
checks, proactive resolution of access controls, and provisioning.

CUP also provides standard repor ts.

Both CUP and RAR capabilities introduce a configurable reporting data mart that enables customized
reporting by integrating your repor ting tool of choice.

 The data mart extracts the relevant data from the RAR and CUP and converts the data for
reporting purposes
 The data mart is nonhistorical
 Data mart schema are published, which enables customers to integrate with any reporting tools.

CUP combines predefined roles and permissions with configurable workflow capabilities, thus automating
and expediting user provisioning throughout an employee’s lifecycle with the company.

CUP prevents violations of separations of duty (SoD) and helps to ensure corporate accountability and
compliance with Sarbanes-Oxley, and other laws and regulations.

Users can request system access using a context-based selection of role descriptions that are defined
using the Enterprise Role Management (ERM) functionality, another capability in the SAP BusinessObjects
Access Control application.

When a user requests access to a system, CUP automatically forwards the access requests to designated
managers and approvers within a predefined wor kflow that is customized for the enterprise. The CUP
workflow engine considers the functional responsibility of the requestor and the type of access request
being made, and automatically determines the appropriate routing for access approval.

CUP prevents access-approval delays by routing requests to back up approvers when primar y approvers
are unavailable or have not responded.

CUP automates the following user provisioning activities:

 Creating users
 Changing users
 Deleting users
 Locking/Unlocking users
 Resetting user passwords
 Assigning roles to users
 Removing and changing role validity for users
 User access review

Risk Analysis and Remediat ion

6
 The Risk Analysis and Remediation (RAR) capability is a fully automated rules-based security audit and
segregation of duties (SoD) analysis tool used to identify, analyze, and resolve risk and audit issues that
relate to regulatory compliance.

Features

The Risk Analysis and Remediation capability:

 Enables all key stakeholders to wor k in a collaborative manner to build ongoing SoD risk and
audit compliance at all levels. This compliance includes User, Role, Profile, and HR Object levels.
 Empowers security administrators, business process owners and inter nal auditors to prepare their
SAP systems, and all other systems, for an audit.
 Provides user friendly summary and drill-down reports, making the identification and resolution of
Risks and audit issues a painless process.
o RAR produces Risk Analytical Repor ts for selected users, user groups, roles, and profiles,
allowing user administrators to identify potential risk issues before assigning a new role
to a user, group or pr ofile.
o RAR produces reports on critical actions, critical permissions, critical roles, and profiles.
 Introduces a configuable reporting data mart that enables customized reporting by integrating
your reporting tool of choice (for both RAR and CUP):
o The data mart extracts the relevant data from the RAR and CUP and converts the data
for reporting purposes
o The data mart is nonhistorical
o Data mart schema is published, which enables customers to integrate with any reporting
tools.
 Includes an expandable starter set of rules, and enables risks to be identified and created in the
system so that an administrator can correlate them with functions and associate each function to
a business process. And then, the Risk Analysis and Remediation capability generates the rules to
offset your identified risks, thus building on your r ule set.
 Provides comprehensive risk management functionality and powerful, easy to use, functionality to
document Risk Mitigation Controls.
o RAR enables you to perform a risk analysis to identify risks associated with a user, role,
profile, or HR object. If you cannot eliminate a risk, you can use the capability to define
mitigation controls. You also define monitors and approvers, assign them to specific
controls, and create business units to help categorize mitigating controls.
 Uses custom tables to store SoD data. It also ensures there is no interference with existing
security processes and procedures.

Enterprise Role Management

Enterprise Role Management (ERM) is a capability of the GRC Access Control application. T he other
Access Control capabilities interact with ERM.

Enter prise Role Management automates the definition and management of roles, allowing you to manage
enterprise roles with a single unified role repository. T he roles can be documented, designed, analyzed
for control violations, approved, and then automatically generated.

This capability enables preferred practices to ensure that role definitions, development, testing, and
maintenance are consistent across the entire enterprise.

7
ERM provides SAP security administrators, role designers, and role owners with a simplified means of
documenting and maintaining important role infor mation for better role management.

The features include:

 Tracking progress during role implementation.

 Monitoring the overall quality of the implementation.
 Performing risk analysis at role design time.
 Setting up a workflow for role approval.
 Providing an audit trail for all role modifications.
 Maintaining roles after they are generated to keep role infor mation current.

Super user Pr ivilege Management

In emergencies or extraor dinary situations, Superuser Privilege Management, a capability of SAP GRC
Access Control, enables users to perform activities outside their roles under Super user -like privileges in a
controlled, auditable environment.

A temporar y ID is assigned that grants the user privileged, yet regulated, access. T his transfer of
privileges from one person or role to another is called firefighting. Such a firefighting event might occur,
for example, if an employee is inj ured and another employee has to perform the injured employee’s
duties.

Superuser Privilege Management is an ABAP and Web-based capability that tracks, monitors, and logs the
activities that are performed by a Super user with a privileged user ID. Superuser Privilege Management
also automates firefighting tasks such as defining firefighter IDs and assigning owners and controllers.

This capability is a back-end systems activity with limited interfacing to Compliant User Provisioning
where related reports may be generated. For reports and other information, see the Compliant User
Provisioning topics in this application help.

Please Let me know if any concerns.

Thanks,
Jays
http://sapsecurity.info

Date : 24-Apr-2011