
PRASA GRC Training

GRC Approvers

Course Overview
This course introduces the Continuous Compliance Suite, demonstrating the Approver functionality of RA&R, CUP and SPM as it is used by PRASA.

Course Goals
This course will prepare you to:
- Work with Risk Analysis and Remediation
- Work with the Compliant User Management Approver module
- Work with Superuser Privilege Management

Course Objectives
After this course, you will have the foundation knowledge to:
- Discuss and work with Risk Analysis and Remediation (RA&R)
- Discuss and work with the Compliant User Provisioning (CUP) Approver module
- Discuss and work with Superuser Privilege Management (SPM)

Course Content
- Preface
- Unit 1: Introduction and Overview
- Unit 2: Informer
- Unit 3: CUP Overview
- Unit 4: Using the Approver Module
- Unit 5: PRASA Workflows
- Unit 6: SPM - Firefighter

Unit 1 Objectives
After completing this unit you will be able to:
- Discuss Client Considerations
- Explain key features and benefits of RA&R
- List the major components of RA&R

What is GRC
Governance, Risk and Compliance (GRC) is a suite of products.

Preventative Compliance

Technical Architecture

Segregation of Duties Concept


Segregation of Duties (SoD) is a primary internal control intended to prevent or decrease the risk of errors or irregularities, identify problems, and ensure corrective action is taken. This is achieved by assuring that no single individual has control over all phases of a business transaction.

Four general categories of duties:
- Authorization
- Custody
- Record keeping
- Reconciliation

Client Considerations
PRASA faces significant security challenges, including:
- Negative Audit Reports
- Segregation of Duties and Excessive Access
- Security Administration Process
- Internal Controls Repository
- Maintenance of a Clean Environment
- ERP Upgrades
- Escalating Helpdesk Costs
- Change Management
- Compliance Awareness and Responsibility

RA&R is about the potential to perform certain tasks, not necessarily who has actually performed them.

What is RA&R

RA&R provides comprehensive capabilities for:
- Testing and enforcing Segregation of Duties (SoD) controls
- Monitoring critical actions across enterprise applications

Features and Benefits


- Cross Enterprise Risk Analysis
- End-to-End Automation
- Simulation and Remediation
- Summary and Drill Down Reports
- Mitigation Controls
- Mass Maintenance Functionality
- Audit Trail of Rule Updates
- Preventive as Well as Detective

Methodology

Cross Enterprise Analysis

Centralized Web Architecture

RA&R Informer Tab

RA&R Rule Architect Tab

RA&R Mitigation Tab

RA&R Alert Monitor

Demonstration

The instructor will demonstrate how to navigate RA&R

Review
Which of the following is a feature of RA&R?
a) RA&R is preventive as well as detective
b) RA&R provides an audit trail of rule updates
c) RA&R provides the functionality to execute risk analysis across multiple systems and applications
d) All of the above
e) None of the above

Which of the following is not an RA&R tab name?
a) Rule Architect
b) Risk Analysis
c) Informer
d) Mitigation

Unit Summary

You should now be able to:
- Discuss Client Considerations
- Explain key features and benefits of RA&R
- List the major components of RA&R


Unit 2 Objectives
After completing this unit you will be able to:
- Discuss and use the Management View
- Run the Risk Analysis Report
- Run the Audit Reports
- Run the Security Reports
- Describe the Background Jobs functionality

Management View Risk Violations


The following reports are accessed from the Management View menu:
- Risk Violations
- Users Analysis
- Role Analysis
- Comparisons
- Alerts
- Rules Library
- Controls Library

Risk Violations

Interactive Pie Chart (1)

Interactive Pie Chart (2)

Interactive Pie Chart (3)

SOD Violations By Process

Management View User Analysis



User Analysis

Critical Actions and Roles

Management View Role Analysis



Role Analysis

SOD Violations by Roles and Users

Management View - Comparisons



Comparisons

Management View - Alerts



Alerts

Risks Violations Alert

Conflicting Action Alerts By Process

Management View Rules Library



Rules Library

Management View Controls Library



Controls Library

Risk Analysis

Report Types
There are six report types, each of which can be formatted in several ways.
- Action Level SoD reports: generating this report type produces a list of SoDs at the action level.
- Permission Level SoD reports: generating this report type produces a list of SoDs at the permission level.
- Critical Actions reports: generating this report type limits the list to the Critical Actions available. Critical Actions are defined under the Rule Architect tab.
- Critical Permissions reports
- Critical Roles/Profiles reports: generating this report type lists only the Critical Roles and Profiles associated with the User, Role, HR Object, or Organization. This report does not list any risks.
- Mitigation Control reports: generating this report type lists the valid Mitigation Controls assigned to the User, Role, HR Object, or Organization included in the analysis.

Report Formats
- Executive Summary: lists each risk as a single line item and displays the total number of conflicting actions producing the risk.
- Management Summary: lists each risk as a single line item, displays the risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down further by clicking the risk to view more detailed information, including conflicting functions.
- Summary: lists the combination of conflicting actions that produce the risk in one line item.
- Detail: lists each risk as a single line item, displays the risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down further by clicking the risk to view more detailed information, including conflicting functions.
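As an added illustration (not SAP GRC code and not part of the original course material), the following Python models the action-level analysis behind the report types above, the Executive and Management Summary layouts, and the what-if simulation covered on the next slides. The Rules Library (functions, risks), roles, users and mitigation control IDs are constructed sample data.

```python
"""Action-level SoD risk analysis in the RA&R style described above.

Added illustration, not SAP GRC code. The Rules Library, roles, users and
mitigation control IDs below are constructed sample data.
"""
from dataclasses import dataclass
from itertools import product

# --- Rules Library (constructed) ------------------------------------------
# A function is a business task, expressed as the actions (transaction codes)
# that perform it. A risk is a set of functions that conflict with each other.
FUNCTIONS = {
    "PR01": {"ME21N", "ME22N"},   # create / change purchase order
    "AP02": {"MIRO", "FB60"},     # post vendor invoice
    "AP03": {"F110"},             # run payment program
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    severity: str        # High / Medium / Low
    functions: tuple     # conflicting functions; all must be reachable to hit

RISKS = [
    Risk("P001", "Create PO and post vendor invoice", "High", ("PR01", "AP02")),
    Risk("P002", "Post vendor invoice and run payment", "High", ("AP02", "AP03")),
]

# Roles grant actions; users hold roles (constructed).
ROLES = {
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_TREASURY": {"F110"},
}
USERS = {"JSMITH": ["Z_BUYER", "Z_AP_CLERK"], "AKHAN": ["Z_TREASURY"]}

# --- Analysis -------------------------------------------------------------
def user_actions(user, extra_roles=()):
    """Every action reachable through the user's roles plus any simulated ones."""
    actions = set()
    for role in list(USERS.get(user, [])) + list(extra_roles):
        actions |= ROLES[role]
    return actions

def conflicting_action_sets(actions):
    """Detail level: per risk, each combination of held actions (one per
    conflicting function) that produces the violation. {risk_id: [tuples]}"""
    found = {}
    for risk in RISKS:
        held = [sorted(FUNCTIONS[f] & actions) for f in risk.functions]
        if all(held):                       # every conflicting function reachable
            found[risk.risk_id] = sorted(product(*held))
    return found

def executive_summary(user, extra_roles=()):
    """Executive Summary layout: one line per risk with the count of
    conflicting action combinations producing it."""
    detail = conflicting_action_sets(user_actions(user, extra_roles))
    return {rid: len(combos) for rid, combos in detail.items()}

def management_summary(user, mitigations=None, extra_roles=()):
    """Management Summary layout: one line per risk with severity and the
    mitigation control assigned to this user for it (None if unmitigated)."""
    mitigations = mitigations or {}         # {user: {risk_id: control_id}}
    by_id = {r.risk_id: r for r in RISKS}
    return [{"risk": rid, "severity": by_id[rid].severity,
             "description": by_id[rid].description,
             "mitigated_by": mitigations.get(user, {}).get(rid)}
            for rid in executive_summary(user, extra_roles)]

def simulate(user, new_roles):
    """What-if scenario: risks that would appear only after assigning new_roles."""
    before = set(executive_summary(user))
    after = set(executive_summary(user, new_roles))
    return sorted(after - before)

if __name__ == "__main__":
    print(executive_summary("JSMITH"))         # {'P001': 4}
    print(simulate("AKHAN", ["Z_AP_CLERK"]))   # ['P002']
```

A permission-level analysis would replace the transaction-code sets with authorization objects and values, but the matching logic stays the same.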

Running A Risk Analysis

Running Risk Analysis In Background Mode

Simulation What If Scenarios

Audit Reports

Security Reports

Background Jobs

Demonstration

The instructor will demonstrate how to navigate RA&R

Unit Summary

You should now be able to:
- Discuss and use the Management View
- Run the Risk Analysis Report
- Run the Audit Reports
- Run the Security Reports
- Describe the Background Jobs functionality


Unit 3 Objectives
After completing this unit you will be able to:
- Navigate CUP
- Discuss the CUP Modules

Overview

CUP automates the access provisioning approval process by combining roles and permissions with workflow. When a user (Requestor) makes an access request for resources for which they do not have permission, CUP automatically forwards the access request to designated managers and approvers within a predefined workflow. This workflow is customized to reflect your company policy. Roles and permissions are automatically applied to the enterprise directories when the access request is approved. CUP automates the role provisioning process within the identity management environment. It ensures corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.

Workflows
The workflows are configured by the CUP Administrator to reflect your corporate policies and business unit practices. CUP allows you to track your request and view its status. As your request goes through each stage of the workflow, you can view all comments appended by Managers, Approvers, and Security.

CUP in Action Scenario (1)


The following scenario depicts a general usage of CUP in a typical enterprise environment:
1. Upon logging in to CUP, the end-user or Requestor makes an access request for a specific application (SAP and/or non-SAP) for which they do not have the necessary roles.
2. CUP provides the Requestor with an Access Request page where certain attributes can be pre-populated with default values based on the Request Type. The Access Request page can be set to specific or multiple data sources (such as SAP HR systems or non-SAP application servers) to complete the access request process.
3. After completing the Access Request page, the Requestor submits the request, thereby triggering a workflow process. The workflow process is made up of a series of pre-defined approval stages. The entire workflow is customized to reflect the business policies and security procedures.

CUP in Action Scenario (2)


4. At each approval stage, the Approver receives email notification of the access request. The Approver can then retrieve additional information from multiple sources to provide the data necessary for a complete risk analysis, including Segregation of Duties (SoD) assessments that are automatically evaluated by the Risk Analysis and Remediation engine. When a conflict of interest does arise, the Approver can mitigate the problem or reject the access request. Mitigating a conflict can be a one-time exception for a particular request or a policy change within the business unit.
5. Upon approval, the access request is routed to the next stage, which can be the IT security team for entry into the SAP backend system or application server. It can also be automatically provisioned to the target system. CUP documents the audit trail of the executed user request and approval for security, legal, and regulatory compliance monitoring.
6. Managers, Approvers, and the IT Security team can view reports that show the number of provisioned users in a given time frame or within a certain Service Level Agreement. Reports can also show an analytical breakdown of SoD violations and mitigation resolutions.

Getting Started

Creating Requests
CUP provides standard request types that are defaults, which cannot be deleted or modified. The request types of your access request will determine how the request is processed for approval in the workflow.

More Screen

Selecting Roles
In SAP, roles are a collection of transactions that an end-user is permitted to perform. When a role is assigned to an end-user, all transactions within that role are available to that user. Roles in SAP can be single or composite. Composite roles are a group of single roles.

Using the Attachments Tab


Before approving the request, you can attach files that are relevant to the request by using the Attachment tab.

Using the Comments Tab


Before approving the request, it is recommended that you document any information regarding the request by using the Comments tab. To add a comment, click the Plus (+) icon. The field becomes active.

Copy Request
The Copy Request option allows you to create a new request based on an existing request. You can copy an existing request for multiple users. For example, if you have multiple users who have requested access to the same system or roles, you can copy an existing request to create multiple requests with similar information.

Unit Summary

You should now be able to:


Navigate Discuss

CUP

the CUP Modules

Demonstration

The instructor will demonstrate how to navigate CUP and introduce CUP modules


Unit 4 Objectives
After completing this unit you will be able to:
- Discuss the Approver Module
- Manage Requests through the Approval Process
- View Requests Status

Overview
CUP provides a standardized decision-making process for approving requests. It also provides a comprehensive view of information needed to make approval decisions. Authorized Approvers can be managers or members of various departments (such as IT Security), who are assigned to the appropriate workflow stages in the approval process. These assignments to workflow are configured by the CUP Administrator.

Approver Types
CUP provides three standard Approver types, but other types can be added to CUP. The standard Approver types are:
- Manager Approver
- Role Owner
- Security Approver

PRASA Approver Types:
- Business Process Approvers (BPO)
- IT Governance
- Security

Requests For Approval


Once a Requestor has submitted an access request, you will receive an email notification about the request, and the request will also be listed in your in-box (Request for Approval page).

Approving and Rejecting Access Requests


The Request Information page provides action buttons to process the access request. As a Manager Approver, you would normally approve a request submitted by someone from your group.

Using the Roles/Profiles Tab


Before approving the request, it is recommended that you review the Roles/Profiles tab.

Selecting Roles
In SAP, roles are a collection of transactions that an end-user is permitted to perform. When a role is assigned to an end-user, all transactions within that role are available to that user. Roles in SAP can be single or composite. Composite roles are a group of single roles.

Using the PD Profile Tab


Before approving the request, it is recommended that you review the PD Profiles tab.

Using the Risk Violations Tab


Before approving the request, it is recommended that you review the Risk Violations tab.

Using the Mitigations Tab


Before approving the request, it is recommended that you review the Mitigation tab.

The Mitigation tab is read only. It displays what risks are mitigated and the details on the mitigation control.

Mitigation Controls

Using the Comments Tab


Before approving the request, it is recommended that you document any information regarding the request by using the Comments tab. To add a comment, click the Plus (+) icon. The field becomes active.

Using the Request Justification Tab


Before approving the request, it is recommended that you view the Request Justification tab for any information regarding this request. This tab is read-only.

Using the Attachments Tab


Before approving the request, you can attach files that are relevant to the request by using the Attachment tab.

Performing Risk Analysis


Before deciding to approve an access request, you should perform a Risk Analysis on the request to uncover any SoD violations and conflicts. When you perform Risk Analysis, you can check prospective request approvals for compliance and audit exposure. Risk Analysis can be performed before or after assigning roles to an access request either manually or by modeling an existing profile.

Performing Mitigation
The Mitigation option enables you to resolve risk violations by allowing exceptions to the rules defined using Risk Analysis and Remediation (mitigation controls). The Mitigation option allows you to monitor risks over a specific time period. On the Mitigation page, you can:
- Create a new mitigation control for a specific risk violation
- Assign an existing mitigation control to a specific violation

Performing Advanced Analysis


The Advanced Analysis option enables you to drill down through the various levels of granularity (Role, Transaction Code, or Authorization Object) to uncover the risk violation.

Forwarding Requests
During the approval process, you can forward the request to another approver.

Reroute Requests
During the approval process, you can reroute the request to another approver.

Search Request
The Search Request option allows you to search for Open, Closed, Hold, or Rejected requests. You can specify search criteria to filter the requests. The request information that is returned is view only; you cannot modify the information that appears on the result page.

Approver Delegation
The Approver Delegation option enables you to delegate your approver authority to another member of your team. For example, if you are out-of-the-office for a period of time, you can delegate your approval permissions to the designated proxy on your team. You have to specify a duration of time for which you want to allocate your work to your proxy.

Request Audit Trail


The Request Audit Trail option allows you to view a request audit trail, which shows the request approval history at any time. The audit trail displays details of a request, such as, when the request was created, who submitted the request, and which Approvers approved the request.

Reaffirm
As a Role Owner Approver, you need to reaffirm roles with dates that have expired. The reaffirm dates are initially set by the CUP Administrator, using the Configuration Module. In the Roles>Create Roles page, the Administrator should have defined a specific time period in which the role needs to be reaffirmed.

Holding Access Request


As an Approver, you can put an access request on hold if you deem it necessary. Once the request has a hold status, you can further investigate any SoD violations and/or apply any mitigation controls to the request.

Request On Hold
The Request on Hold option allows you to view all requests that you put on hold to process at a later time. You then can select a request from the displayed list and perform the appropriate action.
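To show how the pieces of this unit and the Unit 3 scenario fit together (approval stages, the Risk Analysis gate, mitigation, hold, forward, reject, Approver Delegation for a fixed period, and the Request Audit Trail), here is an added Python model. It is not SAP GRC code and not part of the course; stage names, user IDs, risk IDs, control IDs and dates are constructed sample data.

```python
"""Access-request approval workflow in the CUP style described above.

Added illustration, not SAP GRC code. Stage names, user IDs, risk IDs and
control IDs are constructed sample data; dates are ISO strings so they
compare correctly as text.
"""

class Request:
    def __init__(self, req_id, requestor, stages, created, risk_ids=()):
        self.req_id, self.requestor = req_id, requestor
        self.stages = list(stages)        # ordered approval stages (approver per stage)
        self.stage = 0
        self.status = "Open"              # Open / Hold / Rejected / Closed
        self.open_risks = set(risk_ids)   # SoD risks from Risk Analysis, not yet mitigated
        self.audit = [("created", requestor, created)]   # request audit trail

    def current_approver(self):
        """Approver who owns the request now; None once it is Closed or Rejected."""
        return self.stages[self.stage] if self.status in ("Open", "Hold") else None


class Workflow:
    def __init__(self):
        self.delegations = {}   # approver -> (proxy, valid_from, valid_to)

    def delegate(self, approver, proxy, valid_from, valid_to):
        """Approver Delegation: hand approval authority to a proxy for a fixed period."""
        self.delegations[approver] = (proxy, valid_from, valid_to)

    def _may_act(self, req, actor, today):
        """Only the stage owner, or an in-window proxy, may act on an open request."""
        owner = req.current_approver()
        if owner is None:
            return False
        if actor == owner:
            return True
        d = self.delegations.get(owner)
        return d is not None and d[0] == actor and d[1] <= today <= d[2]

    def _act(self, req, actor, today, action, new_status=None):
        if not self._may_act(req, actor, today):
            raise PermissionError(f"{actor} may not act on {req.req_id}")
        req.audit.append((action, actor, today))
        if new_status:
            req.status = new_status

    def hold(self, req, actor, today):
        self._act(req, actor, today, "hold", "Hold")

    def mitigate(self, req, actor, risk_id, control_id, today):
        """Assign a mitigation control to a violation; the risk no longer blocks approval."""
        self._act(req, actor, today, f"mitigate {risk_id} with {control_id}")
        req.open_risks.discard(risk_id)

    def reject(self, req, actor, today):
        self._act(req, actor, today, "reject", "Rejected")

    def forward(self, req, actor, new_approver, today):
        """Forward the current stage to another approver."""
        self._act(req, actor, today, f"forward to {new_approver}")
        req.stages[req.stage] = new_approver

    def approve(self, req, actor, today):
        """Approval gate: unmitigated risks block approval; the last stage closes the request."""
        if req.open_risks:
            raise ValueError(f"unmitigated risks on {req.req_id}: {sorted(req.open_risks)}")
        self._act(req, actor, today, "approve", "Open")   # also clears a Hold
        if req.stage == len(req.stages) - 1:
            req.status = "Closed"         # final approval: provision to target system
        else:
            req.stage += 1


def demo():
    """Walk one request through BPO, IT Governance (via proxy) and Security stages."""
    wf = Workflow()
    req = Request("R-1", "JSMITH", ["BPO1", "ITGOV1", "SEC1"], "2024-03-04", ["P001"])
    wf.hold(req, "BPO1", "2024-03-04")                           # investigate the SoD hit
    wf.mitigate(req, "BPO1", "P001", "MC-001", "2024-03-04")
    wf.approve(req, "BPO1", "2024-03-04")
    wf.delegate("ITGOV1", "ITGOV2", "2024-03-01", "2024-03-10")  # ITGOV1 out of office
    wf.approve(req, "ITGOV2", "2024-03-05")
    wf.approve(req, "SEC1", "2024-03-06")
    return req
```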

Unit Summary

You should now be able to:
- Discuss the Requestor Module
- Create Requests
- View Requests Status

Demonstration

The instructor will demonstrate how the Approver module functions.


Unit 5 Objectives
After completing this unit you will be able to:
Discuss

Workflows configured for PRASA

PRASA Workflows
The following workflows have been configured for PRASA:
- Change Account
- New Account
- Lock / Unlock Account
- Role Approval
- Create, Change & Delete Risks
- Create, Change & Delete Mitigation Controls
- Assignment of Mitigation Controls
- Assignment of Firefighter IDs

Change Account

New Account

Lock / Unlock User

Role Approval

Create, Change & Delete Risks

Create, Change & Delete Mitigation Controls

Mitigation Control Assignment

Assignment of Firefighter ID


Unit 6 Objectives
After completing this unit you will be able to:
- Discuss what Super User Privilege Management is
- Explain key features and benefits of Super User Privilege Management
- List the major components of Super User Privilege Management
- How to use Super User Privilege Management

What is Super User Privilege Management


Previously known as Fire Fighter, it is a solution used for:
- Emergency situations that require excessive access to the SAP systems
- Situations that require extensive and/or special access
- When you don't have time to obtain logins, passwords, etc.

Features of SPM

Strategy
- SPM provides the ability for selected personnel to act as a Firefighter
- Firefighters perform tasks outside of their normal role or profile in an emergency situation
- Only certain individuals / owners can assign these Firefighter IDs
- Extended capability is provided to users while creating an auditing layer to monitor and record usage

Logging Information
Firefighter gathers logging information from the following:
- Statistical Records/User Activities (STAT): the SAP systems also log activities categorized by transaction and user in statistical records.
- Change Documents (CDHDR): the SAP systems capture changes with change documents, i.e. entries in the CDHDR table.
- Transactions: all transactions that are successfully entered are reported (whether any updates were made or not).
- Programs Executed: if transaction SA38 or SE38 is executed and a program is run, the program name will be reported.

SPM Roles / Users


Firefighter users are assigned specific roles which determine what features are accessible within the Firefighter program. These roles are:
- Administrator
- Owner
- Firefighter
- Controller

Administrator Role
Firefighter Administrators have complete access to the Firefighter program. Administrators are the only Firefighter user who can create Firefighter ID passwords. All other Firefighter users receive an error when they attempt to open the Firefighter Security table. Administrators are responsible for assigning Firefighter IDs to Owners and can also assign Firefighter IDs to Firefighters. Administrators are also the only Firefighter users with the ability to access the Firefighter Tool Box and generate reports. The exception is the Log report, which is accessible from the Administration menu and the toolbar in the Firefighter Cockpit.

Owners Role
Owners can assign Firefighter IDs to Firefighters and Controllers. When accessing the Firefighter program, Owners only see Firefighter IDs assigned to them by the Firefighter Administrator. Owners can be Controllers by assigning any Firefighter IDs in the Controllers table. Owners cannot assign Firefighter IDs to themselves; another Owner must assign them.

Firefighters Role
Firefighters have access to the Firefighter IDs assigned to them and can use the Firefighter IDs to perform any tasks permissible by the Firefighter ID roles.

Controllers Role
Controllers audit Firefighter ID usage by viewing the Firefighter Log report and receiving email notification of Firefighter ID logins. Controllers can view the Log report within Firefighter or have the Log report emailed as a text file attachment.

Firefighters ID
A Firefighter ID is a user ID with specific roles that allow the Firefighter to perform the required tasks. Each Firefighter is assigned specific Firefighter IDs for a designated period of time. Once a Firefighter initiates the Firefighter application, only assigned Firefighter IDs are displayed and available for use. Each time a Firefighter logs-in using a Firefighter ID, the login event and any subsequent transaction usage are recorded. Any existing user ID can be designated as a Firefighter ID. However, once a Firefighter ID is specified, it can no longer be used for normal login purposes.

Reports

Assignment of Firefighter ID

User Interface
The two parts of Firefighter are the Firefighter Cockpit and the Firefighter Tool Box.

Cockpit
- Administrators and Firefighter ID Owners use the Firefighter Cockpit to configure and maintain Firefighters.
- Firefighter ID Controllers and Firefighters use the Firefighter Cockpit to use Firefighter features.
- The Firefighter Cockpit contains menus, a toolbar, and the Firefighter Dashboard.

The Firefighter Tool Box provides Administrator access to Firefighter reports.

Menus

Toolbar (1)
The Firefighter toolbar makes it easy to access most of the administrative and reporting features in the program.

- Refresh: click this button to refresh the data in the Firefighter Dashboard.
- Log Report: click this button to display the Log report form used to generate the Log report.
- Owners: click this button to display the table used to assign Firefighter IDs to Owners.
- Firefighters: click this button to display the Firefighters table, used to assign Firefighter IDs to Firefighters.
- Controllers: click this button to display the Controllers table, used to assign Firefighter IDs to Controllers.

Toolbar (2)
The Firefighter toolbar makes it easy to access most of the administrative and reporting features in the program.

- Security: click this button to display the Firefighter ID Security table, used to assign passwords for Firefighter IDs.
- Reason Code: click this button to display all the reason codes and descriptions.
- Configuration: click this button to display the Configuration table.
- Critical Codes: click this button to display the Critical Transaction Codes table. Note: if you use the Critical Transactions table from Risk Analysis and Remediation, this table is not accessible from Firefighter.
- Toolbox: click this button to display the Firefighter Tool Box. The Tool Box is accessible to Firefighter Administrators and lists all the reports available in Firefighter.

Firefighter Dashboard

The Firefighter Dashboard is the entry point for Firefighters.


Users with any of the three Firefighter roles assigned to their user ID will have Firefighter appear in their SAP Easy Access menu. If it does not, use the transaction code [/n/virsa/vfat] to access the Firefighter program. The Firefighter Dashboard is displayed in the Firefighter Cockpit. The Dashboard is used by Firefighters to log in with a Firefighter ID. The Dashboard also displays which Firefighters are logged in with which Firefighter ID and enables all Firefighter users to send messages to anyone using a Firefighter ID.

Login with a Firefighter ID

Sending a Message to a Firefighter


There may be occasions when a Firefighter ID is in use by one Firefighter and another Firefighter user needs to use the same Firefighter ID.

Web Reports

Log Summary Report

Reason / Activity Report

Transaction Usage Report

Log Report

SOD Violations Report

Demonstration

The instructor will demonstrate how to navigate the SPM User Interface and Cockpit, and how to produce Web Based and Tool Box reports.

Questions


Thank you
