30 March 2009 – ANDREA CAVALLERI
Dec 05, 2014
The company
• Aglea was founded in 2003 as a company specializing in the management of users and authorizations in the SAP world
• Works directly with, or alongside, major system integrators
• AGLEA is part of APL Italian SpA, owner of the software "SOFIA" ® (securities portfolio manager for banks and insurance companies)
Security Analyzer 29.9.09
Expertise
• Focus areas:
• Consulting
• SAP Security project
• New implementations
• Authorizations review based on RBE (Reverse Business Engineering)
• Authorizations upgrade
• Auditing
• Sarbanes Oxley / Dlgs 231/2001 / L 262/2005 / Dlgs 196/2003
• Segregation of Duties
• Risk management
• SOD analysis
Software
• Security Analyzer
Security Analyzer
• Security Analyzer (SA) is the application that manages SAP security (users and authorizations)
• It consists of:
• two ABAP reports that download security information from a SAP system
• a Microsoft Access application that imports and processes the data
• SA is compatible with SAP systems starting from release 4.6 of R/3
Strengths
SA:
• Is customizable, so it can be adapted to specific customer requirements
• Lets you cross-check authorizations against usage statistics, including in the SOD analysis
• The SOD tab contains an SoD matrix of risks (based on SAP R/3-ECC transactions)
• Performs special analyses that help identify "non-compliant" use of the profile generator
• Is very quick to install and use
• Allows you to perform retrospective analysis
• Is fully developed by Aglea, which operates exclusively in SAP security consulting
Integration with GRC
• SA is not an alternative to SAP GRC Access Control. The "point of contact" is in the SOD
• Security Analyzer is ideal for analyzing a SAP system during an authorization review and for monitoring the role model adopted
• SA reporting is complementary to GRC and is particularly useful during REMEDIATION
Security Analyzer
• After installing the two ABAP reports in the system to be analyzed, the documentation and analysis process is very simple
• Extract the data from SAP (53 tables + usage statistics) and place it in a directory
• Define a project in SA (one time) and customize its settings
• Import the data into SA
• Generate the reports needed
• Conduct more specific analyses
• analysis of authorizations (a more powerful "SUIM")
• transaction-based SOD analysis
Project definition
The first action is to create a project with an SAP client
SA can keep data online for one system at a time
Project definition
Form in which you can specify the attributes of the project
Import
Rapid import (about 15 minutes) of data exported from SAP
You can also import only some of the tables, divided by subject
A dedicated LOG provides useful information on any problems encountered during the import
Reports
Screen for opening the output
You can:
• obtain a query to be exported to Excel
• save directly as xls
• print the report (PDF format), choosing among the more than 100 models currently
Organizational Analysis
If the HR scenario is implemented, the organizational structure can be analyzed offline
It provides specific information and features not available directly from SAP
Indicators
The main information of the Security are summarized in a single screen.
With it you can monitor the health of the system in a few minutes
Auditing
Audit analyses can be focused on authorization objects
You can create as many audits as you like, excluding from the analysis any blocked users or SAP_ALL and SAP_NEW
Auditing
The details are specified in the affected and the values to be found
You can enter up to 3 values in "OR".
SOD Analysis
SOD analysis can be conducted on 5 SAP items:
1. Composite role (Job Role)
2. Simple role (Task), Menu tcode level
3. Simple role (Task), Authorizations tcode level (S_TCODE)
4. Permissions assigned to the user (User). In this case, if a user has a permission on an S_TCODE range or with asterisks, all matching transactions are still identified
5. Transaction usage statistics. This feature allows you to act quickly on the real risks and then on the potential ones
You can also generate an additional SOD matrix based on Job Roles.
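The S_TCODE expansion in item 4 and the real-versus-potential split in item 5, as an added example (not Aglea's code). The transaction catalog, risk matrix, user values and function names are constructed for illustration; ranges are compared as plain strings, and "real" is assumed to mean the user actually executed transactions on both sides of a risk.

```python
import re

# Constructed sample data: transaction catalog, SoD risk matrix, user values.
CATALOG = {"FK01", "FK02", "XK01", "F110", "FB60", "ME21N", "ME22N", "MIGO", "VA01"}
SOD_MATRIX = {
    "R01 vendor master vs payment run": ({"FK01", "FK02", "XK01"}, {"F110"}),
    "R02 purchase order vs goods receipt": ({"ME21N", "ME22N"}, {"MIGO"}),
}
# S_TCODE values as (low, high): high is None for a single value or a
# pattern with asterisks; otherwise low..high is an inclusive range.
SAMPLE_AUTH = [("FK01", "FK99"), ("F1*", None), ("ME2*", None)]


def expand_s_tcode(values, catalog=CATALOG):
    """Resolve S_TCODE values to the concrete transactions they allow."""
    allowed = set()
    for low, high in values:
        if high is None:
            pattern = re.compile(re.escape(low).replace(r"\*", ".*"))
            allowed |= {t for t in catalog if pattern.fullmatch(t)}
        else:
            # Simplification (assumption): ranges compared as plain strings.
            allowed |= {t for t in catalog if low <= t <= high}
    return allowed


def sod_conflicts(values, used, matrix=SOD_MATRIX, catalog=CATALOG):
    """Map each risk the user can trigger to 'REAL' or 'POTENTIAL'."""
    allowed = expand_s_tcode(values, catalog)
    executed = used & allowed
    findings = {}
    for risk, (side_a, side_b) in matrix.items():
        if allowed & side_a and allowed & side_b:
            real = bool(executed & side_a) and bool(executed & side_b)
            findings[risk] = "REAL" if real else "POTENTIAL"
    return findings


if __name__ == "__main__":
    print(sorted(expand_s_tcode(SAMPLE_AUTH)))
    # Usage statistics (constructed): only one side of R01 was executed.
    print(sod_conflicts(SAMPLE_AUTH, used={"FK01", "ME21N"}))
    # Both sides of R01 executed: the risk is no longer just potential.
    print(sod_conflicts(SAMPLE_AUTH, used={"FK02", "F110"}))
```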
Mapper
• The Mapper function lets you find the best set of roles (chosen from a list of "candidates") to assign to a user based on their usage statistics
Mapper
Creating a composite role - identifying TASK
Mapper
Mapping users and roles according to statistics
Version and Licensing