Page 1: Overview of SAP Business Objects Access Control 10.0

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

© 2011 SAP AG 1

Overview of SAP BusinessObjects Access Control 10.0

Applies to:

SAP BusinessObjects Access Control 10.0, SAP NetWeaver 7.0, Enhancement Package 2. For more information, visit the Governance, Risk, and Compliance homepage.

Summary

With the release of SAP BusinessObjects Access Control 10.0 there has been a lot of excitement regarding the enhanced version and its capabilities. This article provides a high level understanding of SAP GRC Access Control 10.0. It’s compiled from the information available on various SAP sites and from the expert sessions on GRC 10.0.

Author: Charukesh R Gaikwad

Company: KPMG India

Created on: 10 May 2011

Author Bio

Charukesh Gaikwad is working as SAP GRC Consultant in KPMG ERP Advisory services.


Table of Contents

Access Control 10.0: Introduction

Access Control 10.0: Landscape

New and Enhanced Features: Release Notes

New Focus Areas

What’s new in Risk Analysis?

New Risk Analysis Framework

System Specific Mitigation

Approval process for functions

Additional Audit trail tracking

Work Centers in Access Control

Related Content

Disclaimer and Liability Notice


Access Control 10.0: Introduction

SAP BusinessObjects Access Control is an enterprise software application that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, superuser maintenance, and periodic compliance certifications. It delivers immediate visibility of the current risk situation with real-time data.

Access Control 10.0 is part of the newly released SAP Governance, Risk and Compliance (GRC) 10.0, which also comprises Process Control 10.0, Risk Management 10.0 and Global Trade Services. The greatest value in GRC 10.0 is the harmonization of Access Control, Process Control and Risk Management, which ultimately results in shared processes, data and user interface with reduced redundancy.

Access Control 10.0: Landscape

The GRC 10.0 suite runs on AS ABAP 7.02 SP6 or higher. Access Control, Process Control and Risk Management are contained in one ABAP add-on, GRCFND_A.

Source: GRC 10.0 Pre installation Guide on SAP BPX

Front end:

The front-end needs a web browser or (optionally) a client installation of the NetWeaver Business Client 3.0 (NWBC)

The web browser can be used to access the embedded NWBC or GRC via the NetWeaver Portal

Adobe Flash Player 10 is used for displaying dashboards, e.g. the RM heat map.


SAPGUI 7.10 PL 15 or higher is required for administration and customizing tasks; note that SAPGUI 7.20 is recommended because SAPGUI 7.10 has reached end of maintenance.

The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.

Portal:

The NetWeaver Portal 7.02 can be used optionally

The GRC Portal Content contains the GRC Portal UI elements to access the GRC suite

The Portal’s AS Java can contain an Adobe Document Services instance, in effect Portal and ADS may be shared on one AS Java instance

ERP and Non SAP Business Applications:

The GRC solutions can communicate with SAP ERP and non-SAP business applications via plug-ins

The NetWeaver plug-in (GRCPINW) holds the AC functions for ERP systems without HR (former non-HR RTA)

PC-relevant features are contained in the plug-in GRCPIERP, for example for running automated controls, as are the HR-relevant functions for AC (former HR RTA)

GTS functions are part of the SLL-PI plug-in, for example, for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERP

Non-SAP ERP systems can also be connected via adapters from an SAP Partner company

BI Content:

NetWeaver BW can be used for reporting via the GRC BI Content

The GRC BI Content is part of BI Content 7.06

NetWeaver BW 7.02 is used for the GRC BI Content.

Identity Management:

AC can be integrated bi-directionally to IdM solutions for provisioning and risk analysis

NetWeaver IdM 7.2 is required for integrating with AC 10.0

Adobe Document Services:

An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms.

Although it is technically optional, it is highly recommended for generating PDF reports

These ADS can be an existing instance and can also be shared with other applications



New and Enhanced Features: Release Notes

Enhanced Visualization and Streamlined Navigation – This enhancement provides a common look and feel with configurable role-based user access to GRC functions from the SAP Portal or SAP NetWeaver Business Client (NWBC). Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items (e.g., one inbox, not three) and makes sharing of data and functions possible. The menu items an individual user sees within each work center are controlled by the user’s GRC role(s). This also enables data shared across components to be viewed differently by different users.

Improved Reporting – GRC reporting leverages the Business Suite ABAP List Viewer (ALV) – Crystal integration framework to present and personalize ABAP (WebDynpro) reports and convert into Crystal reports. This lowers the TCO and extends the benefits of Crystal without the need for a separate BOE server. It also reduces the time spent by business users on reporting needs. Custom Crystal reports with embedded graphics can also be created easily with Crystal Designer.

Analyze and Manage Access Risk – This release provides a robust user interface for efficient creation and maintenance of functions, actions, and permissions. It uses a workflow-driven process for function maintenance. Audit trail tracking is available for most maintenance activities. In this release, it will be possible to mitigate risk at the rule level or at the system level.

Design and Manage Roles – Access Control 10.0 introduces a central role repository. Role definitions are shared across the application, allowing the user to create and maintain roles in one place. Business roles are introduced to improve the role management process by providing the ability to define roles similar to a job function. Authorizations are maintained through PFCG, leveraging all the capabilities PFCG provides. Users can import roles directly from the backend system without needing a file. Enhanced role methodology management allows users to update the role methodology of a role that is already in use. Role comparison has been enhanced to compare role definitions from multiple backend systems. Role certification allows role owners to certify role content on a periodic basis to meet regulatory compliance requirements.

Provision and Manage Users – New enhancements include the ability to customize end user access request forms. Templates can be created for Access Requests. Approver view is now customizable. IdM integration has been enhanced with new web services.

Emergency Access Management – Access Control 10.0 introduces the ability to centrally administer firefighters. Firefighter assignments can be made in the central console and the firefighter session can be initiated centrally. Firefighters can be provisioned through the enhanced provisioning feature. A standardized workflow process has been introduced for reviewing firefighter logs.


New Focus Areas:

Source: SAP GRC Solutions 10.0: Live Expert Sessions


What’s new in Risk Analysis?

The enhanced risk analysis engine allows end-user customization and personalization, streamlining the risk analysis. It has increased the degree of automation and empowers users to derive maximum value to suit their business and compliance requirements.

With the provision of bulk maintenance, an enhanced audit trail and more mitigation options, the tool has become more user friendly, resulting in a faster and more efficient response.

New Risk Analysis Framework

Different conditions can be configured and combined.

Multiple risk analysis reports can be run at a time.

Multiple selections can be imported from a file.

Drill downs available across the reports.

Columns in the reports can be hidden and rearranged.

Reports provide transaction execution data.

Crystal and PDF reports are available.

The reports can be sorted by any column.

The key benefit of the enhanced risk analysis framework is access to the right data at the right time in the right format.

This ultimately results in a faster and more consistent response.

System Specific Mitigation

Mitigation options have been expanded to address the complexities involved in the mitigation procedure and to streamline the overall mitigation process.

In the enhanced version it is possible to assign mitigating controls to a specific system.

Multiple systems can also be chosen while assigning mitigating controls.

Mass mitigation allows multiple risks to be mitigated in one go.

This enhancement aims to provide more flexibility and simplify and speed up the mitigation process.

Approval process for functions:

All changes to functions will trigger workflows for approval.

Additional Audit trail tracking

All changes to access rules can now be tracked. Components like functions, risks, org rules, supplementary rules, critical roles, critical profiles and rule sets can have an audit trail.

The key benefit is quick access and higher visibility to the changes made with comprehensive information about the changes.


Work Centers in Access Control:

Access Control is available both as a standalone application and as part of the GRC 10.0 application.

Although the structure of the work centers in the Access Control standalone application differs from that of Access Control within the GRC 10.0 application, the functions within the application are the same.

The following table captures the key features of these functions.

Function: My Home

Description: My Home provides a central location to view and act on your assigned tasks and accessible objects.

Features:

View, access, and address workflow tasks assigned to you, including completed reports that you scheduled.

Assign delegates to perform your tasks or activities.

View and process your user data.

*Perform document searches across all documents (including document content) for which you have authorization.

Function: Rule Setup / Setup: Access Rule Maintenance

Description: This section is used to manage the following access rule entities:

Rule sets: categories or groupings of rules, used primarily to determine the group of access risks to use when running an access risk analysis.

Functions: a collection of one or more actions that an employee needs to complete to perform a specific goal.

Access risks: objects that identify potential access problems that your enterprise might encounter.

Features: Using the Access Rule Maintenance section, you can:

Search and display existing rule sets, functions, and access risks

Create new rule sets, functions, and access risks

Modify existing rule sets, functions, and access risks

Delete rule sets, functions, and access risks, as necessary

Function: Access Management

Description: This is where Role Management, role maintenance and Role Mining activities are performed. Mitigated Access and Scheduling are also in this work center. Its sections are 1 Mitigated Access, 2 Role Management, 3 Role Mining and 4 Role Mass Maintenance.

Features:

1 Mitigated Access

Mitigated Access allows you to manage the risks associated with access control by identifying risks, assessing the level of those risks, and assigning mitigating controls to users, roles, and profiles to mitigate access rule violations. A risk is identified through risk analysis and cannot be mitigated unless the control has been previously defined. The first step in defining, or creating, a mitigating control is to create a mitigating control ID. This ID appears in risk analysis reports. Every risk ID that the control is used to mitigate must be associated with that control.

Use mitigating controls to:

Create mitigating controls for risks that you cannot remove

Assign mitigating controls to users, roles, and profiles that contain a risk

Establish a period of time during which the control is valid

Specify steps to monitor conflicting actions associated with the risk

Create administrators, control monitors, approvers, and risk owners and assign mitigating controls to them

2 Role Management

Role Management allows you to manage roles from multiple systems with a single unified role repository. The roles can be documented, designed, analyzed for control violations, approved, and then automatically generated. It enables standardized practices to ensure that role definitions, development, testing, and maintenance are consistent across the entire enterprise.

The application allows role owners and security administrators to:

Track progress during role implementation

Monitor the overall quality of the implementation

Perform risk analysis at role design time

Set up a workflow for role approval

Provide an audit trail for all role modifications

Maintain roles after they are generated to keep role information current.

3 Role Mining

Role Mining groups together features that allow you to target roles of interest, analyze the roles, and then take action. For example, find all roles that are due to expire and affirm whether they are still relevant.

Its features are:

Action Usage

Role Comparison

Role Reaffirm

4 Role Mass Maintenance

You can use Role Mass Maintenance to import and change authorizations and attributes for multiple roles. The Role Mass Maintenance process is composed of the following procedures:

Importing Multiple Roles

Updating Multiple Roles

Updating Org. Values for Multiple Derived Roles

Deriving Multiple Roles

Analyzing Risk for Multiple Roles

Generating Multiple Roles

Function: Reports and Analytics

Description: The Reports and Analytics work center contains the following sections:

Access Dashboards

Access Risk Analysis Reports

Access Request Reports

Role Management Reports

Security Reports

Audit Reports

Superuser Management Reports

Function: #Superuser Assignment

Description: In the Superuser Assignment section, you can perform activities such as assigning firefighter IDs to owners and assigning firefighters and controllers to firefighter IDs.

Features: The Superuser Assignment section provides the following links:

Owners

Firefighter IDs

Function: #Superuser Maintenance

Description: In the Superuser Maintenance section, you can perform activities such as searching for and maintaining firefighters and controllers, and assigning reason codes by system.

Features: The Superuser Maintenance section provides the following links:

Firefighters

Controllers

Reason Codes

# Superuser Assignment and Superuser Maintenance are part of the Access Management work center when Access Control runs within the GRC application, whereas in the Access Control standalone application they are part of the Setup work center.

* Document search is available in the Access Control work centers within the GRC application only.
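As an added illustration for the Access Rule Maintenance and Mitigated Access sections above, and for the system-specific mitigation described under "What’s new in Risk Analysis?", the following Python script is example code written for this overview; it is not SAP’s code and not SAP-delivered rule-set content. It models the rule hierarchy the article describes (rule set, access risk, functions, actions), runs an action-level segregation-of-duties analysis over constructed user data from two connected systems, and then applies mitigating controls the way the text describes them: a risk can only be mitigated by a control that has already been defined for it, the assignment can be restricted to one system, and the control is only effective inside its validity period. All identifiers (PR01, P001, MC-AP-01, ERP_PRD, the user names) and the transaction-to-function mapping are constructed for illustration.

```python
# Added example for this overview (not SAP code, not SAP-delivered rule content).
# Models the AC 10.0 rule hierarchy, rule set -> access risk -> functions -> actions,
# and system-specific, time-limited mitigating controls. All IDs are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Set, Tuple

@dataclass(frozen=True)
class Function:
    id: str
    actions: FrozenSet[str]      # transactions; holding ANY one of them matches the function

@dataclass(frozen=True)
class Risk:
    id: str
    rule_set: str
    level: str
    functions: Tuple[str, ...]   # violated when a user matches ALL of these functions

@dataclass(frozen=True)
class MitigatingControl:
    id: str
    risk_ids: FrozenSet[str]     # the risks this control has been defined for
    valid_from: date
    valid_to: date

@dataclass(frozen=True)
class Assignment:
    user: str
    risk_id: str
    control_id: str
    system: str                  # connector the control is assigned for; "*" = all systems

@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    risk_id: str
    level: str
    actions: Tuple[str, ...]     # the user's actions that produced the conflict
    status: str

# Constructed rule content: a purchase-to-pay style SoD rule set with hypothetical IDs
FUNCTIONS: Dict[str, Function] = {
    "PR01": Function("PR01", frozenset({"ME21N", "ME22N"})),  # maintain purchase orders
    "AP02": Function("AP02", frozenset({"MIRO", "FB60"})),    # post vendor invoices
    "AP03": Function("AP03", frozenset({"F110"})),            # run vendor payments
}
RISKS: List[Risk] = [
    Risk("P001", "GLOBAL", "High", ("PR01", "AP02")),
    Risk("P002", "GLOBAL", "Critical", ("AP02", "AP03")),
]
CONTROLS: Dict[str, MitigatingControl] = {
    "MC-AP-01": MitigatingControl("MC-AP-01", frozenset({"P001"}), date(2011, 1, 1), date(2011, 12, 31)),
    "MC-AP-02": MitigatingControl("MC-AP-02", frozenset({"P002"}), date(2010, 1, 1), date(2010, 12, 31)),
}
ASSIGNMENTS: List[Assignment] = [
    Assignment("JSMITH", "P001", "MC-AP-01", "ERP_PRD"),  # system-specific: covers PRD only
    Assignment("AKHAN", "P002", "MC-AP-02", "*"),         # control MC-AP-02 is already expired
]
# Constructed user action data per connected system, as the backend plug-in would report it
USER_ACTIONS: Dict[str, Dict[str, Set[str]]] = {
    "JSMITH": {"ERP_PRD": {"ME21N", "MIRO", "FB60"}, "ERP_DEV": {"ME21N", "MIRO"}},
    "AKHAN": {"ERP_PRD": {"MIRO", "F110"}},
    "BLEE": {"ERP_PRD": {"ME21N"}},
}
AS_OF = date(2011, 5, 10)   # analysis date used to check control validity

def held_functions(functions: Dict[str, Function], actions: Set[str]) -> Set[str]:
    """Function-level view of a user's actions: any one matching action counts."""
    return {f.id for f in functions.values() if f.actions & actions}

def mitigation_status(user, risk_id, system, assignments, controls, as_of: date) -> str:
    """Mitigated only via an assignment covering this system whose control exists,
    is defined for this risk, and is valid on as_of."""
    valid, expired = [], []
    for a in assignments:
        if (a.user, a.risk_id) != (user, risk_id) or a.system not in ("*", system):
            continue
        ctl = controls.get(a.control_id)
        if ctl is None or risk_id not in ctl.risk_ids:
            continue                      # undefined control, or not defined for this risk
        (valid if ctl.valid_from <= as_of <= ctl.valid_to else expired).append(ctl.id)
    if valid:
        return "Mitigated by " + valid[0]
    if expired:
        return "Mitigation expired (" + expired[0] + ")"
    return "Unmitigated"

def analyze(rule_set: str = "GLOBAL", as_of: date = AS_OF) -> List[Finding]:
    """Action-level SoD analysis of USER_ACTIONS for one rule set: one finding per
    user, system and violated risk, each with its mitigation status."""
    findings: List[Finding] = []
    for user, systems in sorted(USER_ACTIONS.items()):
        for system, actions in sorted(systems.items()):
            held = held_functions(FUNCTIONS, actions)
            for risk in RISKS:
                if risk.rule_set != rule_set or not set(risk.functions) <= held:
                    continue
                conflict = tuple(sorted(a for fid in risk.functions
                                        for a in FUNCTIONS[fid].actions & actions))
                status = mitigation_status(user, risk.id, system, ASSIGNMENTS, CONTROLS, as_of)
                findings.append(Finding(user, system, risk.id, risk.level, conflict, status))
    return findings

if __name__ == "__main__":
    for f in analyze():
        print(f.user, f.system, f.risk_id, f.level, ",".join(f.actions), f.status)
```

Running the script produces three findings: JSMITH’s P001 conflict in ERP_PRD is mitigated by MC-AP-01, the same conflict in ERP_DEV is unmitigated because the control was assigned for ERP_PRD only, and AKHAN’s P002 conflict is reported with an expired control. That is the point a reviewer of a mitigation report should take from the system-specific and time-limited assignment model: an assignment that is expired or scoped to a different connector leaves the risk open, so the analysis has to check validity and system scope rather than only whether an assignment exists.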


Related Content

SAP BusinessObjects Access Control 10.0

SAP Library-Access Control

SAP GRC Solutions 10.0: Live Expert Sessions

For more information, visit the Governance, Risk, and Compliance homepage.


Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.