Optimizing User Administration in SAP


1 Optimizing User Administration in SAP
ISACA Geek Week - Atlanta August 13, 2014

2 Today's Presenters
- Aric Quinones, Managing Director, ERP Solutions Practice, Protiviti
- Chris Aramburu, Senior Consultant, Protiviti
- Connor Hammersmith, Protiviti

3 Who We Are
Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and 40 percent of FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
- 3,100 professionals
- Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
- 70+ offices
- Our revenues: US $ million in

4 The Risk Universe of SAP Security
GRC and ERM framework
SAP Security Risks:
- Security Standards
- Segregation of Duties and Sensitive Access
- Powerful Users
- Access Management
- User and Role Provisioning Process
General IT Risks:
- Application Interface Controls
- IT Infrastructure Controls
- Change Management
- Security Administration
- Backup and Recovery
Steering Committee, Board of Directors, Compliance (Regulatory Requirements), External / Internal Audit
SAP Business Process and Transactional Data Risks:
- Configurable Application Controls
- Detective / Monitoring Controls / Reports
- Procedural Business Process Controls
- SOX Controls (compliance purposes)
Other Project / Implementation Risks:
- Project Cost Identification
- Transaction and Master Data Conversion
- Go/No Go Decision Criteria
- Testing and Training Strategy
- Post Go-Live Support Requirements
Continuous Monitoring:
- Applications and Processes
- Control Documentation Update
- Compliance and Risk Management Optimization
- GRC Software Configuration

5 What We'll Cover
- Common Issues with User Administration in SAP
- Solutions to Common Issues with User Administration in SAP
- Case Study
- Recap of Session Takeaways
- Wrap-up

6 A Few Questions
- How many people use one of the major ERP systems (SAP, Oracle or MS Dynamics)?
- How many people actually use SAP?
- How many people use a GRC tool for Segregation of Duties (SoD) analysis, such as SAP GRC, Oracle GRC, or Fastpath?
- What is an SoD analysis?
- How many people know what a t-code is?

7 Common Issues with User Administration
Security Related:
- Standardized Role Architecture
- Change Management
- Development of Custom Transactions, Objects, Programs & Tables
- Backend System Configurations
GRC Related:
- User Provisioning
- Segregation of Duties (SoD)
- Management of Temporary / Emergency Access

8 Standardized Role Architecture
Key Risks:
- Role-level SoD issues
- Inappropriate organizational level restrictions
- Duplicative transaction assignments
- Powerful roles with unnecessary access
- Excessive number of transactions granting unintended access to end users
- Increased effort for the Security Team in role maintenance and user provisioning
Example: B. Smith, Finance Manager
- Assigned 114 active roles
- Providing access to 6,636 unique transactions (919 duplicated via multiple role assignments)
- Of the 6,636 transactions, only 6,328 are executable
Transactional History Analysis:
- 115 executable transactions were executed a total of 12,946 times
- The top 25 transactions accounted for 89% of the activity
Root-Causes:
- Inconsistent role standards
- Lack of role governance
- Roles not managed globally
- Unintuitive role naming convention
- Lack of role documentation

9 Choosing the Appropriate Role Architecture
- Derived versus Enabler
- Job Based versus Task Based
- Ensuring the architecture is scalable
- Aligns with the SAP resource skillset and compliance culture
- Standardized role naming convention

10 Change Management
A lack of change management undermines role maintenance, which is critical to keeping the SAP environment secure and the role architecture standardized.
Key Risk: Roles unaligned with new and existing global business processes

11 Development of Custom Transactions, Objects, Programs & Tables
Key Risks:
- Lack of functionality knowledge
- Circumventing security and gaining unauthorized access to sensitive data
- Bypassing organizational level security restrictions
- Excessive privileges within the scope of the specific transaction
- Unauthorized execution of programs
Root-Causes:
- Absence of SAP customizing governance processes
- Poor design documentation and/or lack of communication
- Custom programs coded to call powerful transactions (e.g. SE38, SA38, SM30)
- Authorization checks not coded in the custom program
- Custom programs not assigned to custom transactions

12 Backend System Configurations
Several security-related backend tables and configuration settings are critical to maintaining a controlled security environment, yet they are often overlooked or left unmaintained, which can become a significant security risk.
Example organizational hierarchy (from the slide diagram): Company Code 1000 > Plant 100 > Purchasing Org 1900 > Purchasing Groups 1, 2 and 3
Examples of backend configuration: SU24, SE54, RSCSAUTH, RSPARAM

13 Governance: Policies & Procedures
A security governance policy contains standards for the SAP ECC production environments to ensure consistency and minimize significant risk to the environment. The policy should be designed to create standards around the following key areas:
- User Access Management
- Custom Program and Table Security Requirements
- Backend System Configurations
- Role Creation and Maintenance Standards
- Password Management
- Security Parameters

14 SAP solutions for Governance, Risk, and Compliance
- SAP Access Control: manage access risk and prevent fraud
- SAP Process Control: ensure effective controls and ongoing compliance
- SAP Risk Management: preserve and grow value

15 GRC Access Control Overview
Primary GRC risks to be discussed today:
- User Provisioning
- SoD / Sensitive Access Monitoring
- Management of Temporary / Emergency Access

16 User Provisioning
Key Risks:
- Assignment of excessive and/or sensitive access
- Documenting appropriate approvals for compliance purposes
- Delay in provisioning or deprovisioning
- Selection of correct roles
- User access reviews
Root-Causes:
- The user does not know the appropriate role to select due to the current naming convention
- User provisioning is a manual process
- Approvals are documented offline or via
- Master data has not been maintained appropriately

17 Solution Enhancements: User Provisioning
GRC automates the SAP access request and provisioning process by providing customizable workflow options that integrate seamlessly with SoD Risk Analysis.
User Provisioning:
- Integrates with SAP to prevent SoD violations
- Customizable access request workflows
- Template-based access requests
- Complete audit trail to satisfy compliance requirements
- Eliminates manual provisioning to end users
Workflows also available for:
- User Access Reviews
- FF (Firefighter) Log Review
- SoD Remediation
- Mitigating Control Assignment / Review
Standardized on SAP Business Workflow technology
Key Benefits:
- Business workflow reduces manual tasks and streamlines access request processing
- Gain visibility of user access risks before they reach a production environment
- Faster and easier for users to request the roles they need
- Leverage existing resources for workflow administration and configuration
- Utilize the existing HR structure for automated and compliant position-based role assignment
- Improved security and richer request context

18 Segregation of Duties (SoD)
Key Risks:
- A user with excessive or sensitive access within the system has the ability to perform fraudulent activity
- Internal controls may be circumvented by excessive access
Root-Causes:
- Over the course of time a user may switch job functions
- It may be necessary for the user to have the access within SAP to perform both business functions during the transition period
- After the transition period is over the user may still retain this excessive access
- SoD violations can quickly spiral out of control because in some organizations users submit access requests by replicating a user performing the same job function

19 SoD / Sensitive Access Monitoring
Products such as SAP Access Control can be used to monitor SoD violations as well as sensitive access. A custom "rule set" containing function conflicts (e.g., Create Vendor vs. Manual Payments), as well as sensitive transactions/objects, can be tailored to your specific risk environment. Simulations and "what if" analyses can be run before actual security changes are made. The analysis can be integrated into the user provisioning and role creation process.

20 Customizing Your Ruleset
It is important to customize your own ruleset by reviewing it with all of the key stakeholders:
- Risk Relevance: inactive vs. active
- Criticality Level: low, medium, high, or critical
- Modify Rules: some authorizations need to be adjusted to ensure accuracy for your organization and to remove false positives
- Review Custom Transactions and Tables: all new custom transactions and programs should be reviewed for inclusion in the ruleset
Ruleset process:
1. Define SoD Ruleset
2. Ruleset Analysis Against Leading Practices
3. Incorporate Feedback from Internal Audit
4. Communicate Proposed Ruleset to Business Controllers
5. Update SoD Ruleset with Feedback
6. Finalize SoD Ruleset
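The following added example (not from the presentation or from any SAP or Protiviti product) shows the kind of analysis a GRC tool performs for slides 8 and 18–20: it expands a user's roles into the transactions they can actually reach, counts grants duplicated across roles (the "919 duplicate" figure on slide 8), and evaluates a small SoD ruleset carrying the risk-relevance and criticality attributes from slide 20, both per user and per role. The role names, users and rule ids are made up; the t-codes are standard SAP FI/MM codes used only to make the conflict (Create Vendor vs. Manual Payment) concrete.

```python
from collections import Counter

# Constructed sample data: role -> granted t-codes (standard SAP FI/MM codes used
# for illustration; role names, users and rule ids below are hypothetical).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "FK01"},
    "Z_AP_PAYMENTS": {"F-53", "F110", "FB60"},
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "Z_FI_DISPLAY": {"FB03", "XK03", "FK03"},
}
USERS = {  # constructed: user -> assigned roles
    "BSMITH": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS", "Z_AP_INVOICE_ENTRY", "Z_FI_DISPLAY"],
    "JDOE": ["Z_FI_DISPLAY", "Z_AP_INVOICE_ENTRY"],
}
FUNCTIONS = {  # business function -> t-codes that realise it (illustrative mapping)
    "CREATE_VENDOR": {"XK01", "FK01"},
    "MANUAL_PAYMENT": {"F-53", "F110"},
    "ENTER_INVOICE": {"FB60", "MIRO"},
}
# Ruleset: conflicting function pairs with risk relevance (active) and criticality.
RULESET = [
    {"id": "P001", "functions": ("CREATE_VENDOR", "MANUAL_PAYMENT"), "criticality": "critical", "active": True},
    {"id": "P002", "functions": ("ENTER_INVOICE", "MANUAL_PAYMENT"), "criticality": "high", "active": True},
    {"id": "P003", "functions": ("CREATE_VENDOR", "ENTER_INVOICE"), "criticality": "medium", "active": False},
]

def violations(tcodes):
    """Active rules whose two functions are both reachable from the given t-codes."""
    findings = []
    for rule in RULESET:
        if not rule["active"]:  # inactive rules stay documented but are not reported
            continue
        f1, f2 = rule["functions"]
        hit1, hit2 = FUNCTIONS[f1] & tcodes, FUNCTIONS[f2] & tcodes
        if hit1 and hit2:
            findings.append((rule["id"], rule["criticality"], sorted(hit1 | hit2)))
    return findings

def effective_access(user):
    """Unique transactions reachable by a user, and how many grants are duplicated across roles."""
    counts = Counter(t for role in USERS[user] for t in ROLES[role])
    return set(counts), sum(c - 1 for c in counts.values())

def user_violations(user):
    """Cross-role SoD conflicts for one user (what a provisioning simulation would flag)."""
    return violations(effective_access(user)[0])

def intra_role_violations():
    """Roles that conflict on their own before any user is assigned (role-level SoD, slide 8)."""
    return {role: violations(tcodes) for role, tcodes in ROLES.items() if violations(tcodes)}
```

Running the ruleset against roles as well as users is what separates the "Intra Role SoD Conflicts" metric on slide 29 from the per-user violation count.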

21 Management of Temporary / Emergency Access
Key Risks:
- Superuser or privileged access should be approved and reviewed in a timely manner
- A user can perform critical actions either accidentally or maliciously to interrupt system availability
Root-Causes:
- Certain sensitive or critical transactions are necessary to keep the system running smoothly
- Restricting and monitoring sensitive access within the system is a top audit concern
- Log review is a very tedious and time consuming process
- Some users are assigned the profile SAP_ALL, granting unrestricted access

22 Management of Temporary / Emergency Access
Emergency Access Management in SAP Access Control (Firefighter) can be used to handle temporary and elevated system access effectively.
- All activity and changes performed under Firefighter are logged for review/signoff.
- Log review can be integrated into workflow to automatically route and track Firefighter log approvals.
- Provisioning of Firefighter IDs can be integrated into Access Request (ARQ).
- Centrally managed across all systems (the end user does not need an ID in the target system, only in the GRC system).

23 Administered Centrally on GRC System
How Firefighter works: the workflow functionality within SAP GRC can provide an automated and auditable process for:
- Requesting elevated access
- Routing the request for approval
- Automatically assigning approved access for the specified time period
- Logging and routing the activity logs to the Firefighter Controller for review
Benefits:
- Reduces the effort required to grant and provision emergency access to multiple systems
- Provides a structured, documented process around emergency access
- Enables a documented account of the controller's review
Diagram: Firefighter administered centrally on the GRC system for the connected R3, CRM and BI systems.

24 Protiviti's Control Library: Control Optimization
Sometimes we cannot avoid certain risks within the ERP systems we manage. Luckily, SAP has many configurable controls that can be enabled to help mitigate some of these risks. For example:
- Check for duplicate invoices
- 3-Way Match

25 SAP Access Control – Sample Roadmap
Phases: Start > Quick Wins > Enhanced Functionality > Optimization
Roadmap items:
- Access Request Management
- Solution Design
- Access Risk Analysis (SoD)
- SAP PC/RM Integration
- Technical Installation / Upgrade
- Emergency Access
- Integration with Non-SAP Applications
- Business Role Management
- Data Migration
- Ruleset Optimization & Reporting
- Streamlined super user process
- Automated SAP Provisioning
- Change Mgmt. for users & roles
- Risk Mitigation
- End-to-end Provisioning
- SAP Security Remediation
- Upgrade Solution Components
- Process Improvement

26 Recap of Session Takeaways
- Common Issues with User Administration in SAP
- Solutions to Common Issues with User Administration in SAP
- Case Study
- Recap of Session Takeaways
- Wrap-up

27 Key Points to Take Home
Remember:
- A standardized role architecture simplifies user administration in SAP
- A strong change management policy is vital when maintaining good SAP security practices
- There are many tools available to assess the security of your SAP environment
- Achieve buy-in and sponsorship across the organization
- Strong security and governance policies are crucial to maintaining a secure ERP environment

28 What We'll Cover
- Common Issues with User Administration in SAP
- Solutions to Common Issues with User Administration in SAP
- Case Study
- Recap of Session Takeaways
- Wrap-up

29 Results - Other Role Redesign Project Metrics

| Metric | Before Security and GRC Redesign | After Security and GRC Redesign | % Reduction |
|---|---|---|---|
| New user to be provisioned | 15 days | 4 hours | 98.889% |
| # of transactions per role | 77 | 7.3 | 90.519% |
| Average transactions per user | 2,281 | 371 | 83.735% |
| Number of detailed SoD violations | 13,054,616 | 3,149 | 99.976% |
| Intra Role SoD Conflicts | 94,458 | 3 | 99.997% |

30 Questions?

31 Thank You!
Aric Quinones, Chris Aramburu, Connor Hammersmith
Protiviti, 3343 Peachtree Road, NE, Suite 600, Atlanta, GA 30326
Powerful Insights. Proven Delivery.®

