SOLUTION HIGHLIGHTS

๏ Cross-platform Solution defines SoD policy centrally, and enforces it over all SAP and non-SAP applications

๏ Activity-based SoD Model enables SoD policy definition in terms of business-oriented activities

๏ Integrated Access Request Workflow implements all kinds of authorization, escalation and mitigation processes

๏ Realtime SoD Scans at any point in authorization workflow

๏ SoD Domains reduce false SoD warnings

๏ SAP Role Analysis enforces best-practices for SAP role design

๏ “What-if” Analysis tests the effect of changes to SoD policy before releasing to production

Segregation of Duty (SoD) is a powerful approach to managing risk in business processes. By requiring that certain activities be performed by separate people, errors and conflicts of interest can be avoided, and transparency is improved.

Segregation of Duty for SAP (SoD for SAP) is part of the IDEAS platform for Identity and Access Governance from CrossIdeas. SoD for SAP extends IDEAS’ powerful SoD functionality to SAP systems.

Native Support for SAP Authorization Objects

SoD for SAP supports native inspection of SAP roles and low-level SAP authorization objects. SoD for SAP correlates SAP entitlements with enterprise SoD policy and flags SoD conflicts in realtime when they occur. In addition, SAP Role Analysis checks SAP roles automatically for design weaknesses and security risks.

Realtime SoD Checks in Access Request Workflow

SoD for SAP integrates closely with IDEAS’ powerful access request workflow, and checks for SoD risks in realtime at the point where access is requested or assigned. Managers and security administrators have immediate feedback about SoD risks of an access request, and can act appropriately, or escalate the request.

SoD Mitigation

It isn’t possible to prohibit every SoD conflict. There will always be business processes that cannot immediately be made SoD compliant, or for which the cost of fixing the process outweighs the SoD risk. For this reason, SoD Mitigation facilities are an essential part of a SoD solution.

IDEAS and SoD for SAP address real-world business processes with tools for tracking and managing SoD risks. IDEAS’ integrated access request workflow allows security administrators to assign SoD compensative controls, such as transaction monitoring, and to assure that users are subjected

IDEAS Segregation of Duty for SAP

PRODUCT OVERVIEW

Activity-Based SoD Model

SoD for SAP employs an innovative activity-based SoD model, which defines SoD conflicts in terms of high-level business-oriented activities. This approach allows business experts to define and maintain SoD policy separately from from low-level entitlements, which are administered by IT specialists. Also, SoD for SAP uses SoD domains to segment the model and reduce false cross-domain SoD warnings. Finally, “what-if`” analysis tests the effect of policy changes before releasing these to production.

Together, these features result in a more scalable SoD administration for large or complex businesses.

Cross-Platform Compatibility

To be most effective, SoD must encompass all critical enterprise transactions. Next to SAP, many databases, SOA services and custom applications also play a role. Conceived from the bottom-up to support all kinds of entitlements, IDEAS provides the means to secure business processes across both SAP and non-SAP applications.

About CrossIdeas

CrossIdeas is a leading innovator of Identity and Access Governance Solutions, enabling businesses to achieve their identity, audit and compliance goals.

Founded in 2011, CrossIdeas serves large and very large customers internationally and across different industries.

IDEAS Technical Specifications

๏ J2EE Architecture – Three tiered architecture with web-based presentation, EJB business logic and relational database persistence

๏ Technical Platform – Compatible with all J2EE application servers, Unix/Linux and Windows operating systems and SQL databases.

๏ Scalability and High Availability –Compatible with standard application server clustering and optimized for multi-threaded performance.

๏ Connector list – Native connectors available for SAP HR, SAP R/3, Active Directory, LDAP, JDBC, JMS, File, IBM Security Identity Manager, NetIQ Identity Manager

๏ Open APIs and Standards – Native support for SOAP, WSDL, XPDL, SAML, SPML. APIs for external J2EE and .Net applications

CrossIdeasViale Luigi Schiavonetti, 27800173 Rome, Italy

Web: www.crossideas.comEmail: info@crossideas.comTel.: +39 06 88811250

IDEAS

Real*me  SoD  Check

IDEAS  SoD  Engine

• Business  Ac+vity  model• SoD  compliance  rules• En+tlements

IDEAS  SoD  for  SAP

• SAP  authoriza+on  mapping

• SAP  role  analysis

Access  Request  Workflow

Iden*tyProvisioning

SAP

SAP

IDEAS  SoD  for  SAP  Agent

(ABAP)

Provisioning  Connectors

SAP  Roles  andAuthoriza*on  Objects