mitigation process

8/22/2019 Mitigation Process

1/23

2011 SAP AG

Applies to:

SAP BusinessObjectsAccess Control 10.0, SAP BusinessObjects Process Control 10.0

Summary

SAP BusinessObjects Access Control (AC) is an enterprise software application that enablesorganizations to control access and prevent fraud across the enterprise, while minimizing the time andcost of compliance. The application streamlines compliance processes, including access risk analysis andremediation, business role management, access request management, superuser maintenance, andperiodic compliance certification. AC delivers immediate visibility of the current risk situation with real-timedata.

SAP BusinessObjects Process Control (PC) is an enterprise software solution for compliance and policy

management. The compliance management capabilities enable organizations to manage and monitortheir internal control environment. This provides the ability to proactively remediate any identified issues,and then certify and report on the overall state of the corresponding compliance activities. The policymanagement capabilities support the management of the overall policy lifecycle, including the distributionand attestation of policies by target groups. These combined capabilities help reduce the cost ofcompliance and improve management transparency and confidence in overall compliance managementprocesses.

With the release of GRC 10.0, Access Control and Process Control are offered as an integrated solution,both at the data layer and at the user interface layer. This new unified platform enables increasedharmonization of key master data. Organization, process and control structures can now be sharedacross components of Access Control and Process Control, which supports a more integrated approachto governance, risk, and compliance. Access risks identified in Access Control can be mitigated using

controls managed by Process Control, as an example. This document details methods for harmonizingdata across Access Control and Process Control.

Authors: Ankur Baishya, SAP Customer Solution Adoption

GRC Solution Management

Created on: 31 August, 2011

Version: 3.0

SAP BusinessObjects GRC10.0 Integration Guide Access & Process Control 10.0


2/23

2011 SAP AG

Typographic Conventions

Type Style Description

Example Text Words or characters quoted

from the screen. These

include field names, screen

titles, pushbuttons labels,

menu names, menu paths,

and menu options.

Cross-references to other

documentation

Example text Emphasized words or

phrases in body text, graphic

titles, and table titles

Example text File and directory names and

their paths, messages,names of variables and

parameters, source text, and

names of installation,

upgrade and database tools.

Example text User entry texts. These are

words or characters that you

enter in the system exactly as

they appear in the

documentation.

Variable user entry. Angle

brackets indicate that youreplace these words and

characters with appropriate

entries to make entries in the

system.

EXAMPLE TEXT Keys on the keyboard, for

example, F2 orENTER.

Icons

Icon Description

Caution

Note or Important

Example

Recommendation or Tip


3/23

2011 SAP AG

Table of Contents

Applies to: ....................................................................................................................................... 1Summary ......................................................................................................................................... 11. Management Overview ........................................................................................................ 92. Technical Prerequisites .................................................................................................... 103. Enable PC Controls for AC Assignment ......................................................................... 10

3.1 Shared Data ................................................................................................................ 103.2 Maintain Owners ......................................................................................................... 113.3 Maintain Organization Unit ......................................................................................... 123.4 Assign Owners to Org Unit ......................................................................................... 133.5 Select Organization Unit Subprocess / Control .......................................................... 143.6 Edit Local Control for Assignment in Access Control ................................................. 14 3.7 Assign Local Control to Access Risk .......................................................................... 16

4. Manage AC Created Controls in Process Controls ........................................................ 184.1 Identify Business Processes in Process Control to be shared with Access Control .. 184.2 Create Access Control Business Processes .............................................................. 194.3 Map AC Business Processes to PC Processes ......................................................... 214.4 Create AC Mitigating Control ...................................................................................... 244.5 Maintain the Mitigating Control in Process Control .................................................... 26

5. Related Content ................................................................................................................. 286. Feedback ............................................................................................................................ 28


4/23

SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0

Page 9

2011 SAP AG

1. Management OverviewTwo main scenarios are described in this document:

Enabling local controls in Process Control for assignment in Access Control

Managing Access Control mitigating controls in Process Control

The GRC 10.0 platform provides the option of sharing master data across capabilities. Specifically,

organizations, processes, subprocesses, and controls can be shared between Access Control and

Process Control. Organization data can be shared or segmented based on a companies internal policies.

Access to data is controlled by user authorization.

Integration provides various benefits across different application uses, including:

Unified Master Data decreases the total cost of ownership and provides more consistent data

across the system landscapes

Shared Application Roles no redundancy in control and risk owners

Full cycle remediation process end-to-end compliance across GRC processes

Integration is also available by creating a PC SOD Control, which offers automated access risk analysis

from an automated control in Process Control.


5/23


Page 10

2011 SAP AG

2. Technical Prerequisites

In previous releases, AC and PC integration used web services. However, with the harmonized GRC10.0

platform, the use of web services is no longer required.

NOTE

This guide discusses only AC and PC Integration scenarios and associated process steps. Priorknowledge of AC and PC concepts is recommended.

The prerequisites include the following:

Install the GRCFND_A software component and activate AC and PC on the same client.

Complete the post-installation steps for AC and PC listed in the SAP BusinessObjects Access

Control 10.0 / Process Control 10.0 / Risk Management 10.0 Installation Guide at

http://service.sap.com/instguides.

For new deployments, the Organization, Control, Business Process, and Subprocess data sharedbetween AC and PC must be identified and maintained in the platform.

For customers upgrading to the 10.0 release, Organization, Control, Business Process and

Subprocess data shared between AC and PC must go through data transformation before

migration and upgrade. See the SAP BusinessObjects Access Control 10.0 Migration Guide

(http://service.sap.com/instguides) for details.

You must configure Access Risk Analysis in AC. Create the connector to your ERP system, either

upload or activate the rule set, generate the rules, and perform synchronization in the following

order:

o PFCG

o Role

o Profile

o User

3. Enable PC Controls for AC AssignmentData is shared between Access Control and Process Control. This data includes Organizations, BusinessProcesses, Subprocesses, and Controls. How this data is exposed and shared to your users depends onhow your business utilizes AC and PC. This chapter describes the steps to assign local controls inProcess Control for use as mitigating controls in Access Control. This option allows customers with bothproducts to leverage a single set of controls. The option also enables Access Control customers tomeasure the effectiveness of their mitigating controls via Process Controls automated and semi-

automated testing.

3.1 Shared Data

GRC 10.0 is a harmonized platform. Although maintenance of data within AC and PC is similar in 10.0 asit was in previous releases, there are some key differences. The following master data is shared betweenAC and PC for the release 10.0 integration scenario.
http://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguides


6/23


Page 11

2011 SAP AG

Organizations

Business Processes

Business Subprocesses

Controls

This diagram provides an overview of the steps required to enable local PC controls for assignment asmitigating controls in Access Control:

3.2 Maintain OwnersGo to Access Owners Access Control Owners Create

On this screen, identify the users or user groups who should be Mitigation Monitors and Approvers.

Select

Compliance

Org Unit

Assign Monitor

& Approver(Org Unit)

Assign Owners

as Monitors &

Approvers

Select Process

/ Subprocess

(Org Unit)Select PC Local

Control

(Org Unit)

Assign

Mitigating

Control IDAssign Access

Risks A


7/23


Page 12

2011 SAP AG

3.3 Maintain Organization UnitGo to Master Data Organizations

Navigate to the appropriate Organization Unit and click Open.

Navigate to all tabs associated with the Organization Unit.


8/23


Page 13

2011 SAP AG

3.4 Assign Owners to Org UnitOrganization Unit Owners Tab. Assign the appropriate owners to the Organization Unit by using theAdd Row button. The list of owners available is based on the owners identified in step 3.2.


9/23


Page 14

2011 SAP AG

3.5 Select Organization Unit Subprocess / ControlOrganization Unit Subprocess Tab. Select the subprocess and control which will be assigned to an

access risk. Click Open to view/edit the local control.

3.6 Edit Local Control for Assignment in Access ControlLocal Control General Tab. Update the Mitigating Control ID field.

Note: Once saved, the mitigating Control ID cannot be changed.


10/23


Page 15

2011 SAP AG

Local Control Access Risks Tab. Assign the Access Risks that the Control will be available to mitigate

in Access Control.

Local Control Owners Tab. Assign a Mitigation Approver and Mitigation Monitor to the Control; one of

each is required. The list of available owners is based on the owners assigned to the organization unit in

step 3.4. Save changes to the control.


11/23


Page 16

2011 SAP AG

3.7 Assign Local Control to Access RiskAccess Risk Analysis User Level Risk Analysis. Define and run an access risk analysis.

Access Risk Analysis Risk Analysis Results. In the risk analysis results, select the access risks you

assigned to the control in Step 3.6. Click the Mitigate Risk button.


12/23


Page 17

2011 SAP AG

Access Risk Analysis Assign Mitigation Controls. In the Assign Mitigation Control window you see the

mitigating Control ID assigned to the access risks along with the Monitor ID. If you do not see the correct

Control ID, search for it in the Control ID column. You can also view details of the control by highlighting a

row and clicking View Details /Control ID. Click Save to save the mitigation control assignment.


13/23


Page 18

2011 SAP AG

4. Manage AC Created Controls in Process ControlsThis section discusses how to maintain Mitigating Controls (created in Access Control) in Process Control.This option allows users familiar with Access Control to continue maintaining Mitigating Controls in thesame user interface they used before. However, the control they maintain will also display and beavailable from Process Control. The benefit of this option is there is little impact on existing Access Controlusers. Yet the mitigating controls can be measured for effectiveness via Process Controls automated andsemi-automated testing.

4.1 Identify Business Processes in Process Control to

be shared with Access Control

Master Data

Activities and Processes

Business Processes. Identify the Process and Subprocessthat will be shared between Access Control and Process Control.

Select

Compliance

Org Unit

Assign Monitor

& Approver(Org Unit)

Assign Owners

as Monitors &

Approvers

Create Control

(Access Risk)

Assign

Mitigating

Control IDAssign Access

Risks A

Create Process

& Subprocess(IMG)

Map PC

Process &

Subprocess


14/23


Page 19

2011 SAP AG

4.2 Create Access Control Business Processes

Access Control Business Processes are maintained in the backend IMG.

SPRO SAP IMG Reference Governance, Risk and Compliance Access Control Maintain

Business Processes and Subprocesses

Create Business Processes and Subprocesses which map to the Business and Subprocesses in ProcessControl identified in 4.1.


15/23


Page 20

2011 SAP AG

Enter the Business Process, save it and select the green arrow to go back.

Select the process you created and double click Business Subprocess

Enter the Subprocesses, save it and select the green arrow to navigate back


16/23


Page 21

2011 SAP AG

4.3 Map AC Business Processes to PC Processes

Master Data Activities and Processes Business Processes. In this step you map the processes

created in the AC IMG to the Processes in PC. This step allows controls created in AC to be assigned in

PC.


17/23


Page 22

2011 SAP AG

Select the Process and click Open.

In the Process, map the Process you created in Step 4.2. These display in the Business Process drop

down.

Next, choose a subprocess to map and click Open.


18/23


Page 23

2011 SAP AG

In the Subprocess, map the Subprocess you created in Step 4.2. These display in the Business

Subprocess dropdown.


19/23


Page 24

2011 SAP AG

4.4 Create AC Mitigating ControlThe Mitigating Control screen is used by Access Control for creating mitigating controls that are assigned

to access risks. Although this screen is not needed to create mitigating controls (as described in Chapter

3), customers may continue creating mitigating controls using this interface. It is important to have

completed the mapping steps described in section 4.3 before creating controls using this interface.

In the Mitigating Controls list, click the Create button to create a new mitigating control


20/23


Page 25

2011 SAP AG

Enter the Mitigating Control information. Select the correct Organization Unit to assign the mitigating

control. Select the Process and Subprocess. These display based on the entries done in Step 4.2

Assign the Access Risks that this mitigating control is valid for.

Assign an Approver and Monitor Owner to the mitigating control. One of each is required. Review Chapter

3 for more information on assigning owners.


21/23


Page 26

2011 SAP AG

4.5 Maintain the Mitigating Control in Process ControlThe Mitigating Control created in Step 4.4 can now be maintained using the Process Control maintenance

screens.

Go to Master Data Organization. Find the Organization Unit you assigned the mitigating control, and

click Open

On the Organization Screen, select the Subprocess tab. On this tab you will find the Subprocess andControl assigned to Organization Unit. Select the control and click Open

The control information entered on the mitigating control screen is available. The control can now be

updated with testing plans and other effectiveness testing details. The Access Risks and Owners tabs are

also available and contain the details of the access risks and owner assignments made from the mitigating

control screen.


22/23


Page 27

2011 SAP AG

The Access Risks Screen.

The Owners Screen.


23/23


Page 28

5. Related Content

On the Web go to:

http://help.sap.com Business User Governance, Risk and Compliance

www.sdn.sap.com/irj/bpx/grc

6. Feedback

Your feedback regarding this document is important to us. Send comments [email protected]

Copyright/Trademark

7. copyrigth Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAPAG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other softwarevendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10,z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel EnterpriseServer, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks ofCitrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, MassachusettsInstitute of Technology.

Java is a registered trademark of Oracle Corporation.

JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented byNetscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and servicesmentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and othercountries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius,and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registeredtrademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this documentserves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAPGroup") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errorsor omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth inthe express warranty statements accompanying such products and services, if any. Nothing herein should be construed asconstituting an additional warranty.
http://help.sap.com/http://help.sap.com/http://www.sdn.sap.com/irj/bpx/grchttp://www.sdn.sap.com/irj/bpx/grcmailto:[email protected]:[email protected]:[email protected]://www.sap.com/company/legal/copyright/index.epxhttp://www.sap.com/company/legal/copyright/index.epxhttp://www.sap.com/company/legal/copyright/index.epxmailto:[email protected]://www.sdn.sap.com/irj/bpx/grchttp://help.sap.com/

mitigation process

Documents