mitigation process
TRANSCRIPT
-
8/22/2019 Mitigation Process
1/23
2011 SAP AG
Applies to:
SAP BusinessObjectsAccess Control 10.0, SAP BusinessObjects Process Control 10.0
Summary
SAP BusinessObjects Access Control (AC) is an enterprise software application that enablesorganizations to control access and prevent fraud across the enterprise, while minimizing the time andcost of compliance. The application streamlines compliance processes, including access risk analysis andremediation, business role management, access request management, superuser maintenance, andperiodic compliance certification. AC delivers immediate visibility of the current risk situation with real-timedata.
SAP BusinessObjects Process Control (PC) is an enterprise software solution for compliance and policy
management. The compliance management capabilities enable organizations to manage and monitortheir internal control environment. This provides the ability to proactively remediate any identified issues,and then certify and report on the overall state of the corresponding compliance activities. The policymanagement capabilities support the management of the overall policy lifecycle, including the distributionand attestation of policies by target groups. These combined capabilities help reduce the cost ofcompliance and improve management transparency and confidence in overall compliance managementprocesses.
With the release of GRC 10.0, Access Control and Process Control are offered as an integrated solution,both at the data layer and at the user interface layer. This new unified platform enables increasedharmonization of key master data. Organization, process and control structures can now be sharedacross components of Access Control and Process Control, which supports a more integrated approachto governance, risk, and compliance. Access risks identified in Access Control can be mitigated using
controls managed by Process Control, as an example. This document details methods for harmonizingdata across Access Control and Process Control.
Authors: Ankur Baishya, SAP Customer Solution Adoption
GRC Solution Management
Created on: 31 August, 2011
Version: 3.0
SAP BusinessObjects GRC10.0 Integration Guide Access & Process Control 10.0
-
8/22/2019 Mitigation Process
2/23
2011 SAP AG
Typographic Conventions
Type Style Description
Example Text Words or characters quoted
from the screen. These
include field names, screen
titles, pushbuttons labels,
menu names, menu paths,
and menu options.
Cross-references to other
documentation
Example text Emphasized words or
phrases in body text, graphic
titles, and table titles
Example text File and directory names and
their paths, messages,names of variables and
parameters, source text, and
names of installation,
upgrade and database tools.
Example text User entry texts. These are
words or characters that you
enter in the system exactly as
they appear in the
documentation.
Variable user entry. Angle
brackets indicate that youreplace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT Keys on the keyboard, for
example, F2 orENTER.
Icons
Icon Description
Caution
Note or Important
Example
Recommendation or Tip
-
8/22/2019 Mitigation Process
3/23
2011 SAP AG
Table of Contents
Applies to: ....................................................................................................................................... 1Summary ......................................................................................................................................... 11. Management Overview ........................................................................................................ 92. Technical Prerequisites .................................................................................................... 103. Enable PC Controls for AC Assignment ......................................................................... 10
3.1 Shared Data ................................................................................................................ 103.2 Maintain Owners ......................................................................................................... 113.3 Maintain Organization Unit ......................................................................................... 123.4 Assign Owners to Org Unit ......................................................................................... 133.5 Select Organization Unit Subprocess / Control .......................................................... 143.6 Edit Local Control for Assignment in Access Control ................................................. 14 3.7 Assign Local Control to Access Risk .......................................................................... 16
4. Manage AC Created Controls in Process Controls ........................................................ 184.1 Identify Business Processes in Process Control to be shared with Access Control .. 184.2 Create Access Control Business Processes .............................................................. 194.3 Map AC Business Processes to PC Processes ......................................................... 214.4 Create AC Mitigating Control ...................................................................................... 244.5 Maintain the Mitigating Control in Process Control .................................................... 26
5. Related Content ................................................................................................................. 286. Feedback ............................................................................................................................ 28
-
8/22/2019 Mitigation Process
4/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 9
2011 SAP AG
1. Management OverviewTwo main scenarios are described in this document:
Enabling local controls in Process Control for assignment in Access Control
Managing Access Control mitigating controls in Process Control
The GRC 10.0 platform provides the option of sharing master data across capabilities. Specifically,
organizations, processes, subprocesses, and controls can be shared between Access Control and
Process Control. Organization data can be shared or segmented based on a companies internal policies.
Access to data is controlled by user authorization.
Integration provides various benefits across different application uses, including:
Unified Master Data decreases the total cost of ownership and provides more consistent data
across the system landscapes
Shared Application Roles no redundancy in control and risk owners
Full cycle remediation process end-to-end compliance across GRC processes
Integration is also available by creating a PC SOD Control, which offers automated access risk analysis
from an automated control in Process Control.
-
8/22/2019 Mitigation Process
5/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 10
2011 SAP AG
2. Technical Prerequisites
In previous releases, AC and PC integration used web services. However, with the harmonized GRC10.0
platform, the use of web services is no longer required.
NOTE
This guide discusses only AC and PC Integration scenarios and associated process steps. Priorknowledge of AC and PC concepts is recommended.
The prerequisites include the following:
Install the GRCFND_A software component and activate AC and PC on the same client.
Complete the post-installation steps for AC and PC listed in the SAP BusinessObjects Access
Control 10.0 / Process Control 10.0 / Risk Management 10.0 Installation Guide at
http://service.sap.com/instguides.
For new deployments, the Organization, Control, Business Process, and Subprocess data sharedbetween AC and PC must be identified and maintained in the platform.
For customers upgrading to the 10.0 release, Organization, Control, Business Process and
Subprocess data shared between AC and PC must go through data transformation before
migration and upgrade. See the SAP BusinessObjects Access Control 10.0 Migration Guide
(http://service.sap.com/instguides) for details.
You must configure Access Risk Analysis in AC. Create the connector to your ERP system, either
upload or activate the rule set, generate the rules, and perform synchronization in the following
order:
o PFCG
o Role
o Profile
o User
3. Enable PC Controls for AC AssignmentData is shared between Access Control and Process Control. This data includes Organizations, BusinessProcesses, Subprocesses, and Controls. How this data is exposed and shared to your users depends onhow your business utilizes AC and PC. This chapter describes the steps to assign local controls inProcess Control for use as mitigating controls in Access Control. This option allows customers with bothproducts to leverage a single set of controls. The option also enables Access Control customers tomeasure the effectiveness of their mitigating controls via Process Controls automated and semi-
automated testing.
3.1 Shared Data
GRC 10.0 is a harmonized platform. Although maintenance of data within AC and PC is similar in 10.0 asit was in previous releases, there are some key differences. The following master data is shared betweenAC and PC for the release 10.0 integration scenario.
http://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguideshttp://uspalshare/groupshare/Knowledge_Management/Projects/GRC10/PC10/Upgrade%20Guide/service.sap.com/instguides -
8/22/2019 Mitigation Process
6/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 11
2011 SAP AG
Organizations
Business Processes
Business Subprocesses
Controls
This diagram provides an overview of the steps required to enable local PC controls for assignment asmitigating controls in Access Control:
3.2 Maintain OwnersGo to Access Owners Access Control Owners Create
On this screen, identify the users or user groups who should be Mitigation Monitors and Approvers.
Select
Compliance
Org Unit
Assign Monitor
& Approver(Org Unit)
Assign Owners
as Monitors &
Approvers
Select Process
/ Subprocess
(Org Unit)Select PC Local
Control
(Org Unit)
Assign
Mitigating
Control IDAssign Access
Risks A
-
8/22/2019 Mitigation Process
7/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 12
2011 SAP AG
3.3 Maintain Organization UnitGo to Master Data Organizations
Navigate to the appropriate Organization Unit and click Open.
Navigate to all tabs associated with the Organization Unit.
-
8/22/2019 Mitigation Process
8/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 13
2011 SAP AG
3.4 Assign Owners to Org UnitOrganization Unit Owners Tab. Assign the appropriate owners to the Organization Unit by using theAdd Row button. The list of owners available is based on the owners identified in step 3.2.
-
8/22/2019 Mitigation Process
9/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 14
2011 SAP AG
3.5 Select Organization Unit Subprocess / ControlOrganization Unit Subprocess Tab. Select the subprocess and control which will be assigned to an
access risk. Click Open to view/edit the local control.
3.6 Edit Local Control for Assignment in Access ControlLocal Control General Tab. Update the Mitigating Control ID field.
Note: Once saved, the mitigating Control ID cannot be changed.
-
8/22/2019 Mitigation Process
10/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 15
2011 SAP AG
Local Control Access Risks Tab. Assign the Access Risks that the Control will be available to mitigate
in Access Control.
Local Control Owners Tab. Assign a Mitigation Approver and Mitigation Monitor to the Control; one of
each is required. The list of available owners is based on the owners assigned to the organization unit in
step 3.4. Save changes to the control.
-
8/22/2019 Mitigation Process
11/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 16
2011 SAP AG
3.7 Assign Local Control to Access RiskAccess Risk Analysis User Level Risk Analysis. Define and run an access risk analysis.
Access Risk Analysis Risk Analysis Results. In the risk analysis results, select the access risks you
assigned to the control in Step 3.6. Click the Mitigate Risk button.
-
8/22/2019 Mitigation Process
12/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 17
2011 SAP AG
Access Risk Analysis Assign Mitigation Controls. In the Assign Mitigation Control window you see the
mitigating Control ID assigned to the access risks along with the Monitor ID. If you do not see the correct
Control ID, search for it in the Control ID column. You can also view details of the control by highlighting a
row and clicking View Details /Control ID. Click Save to save the mitigation control assignment.
-
8/22/2019 Mitigation Process
13/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 18
2011 SAP AG
4. Manage AC Created Controls in Process ControlsThis section discusses how to maintain Mitigating Controls (created in Access Control) in Process Control.This option allows users familiar with Access Control to continue maintaining Mitigating Controls in thesame user interface they used before. However, the control they maintain will also display and beavailable from Process Control. The benefit of this option is there is little impact on existing Access Controlusers. Yet the mitigating controls can be measured for effectiveness via Process Controls automated andsemi-automated testing.
4.1 Identify Business Processes in Process Control to
be shared with Access Control
Master Data
Activities and Processes
Business Processes. Identify the Process and Subprocessthat will be shared between Access Control and Process Control.
Select
Compliance
Org Unit
Assign Monitor
& Approver(Org Unit)
Assign Owners
as Monitors &
Approvers
Create Control
(Access Risk)
Assign
Mitigating
Control IDAssign Access
Risks A
Create Process
& Subprocess(IMG)
Map PC
Process &
Subprocess
-
8/22/2019 Mitigation Process
14/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 19
2011 SAP AG
4.2 Create Access Control Business Processes
Access Control Business Processes are maintained in the backend IMG.
SPRO SAP IMG Reference Governance, Risk and Compliance Access Control Maintain
Business Processes and Subprocesses
Create Business Processes and Subprocesses which map to the Business and Subprocesses in ProcessControl identified in 4.1.
-
8/22/2019 Mitigation Process
15/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 20
2011 SAP AG
Enter the Business Process, save it and select the green arrow to go back.
Select the process you created and double click Business Subprocess
Enter the Subprocesses, save it and select the green arrow to navigate back
-
8/22/2019 Mitigation Process
16/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 21
2011 SAP AG
4.3 Map AC Business Processes to PC Processes
Master Data Activities and Processes Business Processes. In this step you map the processes
created in the AC IMG to the Processes in PC. This step allows controls created in AC to be assigned in
PC.
-
8/22/2019 Mitigation Process
17/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 22
2011 SAP AG
Select the Process and click Open.
In the Process, map the Process you created in Step 4.2. These display in the Business Process drop
down.
Next, choose a subprocess to map and click Open.
-
8/22/2019 Mitigation Process
18/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 23
2011 SAP AG
In the Subprocess, map the Subprocess you created in Step 4.2. These display in the Business
Subprocess dropdown.
-
8/22/2019 Mitigation Process
19/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 24
2011 SAP AG
4.4 Create AC Mitigating ControlThe Mitigating Control screen is used by Access Control for creating mitigating controls that are assigned
to access risks. Although this screen is not needed to create mitigating controls (as described in Chapter
3), customers may continue creating mitigating controls using this interface. It is important to have
completed the mapping steps described in section 4.3 before creating controls using this interface.
In the Mitigating Controls list, click the Create button to create a new mitigating control
-
8/22/2019 Mitigation Process
20/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 25
2011 SAP AG
Enter the Mitigating Control information. Select the correct Organization Unit to assign the mitigating
control. Select the Process and Subprocess. These display based on the entries done in Step 4.2
Assign the Access Risks that this mitigating control is valid for.
Assign an Approver and Monitor Owner to the mitigating control. One of each is required. Review Chapter
3 for more information on assigning owners.
-
8/22/2019 Mitigation Process
21/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 26
2011 SAP AG
4.5 Maintain the Mitigating Control in Process ControlThe Mitigating Control created in Step 4.4 can now be maintained using the Process Control maintenance
screens.
Go to Master Data Organization. Find the Organization Unit you assigned the mitigating control, and
click Open
On the Organization Screen, select the Subprocess tab. On this tab you will find the Subprocess andControl assigned to Organization Unit. Select the control and click Open
The control information entered on the mitigating control screen is available. The control can now be
updated with testing plans and other effectiveness testing details. The Access Risks and Owners tabs are
also available and contain the details of the access risks and owner assignments made from the mitigating
control screen.
-
8/22/2019 Mitigation Process
22/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 27
2011 SAP AG
The Access Risks Screen.
The Owners Screen.
-
8/22/2019 Mitigation Process
23/23
SAP BusinessObjects GRC 10.0 Integration Guide Access & Process Control 10.0
Page 28
5. Related Content
On the Web go to:
http://help.sap.com Business User Governance, Risk and Compliance
www.sdn.sap.com/irj/bpx/grc
6. Feedback
Your feedback regarding this document is important to us. Send comments [email protected]
Copyright/Trademark
7. copyrigth Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAPAG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other softwarevendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10,z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel EnterpriseServer, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe SystemsIncorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks ofCitrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, MassachusettsInstitute of Technology.
Java is a registered trademark of Oracle Corporation.
JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented byNetscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and servicesmentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and othercountries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius,and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registeredtrademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this documentserves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAPGroup") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errorsor omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth inthe express warranty statements accompanying such products and services, if any. Nothing herein should be construed asconstituting an additional warranty.
http://help.sap.com/http://help.sap.com/http://www.sdn.sap.com/irj/bpx/grchttp://www.sdn.sap.com/irj/bpx/grcmailto:[email protected]:[email protected]:[email protected]://www.sap.com/company/legal/copyright/index.epxhttp://www.sap.com/company/legal/copyright/index.epxhttp://www.sap.com/company/legal/copyright/index.epxmailto:[email protected]://www.sdn.sap.com/irj/bpx/grchttp://help.sap.com/