Segregation of Duties Review (SOD Review) Description and Workflow Configuration

GettingStarted Newsletters Store

SearchtheCommunity

Welcome,Guest Login Register

Products Services&Support AboutSCN Downloads

Industries Training&Education Partnership DeveloperCenter

LinesofBusiness UniversityAlliances Events&Webinars Innovation

AddedbyShailyKulshreshtha,lasteditedbyShailyKulshreshthaonNov28,2014

Governance,RiskandCompliance / / AccessRequest(ARQ)

SegregationofDutiesReview(SODReview)DescriptionandWorkflowConfiguration

SegregationofDutiesReview(SODReview)SegregationofDutiesReviewisaprocesswherethesystemchecksperiodicallyforanyriskandviolationsassociatedwithauserorfunctions.ThisfunctionalitycanbeusedduringtheinitialcleanupofriskviolationsaswellasalongtermstrategytoreviewandaffirmpreviousMitigationassignments.

WhenSODreviewisperformed,itgeneratesrequestsautomatically,basedonorganizationsinternalpolicy.SODreviewprovidesWorkflowBasedreviewandapprovalprocess.

PurposeThisdocumentwillexplaincompetefunctionalityofSODreview.

SODReviewOverviewKeyfeatureofSOSReview:

DecentralizedreviewofSegregationofDutiesviolation.WorkflowrequestforAccessReviewandapprovalReaffirmationofMitigationControlassignmentAudittrailandReportforAudits

SODReviewProcessThereisabackgroundjobwhichgeneratesSODReviewrequest.ThesystemsendsSODreviewnotificationtoreviewers.Thereviewerreviewtherequestandperformthefollowingoption.

RejectRequestItemsMitigateRiskbyassigningMitigationControl.RemoveAccessforitemsthatarecreatingviolations.ThereisonemoreoptionalstepwherewecaninvolveAdminforAdminreviewbeforesendingrequesttoreviewers

SODReviewProcessExplanationAdminReview.

ThereisanoptionforAdminReviewwhichprovidesadministratortovalidaterequestdataafterrequestaregenerated(bySODreviewjob)butbeforegeneratingWorkflowtask(butpriorSODReviewupdateWorkflowjob).IfanyreviewerinformationismissionorneedtobemodifythenAdmincandosobeforegeneratingworkflow,orcanalsodeleterequestsifrequired

ReviewStageWecanspecifywhetherReviewerstageisaddressedbyusersManagerorRoleOwner.

SecurityStage:WecanalsoincludeSecuritystageifrequired.

WorkflowStageConfigurationsAfterdecidingwhichstagetoincludeintheSODreviewworkflow,weneedtodeterminethespecificbehaviorforeachstagetoreflectthereviewprocess.Like

EmailNotificationFirstofallweneedtodeterminethecontentoftheemailnotificationtobesendtoapproverofeachstage.Recipientalsoneedstobedetermined.

ReminderWecanalsosetEmailreminderinthiscase.Wecanspecifytheintervalofremindernotification.

EscalationYoucanspecifyEscalationoneachstagebasedontimespentinaparticularstage.IfaReviewerdoesnotcompletehisreviewwithinthetimespecifiedinthedateparameterdefinedinconfiguration,thentherequestwillbeescalated.TheAuditlogwillshowthisescalation.Wecanalsospecifywhetherescalationautomaticallyremovestheaccessthatisnotapprovedbyacertaindate.

RolesinSODReviewThefollowingrolecanappearinSODReviewRequest

AdministratorAdministratorsperformSoDReviewspecificadministrativetaskssuchasperforminganAdminReviewbeforegeneratingaworkflowfortherequest

ReviewerReviewersareapproversattheReviewerstage.AReviewercanbeaUsersManagerortheRiskOwner

UsersManagerUsersManageristhedirectmanagerofaparticularuser,asdefinedintheUserDetailsDataSource.

RiskOwnerRiskOwneristheownerspecifiedinyourRiskAnalysisandRemediation(RAR)masterdata.

CoordinatorCoordinatorsareusersassignedtooneormoreReviewers.CoordinatorsmonitortheSoDReviewprocessandcoordinateactivitiestoensurethattheprocessiscompletedinatimelymanner

Prerequisites

ThefollowingjobsshouldbeexecutedinthebelowsequencebeforerunningSODreviewJobs.

RepositorysyncforUser,Role,Profile(SPRO>GRC>AccessControl>SynchronizationJobs>RepositorySync)BatchRiskAnalysisJob(SPRO>GRC>AccessControl>AccessRiskAnalysis>BatchRiskanalysis>ExecuteBatchRiskAnalysis)ActionUsageReport(SPRO>GRC>AccessControl>SynchronizationJobs>ActionUsageSync)RoleUsageSync(SPRO>GRC>AccessControl>SynchronizationJobs>RoleUsageSync)AlsomakesurethatRiskOwnersaremaintained.

ConfigurationSettingsThissectionwillexplainsyouSODReviewConfigurationsettings

IMGConfigurationBeforerunningSODreviewjobtherearesomeIMSsettingsthatneedstobedone

GotoIMG>GRC>AccessControl.>MaintainConfigurationSettings>

1. ForPARAMRiskAnalysis:SetParameter1027EnableOfflineRiskAnalysistoYES2. ForPARAMSODReview:SetthebelowParameters

a. 2016RequestTypeforSOD:ChooseDefaultRequesttypeforSODb. 2017DefaultPriorityforSOD:ChooseDefaultPriorityforSODc. 2018WhoAreReviewers:ChooseRoleOwner/Managersd. 2019AdminReviewrequiredbeforesendingtasktoReviewer:ChooseYES/Noe. 2020NumberofuniquelineitemsperSODrequest:Maximumvalueofthisparametercanbe9999.Beyond9999,therequestwillgetsplitandallitemswillbemovedtoanewrequest.

ThisparameterisintroducedinGRC10.0SP17(SAPNote#1994429)f. 2021Isactualremovalofroleallowed:ChooseYes/No

ManagingCoordinatorsGoToNWBC>AccessManagement>ComplianceCertificationReview>ManageCoordinators

Screenwillopen.Nowselectanylineitemtochangeorcreateanewone.

SpecifyingEscalationsGoToSPRO>GRC>AccessControl>UserProvisioning>MaintainServiceLevelAgreement

HereyoucancreateSLAforSODreviewprocess.YoucanspecifythisviatypeFixedbyDateorFixedbynumberofdaysandFormula.

GeneratingdataforRequest

ForgeneratingdataforSODreviewyouneedtoscheduleajobfromNWBC>AccessManagement>Scheduling>BackgroundScheduler

YoucangiveJobNameandselectGeneratedataforAccessRequestSODReviewandclickonnext.

AfterclickingonNextscreenyoucangivetheparametersforwhichyouwanttorunthisjob.

Now,onclickingNextandthenFinishthejobwillbescheduled

YoucancheckthisjobunderNWBC>AccessManagement>Scheduling>BackgroundJobs

RequestReviewThisstepisonlyrequiredifyouhaveenabledAdminReviewoption.

TheadministratorreviewstherequeststoensurecompletenessandaccuracyoftherequestinformationpriortosendingtoReviewers.

GotoAccessManagement>ComplianceCertificationReview>RequestReview

OntheRequestReviewscreen,searchfortheSoDReviewrequestsbyselectingtheSoDRiskReviewWorkflowandthenreviewthedatatoconfirmtheReviewerandCoordinatorinformationisaccurate.

Onthisscreenyoucanenterinformationaboutthereviewertotherequestsifnotavailable.

AnAdministratorcanalsocanceltherequestifSoDReviewsarenotrequiredorifthereisincorrectdata.

UpdateWorkflowJobThisstepisonlyrequiredifyouhaveenabledAdminReviewandtheAdminReviewhasbeencompleted.

ExecutetheSoDReviewUpdateWorkflowJobtopushtheworkflowtaskstotheReviewers.

GotoAccessManagement>Scheduling>BackgroundScheduler.ClickBackgroundscheduler.TheScheduleAccessManagementScreenwillappear.ChooseCreatetocreateanewrequestforUpdateWorkflow.TheCreateSchedulescreenwillappear.EnterScheduleName.SelectScheduleActivityfromthedropdownlist.ForSoDRequests,selectUpdateWorkflowforSoDRequest.

ChooseFinish.GotoRequestReview,andcheckthestatusoftherequestifithasbeencompleted.Aftercompletingalloftheabovementionedsteps,therequestswillnowcometotheReviewersWorkInboxtoworkonit.

NowyoucanviewthatrequestintheWorkinbox.Onopeningtherequestitwilllookasbelow.

SinceYESwasselectedforActualremovalofRolesduringtheconfigurationprocess,theACTUALREMOVALpushbuttonappearsonthescreen.IfNOwasselected,thenthePROPOSEREMOVALpushbuttonappearsinstead.

ByselectingRiskandthenchoosingtheActualRemovalpushbutton,youcanremovetheactualroleassociatedwiththisRisk.BychoosingtheProposeRemovalpushbuttonyoucanonlyproposetheremoval,noactualremovalisdoneonanyroles.ChooseSubmittocompletetheReviewprocess.

WorkflowConfigurationToprocessSODreview,youneedtosettheworkflowsettingsfromMSMP.

ProcessID:SAP_GRAC_SOD_RISK_REVIEW

YoucanmaintainRuleatthe2ndstep.YoucanconfigureFunctionModulerules,BRFplusrules,ABAPclassbasedrules,andBRFplusflatrules.

Therulescanbeoneofthefollowingtypes:

InitiatorRule:TocheckwhichpathyourrequestwilltakeRoutingRule:TodirectyourrequesttotakeadetourAgentRule:Tocheckforagents(Reviewers)fortherequestinaparticularstageNotificationRule:Usedfornotificationpurposesonly

Atthe3rdstepyoucandefineAgent

Thepossibleagenttypesare:

DirectlyMappedUsersAgroupofuserscreatedwithintheworkflowconfigurationPFCGRolesAlluserswhohavespecifiedPFCGroleassignmentsPFCGUserGroupAlluserswhoarepartofthespecifiedPFCGgroupGRCAPIRulesAllusersreturnedbytheconfiguredruleforagents

Oncetheagentsaremaintained,choosetheNEXTpushbuttontomaintaintheVARIABLESANDTEMPLATES.

Inthisscreen,youcanmaintaincustomnotificationtemplatesaswellastheirvariablesandreminders.

Nextstepistomaintainpaths

SelectapathandchoosetheADDorMODIFYpushbuttonstodefinethepathstages.

IntheMaintainStagestable,choosetheMODIFYTASKSETTINGSbuttontochangethestagesettings.

IntheApprovalTypecolumn,selectAllApproversorAnyOneApproverfromthedropdownlist.Thisdeterminesifallapproversoranyoneapproverisrequiredtoapprovethestage.

IfyouchooseYesforEscalation,specifytheescalationsettingbyenteringtheidletimeinminutes.Idletimeistheamountoftimebywhich,ifthestageisnotapprovedorrejected,thetaskiseithersenttothespecifiedagentortheworkflowmovestothenextstage.

ChoosetheNEXTpushbuttontogototheMaintainRouteMapppingscreen.Inthisstepyoucanmaintainroutemappingsbetweentheinitiatorrulesresultandtheactualpathfortheresult.

NowGenerateMSMPversion

CheckingSODReviewRequestsAfterarequestisgenerated,itissenttothereviewersWorkInboxandcanbeaccessedbyperformingthefollowingsteps:

YoucanalsosearchthisrequestunderSearchRequest>SelectProcessIDasSODRiskReviewWorkflow

ManagingRejectionThelineitemsthatarerejectedbyanapprovercanbeaccessedandreworkedfromtheManagingRejectionsscreen.

GoToAccessManagement>ComplianceCertificationReviews>ManageRejections.

SelecttheProcessTypeandclickonSearch

Youcanfindtherejectionsonthisscreen.

RelatedDocuments

TherearemanymajorSODreviewfixesafterSP14GRC10.0

BelowaretheimportantSAPNoteregardingthis.

1994429UAM:RunningBatchRiskAnalysisismandatoryforSODReviewRequestcreation

2057848UAM:IncorrectvalueisdisplayedfortheVariableREQUESTER_NAMEintheSODNotifications

2058766Removalofreviewernotpossiblefromrequestreviewer

1888260UAM:IssueswithSODReviewrequest

1973155ProvidingtablesortingoptioninSODReviewrequestandmitigationsnotsavedonsavingSODrequest

Nolabels

FollowSCNContactUs SAPHelpPortalPrivacy TermsofUse LegalDisclosure Copyright

Segregation of Duties Review (SOD Review) Description and Workflow Configuration

Documents

Transcript of Segregation of Duties Review (SOD Review) Description and Workflow Configuration

Gene's SOD Presentation

A risk-based approach to segregation of duties › wp-content › uploads › 2018 › ...Segregation of Duties (SoD) is top of mind for many professionals, from compliance managers

DDB Unlimited, Inc. W A R ANTY SOD SERIES SOD … Unlimited, Inc. SOD SERIES SOD-102420 Why Choose the SOD Series? The SOD series enclosure is the ultimate choice for your outdoor

SOD , dtic

Segregation of Duties gia - University System of Georgia · Segregation of Duties - Matrix DOAA SOD Matrix gia 4 n n O O r r k r r n E E h t s s n e n s k Process COSO Procedure/Function

SAP GRC SOD

Counterpoint, Sod

Rapidly reduce Segregation of Duty Violations in Oracle ... · PDF fileWe can not use Oracle “seeded” Responsibilities because of inherent SOD conflicts. GL Supper User can Enter

Managing Segregation of Duties (SOD) in R3 Session Code: 808 Donnie Looper, Eastman Chemical Company Jasvir Gill, Virsa Systems.

Northern Segregation ◦ De jure segregation Segregation by law ◦ De facto segregation Segregation by practice and custom Harder to fight Requires.

Cybersecurity and Data Security - Elliott Davis · bank has any segregation of duties (SoD) of conflicts. If conflicts exist management should have mitigating controls (business process

GRC Links Segregation of duties (SoD) for SAP

Segregation of Duties Remediation for Infor-Lawson Software€¦ · SoD reports validate that the correct checks and balances have been implemented within the security model to avoid

SOD-523 Plastic-Encapsulate Diodes SOD-523...SOD-523 Package Outline Dimensions SOD-523Suggested Pad Layout A 0.510 0.770 0.020 0.031 A1 0.500 0.700 0.020 0.028 b 0.250 0.350 0.010

Segregation of Duties - SP+ University€¢ Describe the Sarbanes-Oxley Act (SOX) • Define Segregation of Duties (SOD) • Describe the benefits of Segregation of Duties • Demonstrate

ScienceOfGettingRichNotes SOD

Enforcing Segregation of Duties (SoD)ma.axiomatics.com › acton › attachment › 10529 › f-0006 › 1...Enforcing Segregation Of Duties In recent years many IT organizations have

Housing Affordability and Segregation - · PDF fileHousing Affordability and Segregation Europe and Southeast Asia An International Federation for Housing and Planning review on the

Automating PeopleSoft Segregation of Duties: …ww1.prweb.com/prfiles/2015/05/06/12704691/Automating SoD...Automating PeopleSoft Segregation of Duties: Financials/HCM/Campus Solutions

How A Fortune 500 Global Security Company Reduced Segregation of Duties (SoD) Auditing Time by 700+ Hours