AGLEA SAP Security Analyzer SoD Remediation SoX authorization

30 March 2009 – ANDREA CAVALLERI

description

Show Security Analyzer Software developed by AGLEA.

Transcript of AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Page 1: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

30 March 2009 – ANDREA CAVALLERI

Page 2: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

The company

• Aglea was founded in 2003 as a company specializing in the management of users and authorizations in the SAP world

• Works directly with customers or alongside major System Integrators

2 22Security Analyzer29.9.09

• AGLEA is part of APL Italian SpA, owner of the software "SOFIA" ® (portfolio manager titles Banks and Insurance)

Page 3: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Skills

FOCUS:

• Consulting
• SAP Security project
• New implementations
• Authorizations review based on RBE (Reverse Business Engineering)
• Authorizations upgrade
• Auditing
• Sarbanes Oxley / Dlgs 231/2001 / L 262/2005 Dlgs 196/2003
• Segregation of Duties
• Risk management
• SoD Analysis

Software

• Security Analyzer

Page 4: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Security Analyzer

• Security Analyzer (SA) is the application that manages SAP Security (users and authorizations)

• It consists of:
  • two ABAP reports that download security information from a SAP System
  • a Microsoft Access application to import and process the data

• SA is compatible with SAP systems starting from release 4.6 of R/3

Page 5: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Strengths

S.A.:

• Customizable. This means it can be adapted to specific customer requirements
• Lets you cross-reference authorizations with the usage statistics, including in the SoD analysis
• The SOD tab contains an SoD matrix of risks (based on SAP R/3-ECC transactions)
• Performs special analyses that help identify "non-compliance" in the use of the profile generator
• Is very quick to install and use
• Allows you to perform retrospective analysis
• Is fully developed by Aglea, which operates exclusively in SAP security consulting

Page 6: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Integration with GRC

• SA is not an alternative to SAP GRC Access Control. The "point of contact" is in the SOD
• Security Analyzer is ideal for analyzing a SAP system during an authorization review and for monitoring the role model adopted
• SA reporting is complementary to GRC and is particularly useful during REMEDIATION

Page 7: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Security Analyzer

• After the two ABAP reports are installed in the system to be analyzed, the documentation and analysis process is very simple:
• Extract the data from SAP (53 tables + usage statistics) and place it in a directory
• Define (one time) a project in SA and customize your settings
• Import the data into SA
• Generate the reports needed
• Conduct more specific analyses:
  • analysis of authorizations (a more powerful "SUIM")
  • transaction-based SoD analysis

Page 8: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Project definition

The first action is to create a project with a SAP client

SA can keep data online for one system at a time

Page 9: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Project definition

Form in which you can specify the attributes of the project

Page 10: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Import

Rapid import (about 15 minutes) of data exported from SAP

You can also import only some tables, divided by subject

A dedicated LOG provides useful information on any problems encountered during the import

Page 11: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Reports

Screen for opening the output

You can:

• obtain a query to be exported to Excel
• save directly as xls
• print in report format (PDF), choosing among the more than 100 models currently

Page 12: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Reports


Page 13: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Reports


Page 14: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Organizational Analysis

If the HR scenario is implemented, the organizational structure can be analyzed off-line

There are specific information and features not available directly from SAP

Page 15: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Indicators

The main security information is summarized in a single screen.

With it, you can check the state of health of the system in a few minutes

Page 16: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Auditing

You can run audit analyses focused on authorization objects

You can create as many audits as needed, excluding from the analysis any blocked users or SAP_ALL and SAP_NEW

Page 17: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Auditing

The details are specified in the affected and the values to be found

You can enter up to 3 values in "OR".

Page 18: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

SOD Analysis

The SoD analysis may be conducted on 5 SAP items:

1. Composite role (Job Role)

2. Simple role (Task), Menu tcode level

3. Simple role (Task), Authorizations tcode level (S_TCODE)

4. Permissions assigned to the user (User). In this case, if a user has an S_TCODE permission with a range or with asterisks, all matching transactions are still identified

5. Transactions used, from statistics. This feature allows you to act quickly on the real risks and then on the potential ones

You can also generate an additional SoD matrix based on Job Roles.
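
Item 4 depends on resolving S_TCODE ranges and asterisks to concrete transactions before the SoD matrix is applied, and item 5 separates real risks from potential ones. The Python example below is added here for illustration and is not code from Security Analyzer or AGLEA; the transaction catalog, S_TCODE values, usage data, risk entries and all function names are constructed, and ranges are assumed to compare as plain strings.

```python
import re

# Constructed sample data; not taken from a real system or from Security Analyzer.
CATALOG = ["F110", "FB60", "FK01", "FK02", "ME21N", "ME22N", "MIGO", "XK01"]
# S_TCODE values as (from, to) pairs: single value, asterisk pattern, or range.
USER_S_TCODE = [("FK*", ""), ("F110", ""), ("ME21N", "ME23N")]
# Transactions the user actually ran, according to usage statistics.
USER_USED = {"FK01", "ME21N", "ME22N"}
# SoD matrix: risk id -> two sets of transactions that must not be combined.
SOD_MATRIX = {
    "R01 vendor master / payment run": ({"FK01", "FK02", "XK01"}, {"F110"}),
    "R02 purchase order / goods receipt": ({"ME21N", "ME22N"}, {"MIGO"}),
}

def value_matches(tcode, low, high):
    """True if tcode is covered by one S_TCODE value (from, to)."""
    if high:  # range; assumption: plain string comparison
        return low <= tcode <= high
    # Asterisks match any run of characters; everything else is literal.
    pattern = ".*".join(re.escape(part) for part in low.split("*"))
    return re.fullmatch(pattern, tcode) is not None

def expand(values, catalog):
    """Resolve ranges and asterisks to the concrete transactions they allow."""
    return {t for t in catalog if any(value_matches(t, lo, hi) for lo, hi in values)}

def sod_conflicts(tcodes, matrix):
    """Return {risk: (side_a_hits, side_b_hits)} where both sides are present."""
    found = {}
    for risk, (side_a, side_b) in matrix.items():
        a, b = side_a & tcodes, side_b & tcodes
        if a and b:
            found[risk] = (a, b)
    return found

def analyse(values, used, catalog=CATALOG, matrix=SOD_MATRIX):
    """Potential risks (authorized) versus real risks (authorized and used)."""
    authorized = expand(values, catalog)
    return sod_conflicts(authorized, matrix), sod_conflicts(used & authorized, matrix)

if __name__ == "__main__":
    potential, real = analyse(USER_S_TCODE, USER_USED)
    print("potential:", sorted(potential))
    print("real:", sorted(real))
```

An exact-match lookup of the literal value `FK*` against the matrix would find nothing; the vendor master / payment run risk only appears once the asterisk is resolved to FK01 and FK02.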

Page 19: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

SOD Analysis


Page 20: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

SOD Analysis


Page 21: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Mapper

• The mapper function lets you find the best set of roles (chosen from a list of "candidates") to be assigned to a user based on his statistics

Page 22: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Mapper

Creating a composed role - identifying TASK


Page 23: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Mapper

Mapping users and roles according to statistics


Page 24: AGLEA SAP Security Analyzer SoD Remediation SoX authorization

Version and Licensing
