SAP Governance, Risk & Compliance Overview

GRC PWC


SAP GRC – The Solutions

Access Control 5.3 & 10.0

• Compliant User Provisioning / Access Request Management: User Access Management
• Enterprise Role Management / Business Role Management: Business Role Governance
• Super User Privilege Management / Emergency Access Management: Super User
• Risk Analysis and Remediation / Access Risk Analysis: Risk Analysis

GRC – Process Control

GRC – Risk Management

GRC – Global Trade Services

GRC – Sustainability

GRC – Environmental Health & Safety Compliance

What is the difference?

From a technical perspective, SAP has moved from the Java programming language to the Advanced Business Application Programming (ABAP) platform, which enables consistent security and standardized configuration settings across the GRC 10.0 products. This standardization allows centralized support across all components, and the solution's new platform improves change management processes by leveraging SAP's standard transport system and its background job scheduling and archiving features.

[Diagram: GRC 5.3 and GRC 10 architectures compared; each shows SAP ECC / R/3 on top of a NetWeaver ABAP/Java stack]

Access Request Management

• Automates provisioning
• Tests for segregation of duties issues
• Streamlines approvals to unburden IT staff

[Diagram: the GRC system connected to CRM, ECC and BI target systems]

Key features of GRC ARM:

The AC product includes pre-delivered workflows for user access management:

One significant enhancement is the ability to incorporate MSMP workflow configuration into user access approval routing

MSMP: Multi-Stage Multi-Path

One initiator rule ID

Agents/Approvers: Role, Custom Group, Agent ID and User Group

Mass user Creation.

Access Request Analysis

[Diagram: the four Access Control components ARA, EAM, BRM and ARM]

Risk Analysis and Remediation supports real-time compliance: it detects, removes and prevents access and authorization risks by stopping security and control violations before they occur.

Real-time compliance to detect, remove, and prevent access and authorization risk by controlling violations before they occur

The ability to perform mass mitigation of SoD risks at the user or risk level allows business users and control owners to experience increased productivity by reducing the time spent on mitigating access risks

[Process flow: Build rules → Risk analysis at action / permission levels → Reports → Remove access or mitigate → Free from violations]

Why ARA

Ability to filter, save reports and run multiple and custom risk analyses simultaneously

Custom risk analyses run simultaneously at transaction code and permission level

Users can save risk reports as PDF files.

Crystal Reports is now integrated in the GRC 10.0 solution, enabling report customization and the use of charts and graphs to represent risk analysis

GRC 10 provides mass mitigation of SoD risks at the user or risk level, which allows business users and control owners to experience increased productivity by reducing the time spent on mitigating access risks.

In previous versions of the GRC suite, mitigation could only be applied to one user across all systems (instead of a subset of systems)
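The two analysis levels mentioned above (action / transaction code versus permission / authorization value) behave differently on the same user, and that difference is the main source of false positives in SoD reporting. The following is an added example, not code from the slide deck or from SAP: a minimal rule set, a handful of roles and users, and an analysis that runs at either level and then applies mitigating controls. Every rule ID, transaction code, authorization object, role name, user and control ID is constructed sample data, not an SAP-delivered rule set.

```python
"""Added example: segregation-of-duties (SoD) risk analysis at action level
(transaction code) and at permission level (authorization object/field/value),
followed by mitigation. All identifiers below are constructed sample data."""
from collections import namedtuple

# An authorization value on an authorization object field, e.g. ACTVT 01 = create.
Auth = namedtuple("Auth", "obj field value")

# Constructed rule set. A function maps transaction codes to the authorization
# values that make the transaction genuinely risky (the permission-level rule).
FUNCTIONS = {
    "VENDOR_MASTER_MAINT": {"XK01": {Auth("F_LFA1_APP", "ACTVT", "01")},
                            "XK02": {Auth("F_LFA1_APP", "ACTVT", "02")}},
    "VENDOR_PAYMENT":      {"F110": {Auth("F_REGU_BUK", "ACTVT", "21")}},
    "PO_CREATE":           {"ME21N": {Auth("M_BEST_BSA", "ACTVT", "01")}},
    "GOODS_RECEIPT":       {"MIGO": {Auth("M_MSEG_BWA", "ACTVT", "01")}},
}
# A risk is a pair of functions that one person should not hold together.
RISKS = {
    "P001": ("Maintain vendor master and run payments", "VENDOR_MASTER_MAINT", "VENDOR_PAYMENT"),
    "P002": ("Create purchase orders and post goods receipts", "PO_CREATE", "GOODS_RECEIPT"),
}

# Constructed roles: transaction codes plus the authorization values they carry.
ROLES = {
    "Z_AP_CLERK": {"actions": {"XK01", "XK02"},
                   "auths": {Auth("F_LFA1_APP", "ACTVT", "01"), Auth("F_LFA1_APP", "ACTVT", "02")}},
    "Z_AP_PAYMENT": {"actions": {"F110"}, "auths": {Auth("F_REGU_BUK", "ACTVT", "21")}},
    "Z_PURCHASER": {"actions": {"ME21N"}, "auths": {Auth("M_BEST_BSA", "ACTVT", "01")}},
    # Display-only goods movement role: has the transaction, but ACTVT 03 (display), not 01.
    "Z_WAREHOUSE_DISPLAY": {"actions": {"MIGO"}, "auths": {Auth("M_MSEG_BWA", "ACTVT", "03")}},
}
USERS = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "AKHAN": {"Z_PURCHASER", "Z_WAREHOUSE_DISPLAY"},
    "BLEE": {"Z_PURCHASER"},
}
# Constructed mitigating controls keyed by (user, risk id).
MITIGATIONS = {("JSMITH", "P001"): "MC-0007 monthly payment run review by AP manager"}


def user_access(user):
    """Aggregate transaction codes and authorization values across a user's roles."""
    actions, auths = set(), set()
    for role in USERS[user]:
        actions |= ROLES[role]["actions"]
        auths |= ROLES[role]["auths"]
    return actions, auths


def has_function(actions, auths, function, level):
    """True if the user can perform the function at the given analysis level.

    At action level a matching transaction code is enough; at permission level
    the user must also hold every authorization value the rule requires."""
    for tcode, required in FUNCTIONS[function].items():
        if tcode not in actions:
            continue
        if level == "action" or required <= auths:
            return True
    return False


def analyze(user, level="permission"):
    """Return the sorted risk IDs a single user violates at the given level."""
    actions, auths = user_access(user)
    return [risk_id for risk_id, (_desc, fa, fb) in sorted(RISKS.items())
            if has_function(actions, auths, fa, level)
            and has_function(actions, auths, fb, level)]


def report(level="permission"):
    """Risk report rows: (user, risk id, status, mitigating control or None).

    Open rows are the ones that still need access removal or a new control."""
    rows = []
    for user in sorted(USERS):
        for risk_id in analyze(user, level):
            control = MITIGATIONS.get((user, risk_id))
            rows.append((user, risk_id, "mitigated" if control else "open", control))
    return rows


if __name__ == "__main__":
    for level in ("action", "permission"):
        print(f"--- {level}-level analysis ---")
        for user, risk_id, status, control in report(level):
            print(f"{user:8} {risk_id} {RISKS[risk_id][0]:55} {status:10} {control or ''}")
```

Running it shows AKHAN flagged for P002 at action level only: the warehouse role contains MIGO but only a display authorization, so the permission-level rule does not fire. JSMITH's P001 conflict is real at both levels and is reported as mitigated because a control is assigned; removing one of the two roles would clear it outright.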

Centralized Emergency Access

[Diagram: MM, FICO, PP and SD modules, each with its own firefighter (FF) ID log, monitored centrally; no SAP_ALL]

• Preassigned firefighter IDs
• Access restrictions
• Validity dates
• Field-level changes tracked in audit log
• Easy monitoring

Super-user monitoring capabilities have been moved to a centralized environment in GRC 10.0

Previously Firefighter had to be installed and configured for each target system.

This allows monitoring of emergency access from one GRC system and streamlines the administration process
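The controls listed on the emergency access slides (preassigned firefighter IDs, validity dates, a field-level audit log) are only useful if someone actually reviews the log against them. The following is an added example, not code from the slide deck or from SAP, of the review a control owner would run over a centralized firefighter log: each logged change must come from a user who is preassigned to that firefighter ID, fall inside the assignment's validity dates, and carry a reason. The pipe-delimited log format, the firefighter IDs, users, owners, dates and incident references are all constructed sample data; a real GRC log has its own layout.

```python
"""Added example: reviewing a centralized firefighter (emergency access) log
against preassignments, validity dates and reason codes.
All IDs, dates and log lines are constructed sample data."""
from datetime import date, datetime

# Constructed firefighter assignments keyed by (firefighter id, firefighter user).
FF_ASSIGNMENTS = {
    ("FF_FICO_01", "JSMITH"): {"owner": "AMILLER", "valid_from": date(2024, 1, 1),
                               "valid_to": date(2024, 3, 31)},
    ("FF_MM_01", "AKHAN"): {"owner": "RGOMEZ", "valid_from": date(2024, 1, 1),
                            "valid_to": date(2024, 12, 31)},
}

# Constructed log: timestamp|system|ff id|user|tcode|table-field|old->new|reason
FF_LOG = """\
2024-02-14 09:12:00|ECC6|FF_FICO_01|JSMITH|F110|REGUH-LAUFD|20240210->20240214|reason=INC-4412
2024-04-02 16:40:00|ECC6|FF_FICO_01|JSMITH|FB02|BKPF-BLDAT|20240331->20240401|reason=INC-4590
2024-02-20 11:05:00|ECC6|FF_MM_01|BLEE|MM02|MARA-MATKL|001->002|reason=INC-4450
2024-02-21 08:00:00|ECC6|FF_MM_01|AKHAN|MM02|MARA-MATKL|002->003|
"""


def parse_log(text):
    """Turn the constructed log into dicts; reason is '' when not supplied."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, ff_id, user, tcode, field, change, reason = line.strip().split("|")
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "system": system, "ff_id": ff_id, "user": user, "tcode": tcode,
            "field": field, "change": change,
            "reason": reason[len("reason="):] if reason.startswith("reason=") else reason,
        })
    return entries


def review_ff_log(text):
    """Return findings as (timestamp, ff id, user, finding) in log order.

    Findings: NOT_PREASSIGNED (user has no assignment for this FF ID),
    OUTSIDE_VALIDITY (change made outside the assignment's validity dates),
    MISSING_REASON (no reason recorded for the change)."""
    findings = []
    for e in parse_log(text):
        assignment = FF_ASSIGNMENTS.get((e["ff_id"], e["user"]))
        if assignment is None:
            findings.append((e["ts"], e["ff_id"], e["user"], "NOT_PREASSIGNED"))
        elif not (assignment["valid_from"] <= e["ts"].date() <= assignment["valid_to"]):
            findings.append((e["ts"], e["ff_id"], e["user"], "OUTSIDE_VALIDITY"))
        if not e["reason"]:
            findings.append((e["ts"], e["ff_id"], e["user"], "MISSING_REASON"))
    return findings


def changes_per_owner(text):
    """Count logged changes per firefighter ID owner, so each owner can be sent
    exactly the entries they are responsible for approving after the fact."""
    counts = {}
    for e in parse_log(text):
        assignment = FF_ASSIGNMENTS.get((e["ff_id"], e["user"]))
        owner = assignment["owner"] if assignment else "UNASSIGNED"
        counts[owner] = counts.get(owner, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, ff_id, user, finding in review_ff_log(FF_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {ff_id:12} {user:8} {finding}")
    print(changes_per_owner(FF_LOG))
```

On the sample log the first entry passes every check; the second is a valid user acting after the assignment expired, the third is a user who was never preassigned to that firefighter ID, and the fourth has no reason recorded. The per-owner count is what lets a single GRC system route review work to the right control owner instead of having each target system's administrator do it separately.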

[Diagram: one GRC 10.0 system monitoring emergency access in ECC 6, BI and CRM target systems]

The Business Role Management component of the GRC solution automates role definition and role management

It provides SAP Security Administrators, Role Designers and Role Owners with a simplified means of documenting and maintaining important role information

Access Control can be the central repository for all SAP systems connected in the landscape

Business Role Management

• Ensure consistency in naming conventions
• Track the status of the role during maintenance
• Be the central repository for role management
• Identify duplicate or nearly duplicate roles
• Identify roles that may no longer be needed

Business Role Management is tightly integrated with the Access Request Management engine:

when roles are maintained in BRM, those same roles are immediately available for use in access requests

GRC 10.0 BRM Sample Screen