SAP Discovery System August 2006 English

SAP Discovery System SAP AG Dietmarr-Hopp-Allee 16 69190 Walldorf Germany

SAP GRC Virsa Access Enforcer for SAP Demonstration Script August 2006

Discovery Box – Access Enforcer Scenarios

© SAP AG Page 2 of 39

Contents

Introduction ........................................ 3
Submit a Request .................................... 4
Manager Approver .................................... 20
Security Approver ................................... 30
AE Administrator Activities – Nicholas Frost ........ 37

Introduction

It was decided after last year’s audit that an automated user request system would be implemented to better track security authorization approvals, enforce our SOD policies and provision security to the users. Access Enforcer by Virsa was chosen for its flexible workflow configuration, its ability to provision to any SAP system (and to other systems in the future), and the integration of the user request system with the Compliance Calibrator SOD process. Once Access Enforcer was installed, an SAP GRC consultant arrived to assist us with a two-week Quick Start implementation, which provided training and our initial workflow paths so we could begin access request testing and provisioning. Our workflow path for a New User consists of two stages: a User Request is submitted, the manager approves, and then the security team verifies the request and provisions the security through Access Enforcer.

Submit a Request

We will begin by entering an Access Enforcer request for a new user in the Finance Department. Betty Adams, the Finance Department Admin, has been asked to submit an Access Enforcer request for Joe Barns, a new employee in the department, to receive an SAP user id in the R/3 production system.

Betty begins by entering the URL for Access Enforcer and choosing the “Request Access” option on the left side of the screen. She enters her user id: BADAMS, her password: virsa1, places a check in the “Requesting for Other User” box because she is requesting this access for Joe, and then presses Logon.

Data
FIELD                       DATA
User Id                     BADAMS
Password                    Virsa1
Requesting for Other User   Yes

Access Enforcer displays a screen with several options for requesting access. Betty will choose to enter a new request by selecting and double clicking on the option for “New Account”.

As you can see, the Request Type of New has defaulted into the request from the choice on the previous screen. Although it has defaulted in, it can be changed to any other request type using the dropdown selection. The priority has defaulted to Normal, but other priorities could be chosen using the dropdown. All of the fields with dropdown selection are completely configurable by the client.

Choose a Functional Area using the dropdown (we will choose Finance). Now we will choose the Applications that this request will be for by double clicking on the search button (eye-glass) at the end of the Application field.

Data
FIELD             DATA
Request Type      New
Priority          Normal Priority
Functional Area   Finance
Applications      ERP

On this screen, Betty can choose one or several systems to submit on the request for Joe. With this version of Access Enforcer, Access Enforcer will provision to any of the SAP systems. There are separate tabs for the different types of systems: Production, Not-Production and Other, so the Development and Quality instances are also available for provisioning through the same Access Enforcer request. In our demo today, Betty will only be requesting access to the ERP Production system, client 200.

Choose the Production Application of ERP by placing a check mark in the box in front of the ERP System – Client 200. Press the Select button at the bottom of this screen to select the marked applications.

The selected applications appear in the Application field. Betty will enter the request reason: New user in Finance.

Data
FIELD            DATA
Request Reason   New User in Finance

Since this request is for a new user, the user information will need to be entered in the User Data fields. If this were a “change” request for an existing user, Betty would press the search button (eye-glass) and find the user.

Betty enters the User Name as Joe Barns, enters the user id JBARNS, enters the email address [email protected] and the telephone number 555-234-1111. Although there are fields for the user’s Department and Location, these fields are not required for processing this type of Access Request, so we will not ask the requestor to enter them. Choose the Company using the dropdown selection: choose Northwest Chemical. Employee Type will remain blank for this demonstration because it is not required for processing a new user request. Betty’s user information in the Requestor data fields was defaulted in when she logged onto the system. Now Betty will choose the Manager by clicking on the search button (eye-glass).

Data
FIELD                            DATA
User Name (Firstname Lastname)   Joe Barns
User ID                          JBARNS
Email Address                    [email protected]
Telephone Number                 555-234-1111
Company                          Northwest Chemical (NWCHEM)

Now Betty will choose the Manager by clicking on the search button (eye-glass). The Select Approver screen will appear. Betty will search for Joe’s manager by entering the last name “Green” (the search is case sensitive, so it is important to match the case of the letters). Press Search. Select Tom Green by clicking on the radio button in front of his user id, then press the Select button at the bottom of the screen to choose this manager.

Data
FIELD       DATA
Last Name   Gr*

The manager’s information is pulled back into the request. The header information of the request is now complete. Betty will now select the security roles for Joe’s access by pressing the Select Roles button.

There are three different ways that Betty can select roles for the user Joe Barns.

First, if Betty knows the roles that Joe should have, she searches for them by choosing the “Roles” type of access and the appropriate categories of roles to search in. In this instance, Betty knows that the roles she is looking for are in the Business Process area of General Ledger, so she opens the Business Process dropdown, scrolls until she finds General Ledger and double clicks on it to select it. Betty notices that the Functional Area and Company name have defaulted in correctly from what was entered on the request header. Although there are other categories for selecting roles, Betty knows these are the only ones she needs, as she is already familiar with these roles. Betty presses “Go” to retrieve the roles. The roles that meet the selected criteria are displayed on the lower half of the screen. Betty selects the roles to be added to the request by clicking on the box in front of each role. She chooses two roles:

Choose VS::FI_GL_ACCT_MASTER_DATA
Choose VS::FI_GL_PERIOD_END_CLOSING

Then she presses Add at the bottom of this window to add the selected roles to the request.

Data
FIELD                       DATA
Select the System           ERP
Select the Type of Access   Roles
Business Process            General Ledger
Functional Area             Finance
Company                     Northwest Chemical (NWCHEM)

On the role screen, the view switched from the “Search Results” tab to the “Selected Roles/Profiles” tab, where the two roles Betty selected appear. If Betty is satisfied with the roles selected, she would press the Submit button to submit the request. Betty could also search for additional roles by re-selecting the Business Process and/or other categories. The roles already added to the request remain on the request no matter how many more searches Betty does. Of course, Betty can remove any role by removing the check mark in front of the role on the Selected Roles/Profiles tab.

Before we press Submit, there are two other ways the requestor can select the type of access. The first was to search for Roles. The second is to search by “create my account like another user” and the third is to search by transaction code. We will review these two other ways of selecting roles before submitting the request.

To search by “create my account like another user”, use the dropdown for Select the Type of Access and choose “create my account like another user”. We may now enter the user id of the user whose roles we wish to copy: enter TJOHNSON, for Tom Johnson, and press Go. The roles displayed under the Search Results tab are the roles that the user TJOHNSON has assigned to him in the system listed at the top of this screen. Once these roles are displayed, the requestor chooses which roles are submitted on the request by clicking the box in front of each role and pressing Add.

Data
FIELD                       DATA
Select the System           ERP
Select the Type of Access   Create my account like another user
User ID                     TJOHNSON

The third way is to choose the type of access by transaction code. Using the dropdown for Select the Type of Access, choose “Transaction” and enter the transaction code OB52. This displays all the roles in the selected system that contain the transaction code OB52. Roles from the search appear in two ways: several roles have a grayed-out box in front of the role name. These roles contain the transaction code OB52 in the selected system but have not been made available for assignment in Access Enforcer. Part of the AE Administrator’s responsibility, and a configuration step, is to verify which roles in each system are available to assign through Access Enforcer.

Data
FIELD                       DATA
Select the System           ERP
Select the Type of Access   Transaction
User ID                     OB52

Now, before we submit this request, we should review the roles actually assigned to this request by pressing the “Selected Roles/Profiles” tab. Betty notices that the request has the two required roles on it, so she presses the Submit button.

The message with the status of the request, and the Request No. if it was successfully created, is displayed on Betty’s screen.

The request for Joe Barns has been submitted, so Betty logs out of Access Enforcer using the Logout option on the top right side of the AE window.

Manager Approver

The Access Request for Joe Barns has been submitted; the manager is the first approver in the workflow for a New Account/User id. So Tom Green, the manager, has received an email notification that the request has been submitted and is awaiting his approval. Tom, using the URL link in the email, brings up the Access Enforcer main menu. As an approver, Tom needs to log into Access Enforcer using the “User Login” option on the left side of the Access Enforcer main window. Tom enters his user id TGREEN and his password virsa1, and presses the Logon button.

Data
FIELD      DATA
User Id    TGREEN
Password   Virsa1

When Tom logs into Access Enforcer, the Request for Approval screen is displayed with his open items. Tom will only see the requests that are awaiting his approval. Tom double clicks on the request for Joe Barns, in this case request number 14.

Tom can now review all the request details. Based on the configuration options of this stage, as the manager approver, Tom can perform all the tasks that appear as buttons at the bottom of this screen. Tom decides to run a Risk Analysis to see if the roles being requested for Joe have any Segregation of Duties conflicts, so Tom presses the Risk Analysis button.

The Risk Analysis is run with Compliance Calibrator by Virsa and the results are displayed on the screen: two risks were found. On the Risk Violations tab, Tom can see the details of the risks and the conflicts: Risk F001, the ability to maintain a fictitious GL account and hide activity via postings, and Risk F018, the ability to open closed periods and inappropriately post entries. By clicking on the “plus” sign in front of risk F001, the transaction code combinations are revealed. By clicking on the “plus” sign next to each transaction code combination, the transaction codes and the roles that contain those transaction codes are displayed. Now the manager/approver can view the two different roles that are creating this SOD conflict.

Tom has two choices: he can mitigate the risk by assigning a Mitigating Control through Compliance Calibrator by Virsa, or he can remove one of the security roles that are causing the conflict.

To review the Mitigation Controls currently available, Tom highlights the Risk id F001 and presses the Mitigate button. The mitigation screen appears. Tom needs to press the search button on the Reference No. field to see if there are any existing mitigating controls for this risk.

There is one Mitigation Control available. To select this control, click on the radio button in front of the control and press Continue at the bottom of the screen.

The system brings Tom back to the Mitigation screen, where Tom then needs to choose a Mitigation Monitor for this control. Tom uses the dropdown selection and chooses HASSELT. Now Tom can save this mitigation control assignment, and the SOD conflict will be mitigated in Compliance Calibrator by Virsa.

Data
FIELD                DATA
Mitigation Monitor   HASSELT

But in this case Tom decides not to mitigate but to remove a role, so he presses the Cancel button.

Since Joe is a new employee, Tom decides not to accept this risk and removes the VS::FI_GL_PERIOD_END_CLOSING role from the request. Tom removes this role by clicking on the green check box in front of the role he wants to delete. The check mark becomes an X and the line turns red. Now Tom presses Simulate to see if that clears up the SOD conflicts.

The issues are cleared: no risks are found.

Pressing Continue at the bottom of this screen takes him back to the approval screen. Although Tom simulated removing this role, he now has to remove it from the request. Tom clicks on the green check box in front of the VS::FI_GL_PERIOD_END_CLOSING role that he wants to remove and enters a comment explaining why he is removing that role from the request.

Data
FIELD                   DATA
Please Enter Comments   This closing role caused SOD conflicts so it needed to be removed from the request. Joe cannot receive this role.

When Tom saves the comments, the green check for this role turns red. The role stays on the request as a rejection and will not be provisioned to Joe’s user id at the end. Tom’s comments will be visible on the request.
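The risk analysis, mitigate and simulate steps that Tom just worked through can be modelled in a few lines of code. The block below is an added example written for this page; it is not code from the demo script, from Access Enforcer or from Compliance Calibrator. The two role names, transaction OB52, the risk ids F001 and F018 with their descriptions, and the monitor HASSELT come from the script; the transactions FS00, F-02 and FB01, the role-to-transaction mapping, the transaction combinations behind each risk, and the control reference MC-0001 are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data, not taken from the demo script: which transaction
# codes each requested role grants. The two role names and OB52 appear in the
# script; FS00, F-02, FB01 and the role-to-transaction mapping are assumptions.
ROLE_TCODES = {
    "VS::FI_GL_ACCT_MASTER_DATA": {"FS00", "F-02"},
    "VS::FI_GL_PERIOD_END_CLOSING": {"OB52", "FB01"},
}

# SoD rules: a risk fires when one user holds every transaction in at least
# one of its conflicting combinations. Risk ids and descriptions follow the
# script; the transaction combinations are assumed for illustration.
RISK_RULES = {
    "F001": ("Maintain fictitious GL account & hide activity via postings",
             [("FS00", "FB01")]),
    "F018": ("Open closed periods and inappropriately post entries",
             [("OB52", "F-02")]),
}


@dataclass
class Violation:
    risk_id: str
    description: str
    tcodes: tuple          # the conflicting transaction combination
    roles: dict            # tcode -> sorted requested roles that grant it


def analyze(requested_roles, role_tcodes=ROLE_TCODES, risk_rules=RISK_RULES):
    """Return the SoD violations for the roles on a request.

    Each violation records which requested role supplies each transaction,
    which is the risk -> combination -> transaction/role drill-down an
    approver uses to see the two roles that together create the conflict.
    """
    granted = {}                                   # tcode -> roles granting it
    for role in requested_roles:
        for tcode in role_tcodes.get(role, ()):
            granted.setdefault(tcode, set()).add(role)
    violations = []
    for risk_id, (description, combinations) in risk_rules.items():
        for combo in combinations:
            if all(tcode in granted for tcode in combo):
                violations.append(Violation(
                    risk_id, description, combo,
                    {tcode: sorted(granted[tcode]) for tcode in combo}))
    return violations


def simulate_removal(requested_roles, role_to_remove, **kwargs):
    """Re-run the analysis as if one role were dropped, leaving the request unchanged."""
    remaining = [r for r in requested_roles if r != role_to_remove]
    return analyze(remaining, **kwargs)


@dataclass
class MitigatingControl:
    reference_no: str      # placeholder ids such as "MC-0001" below
    risk_id: str
    monitor: str           # user id of the mitigation monitor; empty = not assigned


def unmitigated(violations, controls):
    """Violations not covered by a mitigating control that has a monitor assigned."""
    covered = {c.risk_id for c in controls if c.monitor}
    return [v for v in violations if v.risk_id not in covered]


if __name__ == "__main__":
    requested = ["VS::FI_GL_ACCT_MASTER_DATA", "VS::FI_GL_PERIOD_END_CLOSING"]
    for v in analyze(requested):
        print(v.risk_id, v.description)
        for tcode, roles in v.roles.items():
            print("   ", tcode, "granted by", ", ".join(roles))
    # Option 1: mitigate F001 with a control monitored by HASSELT (F018 stays open).
    controls = [MitigatingControl("MC-0001", "F001", "HASSELT")]
    print("still open after mitigation:",
          [v.risk_id for v in unmitigated(analyze(requested), controls)])
    # Option 2: simulate removing the closing role; both risks clear.
    print("after removing the closing role:",
          simulate_removal(requested, "VS::FI_GL_PERIOD_END_CLOSING"))
```

The simulation deliberately leaves the request untouched and only re-runs the analysis on a copy of the role list, which is the distinction the script draws when Tom still has to remove the role after simulating. A control with no monitor assigned does not count as mitigation, matching the requirement to pick a Mitigation Monitor before the assignment can be saved.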

Tom is ready to approve this request, so he presses the Approve button. The Approval Path Status shows what stage in the path the request is in and who is responsible for that stage. The yellow line shows the request in the Manager stage, and Tom Green is the responsible manager. (Not on the screen below, but it will be on your demo.) Tom has one final review of the request by opening any of the plus signs on the left of the sections. After his final review, he decides to approve this request with only one role by pressing the Approve button at the bottom of this screen.

The message is then displayed that the request has been approved and forwarded to the next stage. The green line on the Approval Path Status shows the Manager stage is now completed, and the yellow line on the Security stage shows that the request is now in the Security stage.

Tom can now log out of Access Enforcer. The request has moved onto the security stage.

Security Approver

The AE request has been forwarded to the next stage, the Security stage, and an email notification is sent to the Security Group. Greg Thomas, the security team member responsible for Access Enforcer requests today, logs into Access Enforcer by choosing the “User Login” option on the left side of the Access Enforcer main window. He enters his user id GTHOMAS and his password virsa1, and presses Logon.

Data
FIELD      DATA
User Id    GTHOMAS
Password   Virsa1

The Request for Approval screen is displayed with the open items for the security team. Greg double clicks on the request for Joe Barns, in this case Request No. 14.

Greg sees all of the actions available to the Security approver and can review all the request details. In this workflow, the approver in the Security stage cannot select additional roles for this request, therefore that button does not appear. For this demo, auto-provisioning is not enabled; therefore the security user sees two buttons, Create User and Assign Roles/Profiles, to provision the request. After careful review, Greg is ready to provision and approve the request. His first step is to create the user, so he presses the Create User button.

(In the screen print below there are two roles but remember, one role will be red because the manager has removed the role.)

The Create User in SAP screen appears. Greg needs to choose which systems will be included in the provisioning and whether CUA is involved. Click on the box in front of the ERP system to place a check mark there. Since there is no CUA, Greg should leave the CUA field box blank (or with select). Greg enters the initial password init123 and then confirms it by re-entering the password under Confirm Password: init123. Greg presses Continue.

Data
FIELD              DATA
ERP                Place check mark in front of ERP
Initial Password   Init123
Confirm Password   Init123

The message “Successfully created user” is displayed and the screen returns to the detail request view. Now Greg presses the Assign Roles/Profiles button.

Greg has to choose the system assignment type, for which he can just leave the defaults (Direct assignment and no CUA). He presses Continue.

The message “Successfully provisioned roles” appears at the top of the screen and the display returns to the detail request view. Now Greg presses the Approve button to complete the request.

The Approval Path Status is displayed for the final Approve step. Again, the yellow line shows the stage the request is currently in. Since several users may be in the security group, a specific approver is not listed. Greg presses Approve at the bottom of this screen to complete the request.

The message is displayed that the request is approved and closed, and an email notification is sent to Joe Barns with his user id, notifying him of his password.
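The two-stage path the request has just travelled, with the manager able to reject roles and the security stage limited to creating the user, assigning the remaining roles and approving, can be expressed as a stage-gated request object. The block below is an added example written for this page, not code from the demo script or from Access Enforcer. The action set allowed at each stage is an assumption that follows the script's description (the product makes these buttons configurable); request 14, the user ids JBARNS, TGREEN and GTHOMAS, the two roles and the initial password init123 are taken from the script.

```python
from dataclasses import dataclass, field

# Two-stage New User path, modelled on the demo script. Which buttons appear
# at each stage is configurable in the product; these sets are an assumption
# that follows the script: the security stage cannot add roles, and with
# auto-provisioning off the security approver creates the user and assigns
# roles by hand before the final approval.
STAGE_ORDER = ["Manager", "Security"]
STAGE_ACTIONS = {
    "Manager": {"reject_role", "approve"},
    "Security": {"create_user", "assign_roles", "approve"},
}


@dataclass
class AccessRequest:
    request_no: int
    user_id: str
    roles: dict                               # role -> "requested" | "rejected"
    stage_index: int = 0
    user_created: bool = False
    provisioned: list = field(default_factory=list)
    log: list = field(default_factory=list)   # (stage, approver, note) audit trail

    @property
    def stage(self):
        if self.stage_index < len(STAGE_ORDER):
            return STAGE_ORDER[self.stage_index]
        return "Closed"

    def allowed_actions(self):
        return set(STAGE_ACTIONS.get(self.stage, ()))

    def _require(self, action):
        if action not in self.allowed_actions():
            raise PermissionError(f"{action} is not available in the {self.stage} stage")

    def reject_role(self, approver, role, comment):
        """Manager stage: drop a role but keep it on the request as a rejection."""
        self._require("reject_role")
        if role not in self.roles:
            raise KeyError(role)
        if not comment.strip():
            raise ValueError("a comment is required when rejecting a role")
        self.roles[role] = "rejected"
        self.log.append((self.stage, approver, f"rejected {role}: {comment}"))

    def create_user(self, approver, initial_password):
        """Security stage: create the user id. The initial password is used for
        provisioning only and is deliberately kept out of the audit log."""
        self._require("create_user")
        self.user_created = True
        self.log.append((self.stage, approver, f"created user {self.user_id}"))

    def assign_roles(self, approver):
        """Security stage: provision only the roles still marked as requested."""
        self._require("assign_roles")
        if not self.user_created:
            raise RuntimeError("create the user before assigning roles")
        self.provisioned = sorted(r for r, s in self.roles.items() if s == "requested")
        self.log.append((self.stage, approver, f"assigned {self.provisioned}"))

    def approve(self, approver):
        """Move the request to the next stage and return the new stage name."""
        self._require("approve")
        if self.stage == "Security" and not self.user_created:
            raise RuntimeError("provision the user before the final approval")
        self.log.append((self.stage, approver, "approved"))
        self.stage_index += 1
        return self.stage


def run_demo():
    """Replays request 14 from the script: the manager rejects the closing role,
    security creates the user, assigns the remaining role and closes the request."""
    req = AccessRequest(14, "JBARNS", {
        "VS::FI_GL_ACCT_MASTER_DATA": "requested",
        "VS::FI_GL_PERIOD_END_CLOSING": "requested",
    })
    req.reject_role("TGREEN", "VS::FI_GL_PERIOD_END_CLOSING",
                    "This closing role caused SOD conflicts so it needed to be removed.")
    req.approve("TGREEN")
    req.create_user("GTHOMAS", "init123")   # initial password as used in the script
    req.assign_roles("GTHOMAS")
    req.approve("GTHOMAS")
    return req


if __name__ == "__main__":
    r = run_demo()
    print("final stage:", r.stage, "| provisioned:", r.provisioned)
    for entry in r.log:
        print(*entry)
```

Two properties are worth checking in any implementation of this workflow: a role the manager rejected is never in the provisioned set even though it remains visible on the request with its comment, and the stage gate rejects an action that does not belong to the current stage, so a security approver cannot silently widen the request.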

AE Administrator Activities – Nicholas Frost

Nicholas Frost, the Access Enforcer Administrator, has been asked to report on the number of requests going through Access Enforcer. Nicholas logs into Access Enforcer by choosing the “User Login” option on the left side of the Access Enforcer main window. He enters his user id NFROST and his password virsa1, and presses Logon.

Data
FIELD      DATA
User Id    NFROST
Password   Virsa1

There are three tabs at the top of the AE window: Access Enforcer, Informer and Configuration. Access Enforcer: contains the activities for approvers. Most approvers should only be given the UME permissions for this tab.

Informer: displays data on the various Access Requests in the system in a variety of ways. Here Nicholas has a variety of charts and graphs to summarize the Access Enforcer data that his manager has asked him to retrieve. This provides the information that Nicholas needed.

Nicholas can also review the Configuration tab: all AE configuration data is contained on this tab and is available to the administrator.