SAP GRC Access Control Document
Customer Solution Adoption
June 2011
AC 10.0 Centralized Emergency Access
Version 2.0
Purpose of this document
This document is a detailed guide to the emergency access capability of
Access Control 10.0. It explains the basic concepts of emergency access
and provides details on how to configure the application. It also includes
additional information on the types of logs available for monitoring
emergency access.
© 2011 SAP AG. All rights reserved. 3
Agenda
Introduction
Configuration
Centralized Firefighting
Reporting
Introduction
• New Feature Highlights
• Centralized Emergency Access Overview
New Feature Highlights: Centralized Emergency Access

Focus Area: Access Control Harmonization
What Does It Do? Unifies all AC capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving.
What Is the Value? Lowers TCO by eliminating redundancy in administration, configuration, setup, and end user training.

Focus Area: Unified Compliance Platform
What Does It Do? Harmonizes Access Control with Risk Management & Process Control; offers shared processes, data, and user interface across the GRC suite.
What Is the Value? An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment.

Focus Area: Streamlined User Access Management
What Does It Do? Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on the user or system selected.
What Is the Value? Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.

Focus Area: Business Role Governance
What Does It Do? Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand.
What Is the Value? Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.

Focus Area: Centralized Emergency Access
What Does It Do? Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval.
What Is the Value? Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access.

Focus Area: Improved Identity Management Integration
What Does It Do? Improves compliant provisioning for customers already using IdM. Allows for initiation of risk analysis and remediation from IdM, or enables use of IdM to provision compliant requests.
What Is the Value? Provides flexibility to ensure an enterprise-wide, compliant provisioning process.
Centralized Emergency Access: Overview
Access Control centralizes firefighter access and administration, enhances provisioning and introduces automation to the log review process.

Solution Enhancements
• Administrators centrally manage firefighter assignments, controllers, and other master data. Centralized firefighters.
• New options for group owners and controllers and improved provisioning.
• New ability for firefighters to update the activity log with unplanned firefighting tasks.
• Access specific log reports from the transaction report.
• New workflow-driven firefighter log report.
• New categorization of firefighter access signifies criticality and drives workflow logic.

Key Benefits
• Simplified management and firefighting activities.
• Reduces repetitive assignments, easing administration.
• Improves log review efficiency by capturing previously undocumented activity.
• Improves log report navigation.
• Enables a documented account of the controller’s review.
Centralized Emergency Access: Overview
[Diagram: SPM v5.3 (SAP GUI) compared with GRC 10.0 (Webdynpro). In SPM v5.3 each backend (ERP 01, ERP 02) has its own admin, reporting and firefighter logon. In GRC 10.0 the GRC system reaches ERP 01 and ERP 02 over RFC and provides central admin and reporting plus a central firefighter logon for both systems. Master data kept centrally in the GRC 10.0 system: FF ID, Firefighter, FF Owner, FF Controller, Reason Code, Reporting.]
Configuration
• Overview
• Architecture
• Prerequisites
• Assign an Owner to Firefighter IDs
• Assign a Firefighter ID to Controllers and Firefighters
• Create Reason Codes
Emergency Access Management: Overview
The purpose of Emergency Access Management is to allow users to take
responsibility for tasks outside their normal job function. This component allows
temporary access for users who are assigned to solve a problem, giving them
provisionally broad, but regulated, access.
This temporary access is monitored and recorded in the application.
New in 10.0: Access Control 10.0 has been enhanced in the area of Emergency Access
Management with the ability to manage and utilize firefighting activities centrally
from the Access Control 10.0 application.
The log file can also be distributed to controllers and owners via workflow for
additional approval.
Emergency Access Management: Terminology
The following concepts have not changed since the previous release and are
mentioned here for completeness:
Firefighter: user requiring emergency access.
Firefighter ID: user ID with elevated privileges; it can only be accessed in the
GRC server using transaction GRAC_SPM.
Firefighting: the act of using a firefighter ID.
Owner: user responsible for a firefighter ID and for the assignment of controllers and
firefighters.
Controller: reviews and approves (if necessary) the log files generated by a
firefighter.
Emergency Access Management: Firefighter Application Types
ID Based Firefighter: The firefighter ID created in the remote system is
assigned to the user in the GRC system, either manually or via an access
request. The firefighter accesses their assigned firefighter ID in the GRC
server using the SAP GUI and transaction GRAC_SPM. The firefighter IDs for
all remote systems assigned to the firefighter are accessed from this
transaction.
Role Based Firefighter: The firefighter roles created in the remote system
are assigned to the user in the GRC server. The firefighter logs directly
into the remote system using their own user ID and performs the activities
provided by the user’s role and the firefighter role assigned to the user.
This is configured in the IMG using parameter 4000 (Application Type).
Only one application type can be configured at a given time.
Architecture: GRC Server Package
The main application runs in the GRC server. It is possible to maintain the user
assignments for all systems using NWBC or the Portal. Provisioning of the
emergency access can also be done via access requests (workflow).
The web interface facilitates the following:
• Firefighter ID/Role Owner Maintenance
• Firefighter ID/Role Controller Maintenance
• Reason Code Maintenance (system specific)
• Firefighter ID/Role assignment to Firefighter, Owner, Controller
Firefighter access is done centrally using the GRC server. Firefighters log on to
the GUI backend and execute transaction GRAC_SPM. The firefighter IDs for
emergency access in all systems assigned to the user will be displayed.
Architecture: Remote Component: Plug-in
There is a component called plug-in which is installed in the remote system.
Emergency Access Management accesses the plug-in using RFC.
[Diagram: the GRC System connects over RFC to a Plug-In installed in each remote system: ECC 6.0, Other ABAP, R/3.]
Prerequisites: Adding connector to SUPMG scenario
To create access requests it is required to have the SUPMG scenario linked to the
connector; this is done via the IMG:
Prerequisites: Creating users and assigning roles
Please create users and roles as needed. Remember to synchronize the users again
with program GRAC_ROLEREP_USER_SYNC via SE38. These roles are provided as
examples; customer roles need to be created based on their own authorizations.
In the AC system:
  Firefighter user: SAP_GRAC_SUPER_USER_MGMT_USER
  Firefighter controller: SAP_GRAC_SUPER_USER_MGMT_CNTLR
  Firefighter owner: SAP_GRAC_SUPER_USER_MGMT_OWNER
In the target system:
  Firefighter ID: SAP_GRAC_SPM_FFID (configured in parameter 4010)
Reminder: end users will also require the roles based on SAP_GRC_FN_BASE
and SAP_GRC_FN_BUSINESS_USER.
Configuring a Firefighter ID: Step Summary
The following steps are required to configure a firefighter ID:
• Maintain Access Control Owners
• Assign an Owner to a Firefighter ID
• Assign a Firefighter ID to Controllers and Firefighters
• Create the Reason Codes
After these steps are completed the firefighter is ready to start a firefighter session from
the GRC server.
Superuser Assignment and Maintenance: Accessing using the NWBC
User assignments for all systems are done via NWBC or a Portal.
Provisioning for Firefighter IDs and roles is possible using access requests.
Access Control Owners: Maintenance
There are 4 types of owners that can be maintained for emergency access.
ID Based Application:
• Firefighter ID Owner
• Firefighter ID Controller
Role Based Application:
• Firefighter Role Owner
• Firefighter Role Controller
Assign an Owner to Firefighter IDs: Step 1
Go to Setup > Superuser Assignment > Owners
Assign an Owner to Firefighter IDs: Step 2
The screen below shows the list of all existing owner assignments.
All (new/change) operations relating to a Firefighter owner can be done from this
screen.
Assign an Owner to Firefighter IDs: Step 3
Click on Assign and a new screen will show up.
Select an owner and, if needed, multiple Firefighter IDs; when you are done click Save.
Note: you must run the Sync User job (program GRAC_ROLEREP_USER_SYNC) after creating
the FF ID role in the backend systems, and assign the respective FF ID Role.
Assign an Owner to Firefighter IDs: Owner Assignment Ready
New assignments will be shown in the Firefighter Owner list.
The list can be filtered by owner, system, or any other column in the list.
Assign a Firefighter ID to Controllers and Firefighters: Step 1
Go to Setup > Superuser Assignment > Firefighter IDs
Assign a Firefighter ID to Controllers and Firefighters: Step 2
The screen below shows the list of all existing firefighter ID assignments.
The firefighter ID is assigned to a firefighter, who can then perform the activities in the
backend system. Multiple firefighters can be assigned to a single firefighter ID.
Controllers are also assigned to the firefighter ID for tracking and auditing the
firefighter.
Assign a Firefighter ID to Controllers and Firefighters: Step 3
Click on Assign and a new screen will show up.
Select an owner and, if needed, multiple Firefighters and Controllers; when you are
done click Save.
Create Reason Codes: Step 1
Go to Setup > Superuser Maintenance > Reason Codes
Create Reason Codes: Step 2
The screen below shows the list of all existing Reason Codes.
Whenever a firefighter starts a firefighter session, a reason code needs to be
specified, so reason codes must be maintained beforehand. A Reason Code can be
created once and assigned to multiple remote systems. This reduces the amount of
duplicated administration across systems.
Create Reason Codes: Step 3
Click on Create and a new screen will show up.
Maintain the reason code and systems and, when you are done, click Save.
Reason Code: Global Usage
Frequency of usage is tracked by reason code and by system. In the Reason Code
list, you will see the total usage of the reason code across all systems to which it is
assigned.
Usage can be reset for each system or across all systems; the count helps to determine
how useful the reason code is.
Reason Code: Usage by System
To see usage by system, select the Reason Code on the main list, then click Open.
Centralized Firefighting
• Overview
• Running a firefighter session
Centralized Firefighting: Overview
Access Control 10.0 provides a centralized logon pad for accessing the firefighter
IDs in all connected backend systems.
The centralized logon pad allows:
• Displaying all firefighter IDs assigned to the user
• Logging in to all connected backend systems
• Sending messages to other firefighters who are using a specific firefighter ID
• Unlocking a firefighter session that was not closed properly
Centralized Firefighting: Step Summary
The following steps are required to use centralized firefighting:
• The firefighter logs on to the central GRC system.
• Execute transaction GRAC_SPM; a screen opens which displays all
firefighter IDs assigned to the current firefighter in the various systems.
• Click Logon to log into any of the assigned systems.
• Select a Reason Code.
• Enter a description.
• Enter a list of the actions to be performed.
• Click on Execute.
The firefighter can now perform firefighting activities on the connected backend system.
When finished, the session needs to be closed.
Centralized Firefighting: Other Activities
These are some optional steps that can be executed from the centralized logon
pad:
• The firefighter can click the Additional Activity button at any time to enter more
information. If additional actions were done in the remote system that were not
listed during logon, these actions can be recorded afterwards using this function.
• If the firefighter ID is in use by another firefighter, a notification can be sent to the
other firefighter by clicking the Message button.
• The Unlock button can be used to unlock the firefighter ID in the event it is
locked.
Centralized Firefighting: Step 1
Log on to the central AC system (here GF2) with the firefighter ID.
Execute transaction GRAC_SPM.
Centralized Firefighting: Step 2
Click Logon to log into any of the assigned systems.
Select a Reason Code, enter a description and also the actions to be performed.
Centralized Firefighting: Step 3
You are now in the remote system (here GI7) using the selected firefighter ID.
Centralized Firefighting: While a Firefighter Session is Running
While a firefighter session is open, the status of the firefighter ID turns red.
A firefighter can click Additional Activity at any time to enter more information.
If a firefighter ID is in use by another firefighter, a notification can be sent to the
other firefighter by clicking Message.
Unlock can be used to unlock the firefighter ID in the event it is locked.
Reporting
• Report Types
• Log Collection
• Log Retrieval
Reporting: Report Types
The reports can be accessed using the NWBC or the Portal and are located under
Reports and Analytics > Superuser Management Reports.
Reporting: Report Types
Consolidated Log Report: This report provides information based on the following
logs from the remote system:
• Transaction Log: Captures transaction execution from transaction STAD.
• Change Log: Captures the change log from change document objects (tables
CDPOS and CDHDR).
• System Log: Captures Debug & Replace information from transaction SM21.
• Security Audit Log: Captures the Security Audit Log from transaction SM20.
• OS Command Log: Captures changes to OS commands from transaction SM49.
Invalid Superuser Report: This report gives the details of all the users (firefighter,
controller, owner, firefighter ID) who are either expired, locked or deleted. In the
case of Role Based Firefighter, it gives the details of whether the role has been
generated or not.
Reporting: Report Types
Firefighter Log Summary: Provides details of the sessions in which the firefighter logged into
the remote system using the FFID (ID based FF application).
Reason Code and Activity Report: This report provides the details of the reason code
and activity used by the firefighter.
SOD Conflict Report for Firefighter ID: Lists the cases where a firefighter, logged in to the
remote system using the FFID, performed transactions that violate access risk rules.
Log Collection: Overview
The details of the transactions executed by the firefighter lie in the remote system, in
the CDHDR, CDPOS, STAD, SM19, SM49, and debug & replace information.
The data from the remote system can be fetched using the Log Collector, which can
be executed as a foreground or background job.
Log Collection: Foreground Job
The foreground job for log collection can be executed from the Update
Firefighter Log button, which can be found in the Consolidated Log Report.
Log Collection: Background Job
The background job for log collection can be scheduled from SM36 on a periodic
basis. The status of the background job can be checked in transaction SM37.
The program name for the background job is GRAC_SPM_LOG_SYNC_UPDATE.
Consolidated Log Report: Overview
The consolidated log report is a new report which enables the user to segment the
various logs collected or view them all in one combined report.
Consolidated Log Report: Transaction Log
The consolidated log report allows filtering criteria like System, Firefighter, FFID,
Reason Code, Transaction, Date or Owner.
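The controller's review of the consolidated log, and the gap that Additional Activity is meant to close (actions performed but not listed at logon), can be made concrete in code. The following Python is an added example, not SAP or GRC code: the Session and TxEntry layouts, the FFIDs, users, reason codes and timestamps are constructed for illustration, with only the remote system name GI7 taken from the slides.

```python
"""Controller-side review of firefighter sessions against collected transaction logs.
Added example, not SAP code: the record layouts are constructed to mirror what the
Firefighter Log Summary and the STAD-based Transaction Log hold after log collection."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

@dataclass
class Session:
    """One session as recorded at GRAC_SPM logon (constructed layout)."""
    system: str
    ffid: str
    firefighter: str
    reason_code: str
    start: datetime
    end: Optional[datetime]                       # None: session never closed
    planned: set = field(default_factory=set)     # actions listed at logon
    additional: set = field(default_factory=set)  # added via Additional Activity

@dataclass
class TxEntry:
    """One transaction-log row from the remote system (constructed layout)."""
    system: str
    user: str        # the FFID that executed the transaction
    tcode: str
    at: datetime

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def covers(session: Session, tx: TxEntry) -> bool:
    """True if the transaction ran under this session's FFID while it was open."""
    end = session.end or datetime.max
    return (tx.system == session.system and tx.user == session.ffid
            and session.start <= tx.at <= end)

def classify(session: Session, tx_log: list) -> tuple:
    """Split the session's transactions into documented (planned at logon or added
    via Additional Activity) and undocumented; the latter is what a controller reviews."""
    documented, undocumented = [], []
    for tx in tx_log:
        if covers(session, tx):
            known = tx.tcode in session.planned or tx.tcode in session.additional
            (documented if known else undocumented).append(tx.tcode)
    return documented, undocumented

def outside_any_session(sessions: list, tx_log: list) -> list:
    """FFID activity with no covering session, e.g. use after the session was closed."""
    return [(tx.system, tx.user, tx.tcode) for tx in tx_log
            if not any(covers(s, tx) for s in sessions)]

def reason_code_usage(sessions: list) -> Counter:
    """Usage count per (reason code, system), as the Reason Code list tracks it."""
    return Counter((s.reason_code, s.system) for s in sessions)

# Constructed sample data: GI7 is the slides' remote system; everything else is made up.
SESSIONS = [
    Session("GI7", "FF_FIN01", "JSMITH", "RC_MONTHEND", ts("2011-06-01 09:00"),
            ts("2011-06-01 10:00"), {"FB01", "FB02"}, {"SE16"}),
    Session("GI7", "FF_BAS01", "AKUMAR", "RC_BASIS", ts("2011-06-01 11:00"),
            None, {"SM49"}),
]
TX_LOG = [
    TxEntry("GI7", "FF_FIN01", "FB01", ts("2011-06-01 09:10")),
    TxEntry("GI7", "FF_FIN01", "SE16", ts("2011-06-01 09:20")),  # added later
    TxEntry("GI7", "FF_FIN01", "SU01", ts("2011-06-01 09:30")),  # never documented
    TxEntry("GI7", "FF_FIN01", "FB02", ts("2011-06-01 14:00")),  # session already closed
    TxEntry("GI7", "FF_BAS01", "SM49", ts("2011-06-01 11:30")),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.ffid, s.firefighter, "documented/undocumented:", classify(s, TX_LOG))
    print("outside any session:", outside_any_session(SESSIONS, TX_LOG))
    print("reason code usage:", dict(reason_code_usage(SESSIONS)))
```

The undocumented list and the outside-any-session list are the two findings a controller would raise before approving the log report; a session with end None stays open and keeps covering activity until it is closed or unlocked.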
Consolidated Log Report: Change Log
The Change Log can be retrieved from the Consolidated Log Report by selecting the
Report type Change Log.
Consolidated Log Report: System Log
The System Log can also be found in the Consolidated Log Report by choosing the
Report type System Log.
Consolidated Log Report: Audit Log
The Audit Log is also contained in the Consolidated Log Report, as Report type
Audit Log. This audit function shows the details of the user(s) subject to auditing.
The user(s) to be audited are configured/selected in transaction SM19.
Consolidated Log Report: OS Command Log
The OS Command Log can be retrieved from the Consolidated Log Report by
selecting the Report type OS Command.
This log tracks the changes which the user makes to OS commands in SM49.
Invalid Superuser Report
The Invalid Superuser Log is launched from the corresponding link in the Super User
Management Reports area.
This log is used to analyze the users who are expired, locked or deleted.
Firefighter Log Summary Report
The Firefighter Log Summary Report can be found in the screen shown below.
The details of the sessions in which an FFID logged in are captured in this log report.
Reason Code and Activity Report
The Reason Code and Activity report can be retrieved from the Reason Code and
Activity link in the portal.
This report gives the details of the reason code and activity used when the FFID
logs in to the remote system.
Thank You!
Contact information:
Luis Bustamante
Customer Solution Adoption (GRC)