
    Applied Materials Confidential/Business Transformation

    Page 1

    SAP Security Overview for BT

    July 13, 2007

    Ravi Koppakula


    Page 2

    Agenda

    Introduction

    Security Overview

    Role development approach

    Role construction

    Roles - Single, Composite, Master, Derived (Spin)

    Role Naming Convention

    Segregation of Duties

    SAP GRC (Virsa) Compliance Calibrator

    Q & A


    Page 4

    Security Overview

    SAP security is based on granting access to various authorizations within the different object classes.

    The groundwork of the design is based on granting access to selected transactions, which limits the employee's access.

    The next step is to control the locations that the employee has access to, either logical or physical; these locations are referred to as Hierarchy Elements or Organizational Values.

    The final step is controlling access to Key Objects, which can be used to further allocate access to specific sub-functions of a process.

    Hierarchy Elements / Organizational Values = Company Codes, Sales Organizations, Plants, Warehouses, Purchasing Groups, Storage Locations, Shipping Points, and Business Areas; all of these are customer-defined as needed.

    Key Objects = Order Types, Document Types, Movement Types, Account Types and Authorization Groups.


    Page 5

    Role Development Approach

    Profile Generator: An SAP-provided tool that suggests authorization objects and values based on the SAP transactions that are included in the specific job role.

    Role: SAP terminology for user system access that was developed using the Profile Generator (PG). The Role contains a User Menu and system-generated profiles and authorizations that are unique to the Role. Profiles and authorizations created with the PG are not used in any other Role.

    Authorizations: The building blocks of the SAP Security Structure.

    Authorization Concept: Combining a number of unique authorization objects to give the end user the access needed to complete their designated tasks. There are more than 40 SAP-provided object classes, which group similar authorization objects. Each object may contain multiple combinations of values that can be assigned within the individual object.


    Page 6

    Role Construction

    Analysis

    The Security team, along with the Functional and Business teams, will put together the requirements. An impact analysis will be done.

    Design

    The Security team will do the design, which includes creating new roles, changes in SU24, and creating new t-codes for reports.

    Construction

    The building process for the end-user roles will utilize SAP's authorization concept and the Profile Generator. After the initial roles are created, an SOD tool will be used to identify conflicts within the Role, so that Organizational Alignment, Internal Audit and Functional Management can review issues before the final design is approved. During this process the roles will be tested and moved to QA.

    The following guidelines will be followed while creating or modifying roles:

    T-codes will be added using the User Menu.

    No object will be manually added to the role.

    Roles will be generated and re-organized when required.

    Derived roles will only have Org. Element changes.


    Page 7

    Master Derived Roles


    Page 8

    Master Derived Roles (contd.)

    Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

    The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

    Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

    The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.

    You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.


    Page 9

    Composite Role


    Page 10

    Composite Role (contd.)

    A composite role is a container with several different roles. For reasons of clarity, it does not make sense, and is therefore not allowed, to add composite roles to composite roles. Composite roles are also called collective roles.

    Composite roles do not contain authorization data. If you want to change the authorizations (that are represented by a composite role), you must maintain the data for each role of the composite role.

    Creating composite roles makes sense if some of your employees need authorizations from several roles. Instead of adding each user separately to each role required, you can set up a composite role and assign the users to that group.

    The users assigned to a composite role are automatically assigned to the corresponding (elementary) roles during comparison.
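    The Security Overview slide describes three layers of access (transactions, organizational values, key objects), and the two slides above describe how master/derived and composite roles carry them. The Python model below is an added example written for this transcript; it is not code from the deck, from Applied Materials or from SAP. Role names beginning with Z (ZM_BUYER_MASTER, ZC_PURCHASING_US) and the user id JSMITH are constructed placeholders; the authorization objects M_BEST_EKO and M_BEST_BSA and the field names ACTVT, EKORG and BSART are real SAP names used only for illustration, and the org-level list is a subset chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Organizational-level fields ("Hierarchy Elements / Organizational Values" on the slides).
# Real SAP field names: BUKRS company code, WERKS plant, VKORG sales org,
# EKORG purchasing org, EKGRP purchasing group, LGORT storage location.
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "VKORG", "EKORG", "EKGRP", "LGORT"}


@dataclass
class Authorization:
    """One authorization: an object name plus field -> allowed values."""
    obj: str
    fields: Dict[str, Set[str]]


class Role:
    """A single role. A derived role keeps a link to its master plus its own org values."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.tcodes: Set[str] = set()            # transactions added via the User Menu
        self.auths: List[Authorization] = []     # generated authorizations (master only)
        self.master: Optional["Role"] = None
        self.org_values: Dict[str, Set[str]] = {}
        self.users: Set[str] = set()

    def derive(self, name: str, org_values: Dict[str, Set[str]]) -> "Role":
        """Derived role: menu and authorizations are inherited; org levels and
        user assignments are not, so the org values must be entered here."""
        child = Role(name)
        child.master = self
        child.org_values = {f: set(v) for f, v in org_values.items()}
        return child

    def menu(self) -> Set[str]:
        # Menus are maintained only in the master; a change reaches every derived role at once.
        return self.master.menu() if self.master else set(self.tcodes)

    def effective_auths(self) -> List[Authorization]:
        """Master values act as defaults; org-level fields are replaced by this role's values."""
        if self.master is None:
            return list(self.auths)
        result = []
        for a in self.master.effective_auths():
            fields: Dict[str, Set[str]] = {}
            for f, vals in a.fields.items():
                if f in ORG_LEVEL_FIELDS:
                    if f not in self.org_values:
                        raise ValueError(f"{self.name}: org level {f} not maintained")
                    fields[f] = set(self.org_values[f])
                else:
                    fields[f] = set(vals)
            result.append(Authorization(a.obj, fields))
        return result

    def detach(self) -> None:
        """Remove the inheritance: the role keeps a copy of its data and becomes a normal role."""
        self.tcodes = self.menu()
        self.auths = self.effective_auths()
        self.master = None


class CompositeRole:
    """Container of single roles; it carries no authorization data of its own."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.roles: List[Role] = []
        self.users: Set[str] = set()

    def add(self, role: "Role") -> None:
        if isinstance(role, CompositeRole):
            raise ValueError("composite roles may not contain composite roles")
        self.roles.append(role)

    def user_comparison(self) -> None:
        """The 'comparison' step: users of the composite are assigned to each elementary role."""
        for r in self.roles:
            r.users |= self.users


def authorized(role: Role, obj: str, **wanted: str) -> bool:
    """True if one authorization for `obj` covers every requested field value ('*' = any)."""
    for a in role.effective_auths():
        if a.obj != obj:
            continue
        if all(v in a.fields.get(f, set()) or "*" in a.fields.get(f, set())
               for f, v in wanted.items()):
            return True
    return False


def build_demo() -> Dict[str, object]:
    """Constructed sample: a buyer master role, two org-level spins and one composite."""
    master = Role("ZM_BUYER_MASTER")                       # constructed role name
    master.tcodes = {"ME21N", "ME22N", "ME23N"}            # create / change / display PO
    master.auths = [
        # M_BEST_EKO: purchase orders by purchasing org (EKORG is an org level, left as $EKORG)
        Authorization("M_BEST_EKO", {"ACTVT": {"01", "02", "03"}, "EKORG": {"$EKORG"}}),
        # M_BEST_BSA: purchase orders by document type (BSART is a "key object" in the deck's terms)
        Authorization("M_BEST_BSA", {"ACTVT": {"01", "02", "03"}, "BSART": {"NB"}}),
    ]
    us = master.derive("ZM_BUYER_US01", {"EKORG": {"US01"}})
    de = master.derive("ZM_BUYER_DE01", {"EKORG": {"DE01"}})
    comp = CompositeRole("ZC_PURCHASING_US")
    comp.add(us)
    comp.users.add("JSMITH")
    comp.user_comparison()
    return {"master": master, "us": us, "de": de, "comp": comp}


if __name__ == "__main__":
    d = build_demo()
    print(authorized(d["us"], "M_BEST_EKO", ACTVT="01", EKORG="US01"))   # True
    print(authorized(d["us"], "M_BEST_EKO", ACTVT="01", EKORG="DE01"))   # False
```

    The three layers show up as three different failure points in `authorized`: a transaction missing from `menu()`, an org value the spin does not carry, or a key-object value (here the document type) the master never granted. Adding a transaction to the master is visible in every derived role immediately, while `detach` freezes a copy, matching the slide's note that a removed inheritance cannot be re-established.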



    Page 11

    Role Naming Convention


    Page 12

    Segregation of Duties

    Segregation of duties (SOD) is a type of control needed in business processes to ensure that fraud or unintended financial transactions do not occur.

    Functionality versus Confidentiality

    Broadly speaking, SoD encompasses both the functions available to an employee (i.e., what a person can do) and the information available to an employee (i.e., what a person can see).

    Our focus is at the technology level; we focus on the functionality component of SoD, and this aspect is most relevant to the financial reporting process.

    The SoD review focuses on core business processes including:

    Revenue

    Procurement

    Inventory Management

    Asset Management

    General Ledger Accounting

    HR/Payroll, etc.

    SoD conflicts can happen within a manual process as well as within an SAP or other application process.


    Page 14

    SAP GRC (Virsa) Compliance Calibrator

    Automated tool to identify, analyze and resolve all SoD issues:

    Run SOD reports against users and roles.

    Simulate roles and users before providing access.

    Create, change and maintain Rules and Mitigation Controls, Owners, Approvers and Monitors.

    Mitigate roles in case of conflicts, upon approval.

    Mitigate users in case of conflicts, upon approval.

    Document Risk Mitigation users and controls.
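    The Segregation of Duties slide defines a conflict in terms of what a person can do, and the Compliance Calibrator slide lists the checks a tool performs: SoD reports on roles and users, simulation before access is granted, and documented mitigation controls. The Python below is an added example for this transcript, not code from the deck, from Applied Materials or from SAP GRC; the functions, risk ids (P001, P002), role names starting with Z, user ids and the control id MC_VENDOR_CHANGE_REVIEW are all constructed, and the transaction codes are real SAP transactions used only to make the sample rules readable. The model goes beyond the slides in one respect: it treats a role's transactions as a plain set rather than expanding authorization objects.

```python
from typing import Dict, List, Set, Tuple

# Constructed SoD rule set (not the delivered GRC rules). A "function" is a set of
# transactions that achieve one business capability; a "risk" names two functions
# that a single person must not be able to perform together.
FUNCTIONS: Dict[str, Set[str]] = {
    "PR_CREATE_PO": {"ME21N", "ME22N"},                    # create / change purchase order
    "PR_RELEASE_PO": {"ME29N", "ME28"},                    # release (approve) purchase order
    "AP_POST_INVOICE": {"MIRO", "FB60"},                   # enter vendor invoice
    "AP_VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},  # maintain vendor master
}
# (risk id, function A, function B); the ids are constructed placeholders.
RISKS: List[Tuple[str, str, str]] = [
    ("P001", "PR_CREATE_PO", "PR_RELEASE_PO"),
    ("P002", "AP_VENDOR_MASTER", "AP_POST_INVOICE"),
]

Roles = Dict[str, Set[str]]                # role name -> transactions it grants
Assignments = Dict[str, Set[str]]          # user id -> role names
Mitigations = Dict[Tuple[str, str], str]   # (user, risk id) -> mitigation control id


def functions_in(tcodes: Set[str]) -> Set[str]:
    """Functions reachable from a set of transactions (any one transaction suffices)."""
    return {fn for fn, needed in FUNCTIONS.items() if needed & tcodes}


def risks_in(tcodes: Set[str]) -> Set[str]:
    """Risk ids whose two conflicting functions are both reachable from `tcodes`."""
    have = functions_in(tcodes)
    return {rid for rid, a, b in RISKS if a in have and b in have}


def role_conflicts(roles: Roles, role: str) -> Set[str]:
    """Intra-role SoD check: conflicts that exist within a single role."""
    return risks_in(roles[role])


def user_tcodes(roles: Roles, assignments: Assignments, user: str) -> Set[str]:
    """Union of everything the user's roles grant (a composite would expand to its roles here)."""
    return set().union(*(roles[r] for r in assignments.get(user, set())))


def user_conflicts(roles: Roles, assignments: Assignments, user: str) -> Set[str]:
    """User-level SoD check across all assigned roles."""
    return risks_in(user_tcodes(roles, assignments, user))


def simulate(roles: Roles, assignments: Assignments, user: str, new_role: str) -> Set[str]:
    """Simulation before provisioning: which NEW risks would this assignment introduce?"""
    before = user_conflicts(roles, assignments, user)
    after = risks_in(user_tcodes(roles, assignments, user) | roles[new_role])
    return after - before


def sod_report(roles: Roles, assignments: Assignments,
               mitigations: Mitigations) -> List[Tuple[str, str, str]]:
    """Rows (user, risk id, status): OPEN, or MITIGATED:<control> when a control is documented."""
    rows = []
    for user in sorted(assignments):
        for rid in sorted(user_conflicts(roles, assignments, user)):
            control = mitigations.get((user, rid))
            rows.append((user, rid, f"MITIGATED:{control}" if control else "OPEN"))
    return rows


# Constructed sample data: role and user names are placeholders.
ROLES: Roles = {
    "Z_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_PURCHASING_ALL": {"ME21N", "ME22N", "ME29N"},   # a role that conflicts with itself
}
ASSIGNMENTS: Assignments = {
    "ASMITH": {"Z_BUYER"},
    "BJONES": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
}
MITIGATIONS: Mitigations = {
    ("BJONES", "P002"): "MC_VENDOR_CHANGE_REVIEW",     # constructed control id
}

if __name__ == "__main__":
    print(role_conflicts(ROLES, "Z_PURCHASING_ALL"))                 # {'P001'}
    print(simulate(ROLES, ASSIGNMENTS, "ASMITH", "Z_PO_APPROVER"))   # {'P001'}
    for row in sod_report(ROLES, ASSIGNMENTS, MITIGATIONS):
        print(*row)
```

    The role-level check catches a conflict built into one role (the deck's "identify conflicts within the Role" step), the user-level check catches conflicts that only appear when several clean roles are combined, and `simulate` is the "simulate before providing access" check: it reports only the risks the new assignment would add, so an already-mitigated risk is not raised a second time. The report keeps mitigated conflicts visible with their control id rather than hiding them, which is what an auditor reviewing the documented mitigations needs.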


    Page 15

    Cross System SOD

    Q & A