7/27/2019 urity Overview1233Sec
1/15
Applied Materials Confidential/Business Transformation
Page 1
SAP Security Overview for BT
July 13, 2007
Ravi Koppakula
Agenda
Introduction
Security Overview
Role development approach
Role construction
Roles - Single, Composite, Master, Derived (Spin)
Role Naming Convention
Segregation of Duties
SAP GRC (Virsa) Compliance Calibrator
Q & A
Security Overview
SAP security is based on granting access to authorizations within the different object classes.
The groundwork of the design will be granting access to selected transactions, which limits the employee's access.
The next step is to control the locations, logical or physical, that the employee has access to; these locations are referred to as Hierarchy Elements or Organizational Values.
The final step is controlling access to Key Objects, which can be used to further restrict access to specific sub-functions of a process.
Hierarchy Elements / Organizational Values: Company Codes, Sales Organizations, Plants, Warehouses, Purchasing Groups, Storage Locations, Shipping Points and Business Areas; all of these are customer-defined as needed.
Key Objects: Order Types, Document Types, Movement Types, Account Types and Authorization Groups.
Role Development Approach
Profile Generator: an SAP-provided tool that suggests authorization objects and values based on the SAP transactions included in a specific job role.
Role: SAP terminology for user system access developed with the Profile Generator (PG). A Role contains a User Menu and system-generated profiles and authorizations that are unique to that Role. Profiles and authorizations created with the PG are not used in any other Role.
Authorizations: the building blocks of the SAP security structure.
Authorization Concept: combining a number of unique authorization objects so that the end user can complete their designated tasks. There are more than 40 SAP-provided object classes, which group similar authorization objects. Each object may contain multiple combinations of values that can be assigned within the individual object.
Role Construction
Analysis
The Security team, along with the Functional and Business teams, will put together the requirements. An impact analysis will be done.
Design
The Security team will do the design, which includes creating new roles, changes in SU24, and creating new t-codes for reports.
Construction
The building of the end-user roles will utilize SAP's authorization concept and the Profile Generator. After the initial roles are created, an SoD tool will be used to identify conflicts within each Role, so that Organizational Alignment, Internal Audit and Functional Management can review issues before the final design is approved. During this process the roles will be tested and moved to QA.
The following guidelines will be followed when creating or modifying roles:
T-codes will be added using the User Menu.
No object will be manually added to a role.
Roles will be generated and re-organized when required.
A derived role will only have Org. Element changes.
Master / Derived Roles
Master / Derived Roles (contd.)
Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.
The higher-level role passes on its authorizations to the derived role as default
values which can be changed afterwards. Organizational level definitions are not
passed on. They must be created anew in the inheriting role. User assignments
are not passed on either.
Derived roles are an elegant way of maintaining roles that do not differ in their
functionality (identical menus and identical transactions) but have different
characteristics with regard to the organizational level.
The menus passed on cannot be changed in the derived roles. Menu
maintenance takes place exclusively in the role that passes on its values. Any
changes immediately affect all inheriting roles.
You can remove the inheritance relationship, but afterwards the inheriting role is
treated like any other normal role. Once a relationship is removed, it cannot be
established again.
Composite Role
Composite Role (contd.)
A composite role is a container with several different roles. For reasons of
clarity, it does not make sense and is therefore not allowed to add composite
roles to composite roles. Composite roles are also called roles.
Composite roles do not contain authorization data. If you want to change the
authorizations (that are represented by a composite role), you must maintain
the data for each role of the composite role.
Creating composite roles makes sense if some of your employees need
authorizations from several roles. Instead of adding each user separately to
each role required, you can set up a composite role and assign the users to that
group.
The users assigned to a composite role are automatically assigned to the
corresponding (elementary) roles during comparison.
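To make the master/derived and composite role rules in these two sections concrete, here is an added Python model; it is constructed for this page and is not SAP's Profile Generator or any code from the original slides. It encodes that a derived role copies authorization values as changeable defaults, reads its menu from the master, receives no organizational levels or user assignments, and that a composite role holds only elementary roles, carries no authorization data and pushes its users down during comparison; BUKRS (company code) is a standard SAP organizational level used only as a sample field name.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Added illustration of the single / derived / composite role rules in these slides:
# a constructed model, not SAP's Profile Generator. BUKRS (company code) is a standard
# SAP organizational level used here only as a sample field name.
@dataclass
class Role:
    name: str
    transactions: Set[str] = field(default_factory=set)                  # user menu (t-codes)
    auths: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # object -> field -> values
    org_levels: Dict[str, Set[str]] = field(default_factory=dict)        # e.g. {"BUKRS": {"1000"}}
    users: Set[str] = field(default_factory=set)
    parent: Optional["Role"] = None                                      # set while inheriting

    def menu(self) -> Set[str]:
        # Menus are maintained only in the master; a derived role always reads them from it.
        return self.parent.menu() if self.parent else self.transactions

def derive(master: Role, name: str, org_levels: Dict[str, Set[str]]) -> Role:
    """Derived role: authorization values are copied as changeable defaults;
    org levels must be created anew and user assignments are not passed on."""
    defaults = {o: {f: set(v) for f, v in flds.items()} for o, flds in master.auths.items()}
    return Role(name, auths=defaults, org_levels={k: set(v) for k, v in org_levels.items()}, parent=master)

def remove_inheritance(role: Role) -> None:
    """Afterwards the role is an ordinary role with its own copy of the menu."""
    role.transactions = set(role.menu())
    role.parent = None

@dataclass
class CompositeRole:
    name: str
    roles: list = field(default_factory=list)   # elementary roles only; no authorization data
    users: Set[str] = field(default_factory=set)

    def add(self, role) -> None:
        if isinstance(role, CompositeRole):
            raise ValueError("composite roles may not contain composite roles")
        self.roles.append(role)

    def user_comparison(self) -> None:
        # During comparison, users of the composite are assigned to each elementary role.
        for r in self.roles:
            r.users |= self.users

def allowed(role: Role, tcode: str, org_field: str, value: str) -> bool:
    """Transaction and organizational-value layers of the Security Overview check."""
    return tcode in role.menu() and value in role.org_levels.get(org_field, set())
```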
Role Naming Convention
Segregation of Duties
Segregation of duties (SoD) is a type of control needed in business processes to ensure that fraud or unintended financial transactions do not occur.
Functionality versus Confidentiality
Broadly speaking, SoD encompasses both the functions available to an employee (i.e., what a
person can do) and the information available to an employee (i.e., what a person can see).
Our focus is at the technology level: the functionality component of SoD, which is the aspect most relevant to the financial reporting process.
The SoD review focuses on core business processes including: Revenue, Procurement, Inventory Management, Asset Management, General Ledger Accounting, HR/Payroll, etc.
SoD conflicts can arise within a manual process as well as within an SAP or other application process.
SAP GRC (Virsa) Compliance Calibrator
Automated tool to identify, analyze and resolve all SoD issues:
Run SoD reports against users and roles.
Simulate roles and users before providing access.
Create, change and maintain Rules and Mitigation Controls, Owners, Approvers and Monitors.
Mitigate roles in case of conflicts, upon approval.
Mitigate users in case of conflicts, upon approval.
Document Risk Mitigation users and controls.
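The SoD checks listed here, and the conflict idea from the Segregation of Duties slide, as an added Python example that is constructed for this page and is not Compliance Calibrator's own rule set or any code from the original slides. The rule set is a made-up sample: function names, risk ids and mitigation control ids are placeholders, and XK01/XK02, F110, ME21N and MIGO are standard SAP t-codes used only as sample values. It runs the report against roles and against users, simulates a role assignment before it is granted, and records which conflicts are covered by a documented mitigation control.

```python
from typing import Dict, Iterable, Set, Tuple

# Added illustration of the SoD checks the slides attribute to Compliance Calibrator.
# Constructed rule set, not the tool's own rules: function names, risk ids and control
# ids are placeholders; XK01/XK02, F110, ME21N and MIGO are standard SAP t-codes used
# only as sample values.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MASTER":  {"XK01", "XK02"},   # create / change vendor
    "VENDOR_PAYMENT": {"F110"},           # payment run
    "PURCHASE_ORDER": {"ME21N"},
    "GOODS_RECEIPT":  {"MIGO"},
}
RISKS: Dict[str, Tuple[str, str]] = {     # risk id -> pair of conflicting functions
    "P001": ("VENDOR_MASTER", "VENDOR_PAYMENT"),
    "P002": ("PURCHASE_ORDER", "GOODS_RECEIPT"),
}

def functions_of(tcodes: Set[str]) -> Set[str]:
    """SoD functions that a set of transactions enables."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def risks_of(tcodes: Set[str]) -> Set[str]:
    """Risk ids whose two functions are both reachable from the given transactions."""
    funcs = functions_of(tcodes)
    return {rid for rid, (a, b) in RISKS.items() if a in funcs and b in funcs}

def role_report(roles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """SoD report against roles: conflicts contained inside one role."""
    return {name: risks_of(tcodes) for name, tcodes in roles.items() if risks_of(tcodes)}

def user_tcodes(user_roles: Iterable[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """All transactions a user reaches through the assigned roles."""
    return set().union(*(roles[r] for r in user_roles))

def user_report(user_roles: Iterable[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """SoD report against a user: roles that are clean on their own can still
    conflict in combination, so the check runs over all assigned roles."""
    return risks_of(user_tcodes(user_roles, roles))

def simulate(user_roles: Iterable[str], new_role: str, roles: Dict[str, Set[str]]) -> Set[str]:
    """Simulate a role assignment before access is granted: risks that would be new."""
    current = list(user_roles)
    return user_report(current + [new_role], roles) - user_report(current, roles)

def open_risks(risks: Set[str], mitigations: Dict[str, str]) -> Dict[str, str]:
    """Per risk, the approved mitigation control id, or 'OPEN' if none is documented."""
    return {rid: mitigations.get(rid, "OPEN") for rid in sorted(risks)}
```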
Cross-System SoD
Q & A