SAP Access Control: Key Capabilities and How to Use Them to Implement SoD
What is SAP Access Control?
SAP Access Control, part of SAP Governance Risk and Compliance, is an enterprise-grade software application that lets you control access to SAP applications and resources. It can help you make sure business users have the right access to SAP, minimizing the time and cost spent on achieving compliance. SAP Access Control provides real-time visibility into current risks and conflicts related to access control. The product is designed to streamline compliance processes, such as access review certifications, management of access requests and business roles, emergency access, as well as analysis of risks and remediation. It can also be used to identify role conflicts and manage Separation of Duties (SoD).
Why are SAP GRC Process Control and Access Control Important?
Controls for preventing, detecting, and mitigating misconduct are a requirement to comply with legislation such as Sarbanes-Oxley (SOX). Organizations are largely free to implement these controls as they see fit but are audited for compliance and can incur significant penalties if found inadequate.
Historically, organizations reviewed their access entitlements and roles manually to ensure regulatory compliance. This involved compiling data into audit reports that could be reviewed by large teams of internal auditors.
However, this manual process is slow and inefficient, often taking hundreds of hours to produce the wealth of data needed for a complete review. It is also prone to data entry errors or manual oversight, resulting in false positives and negatives. The reports can also be out of date by the time they are completed, so remediation efforts are delayed.
Another drawback of manual reporting is that you cannot see the effect of adding entitlements to a user in real time. Therefore, many users are provisioned with unnecessary privileges simply because the provisioning manager didn’t know what other entitlements that user had. This means that permissions can accrue and create unnecessary conflicts and risk that goes unmitigated.
If you don’t have SAP Process Control and Access Control, your remediation efforts are likely to fail. For example, you cannot do role redesign and see the outcomes of a role change in real-time. This means that many organizations might introduce a new compliance issue or increase the burden on SAP Governance Risk and Compliance efforts by creating overly complex roles.
SAP Process Control and Access Control automate most of the reporting process, along with the detection and remediation of compliance issues. Audit reports are using the data from changelogs, which minimizes error and enables a complete review of access processes.
Learn how to integrate SAP Access with other SAP systems in our blog post: Connecting SAP Access Control to Concur, Ariba, SuccessFactors, and More
Learn about additional GRC technologies in our blog post: The 20 best enterprise GRC software solutions
On-demand Webinar
3 Ways to Streamline SoD Control Monitoring in Your SAP Landscape
Learn how to identify potential SoD risks within and across business applications by continuously monitoring transactions and user activity.
SAP Access Control Capabilities
Here are key SAP Access Control features and modules:
Access Requests (ARQ)
ARQ can help you implement company policies dedicated to the creation and management of access requests. Here are key options:
- Users – can request access to systems and applications.
- Approvers – can review user requests, analyze Separation of duties (SoD) risks and existing user access, and then approve, deny, or modify a request.
Access Risk Analysis (ARA)
ARA lets you implement user access risks and SoD policies. Security analysts and business process owners can run reports to determine a user’s or role’s combination of entitlements. They can identify the root cause of the violation and correct the risk.
Business Role Management (BRM)
SAP lets you define and manage user authorization as roles. Role owners, role designers, and security analysts can use BRM to maintain roles and analyze each one for company policy violations.
Emergency Access Management (EAM)
You can use EAM to implement corporate policies governing emergency access. It lets users create self-service requests for any emergency access to applications or systems. Business process owners can view emergency access requests and grant access. Compliance officers can monitor compliance with company policies by performing regular usage and logging audits to see what users accessed in their sessions.
Periodic Reviews of User Access and Separation of Duties (SoD)
You can use SAP Access Control to enforce company policies related to regular compliance reviews. Security and business process owners can determine policies for regular review of access controls. During the review, auditors evaluate access controls and report issues, and security and business process owners determine whether a corrective action is required.
Image Source: SAP
SAP SoD Management Process
A key capability of SAP Access Control is to enable organizations to manage SoD and evaluate roles to identify inherent SoD conflicts and violations in the roles themselves.
An SoD management process can help eliminate or reduce the possibility of errors and fraud. SoD ensures that no one user has access to multiple steps in a sensitive business process.
Achieving separation of duties requires breaking down business processes and splitting responsibilities among multiple individuals. SAP Access Control can help support this process, which is typically separated into three phases.
Step 1: Risk Recognition
Start by defining a list of SoD conflicts that either enable fraud or can result in major errors. This can help you determine what are the unacceptable risks that should be reported, remediated, or mitigated. This step requires a solid understanding of organizational processes and relevant vulnerabilities.
Step 2: Rule Building and Validation
Create a set of technical rules based on the risks you have identified. This can help you create a set of technical rules for analyzing and identifying risks per user, role, or profile.
Phase 3: Risk Analysis
Analyze the results of the risk analysis. The ARA module lets you perform risk analysis on several aspects, including users, roles, profiles, and HR objects (positions, tasks, and so on). The results of the risk analysis determine whether a single user, single role, single profile, or job/position can perform the conflicting functions defined in Step 1. The results can help identify ways to reduce or eliminate the risk.
Step 4: Remediation
The goal of this step is to resolve user-level conflicts. SoD conflict often occurs when users are assigned privileges to tasks they do not actually require or when tasks are incorrectly scoped. See if you can isolate conflicting tasks and assign them to other users.
This step typically requires the implementation of role changes and role reassignment. This process minimizes the number of conflicts to ensure that only a few conflicts require mitigation.
Step 5: Mitigation
If a conflict cannot be remediated through reassignment or tasks and privileges, you must mitigate the remaining risks. Mitigation requires formal descriptions and actions to adequately mitigate the risk. Usually, mitigation requires adding monitoring procedures after an action occurs. Mitigating actions are implemented after an event occurs, which is why mitigation should be used as sparingly as possible.
Step 6: Continuous Compliance
This final step establishes a continuous review loop for all access requests, comparing them to the SoD matrix before provisioning. You should also ensure that all role changes are analyzed for risks and remedied prior to use. As a result, your system should remain free of violations in the long term.
The SoD management process is a systematic and crucial part of using SAP Access Control effectively. By following these steps, your organization can efficiently mitigate risks, reduce potential errors or fraud, and maintain a robust compliance posture with SAP Access Control.
SAP Access Governance with Pathlock
Pathlock is the proven SAP Solution Extension partner, which extends your SAP Access Control investment in several critical areas:
- With Access Violation Management, System Integration Edition, customers can extend their SAP Access Control (and SAP Process Control) implementation to monitor cross-application SOD risks in SAP cloud applications (like SAP Ariba and SuccessFactors) and non-SAP applications (like Salesforce and Workday)
- With Access Violation Management, Risk Analysis Edition, customers can supplement their SAP Access Control implementation with monitoring of violations of SoD risks to create mitigating controls that can highlight errors and fraud
- With Pathlock, customers can extend their SAP Access Control implementation with Emergency Access Management for SAP Cloud (SAP Ariba and SuccessFactors) and non-SAP applications (like Salesforce and Workday)
- With Pathlock connectors, customers can extend their SAP Process Control implementation to monitor business process controls across SAP cloud applications (like SAP Ariba and SuccessFactors) and non-SAP applications (like Salesforce and Workday)
- With Pathlock, customers can extend their Role Based Access Control to Attribute Based Access Control, providing fine-grained data masking and encryption to provide greater protection than broad roles can provide on their own
Interested to learn more about how you can extend your SAP Access Control investment with Pathlock? Request a demo of our industry-leading platform today!