SAP Access Control, part of SAP Governance, Risk, and Compliance (GRC), is an enterprise-grade software application that lets you control access to SAP applications and resources. It can help you make sure business users have the right access to SAP, minimizing the time and cost spent on achieving compliance. SAP Access Control provides real-time visibility into current risks and conflicts related to access control. The product is designed to streamline compliance processes such as access review certifications, management of access requests and business roles, emergency access, and analysis and remediation of risks. It can also be used to identify role conflicts and manage Separation of Duties (SoD).
Controls for preventing, detecting, and mitigating misconduct are a requirement to comply with legislation such as Sarbanes-Oxley (SOX). Organizations are largely free to implement these controls as they see fit but are audited for compliance and can incur significant penalties if found inadequate.
Historically, organizations reviewed their access entitlements and roles manually to ensure regulatory compliance. This involved compiling data into audit reports that could be reviewed by large teams of internal auditors.
However, this manual process is slow and inefficient, often taking hundreds of hours to produce the wealth of data needed for a complete review. It is also prone to data entry errors or manual oversight, resulting in false positives and negatives. The reports can also be out of date by the time they are completed, so remediation efforts are delayed.
Another drawback of manual reporting is that you cannot see the effect of adding entitlements to a user in real time. Therefore, many users are provisioned with unnecessary privileges simply because the provisioning manager didn’t know what other entitlements that user had. This means that permissions can accrue and create unnecessary conflicts and risk that goes unmitigated.
If you don’t have SAP Process Control and Access Control, your remediation efforts are likely to fail. For example, you cannot redesign a role and see the outcome of the change in real time. As a result, many organizations introduce new compliance issues, or increase the burden on their SAP GRC efforts, by creating overly complex roles.
SAP Process Control and Access Control automate most of the reporting process, along with the detection and remediation of compliance issues. Audit reports draw on data from change logs, which minimizes error and enables a complete review of access processes.
Here are key SAP Access Control features and modules:
Access Request Management (ARQ) helps you implement company policies governing the creation and management of access requests.
Access Risk Analysis (ARA) lets you define user access risk and SoD policies. Security analysts and business process owners can run reports to determine the combination of entitlements held by a user or role, identify the root cause of a violation, and correct the risk.
SAP lets you define and manage user authorizations as roles. Role owners, role designers, and security analysts can use Business Role Management (BRM) to maintain roles and analyze each one for company policy violations.
You can use Emergency Access Management (EAM) to implement corporate policies governing emergency access. It lets users create self-service requests for emergency access to applications or systems. Business process owners can view emergency access requests and grant access. Compliance officers can monitor compliance with company policies by performing regular usage and logging audits to see what users accessed during their sessions.
You can use SAP Access Control to enforce company policies related to regular compliance reviews. Security and business process owners can determine policies for regular review of access controls. During the review, auditors evaluate access controls and report issues, and security and business process owners determine whether a corrective action is required.
A key capability of SAP Access Control is to enable organizations to manage SoD and evaluate roles to identify inherent SoD conflicts and violations in the roles themselves.
An SoD management process can help eliminate or reduce the possibility of errors and fraud. SoD ensures that no one user has access to multiple steps in a sensitive business process.
Achieving separation of duties requires breaking down business processes and splitting responsibilities among multiple individuals. SAP Access Control can help support this process, which is typically separated into three phases.
Start by defining a list of SoD conflicts that either enable fraud or can result in major errors. This helps you determine which risks are unacceptable and should be reported, remediated, or mitigated. This step requires a solid understanding of organizational processes and relevant vulnerabilities.
Next, translate the risks you have identified into a set of technical rules. This rule set is what the system uses to analyze and identify risks per user, role, or profile.
Analyze the results of the risk analysis. The ARA module lets you perform risk analysis on several aspects, including users, roles, profiles, and HR objects (positions, tasks, and so on). The results of the risk analysis determine whether a single user, single role, single profile, or job/position can perform the conflicting functions defined in Step 1. The results can help identify ways to reduce or eliminate the risk.
The goal of this step is to resolve user-level conflicts. SoD conflicts often occur when users are assigned privileges for tasks they do not actually require, or when tasks are incorrectly scoped. See if you can isolate conflicting tasks and assign them to other users.
This step typically requires the implementation of role changes and role reassignment. This process minimizes the number of conflicts to ensure that only a few conflicts require mitigation.
If a conflict cannot be remediated through reassignment of tasks and privileges, you must mitigate the remaining risk. Mitigation requires formally documented controls and actions that adequately reduce the risk. Usually, this means adding monitoring procedures that run after an action occurs. Because mitigating controls only take effect after an event, mitigation should be used as sparingly as possible.
This final step establishes a continuous review loop for all access requests, comparing them to the SoD matrix before provisioning. You should also ensure that all role changes are analyzed for risks and remedied prior to use. As a result, your system should remain free of violations in the long term.
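To make the SoD process above concrete, here is an added toy risk-analysis engine (example code written for this article, not SAP's own ARA implementation). The function-to-transaction mapping, roles, users, risk IDs and mitigating control are all constructed sample data; it defines conflicting functions, derives technical rules from them, analyzes users and roles, records a mitigating control for a residual conflict, and simulates an access request against the SoD matrix before provisioning.

```python
# Business functions mapped to technical actions (transaction codes).
# Constructed illustrative mapping, not a real SAP rule set.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02"},
    "INVOICE_POST":    {"FB60", "MIRO"},
    "PAYMENT_RUN":     {"F110"},
}
# SoD risks: pairs of functions a single person must not hold together (constructed IDs).
RISKS = {
    "P001": ("VENDOR_MAINTAIN", "INVOICE_POST"),
    "P002": ("INVOICE_POST", "PAYMENT_RUN"),
}
# Roles grant actions; users hold roles (constructed sample data).
ROLES = {
    "Z_AP_CLERK":  {"FB60", "MIRO"},
    "Z_VENDOR_MD": {"XK01", "XK02"},
    "Z_TREASURY":  {"F110"},
    "Z_AP_ALL":    {"FB60", "XK01", "F110"},   # badly scoped role with inherent conflicts
}
USERS = {"alice": {"Z_AP_CLERK", "Z_VENDOR_MD"}, "bob": {"Z_AP_CLERK"}, "carol": {"Z_AP_ALL"}}
# Documented mitigating controls for residual, unremediated conflicts (constructed).
MITIGATIONS = {("carol", "P001"): "Monthly vendor-change review by AP manager"}

def functions_from_actions(actions):
    """Technical rule: an action set exercises a function if it contains any of its actions."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def analyze(actions):
    """Risk analysis: the risk IDs whose two conflicting functions both appear in the action set."""
    funcs = functions_from_actions(actions)
    return sorted(r for r, (a, b) in RISKS.items() if a in funcs and b in funcs)

def role_actions(roles):
    """All actions granted by a set of roles."""
    return set().union(*(ROLES[r] for r in roles))

def user_risks(user):
    """User-level analysis; a documented mitigating control covers a residual risk."""
    return {r: MITIGATIONS.get((user, r), "UNMITIGATED") for r in analyze(role_actions(USERS[user]))}

def role_risks():
    """Inherent conflicts inside single roles, the target of role redesign."""
    return {role: analyze(acts) for role, acts in ROLES.items() if analyze(acts)}

def check_request(user, requested_role):
    """Continuous review: the new risks an access request would introduce if provisioned."""
    before = set(analyze(role_actions(USERS[user])))
    after = set(analyze(role_actions(USERS[user] | {requested_role})))
    return sorted(after - before)
```

A request is approved only when `check_request` returns an empty list, or when every new risk it reports has a documented mitigating control assigned before provisioning.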
The SoD management process is a systematic and crucial part of using SAP Access Control effectively. By following these steps, your organization can efficiently mitigate risks, reduce potential errors or fraud, and maintain a robust compliance posture with SAP Access Control.
Pathlock is the proven SAP Solution Extension partner, which extends your SAP Access Control investment in several critical areas.