COMPREHENSIVE, CROSS-ENTERPRISE ANALYSIS, REMEDIATION


SAP Solution in Detail
SAP GRC Access Control
COMPREHENSIVE, CROSS-ENTERPRISE ANALYSIS, REMEDIATION, AND PREVENTION OF ACCESS RISK

Copyright 2007 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

CONTENTS

Executive Summary ... 5
A Better Approach to Managing Access and Authorization Controls ... 7
The Access-Risk Analysis Process ... 8
Collaboration Between Business and IT ... 8
Cross-Enterprise Solution ... 8
– Cross-Functional ... 9
– Cross-Application ... 10
Simplicity ... 10
SAP GRC Access Control Overview ... 10
– Access Risk Analysis and Remediation ... 10
– Compliant User Provisioning ... 11
– Enterprise Role Management ... 12
– Privileged-User Access Management ... 12
Enterprise Rules ... 13
Benefits of the Rules Architecture ... 14
Largest Library of Predefined Rules ... 15
More Than SoD ... 15
Rule Architect ... 16
Organizational Rules ... 16
SAP GRC Access Control Software Architecture ... 17
Architecture Overview ... 17
The SAP NetWeaver Platform ... 17
The Core Java Application ... 18
RTA: The Enterprise Software Real-Time Agent ... 18
Adapter Framework and RTAs ... 18
– Access Risk Analysis, Remediation, and Mitigation ... 19
Application-Specific Functionality ... 19
– Privileged-User Access Management ... 19
– Enterprise Role Management ... 20
Extensibility ... 21
Import and Export Interfaces ... 21
– Rules Information ... 21
– Organization Information ... 21
– Role Information ... 21
Sample Definition of File Format ... 21
Web Services ... 21
Identity Management Integration ... 22
Workflow and Automation ... 23
System Landscape ... 24
SAP Software–Only System Landscapes ... 24
– Basic Landscape ... 24
– Authoritative-User Sources ... 25
– Compliant User Provisioning ... 26
Hardware and Performance Considerations ... 28
Hardware Requirements ... 28
– Virsa Compliance Calibrator ... 28
– Virsa Access Enforcer ... 28
– Virsa Role Expert ... 29
– Virsa FireFighter for SAP ... 29
– Combined Deployment ... 29
Software Requirements ... 29
Meeting Compliance Requirements with SAP GRC Access Control ... 30
Appendix: Processes and Applications Supported ... 31

EXECUTIVE SUMMARY

Legislators in virtually every nation have promulgated laws that mandate higher levels of corporate governance, risk management, and compliance (GRC). From the Sarbanes-Oxley Act (SOX) in the United States, to Bill 198 in Canada, to Japan's Financial Instruments and Exchange Law (the so-called J-SOX), the current regulatory environment worldwide is one that demands that enterprises take every step to ensure the integrity of their finances, their data, their processes, and their employees. Central to this is the need to control access to corporate information, functions, and processes and to ensure that there is comprehensive segregation of duties (SoD) across the entire enterprise and at all levels of corporate functioning.

Unfortunately, the cost in money and resources to ensure compliance with access control, segregation of duties, and compliant user provisioning on an ongoing basis can be overwhelming for many companies. In fact, for companies using a multitude of software solutions and applications, this task may seem virtually impossible. Establishing and maintaining a comprehensive and consistent library of SoD policies and rules, provisioning new and transferred employees, and adding new rules in accordance with changes in functions, duties, and responsibilities is a difficult challenge for any enterprise. Even companies that have deployed access control or risk management solutions can find that it is extremely difficult to translate the business definition of a particular risk into a technical definition of that risk that the solution will understand. To address these key business challenges and ensure compliance consistently year after year in a sustainable fashion, forward-looking companies are seeking enterprise-ready GRC solutions.

From the perspective of an executive and business process owner, an enterprise-ready solution must empower employees to do the right things, while enforcing that things are done right. The solution must enforce accountability and enable transparency so that business owners and executives can ultimately sign off on their attestations with confidence. As a result, compliance issues such as access control, proper segregation of duties, and compliant provisioning must be managed by a solution that spans all core business processes across all enterprise application software. A central policy repository can then ensure consistency across the enterprise.

From an IT perspective, this enterprise readiness translates into a number of requirements. First, IT managers want an application delivered with a predefined best-practice library of comprehensive cross-process and cross-application policies. On one hand, this vast number of policy rules must be easy to enhance and to adjust as the business changes. On the other hand, rules must be granular enough to address all of the details of enterprise application software, catching all the violations without producing false positives. Second, the solution must empower employees across the enterprise. Efficient and effective collaboration between business and IT is one of the keys to success here. Automation and dynamic workflow options not only ensure reliability and repeatability of the solution by avoiding manual errors and establishing institutional knowledg

With SAP GRC Access Control, you receive a rule set that has been developed and proven over ten years of successful implementations and backed by the deep process and industry expertise that only SAP can provide. From supply chain to core finance operations to production-floor operations, SAP GRC Access Control delivers access risk management across your entire enterprise. It can be .