Friday 23 May 2014

CSI Authorization Auditor instead of manual control

Due to the pressure of local regulatory compliance issues and/or corporate governance demands there is a growing awareness of Governance, Risk and Compliance (GRC) among executive management. But what do we need to do to get (and stay) in control?

1. What do we need to do to get in control?

First, get insight into the status of the current access governance: “Who can access which data and did they execute it? Who has broad access through different stages of the process and therefore segregation of duty conflicts, and did they execute all activities within the conflict? Are all the backdoors secured? Are there inconsistencies in roles, user role assignments or in the rule set?” The questions are clear, but how do we get to the answers?

1.1 Define an overview and rule set of the functionality and SoD conflicts that are business critical

First you have to define a company specific overview of all the functionality and Segregation of Duty (SoD) conflicts that are business critical. Once this overview is there, it must be translated into SAP technical authorizations. SAP authorization knowledge is needed for this translation and it takes many man hours to search for and find the correct authorizations and transactions.

How CSI Authorization Auditor® 2014 can help in this step
CSI Authorization Auditor® 2014 comes with a pre-defined rule set containing over 400 SoD conflicts, and the critical functionality is already translated into authorization values and transactions (queries). This rule set is a real time saver. Instead of defining SoD conflicts from scratch, use the predefined SoD conflicts and decide which conflicts are critical for the organization.

1.2 Analyze the authorization concept

The bad news about analyzing the SAP authorization concept is that SAP does not support this process in the standard SAP system with user friendly reports or tools. The authorization data is stored in tables in the SAP database. Analyzing them manually is not recommended: it is a recurring job, it needs to be done in the correct way and it is very time consuming. Problems with manual analysis are:
· Mistakes are very easy to make because of the numerous reports that need to be run with the correct credentials. If a mistake goes unnoticed, people are looking at incorrect data, which leads to incorrect actions.
· Extracting the data is very difficult and can result in SAP system overloading and errors.
· Only a limited scope can be taken into account, because analyzing all the company critical functionality and SoD data simply takes too much time.
· SAP authorizations or even the rule set may change regularly; therefore the check needs to be done recurringly.
· Not all aspects of access governance can be taken into account. SAP systems have many backdoors that lead to critical data. With manual analysis these backdoors cannot be taken into account.
· Company specific organizational levels are very difficult to include and maintain in the analysis.
· Comparing results over periods is a separate activity that needs to be done as well.
· Once the results are reported, an additional manual analysis needs to be done if SoD conflicts and access to critical functionality by users must be adjusted.

How CSI Authorization Auditor® 2014 can help in this step
Using CSI Authorization Auditor® 2014 cuts back the manual analysis effort from days (if not weeks) to a couple of hours (and maybe less). CSI Authorization Auditor® 2014 gives fast and easy insight into the current access governance. Who can access which data and did they execute it? Who has broad access through different stages of the process and therefore segregation of duty conflicts, and did they execute all activities within the conflict? Are all the backdoors secured? Are there inconsistencies in roles, user role assignments or in the rule set? CSI Authorization Auditor® 2014 gives the answer using a multi-layered analysis. The analysis is done outside the SAP system and the data extraction can be scheduled, so there is no additional workload on the SAP system. Dashboards, reports and trending overviews are available as standard in CSI Authorization Auditor® 2014.

2. What do we need to do to stay in control?

Once the access governance is clean and compliant, the next step is to “stay clean & compliant”: define the business processes, risks and controls, monitor the security concept and store the evidence. This can be done manually (for example in Excel), but once again it is very time consuming. Checks such as the correct configuration table values need to be verified in the SAP system manually, and the evidence needs to be stored.


How CSI Authorization Auditor® 2014 can help in this step
Define the business processes, risks and controls on the fly. Monitor the security concept and store the evidence in CSI Authorization Auditor® 2014. Stay compliant with your clean security concept using the user request functionality of CSI Authorization Auditor® 2014, which performs a pre-SoD check on authorization and user changes before they are applied. Monitor the risks and controls and document all the evidence in CSI Authorization Auditor® 2014 to prove you are compliant.
The audit committee can use CSI Authorization Auditor® 2014 stand-alone with their own rule set to check the authorization structure independently. Changes to the rule set in CSI Authorization Auditor® 2014 are logged automatically.

Advantages of CSI tooling:
• CSI Authorization Auditor® 2014 covers all aspects of access governance.
• The audit committee can use CSI Authorization Auditor® 2014 PC based. Only they have access to the audit rule set, and they perform independent audits.
• Documenting the security process can take a long time. CSI Authorization Auditor® 2014 can simultaneously implement and document the business process with risks and controls step by step. Add any information about the security process in CSI Authorization Auditor® 2014 and make changes on the fly. Use CSI Authorization Auditor® 2014 to document the security process quickly.
• Fast implementation time.
• Clear overview of SoD conflicts and how to solve them; results are shown in different expandable views.
• A sequence of dialog boxes leads the user through a series of well-defined steps (wizard). Tasks that are performed infrequently are easier to perform using the wizard. CSI Authorization Auditor® 2014 supports reporting the right results in the fastest way. Because of the new interface and wizards, users are guided through the application with additional information on the screen, which reduces the training effort enormously.
• CSI Authorization Auditor® 2014 comes with a large number of useful reports and dashboards. Does a report or dashboard not fit the business requirements? Customizing is also possible to create new ones. End-users can define their own grouping of all data shown on screen, and every view can be exported to different formats such as xlsx, xml, pdf and accdb.
• All audit reports have the full causing information available, with insight into how these access rights are assigned to users. On every level an indication is given whether or not the user needs the role, based on transaction usage information.
• CSI Authorization Auditor® 2014 gives a clear overview of the usage of SAP licenses. Reduce expensive license costs and pay only for the licenses and authorizations that are really being used.
• Messages can be distributed according to the RASCI matrix. Implement the organization’s responsibility assignment matrix to automate the security task messages. People are informed automatically when they need to perform a task in the security process.
• Work simultaneously with multiple users on the same data and see the results in a clear overview; no more manual report distribution.
• CSI Authorization Auditor® 2014 uses two databases: an application database and an archive database. All original SAP data and all previously produced audit results are saved in the archive. Previous audit results are immediately available if needed, and the current audit results can be compared in detail with previous audit results.
• New reports and dashboards make it possible to compare the audit results over periods. See whether the security concept is improving.
• Analyze the correctness of role assignments with the use of role information and statistical data from the SAP system. CSI Authorization Auditor® 2014 also gives a clear view of whether access rights are accumulating in the security concept. This information can be used to clean up the authorization concept and become compliant.
• All analyses are done separately on authorization level and on transaction code level, including execution information. The differences between these results give authorization managers immediate insight into inconsistencies in the SAP roles, in the audit rules and/or in the access governance process.
• Useful user information can now be found in CSI Authorization Auditor® 2014: which roles are assigned to the user, which transactions a user can (and did) execute (even if the transactions have already been removed) and which authorizations are assigned to the user in his/her user buffer.
• CSI Authorization Auditor® 2014 logs all changes made to the rule sets.
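The two-level analysis the post describes (what a user can do through the assigned roles versus what the user actually executed, and the indication whether an assigned role shows any usage) can be illustrated with a small script. This is an added example written for this article, not code from CSI Tools or the CSI Authorization Auditor product; the rule set, roles, users and transaction statistics are constructed sample data, and the role and user names are invented.

```python
# Added example (not CSI Tools code): evaluate an SoD rule set against the
# transactions users can start through their roles ("can") and the
# transactions they actually executed ("did"). All data below is constructed.

# Rule set: business functions mapped to the SAP transaction codes that
# realise them, plus the pairs of functions that conflict (constructed sample).
FUNCTIONS = {
    "MAINTAIN_VENDOR": {"XK01", "XK02", "FK01", "FK02"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "RELEASE_PAYMENT": {"F110"},
    "MAINTAIN_USER": {"SU01", "SU10"},
    "MAINTAIN_ROLE": {"PFCG"},
}
CONFLICTS = [
    ("MAINTAIN_VENDOR", "POST_VENDOR_INVOICE"),
    ("POST_VENDOR_INVOICE", "RELEASE_PAYMENT"),
    ("MAINTAIN_USER", "MAINTAIN_ROLE"),
]

# Single roles and the transactions they grant, and the role assignments
# (constructed sample; role names are invented).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_INVOICE": {"FB60", "MIRO", "FB03"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_BASIS_USERADMIN": {"SU01", "SU10", "PFCG"},
    "Z_DISPLAY_ONLY": {"XK03", "FB03", "MM03"},
}
USER_ROLES = {
    "JSMITS": ["Z_AP_VENDOR_MAINT", "Z_AP_INVOICE", "Z_DISPLAY_ONLY"],
    "AJONES": ["Z_AP_INVOICE", "Z_AP_PAYMENT_RUN"],
    "BASIS1": ["Z_BASIS_USERADMIN"],
}
# Executed transactions with frequency, as a usage statistics extract would
# deliver them (constructed sample).
EXECUTED = {
    "JSMITS": {"XK02": 14, "FB60": 3, "MM03": 120},
    "AJONES": {"FB60": 40, "FB03": 9},
    "BASIS1": {"SU01": 25, "PFCG": 2, "SE16": 1},
}


def assigned_tcodes(user):
    """All transactions the user can start through the assigned roles."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, [])))


def sod_conflicts(tcodes):
    """Conflict pairs for which both functions are reachable with these tcodes."""
    def reachable(function):
        return bool(FUNCTIONS[function] & tcodes)
    return [(a, b) for a, b in CONFLICTS if reachable(a) and reachable(b)]


def analyse_user(user):
    """Two-level SoD picture for one user: conflicts the user could commit
    (authorization level), conflicts the user actually executed (transaction
    level), executed transactions no current role grants, and assigned roles
    that show no usage at all."""
    can = assigned_tcodes(user)
    did = set(EXECUTED.get(user, {}))
    role_used = {r: bool(ROLES[r] & did) for r in USER_ROLES.get(user, [])}
    return {
        "possible": sod_conflicts(can),
        "executed": sod_conflicts(did),
        # Executed but not reachable via the current roles: points at a
        # removed role or an inconsistency between role data and usage data.
        "inconsistent_tcodes": sorted(did - can),
        # Roles without any executed transaction are candidates for removal;
        # removing them may already resolve a possible conflict.
        "unused_roles": sorted(r for r, used in role_used.items() if not used),
    }


def report():
    """Analysis for every user with role assignments."""
    return {user: analyse_user(user) for user in USER_ROLES}


if __name__ == "__main__":
    for user, result in report().items():
        print(user, result)
```

In the sample data AJONES has a possible conflict between posting invoices and releasing payments, but never used the payment role; removing that unused role resolves the conflict without touching anything the user actually needs. BASIS1 executed a transaction no current role grants, which is exactly the kind of difference between authorization-level and transaction-level results the post calls out.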

(C) Meta Hoetjes 2014 
CSI Authorization Auditor and CSI Role Build and Manage are registered trademarks by CSI Tools bvba
www.csi-tools.com

Thursday 1 May 2014

Reverse Engineering for the SAP security concept


How satisfied is the organization with the current set-up of the roles in SAP? Are your users happy with the assigned authorizations? If they are, the auditor probably is not happy with the authorizations assigned to the roles and users…
Maybe there are already plans to redesign the current authorization concept… How easy would it be if you could redesign the authorization concept with reverse business engineering? Instead of thinking out and designing from scratch which authorization should be included in which role, just look at the authorizations the users have, analyze the functionality the users have been using (or wanted to use) based on the executed transactions, and assign the authorizations that are needed to the roles.


Example:

User John Smits is assigned to the composite role for system administrator S99-XXXX_SYSTADM. This system administrator role has 13 single roles assigned. In this overview the assigned roles are shown together with whether or not the user is using transactions from these roles. If transactions are used via the role, the Executed column has a checkmark and the role counts as executed by the user (Figure 1).

Figure 1 Role details of user John Smits

If you double click on the role, you get the role details like the transactions, authorizations, executed transactions, if the transaction is locked in the SAP system et cetera (figure 2).

Figure 2 Transaction details of role

Let’s go back to the user John Smits. John wanted broader access rights and was temporarily assigned to a broad access role to solve an issue. This temporary role was removed from the user after he solved the issue. Now let us have a look at the transactions of the user (figure 3).

Figure 3 Total transaction of user John Smits with executed and missing information

The transactions in red are no longer assigned to the user (they also have a checkmark in the Missing column (3)). The transactions in black are still assigned to the user. A checkmark in the Executed column (1) means the user has executed the transaction. The Frequency column (2) shows the number of times the user has executed the transaction.
With this information you can search for the single roles that contain the missing transactions and analyze whether the user should be assigned to these single role(s). If you double-click on a transaction, a new screen shows the information about the transaction and the roles that have the transaction assigned. For this example we want to add transaction MB03, so we double-clicked on transaction MB03. The transaction is assigned to 2 single roles: Display Material Documents Inv – S99MXXXXMADID and Display Material Documents Purchasing – S99MXXXXMADPD (figure 4).

Figure 4 Detail information about transaction including roles that have transaction included


SOD simulation

For this example we want to add the single role S99MXXXXMADID to the composite role S99-XXXX_SYSTADM of the user. To keep a compliant security concept we use the SoD simulation functionality of the CSI Role Build & Manage (RBM) tool (figure 5).

Figure 5 SOD simulation for role requests

Running the SoD simulation gives the overview “before” and “after” adding the single role to the composite role. In this case, no new SoD conflicts are created by adding the role (Figure 6).

Figure 6 Results of SOD simulation for role request

The request can then be sent automatically via workflow and email to the approver. After the request is approved by (all) the approver(s), it is even possible to have the change implemented in SAP directly, so that no manual role changes need to be made in the SAP system.

Use reverse business engineering to redesign the complete role concept

The above example is just one way to use reverse business engineering to redesign the security concept, for just one user. Of course this is also possible for a complete redesign process. Instead of looking at one user, you look at the total usage of transactions by all the users and assign these used transactions, with the correct authorizations, to roles (Figure 7).

Figure 7 User vs (executed) transaction overview

And the functionality for reverse engineering goes even further. The organizational levels in use can be read from the existing roles and documented in the central codification functionality of CSI RBM. Using the deriving functionality of CSI RBM you can automatically derive all the roles, both single and composite, for the new role concept, for both organizational (like company codes) and non-organizational (like movement types) values.
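The steps of the example above (find the transactions a user executed but can no longer start, look up the single roles that contain them, simulate the SoD picture before and after adding such a role, and finally aggregate executed transactions over all users for a full redesign) can be worked through in a short script. This is an added example for this article, not CSI RBM code; the single and composite roles, users, usage extract and the single SoD rule are constructed sample data with invented names (MB03 is the transaction from the example above).

```python
# Added example (not CSI Tools code): reverse business engineering from usage
# data. Given which transactions a user executed, including ones granted by a
# role that has since been removed, find the missing transactions, the single
# roles that would restore them, simulate whether adding such a role creates a
# new SoD conflict, and build the user-versus-transaction view for a redesign.
# All data below is constructed; role and user names are invented.
from collections import defaultdict

SINGLE_ROLES = {
    "Z_BASIS_MONITOR": {"SM50", "SM51", "ST22"},
    "Z_BASIS_USERS": {"SU01", "SU10"},
    "Z_MM_MATDOC_DISPLAY": {"MB03", "MB51"},
    "Z_MM_GOODS_MOVEMENT": {"MB03", "MIGO", "MB1A"},
}
COMPOSITE_ROLES = {"Z_C_SYSTADM": ["Z_BASIS_MONITOR", "Z_BASIS_USERS"]}
USER_COMPOSITE = {"JSMITS": "Z_C_SYSTADM"}

# Executed transactions with frequency (constructed extract). For JSMITS,
# MB03 and MB51 came from a temporary role that has since been removed.
EXECUTED = {
    "JSMITS": {"SM50": 30, "SU01": 5, "MB03": 7, "MB51": 2},
    "KDEVRIES": {"MB03": 50, "MIGO": 12},
}

# One SoD rule, expressed directly as two sets of transactions: user
# administration must not be combined with posting goods movements
# (constructed rule for the example).
SOD_RULES = {
    "USER_ADMIN_vs_GOODS_MOVEMENT": ({"SU01", "SU10"}, {"MIGO", "MB1A"}),
}


def composite_tcodes(composite):
    """All transactions granted by the single roles of a composite role."""
    return set().union(*(SINGLE_ROLES[r] for r in COMPOSITE_ROLES[composite]))


def conflicts(tcodes):
    """Names of the rules for which both sides are reachable with these tcodes."""
    return sorted(name for name, (a, b) in SOD_RULES.items()
                  if a & tcodes and b & tcodes)


def missing_tcodes(user):
    """Executed transactions the user can no longer start (the red rows of figure 3)."""
    return sorted(set(EXECUTED[user]) - composite_tcodes(USER_COMPOSITE[user]))


def candidate_roles(tcode):
    """Single roles that contain the transaction (the lookup of figure 4)."""
    return sorted(r for r, tcodes in SINGLE_ROLES.items() if tcode in tcodes)


def simulate_add(user, single_role):
    """Before/after SoD picture for adding a single role to the user's composite role."""
    before = composite_tcodes(USER_COMPOSITE[user])
    after = before | SINGLE_ROLES[single_role]
    return {
        "before": conflicts(before),
        "after": conflicts(after),
        "new": sorted(set(conflicts(after)) - set(conflicts(before))),
    }


def usage_matrix():
    """Users per executed transaction: the basis for a complete redesign (figure 7)."""
    users = defaultdict(set)
    for user, tcodes in EXECUTED.items():
        for tcode in tcodes:
            users[tcode].add(user)
    return {tcode: sorted(u) for tcode, u in sorted(users.items())}


if __name__ == "__main__":
    for tcode in missing_tcodes("JSMITS"):
        for role in candidate_roles(tcode):
            print(tcode, role, simulate_add("JSMITS", role))
    print(usage_matrix())
```

For JSMITS the two missing transactions are MB03 and MB51; both candidate roles contain MB03, but only the display role passes the simulation without a new conflict, because the goods movement role combines MIGO with the user administration transactions the composite role already grants. The usage matrix is the starting point for the full redesign: transactions that nobody executes need not be in any new role.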
