Large Utility Company in Singapore

Background

The Company was using multiple independent SAP instances and wanted to implement SAP GRC Access Control on two (2) of them: SAP Customer Relationship Management (‘CRM’) and SAP Industry Solutions: Utilities (‘IS/U’). This was the company’s first implementation of the SAP GRC tool, and its scope was limited to the Access Risk Analysis (‘ARA’) and Emergency Access Management (‘EAM’) sub-modules. For the ARA sub-module, a business access and Segregation of Duties (‘SoD’) ruleset also had to be defined.

Objectives

(1) Install and implement SAP Business Object GRC 10.0 on the company’s SAP CRM and IS/U instances.

(2) Implement EAM sub-module based on the company’s established emergency access procedures.

(3) Implement the ARA sub-module by developing and customizing access and SoD risk rulesets that reflect the company’s current business setup and requirements.

Work Performed

(1) Hexadius worked together with the company’s IT infrastructure and operations teams to determine the proper hardware and sizing requirements for the tool. Three separate environments (Development, Quality and Production) were installed in accordance with the company’s change management process. The proper connectors were defined to link the tool to the correct SAP instances.

(2) Hexadius worked together with the company’s IT security and IT application development teams to identify the various reason codes used for emergency access. Various EAM roles, which allowed users to approve emergency access requests and review emergency access sessions, were also configured and assigned according to the company’s requirements.

(3) Hexadius collaborated with the relevant departments and process owners, including the IT and Internal Audit departments, to understand the different access and SoD risks that are applicable within the covered processes and functions. Risks were documented and risk ratings were assigned and confirmed with the risk owners. The transaction codes associated with the various functions, and their corresponding authorizations, were identified and documented. Once finalized, the rulesets were uploaded into the GRC tool and tested by both the project team and the GRC users.
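The ruleset work in step (3) follows a fixed structure: business functions are defined as sets of transaction codes, and a risk is a pair of functions that no single user should hold, with a rating agreed with the risk owner. The script below is an added illustration of that structure and of the action-level analysis an ARA-style ruleset drives; it is not the company's ruleset, not SAP GRC's file format or API, and the function IDs, risk IDs, ratings and user assignments are constructed sample data (the transaction codes are ordinary SAP tcodes used only as realistic-looking input).

```python
"""Toy segregation-of-duties (SoD) analysis modelled on an ARA-style ruleset.

Constructed example. Function IDs, risk IDs, ratings and user assignments
are invented; this is not SAP GRC's ruleset format or API.
"""

# Functions: each business function lists the transaction codes that perform it.
# A user "holds" a function if they can execute at least one of its tcodes.
FUNCTIONS = {
    "AP01_MAINTAIN_VENDOR": {"FK01", "FK02", "XK01", "XK02"},
    "AP02_PROCESS_PAYMENTS": {"F110", "F-53"},
    "PR01_CREATE_PURCHASE_ORDER": {"ME21N", "ME22N"},
    "PR02_POST_GOODS_RECEIPT": {"MIGO", "MB01"},
}

# Risks: pairs of functions that must not be combined in one user, plus the
# rating confirmed with the risk owner and a description for the report.
RISKS = {
    "P001": {
        "functions": ("AP01_MAINTAIN_VENDOR", "AP02_PROCESS_PAYMENTS"),
        "rating": "High",
        "description": "Create a fictitious vendor and release payments to it",
    },
    "P002": {
        "functions": ("PR01_CREATE_PURCHASE_ORDER", "PR02_POST_GOODS_RECEIPT"),
        "rating": "Medium",
        "description": "Order goods and confirm their receipt without an independent check",
    },
}

RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def functions_for(tcodes):
    """Return the set of function IDs a user holds given their executable tcodes."""
    tcodes = set(tcodes)
    return {fn for fn, actions in FUNCTIONS.items() if actions & tcodes}


def analyze_user(user_tcodes):
    """Return the SoD violations for one user.

    Each violation is (risk_id, rating, evidence) where evidence maps each
    conflicting function to the user's tcodes that trigger it, so a reviewer
    can see exactly which assignment to remove or mitigate.
    """
    user_tcodes = set(user_tcodes)
    held = functions_for(user_tcodes)
    violations = []
    for risk_id, risk in RISKS.items():
        if all(fn in held for fn in risk["functions"]):
            evidence = {fn: sorted(FUNCTIONS[fn] & user_tcodes) for fn in risk["functions"]}
            violations.append((risk_id, risk["rating"], evidence))
    # Highest-rated risks first, so the report leads with what matters most.
    violations.sort(key=lambda v: RATING_ORDER[v[1]], reverse=True)
    return violations


def analyze_users(assignments):
    """Run the analysis over a user -> tcodes mapping; returns user -> violations."""
    return {user: analyze_user(tcodes) for user, tcodes in assignments.items()}


def highest_rating(assignments):
    """Return the most severe rating found across all users, or None if clean."""
    ratings = [v[1] for viols in analyze_users(assignments).values() for v in viols]
    return max(ratings, key=RATING_ORDER.__getitem__) if ratings else None


# Constructed sample assignments (user -> transaction codes they can execute).
SAMPLE_USERS = {
    "AP_CLERK": ["FK01", "FB60"],            # vendor maintenance only: clean
    "AP_SUPER": ["FK01", "F110", "ME21N"],   # vendor maintenance + payment run: P001
    "BUYER": ["ME21N", "MIGO"],              # purchase order + goods receipt: P002
}

if __name__ == "__main__":
    for user, viols in analyze_users(SAMPLE_USERS).items():
        if not viols:
            print(f"{user}: no SoD violations")
        for risk_id, rating, evidence in viols:
            print(f"{user}: {risk_id} [{rating}] {RISKS[risk_id]['description']}")
            for fn, tcodes in evidence.items():
                print(f"    {fn} via {', '.join(tcodes)}")
```

This is action-level analysis only: a user is flagged when they can execute a tcode from each side of a conflict. A production ARA ruleset also carries permission-level entries (authorization objects and field values) so that, for example, display-only access to a tcode does not count as holding the function; the shape of the rule data is the same, with one more level of detail under each action.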

Outcome

The engagement resulted in the successful implementation of the GRC tool with an EAM sub-module that reflects the established emergency access procedures of the company and an ARA sub-module with a risk ruleset that is relevant to the business processes covered in the project.
