Business Profile
Our client is a multi-national business operating across asset classes such as residential, hospitality, retail, commercial, and logistics and industrial properties. It implemented SAP GRC Access Control (‘AC’) alongside its SAP S/4HANA system to manage access and Segregation of Duties (‘SoD’) risks in SAP. The Access Risk Analysis (‘ARA’) module in SAP GRC AC had been implemented with minimal consideration of the client’s business requirements. The SoD ruleset is the heart of SAP GRC AC, yet the client had not changed the pre-delivered, generic SoD ruleset to address its specific business risks. The SAP GRC settings had also not been fine-tuned to deliver accurate and relevant SoD risk reports to business users. The result was disenchantment with the system, and the business was unable to address the real SoD risks it faced.
Furthermore, the Emergency Access Management (‘EAM’) module was not configured to adequately control emergency access by the SAP support team; for example, the tool could not deliver a comprehensive audit log for the reviewer.
Objective
Our client decided to rebuild business confidence in the SoD risk reports generated by SAP GRC AC by fixing the existing issues in the ARA and EAM modules and by making fuller use of the functionality SAP GRC AC provides. It further decided to use the Access Request Management (‘ARM’) module in SAP GRC AC for user access provisioning.
The key objectives of the project were as follows:
- Winning back business confidence in SAP GRC AC risk analysis reports
- Ensuring return on investment on SAP GRC AC implementation
- Cleaning up recurring SAP authorization issues to support business in addressing SAP SoD risks
- Automating SAP user access provisioning process to address SoD risks as well as increasing the efficiency in the process.
- Leveraging SAP GRC AC system to automate the periodic user access and SoD review.
Work Performed
Our client engaged Hexadius to help with this critical project. Hexadius addressed the overall objectives through three workstreams:
- Change SoD Ruleset – review the existing SoD ruleset and recommend changes to make it relevant to the client’s business risks.
- Enhance SAP GRC AC:
  - identify issues with the existing SAP GRC AC set-up and fix the ARA and EAM modules;
  - implement the ARM module to automate the forms and workflow for SAP user access provisioning for both the SAP S/4HANA and SAP GRC AC systems;
  - implement the User Access Review (‘UAR’) module in SAP GRC AC to automate the periodic access and SoD review.
- Change SAP Roles – review the SAP S/4HANA roles and change them to support adequate SoD in SAP user access.
Accordingly, Hexadius performed the following activities:
- Change SoD Ruleset – Hexadius worked closely with business process owners and financial controllers across the various entities to understand the key business process flows and, from these, the relevant SoD risks. Based on this understanding, Hexadius proposed changes to the SoD ruleset. The changes were discussed with key users as well as the internal audit and SAP functional teams, and ensured that the ruleset reflected the business risks actually faced. The Hexadius team then analyzed the technical definition of each risk (i.e., the transaction codes and authorization checks behind each function) to identify incorrect or missing technical objects. Custom transactions were also analyzed and, where applicable, added to the SoD ruleset, since a custom copy of a standard transaction is invisible to a ruleset that lists only the standard code. The final SoD ruleset was approved by the business representatives.
- Enhance SAP GRC AC – Hexadius worked with the SAP BASIS team to identify the upgrades required to the SAP HANA database and the NetWeaver platform to address various issues affecting SAP GRC AC, and installed multiple SAP GRC AC patches to fix known issues and take advantage of functionality enhancements. In addition:
  - Hexadius changed some of the default settings in the ARA module so that business users can intuitively generate accurate SoD risk analysis reports, and uploaded the revised and approved SoD ruleset to replace the old one.
  - Hexadius worked with the client’s SAP security and SAP support teams to agree controlled emergency access management procedures. Reason codes, the Firefighter ID (‘FFID’) list, FFID owners and controllers, EAM roles and related settings were redefined to ensure that the EAM module was used correctly.
  - Hexadius corrected the SAP GRC system landscape so that the SAP GRC AC system was connected to the correct SAP S/4HANA systems.
  - Hexadius conducted workshops with the SAP security team to understand the required user access provisioning process and then developed prototypes for testing and feedback. Hexadius developed enhancements to handle complex user access approval requirements, and configured the ARM module for end-to-end user access provisioning through SAP GRC AC.
  - Hexadius configured the UAR module so that user access and SoD risk analysis reports are generated automatically and reviewed by the identified reviewers.
  - Hexadius conducted multiple targeted training sessions for the various SAP GRC AC user groups to enable them to use the system effectively.
- Change SAP Roles – Hexadius worked closely with the SAP Security team, Business Process Owners and SAP Functional Support team to review the SAP roles and identify inappropriate authorizations. Hexadius also identified structural issues in the SAP role design that made it difficult to remove excessive access from business users.
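As an added illustration of what the ruleset review in the ‘Change SoD Ruleset’ step above involves (example code written for this page, not Hexadius’ deliverable and not SAP GRC’s own analysis engine), the following script evaluates a tiny SoD ruleset at user level the way ARA does: a risk is violated only when the user can execute an action (transaction code) from every conflicting function and also holds the authorization value that makes the action effective. The function IDs, risk ID, roles, users and the custom transaction ZFB60 are constructed for the example; the authorization objects F_LFA1_APP and F_BKPF_BUK are real SAP objects used purely as illustrative permission checks. It shows the two failure modes the text describes: a display-only user is correctly not reported, and a user with a custom copy of a standard transaction is missed until the custom code is added to the ruleset.

```python
"""Minimal user-level SoD risk analysis modelled on SAP GRC ARA rulesets.

Constructed example: the functions, risk, roles and users below are illustrative
and are neither SAP's delivered ruleset nor the client's data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One authorization object / field / value check (e.g. F_BKPF_BUK ACTVT 01)."""
    auth_object: str
    field: str
    value: str


@dataclass(frozen=True)
class Function:
    """A business function: actions (tcodes) plus the permission that makes them effective."""
    name: str
    actions: frozenset        # transaction codes
    permissions: frozenset    # Permission values, all required


@dataclass(frozen=True)
class Risk:
    """An SoD risk: functions that no single user should hold together."""
    risk_id: str
    description: str
    functions: tuple          # function names; all must be present to violate


@dataclass(frozen=True)
class Role:
    name: str
    tcodes: frozenset         # S_TCODE values granted by the role
    permissions: frozenset    # authorization values granted by the role


# Constructed ruleset (hypothetical function and risk IDs)
FUNCTIONS = {
    "AP01": Function("AP01", frozenset({"FK01", "FK02", "XK01", "XK02"}),
                     frozenset({Permission("F_LFA1_APP", "ACTVT", "01")})),
    "AP02": Function("AP02", frozenset({"FB60", "MIRO"}),
                     frozenset({Permission("F_BKPF_BUK", "ACTVT", "01")})),
}
RULESET = [Risk("Z001", "Maintain vendor master and post vendor invoices", ("AP01", "AP02"))]

# Constructed roles and users
ROLES = {
    "Z_AP_VENDOR_MAINT": Role("Z_AP_VENDOR_MAINT", frozenset({"FK01", "FK02"}),
                              frozenset({Permission("F_LFA1_APP", "ACTVT", "01")})),
    "Z_AP_INVOICE_POST": Role("Z_AP_INVOICE_POST", frozenset({"FB60", "MIRO"}),
                              frozenset({Permission("F_BKPF_BUK", "ACTVT", "01")})),
    # tcode present but only display activity: must not count as posting
    "Z_AP_INVOICE_VIEW": Role("Z_AP_INVOICE_VIEW", frozenset({"FB60"}),
                              frozenset({Permission("F_BKPF_BUK", "ACTVT", "03")})),
    # custom copy of FB60 that the generic ruleset does not know about
    "Z_AP_CUSTOM_POST": Role("Z_AP_CUSTOM_POST", frozenset({"ZFB60"}),
                             frozenset({Permission("F_BKPF_BUK", "ACTVT", "01")})),
}
USERS = {
    "ALICE": ["Z_AP_VENDOR_MAINT", "Z_AP_INVOICE_POST"],
    "BOB":   ["Z_AP_VENDOR_MAINT", "Z_AP_INVOICE_VIEW"],
    "CAROL": ["Z_AP_VENDOR_MAINT", "Z_AP_CUSTOM_POST"],
}


def executable_actions(roles, function):
    """Tcodes of `function` that the combined roles let the user actually execute.

    Analysis is at user level: tcodes and authorization values from all roles are
    pooled, so a conflict split across two individually clean roles is still found.
    """
    tcodes = frozenset().union(*(r.tcodes for r in roles))
    perms = frozenset().union(*(r.permissions for r in roles))
    if not function.permissions <= perms:       # permission-level check fails
        return []
    return sorted(tcodes & function.actions)    # action-level match


def analyze_user(user, functions=FUNCTIONS, ruleset=RULESET, roles=ROLES, users=USERS):
    """Return {risk_id: {function_name: [tcodes]}} for every risk the user violates."""
    user_roles = [roles[name] for name in users[user]]
    violations = {}
    for risk in ruleset:
        hits = {f: executable_actions(user_roles, functions[f]) for f in risk.functions}
        if all(hits.values()):                  # every conflicting function is executable
            violations[risk.risk_id] = hits
    return violations


def with_custom_transaction(functions, function_name, tcode):
    """Return a copy of the ruleset functions with a custom tcode added to one function."""
    f = functions[function_name]
    return {**functions, function_name: Function(f.name, f.actions | {tcode}, f.permissions)}


if __name__ == "__main__":
    for user in USERS:
        print(user, analyze_user(user) or "no violations (generic ruleset)")
    extended = with_custom_transaction(FUNCTIONS, "AP02", "ZFB60")
    print("CAROL after adding ZFB60 to AP02:", analyze_user("CAROL", extended))
```

Run as written, ALICE is reported for Z001, BOB is not (FB60 with ACTVT 03 is display only), and CAROL is clean under the generic ruleset even though she can post invoices through ZFB60; only after `with_custom_transaction` registers ZFB60 under AP02 does her violation appear. That gap is exactly why custom transactions must be mapped into the ruleset before business users can trust the reports.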
Benefit
The successful completion of the project resulted in the following benefits for our client:
- Business acceptance of the SoD ruleset and of the SoD risk violations identified by SAP GRC AC
- Enhanced and accurate SoD risk analysis reporting that can be used to remediate the identified violations
- Tighter control over user access provisioning, with business users exercising greater control over the access rights granted in the SAP system
- Freeing up the SAP team’s time from routine user access provisioning for more value-adding activities that support key business operations and challenges
- Increased efficiency, traceability and manageability through workflows
- Greater control over the use of privileged, emergency and super users
- Greater transparency for business users through multi-dimensional and multi-functional reports
- Efficient and effective governance and internal controls over user access provisioning and SoD risks in SAP systems.