
GRC Report for SAP_ALL

Former Member
0 Kudos

Hi Experts,

There are several requirements from our client on the reports. Please suggest the possibility in GRC 10.0 for the points mentioned below.

1. A quarterly report of users with SAP_ALL / SAP_NEW access, and is there any way to send this report via workflow on a quarterly basis?

2. If our assignment is outside of GRC, then an immediate alert to Risk Owners for all high-risk SoD assignments.


3. An exception report for assignments made outside GRC (e.g. not automated via ARM)

4. A weekly report for any changes to access for users with SAP_ALL / SAP_NEW access, sent via workflow

Please suggest asap.

Thanks,

Sriram

Accepted Solutions (1)

alessandr0
Active Contributor
0 Kudos

Dear Sriram,

I will try to give you some feedback and suggestions on how to deal with such situations. I do not know a 100% solution for your cases but would like to share my ideas.

1: For access review you can use the User Access Review workflow, which is a standard workflow and can be used to review authorizations.

2: What does that mean? If you want to monitor potential risks when they are executed, you can use the Alert functionality.

3: I am not sure if you have the possibility to have this triggered by GRC. An idea is to use the risk analysis, which can be scheduled on a daily/weekly basis to check if you have new risks. Another idea is to use the SOD Risk Review workflow, also triggered on a periodical basis.

4: Also here you can use the SOD Risk Review or User Access Review workflow. Define SAP_ALL as critical profile and run reports for critical profiles only.

Hope this gives you an overview of what can be used. Others might have better/other ideas.

Regards,

Alessandro

Former Member
0 Kudos

Hi Sriram,

Basically, the functionality that you require in point 3 is not really available in Access Control but is part of the Process Control module. It is pretty easy to set up a control that triggers a workflow in PC whenever SAP_ALL is assigned or removed. Change Log reports are a very strong feature of PC.

Look for "GRC 10.0 Continuous Monitoring SoD Monitoring" in the SAP marketplace.

Former Member
0 Kudos

Dear Alessandro,

How do I realise what you are referring to in your answer to question 1?

In the UAR workflow I can select roles, but I haven't found a possibility to select profiles.

Thank you in advance for your feedback and best regards,

Eva

Colleen
Advisor
0 Kudos

Hi Eva

In GRC a non-generated profile (e.g. SAP_ALL) is still a role, but the role type is profile. You would not see generated profiles in the selection list.

Are you saying that you cannot see any of the standard profiles in the UAR?

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

When I schedule the job "Generates data for access request UAR review" I do have several fields to select as criteria, among others the connector ID, user ID, etc., as well as the role name, but not the profile name nor the role type. When I search in the role name for a role I find all our roles, but when I search for SAP_ALL I don't find anything.

My basic intention is a UAR only for critical roles and profiles.

Regards,

Eva

Former Member
0 Kudos
"4: Also here you can use the SOD Risk Review or User Access Review workflow. Define SAP_ALL as critical profile and run reports for critical profiles only."

Alessandro - I don't see an option to run SOD Risk Review on critical profiles. Could you please give more details on how you can do that?


Regards,

Raghu.

Answers (3)

Former Member
0 Kudos

Hi Sriram

We did set up the critical Role/Profile functionality to monitor who has access to critical profiles like SAP_ALL in all the target systems connected to our GRC. The job is scheduled on a daily basis and the Compliance team monitors the results as part of continuous monitoring.

Also, as one of the other members already mentioned, a rule can be written in PC to monitor it.

Regards

Sarada

Former Member
0 Kudos

Sarada - Does this job generate a spool? Does the compliance team get a notification email once results are ready for them to review? Can you give more details on how this is monitored?

Your response is much appreciated.

Regards,

Raghu.

Former Member
0 Kudos

Hi Raghu

Sorry for not replying earlier. What I have done is set the Critical Roles/Profiles as per our business requirement and scheduled it as a job in GRC. The GRC Admin reviews the results on a daily basis, and right now I did not see the capability to generate a spool or to set up an alert when there is an assignment of these roles/profiles to a user.

Probably we need to look at a custom report to extract this information directly from the GRC tables.

Regards
Sarada

plaban_sahoo6
Contributor
0 Kudos

Hi,

I went through all the above replies and your answers. The original question was to automate these reports. Presently, I do not have access to GRC, so I cannot confirm if UAR can give profile SAP_ALL/SAP_NEW assignments.

But PC (AM) can be set up to find out the assignment of these profiles to users.

Similarly, for assignments made outside of GRC, PC (AM) can be used to filter the users.

Regards

Plaban

Former Member
0 Kudos

Hi Colleen,

Presently we do not have GRC. We are provisioning users and roles manually. After GRC implementation, if any provisioning happens outside of GRC, we need to have a security alert/report.

We are also taking care that Security admins do not have SU01 and PFCG role generation authorization.

But the Audit team is showing interest in having this report.

Please suggest...

Thanks,

Sriram

Colleen
Advisor
0 Kudos

Hi Sriram

"After GRC implementation, if any provisioning happens outside of GRC, we need to have a security alert/report."

Why not make your GRC implementation include locking SU01 assignments down to GRC CUP or EAM only?

For CUP, you could configure workflow notification or approval and deal with it before access is assigned. For EAM you would have a log report and send it to the FF Owner to review.

In both cases you could search requests/logs to identify the SAP_ALL assignments and have evidence. Alessandro also made some good points.

It is really going to come down to what your process and design is.

Regards

Colleen

Colleen
Advisor
0 Kudos

Hi Sriram

For questions 3 and 4, why are you provisioning access outside of GRC CUP? If absolutely necessary, why not manage it via EAM? You would then have a log review to justify why.

Regards

Colleen