on 03-05-2014 9:04 AM
Hi Experts,
There are several requirements from our client on the reports... please suggest the possibility in GRC 10.0 for the below points mentioned.
1. A quarterly report of users with SAP_ALL / SAP_NEW access, and is there any way to send this report via workflow on a quarterly basis?
2. If our assignment is outside of GRC, then an immediate alert to Risk Owners for all high-risk SoD assignments.
3. An exception report for assignments made outside GRC (e.g. not automated via ARM).
4. A weekly report for any changes to access for users with SAP_ALL / SAP_NEW access, sent via workflow.
Please suggest asap.
Thanks,
Sriram
Dear Sriram,
I will try to give you some feedback and suggestions on how to deal with such situations. I do not know a 100% solution for your cases but would like to share my ideas.
1: For access review you can use the User Access Review workflow which is a standard workflow and can be used to review authorization.
2: What does that mean? If you want to monitor potential risks when they are executed you can use the Alert functionality.
3: I am not sure if you have the possibility to have this triggered by GRC. An idea is to use the risk analysis, which can be scheduled on a daily/weekly basis to check if you have new risks. Another idea is to use the SOD Risk Review workflow, also triggered on a periodical basis.
4: Also here you can use the SOD Risk Review or User Access Review workflow. Define SAP_ALL as critical profile and run reports for critical profiles only.
Hope this gives you an overview of what can be used. Others might have better/other ideas.
Regards,
Alessandro
Hi Sriram,
Basically the functionality that you require in point 3 is not really available in Access Control but is part of the Process Control module. It is pretty easy to set up a control that triggers a workflow in PC whenever SAP_ALL is assigned or removed. Change Log reports are a very strong feature of PC.
Look for GRC 10.0 Continuous Monitoring SoD Monitoring in SAP marketplace.
Hi Colleen,
When I schedule the job "Generates data for access request UAR review" I do have several fields to select as criteria. Among others the connector ID, user ID, etc. as well as the role name, but not the profile name nor the role type. When I search in the role name for a role I find all our roles, but when I search for SAP_ALL I don't find anything.
My basic intention is a UAR only for critical roles and profiles.
Regards,
Eva
4: Also here you can use the SOD Risk Review or User Access Review workflow. Define SAP_ALL as critical profile and run reports for critical profiles only.
Alessandro - I don't see an option to run SOD Risk Review on critical profiles. Could you please give more details on how you can do that?
Regards,
Raghu.
Hi Sriram
We did setup the critical Role/Profile functionality to monitor who has access to critical profiles like SAP_ALL in all the target systems connected to our GRC. The job is scheduled on a daily basis and the Compliance team would monitor the results as part of continuous monitoring.
Also, as one of the other members already mentioned, a rule can be written in PC to monitor it.
Regards
Sarada
Hi Raghu
Sorry for not replying earlier. What I have done is set the Critical Roles/Profiles as per our business requirement and scheduled it as a job in GRC. The GRC Admin reviews the results on a daily basis, and right now I did not see the capability to spool or to set up an alert when there is an assignment of these roles/profiles to a user.
Probably need to look at a custom report to extract this information directly from the GRC tables.
Regards
Sarada
Hi,
I went through all the above replies and your answers. The original question was to automate these reports. Presently, I do not have access to GRC, so I cannot confirm if UAR can give Profile SAP_ALL/SAP_NEW assignments.
But PC (AM) can be set up to find out the assignment of these profiles to users.
Similarly, for assignments made outside of GRC, PC (AM) can be used to filter the users.
Regards
Plaban
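To make Sarada's "custom report from the GRC tables" and Plaban's "filter the users assigned outside of GRC" concrete, here is an added reconciliation example (not code from any poster or from SAP). It assumes you have already extracted two inputs: the target system's profile change documents, and the ARM request log; the sample rows, the GRC technical user name GRC_RFC and the request IDs are constructed for illustration.

```python
from datetime import date, timedelta

# Profiles treated as critical, as the thread suggests for SAP_ALL / SAP_NEW.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample data (not from the thread): profile assignment changes as
# extracted from the target system's change documents.
# Fields: user, profile, action, changed_by, changed_on
CHANGES = [
    ("JDOE",   "SAP_ALL",   "ADD",    "GRC_RFC", date(2014, 3, 3)),  # provisioned by GRC
    ("ASMITH", "SAP_NEW",   "ADD",    "BASIS01", date(2014, 3, 4)),  # manual, covered by a request
    ("BLEE",   "SAP_ALL",   "ADD",    "BASIS02", date(2014, 3, 5)),  # manual, no request at all
    ("CWONG",  "Z_DISPLAY", "ADD",    "BASIS02", date(2014, 3, 5)),  # not a critical profile
    ("DKIM",   "SAP_ALL",   "ADD",    "BASIS01", date(2014, 3, 1)),  # request approved only later
    ("JDOE",   "SAP_ALL",   "REMOVE", "GRC_RFC", date(2014, 3, 7)),  # removal, still in weekly report
]
# Constructed ARM request log: request id, user, profile, approval date
REQUESTS = [
    ("REQ-100", "ASMITH", "SAP_NEW", date(2014, 3, 2)),
    ("REQ-101", "DKIM",   "SAP_ALL", date(2014, 3, 6)),
]
# Technical user IDs GRC uses to provision into the target system (assumed name).
GRC_TECHNICAL_USERS = {"GRC_RFC"}


def outside_grc_exceptions(changes, requests, grc_users, critical=CRITICAL_PROFILES):
    """Critical-profile assignments neither made by GRC itself nor backed by an
    ARM request approved on or before the assignment date (thread point 3)."""
    approved = {}
    for _req_id, user, profile, approved_on in requests:
        approved.setdefault((user, profile), []).append(approved_on)
    exceptions = []
    for user, profile, action, changed_by, changed_on in changes:
        if profile not in critical or action != "ADD" or changed_by in grc_users:
            continue
        if any(when <= changed_on for when in approved.get((user, profile), [])):
            continue  # a request approved in time explains this assignment
        exceptions.append((user, profile, changed_by, changed_on.isoformat()))
    return exceptions


def weekly_critical_changes(changes, week_start, critical=CRITICAL_PROFILES):
    """All adds and removals of critical profiles in the 7 days from week_start
    (thread point 4), sorted by date for the weekly report."""
    week_end = week_start + timedelta(days=6)
    return sorted(
        (changed_on.isoformat(), user, profile, action)
        for user, profile, action, _by, changed_on in changes
        if profile in critical and week_start <= changed_on <= week_end
    )
```

Run weekly, the first function gives the exception list for the Compliance team and the second the change report; both can be written to a file that a workflow step mails to the Risk Owners.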
Hi Colleen,
Presently we do not have GRC. We are provisioning the users and roles manually. After GRC implementation, if any provisioning happens outside of GRC we need to have a security alert/report.
We are also taking care not to give SU01 & PFCG role generation authorization to Security admins.
But the Audit team is showing interest in having this report.
Please suggest...
Thanks,
Sriram
Hi Sriram
"After GRC implementation, if any provisioning happens outside of GRC we need to have a security alert/report."
Why not make your GRC implementation include locking SU01 assignments down to GRC CUP or EAM only?
For CUP, you could configure workflow notification or approval and deal with it before it is assigned. For EAM you would have a log report and send it to the FF Owner to review.
In both cases you could search requests/logs to identify the SAP_ALL and have evidence. Alessandro also made some good points.
It is really going to come down to what your process and design is.
Regards
Colleen
Hi Sriram
For questions 3 and 4, why are you provisioning access outside of GRC CUP? If absolutely necessary, why not manage it via EAM? You would then have log review to justify why.
Regards
Colleen