Process Controls to Manage SoD Access controls
Segregation of Duties (SoD) monitoring in SAP Access Control is one of the key features of GRC Process Control Continuous Controls Monitoring (CCM). It enables the organization to monitor a specific SoD risk and address issues as they occur. Automated SoD monitoring enables management to continually review business processes for adherence to, and deviations from, the appropriate level of checks and balances on the activities of individuals, together with their intended levels of performance and effectiveness. Using Process Control functionality, SoD analysis can be run automatically at a chosen frequency, such as weekly or monthly, and any risk identified as an exception can then be mitigated. itelligence's AutomatedAccessControls.it package delivers a preconfigured set of controls for the access risks available in Access Control.
The SAP GRC Process Control design covers monitoring of all SoD risks available in Access Control. For each risk, a control is defined in the Process Control module and monitored at a specified frequency (weekly, monthly, etc.). With the help of automated access controls in the Process Control module, unauthorized access changes are detected and the resulting exceptions can be mitigated.
- Organizations can be shared between SAP GRC Process Control and SAP GRC Access Control.
- Some organization data may be shared, and other data may be specific to a single application.
- Controls may be shared between SAP GRC Process Control and SAP GRC Access Control.
- Some information is application-specific to SAP GRC Process Control or to SAP GRC Access Control.
- Access to this data is controlled by the user’s authorizations.
The package integrates with the SAP GRC Access Control (GRC AC) solution for the definition and assignment of mitigating controls that address SoD risks.
All or some of the business processes (Finance, PTP, MTD, OTC, MM, etc.) can be covered by these automated access controls.
Mandatory filters and filter values have to be defined in the business rule for the SOD integration type in the GRC Access Control and Process Control integration. These are documented in advance based on the customer's requirements and updated before the XML file is imported into the customer's GRC system.
The required filters used when defining the SOD business rule, with their meaning and corresponding values:
- Object Range table: the user names, role names or profile names for which Risk Analysis is run.
- Report Type table: the type of report for running Risk Analysis.
  - Value 1 = Action Level RA
  - Value 2 = Permission Level
  - Value 3 = Critical Action Level
  - Value 4 = Critical Permission Level
- System Range type: the systems/connectors used for running Risk Analysis.
- Object type: the entity for which RA ca
  - Value 1 = Action Level RA
  - Value 2 = User Level RA
  - Value 3 = Profile Level RA
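To make concrete what a scheduled SoD control actually evaluates, and how the report type filter above changes the outcome, here is a simplified risk analysis in the Access Control model (a risk is a set of conflicting functions, a function is a set of actions with their authorization values). This is an added illustration, not itelligence's or SAP's code; the ruleset, roles, users and authorization values are constructed sample data, and the user/role object types and the report type codes are taken from the filter description above. It goes one step beyond the text by showing why a permission-level run reports fewer exceptions than an action-level run, and how a repeated run surfaces only new exceptions.

```python
"""Simplified SoD risk analysis of the kind GRC Access Control runs and Process
Control schedules as a continuous control. Added illustration, not itelligence's
or SAP's code; ruleset, roles, users and authorization values are constructed."""

# Report types as listed above: 1 action level, 2 permission level,
# 3 critical action level, 4 critical permission level.
ACTION, PERMISSION, CRIT_ACTION, CRIT_PERMISSION = 1, 2, 3, 4

# Constructed ruleset. A function groups actions (transaction codes); each
# action lists the (object, field, value) authorization triples that make it
# effective rather than display-only.
FUNCTIONS = {
    "AP01_VENDOR_MAINT": {"FK01": {("F_LFA1_APP", "ACTVT", "01")},
                          "XK02": {("F_LFA1_APP", "ACTVT", "02")}},
    "AP02_PAYMENT_RUN":  {"F110": {("F_REGU_BUK", "FBTCH", "21")}},
}
# An SoD risk is a set of conflicting functions: an object that can run at
# least one action from every function of the risk is in violation.
RISKS = {"P001": ("AP01_VENDOR_MAINT", "AP02_PAYMENT_RUN")}
# A critical-action risk is a single sensitive action with its authorization.
CRITICAL = {"B001": ("SU01", {("S_USER_GRP", "ACTVT", "02")})}

# Constructed roles (transaction codes plus granted authorization values)
# and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK": {"tcodes": {"FK01", "XK02"},
                   "auths": {("F_LFA1_APP", "ACTVT", "01"),
                             ("F_LFA1_APP", "ACTVT", "02")}},
    "Z_AP_PAY": {"tcodes": {"F110"}, "auths": {("F_REGU_BUK", "FBTCH", "21")}},
    # Same transaction code, but only a display authorization value.
    "Z_AP_PAY_DISPLAY": {"tcodes": {"F110"},
                         "auths": {("F_REGU_BUK", "FBTCH", "03")}},
    "Z_USER_ADMIN": {"tcodes": {"SU01"},
                     "auths": {("S_USER_GRP", "ACTVT", "02")}},
}
USERS = {"ALICE": ["Z_AP_CLERK", "Z_AP_PAY"],
         "BOB": ["Z_AP_CLERK", "Z_AP_PAY_DISPLAY"],
         "CAROL": ["Z_USER_ADMIN"]}


def effective_access(name, object_type):
    """Transaction codes and authorizations of a role, or of a user as the
    union of the user's roles (the object type filter decides which)."""
    if object_type == "role":
        return set(ROLES[name]["tcodes"]), set(ROLES[name]["auths"])
    tcodes, auths = set(), set()
    for role in USERS[name]:
        tcodes |= ROLES[role]["tcodes"]
        auths |= ROLES[role]["auths"]
    return tcodes, auths


def runnable(tcode, required, tcodes, auths, level):
    """Action level only asks whether the transaction code is assigned;
    permission level also requires every authorization value of the action."""
    if tcode not in tcodes:
        return False
    return level == ACTION or required <= auths


def analyze(names, object_type, report_type):
    """Return {object: {risk_id: [conflicting actions]}} for objects in violation."""
    findings = {}
    for name in names:
        tcodes, auths = effective_access(name, object_type)
        hits = {}
        if report_type in (ACTION, PERMISSION):
            for risk, functions in RISKS.items():
                per_function = [
                    [t for t, req in FUNCTIONS[f].items()
                     if runnable(t, req, tcodes, auths, report_type)]
                    for f in functions]
                if all(per_function):  # a runnable action in every function
                    hits[risk] = sorted(t for acts in per_function for t in acts)
        else:
            level = ACTION if report_type == CRIT_ACTION else PERMISSION
            for risk, (tcode, required) in CRITICAL.items():
                if runnable(tcode, required, tcodes, auths, level):
                    hits[risk] = [tcode]
        if hits:
            findings[name] = hits
    return findings


def new_exceptions(previous, current):
    """Violations present in this run but absent from the last one: what a
    scheduled control run would raise as new issues for mitigation."""
    out = {}
    for name, hits in current.items():
        fresh = {r: a for r, a in hits.items() if r not in previous.get(name, {})}
        if fresh:
            out[name] = fresh
    return out


if __name__ == "__main__":
    users = list(USERS)
    action = analyze(users, "user", ACTION)
    print("action level:", action)  # BOB is a false positive at this level
    print("permission level:", analyze(users, "user", PERMISSION))
    print("critical action:", analyze(users, "user", CRIT_ACTION))
    print("new since last run:", new_exceptions({"ALICE": action["ALICE"]}, action))
```

The action-level run flags both ALICE and BOB for P001 because both hold the F110 transaction code; the permission-level run clears BOB, whose role carries only the display value for F_REGU_BUK, which is the usual reason a permission-level report is preferred when the control's exceptions drive mitigation work. Role-level analysis of the same data finds no violation, since the conflict only arises from the combination of roles on a user.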
AutomatedAccessControls.it delivers continuous control monitoring for SoD analysis at the desired frequency (daily, weekly, monthly, etc.), so that a risk identified as an exception during assessment can be mitigated.
- AutomatedAccessControls.it automates the access control Risk IDs of the ruleset "GLOBAL" as provided by the latest Support Package of the GRC 10.1 system.
- Job Scheduling in the GRC Process Controls system is based on the customer’s suggestion.
- Master data for the controls in AutomatedAccessControls.it is provided as part of the solution.
Milestone 1: Blueprinting
For each Risk ID, the Access Control risk data is documented and the business rules are updated with the related data source and business rule information.
Milestone 2: Implementation
The XML file updated during the Blueprinting session is then uploaded into the customer's system, and the controls master data is updated in the GRC system. The business rule is then appended to the control before the job is scheduled according to the customer's requirements.
Milestone 3: GRC Process Controls Continuous Controls Monitoring Solution Training
Includes 8 hours of training in the Dev system, covering how to build data sources and business rules in the GRC system.
Milestone 4: Documented Requirements
Includes a complete documentation of the entire project.
- SAP GRC Access Control 10.0 SoD has been configured
- AC 10.1 and PC 10.1 have been configured on the same system
- SoD input parameters have been recorded
- Regulation(s) have been created and configured
- Corporation and organizational units have been maintained
- Central process / subprocess / controls have been maintained
- Corresponding regulation(s) have been assigned to the control
- Subprocess / controls have been assigned to either the corporation or organizational unit
- GRC Access Control and Process Control should be installed on the same system landscape.
- The SOD risks in GRC Access Control have been set up.
- The SOD input parameters are known.
- All the basic and required MASTER data have been created in the GRC Process Control and
- Data source has been defined for SOD integration.
- All published pricing is estimated; actual pricing is determined during the itelligence discovery and proposal process
- The solution requires a software maintenance contract, which includes Help Desk Support and product updates
- Implementation services are not included in software pricing