
Archive

Category: SAP GRC

Initiator:  The first step in the workflow process; the initiator starts the workflow. Sample initiators are creating a new request, changing an existing request, terminating a user account, locking a user account, reactivating a user account, etc. There may be more initiators depending on the industry or process.

Stage:  A step in the workflow process at which an approval is required. When the request reaches this point it does not go any further without approval. A stage can also have an action to be performed; if the stage requires an SOD check, you can force the SOD check to happen at that stage. Examples of stages are Role Owner, SOD Approver, Role Approver, Site Approver, etc.

Path:  The grouping of stages, in a specific order, that completes the approval process for a particular initiator. For example, unlocking a user follows a different path than creating a new user.

OneAccess-UserManager also helps you manage the complex documenting, testing, process control, and sign-off requirements mandated by Sarbanes-Oxley sections 302, 404, and 409

Selva Kumar

Vice President- SAP Practice

OneAccess-UserManager for SAP

SAP Certified-Powered by Netweaver

http://www.softsquare.biz/oneaccess/

selva@softsquare.biz

Phone: 1 877 717 5487

Automate and Meditate

  1. Does a user currently get multiple single or composite roles, or one job-based composite role? In other words, is your current user provisioning user based or job based?
  2. The current workflow process followed in the company, and how exceptions are processed.
  3. The different tasks that can start the workflow process (initiators): new request, change of role, adding a new role, removing a role, changing location, temporary access, locking users, etc.
  4. The different stages in the workflow process for getting approval. Example stages are Site Supervisor, Role Owner, Functional Lead, Training Coordinator, SOD Approver, etc.
  5. The details you need to capture in the user request form. Some of the attributes could be Employee/Contractor/Intern, Site Location, Department, Title, etc.
  6. Is the end user's login information captured by manually entering the data, by upload, or from SAP HR or LDAP?
  7. Approval of the SOD check and mitigation or remediation. Can a user be provisioned in the backend system with an SOD conflict?
  8. The amount of time a request can wait with one approver before it is escalated to the next approver.
  9. Can you create sample predefined template users who can be copied?
  10. Always keep it simple in the first round.
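The initiator, stage and path definitions above, together with checklist items 7 (SOD check at a stage) and 8 (escalation time), can be made concrete in a small model. The following is an added example written for this page, not product code from OneAccess-UserManager or SAP GRC; the stage names, approver ids, the single SOD rule and the 48-hour escalation window are constructed assumptions.

```python
"""Toy model of the access-request workflow described above: initiators,
stages and paths, with a forced SOD check and approver escalation. Added
illustration, not product code; stage names, approver ids, the SOD rule and
the 48-hour escalation window are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Stage:
    name: str                       # e.g. ROLE_OWNER, SOD_APPROVER
    approver: str                   # who must act at this stage
    force_sod_check: bool = False   # run the SOD check when the request arrives
    escalate_after: timedelta = timedelta(hours=48)  # wait before escalation


@dataclass
class Request:
    request_id: str
    initiator: str                  # NEW_USER, UNLOCK_USER, ...
    requested_roles: list
    submitted: datetime
    sod_violations: list = field(default_factory=list)
    history: list = field(default_factory=list)


# Paths: the ordered stages each initiator must pass through.
PATHS = {
    "NEW_USER": [
        Stage("SITE_APPROVER", "site.lead"),
        Stage("ROLE_OWNER", "role.owner"),
        Stage("SOD_APPROVER", "sod.team", force_sod_check=True),
    ],
    "UNLOCK_USER": [Stage("SITE_APPROVER", "site.lead")],
}

# Constructed SOD rule set: each entry is a pair of roles that conflict.
SOD_RULES = [frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"})]


def sod_check(roles):
    """Return the conflicting role pairs contained in the requested roles."""
    requested = set(roles)
    return [sorted(pair) for pair in SOD_RULES if pair <= requested]


def process(request, decisions, now):
    """Walk the request along the path for its initiator.

    decisions maps a stage name to {"by": approver, "decision": APPROVE|REJECT,
    "at": datetime, "mitigation": optional control id}. Returns APPROVED,
    REJECTED, PENDING:<stage> or ESCALATED:<stage>.
    """
    arrived = request.submitted          # when the request reached this stage
    for stage in PATHS[request.initiator]:
        if stage.force_sod_check:
            request.sod_violations = sod_check(request.requested_roles)
        decision = decisions.get(stage.name)
        if decision is None:
            # Nobody has acted yet: wait here, or escalate once the window passes.
            if now - arrived > stage.escalate_after:
                request.history.append((stage.name, "escalated"))
                return f"ESCALATED:{stage.name}"
            return f"PENDING:{stage.name}"
        if decision["by"] != stage.approver:
            raise PermissionError(f"{decision['by']} may not act at {stage.name}")
        if decision["decision"] == "REJECT":
            request.history.append((stage.name, "rejected"))
            return "REJECTED"
        # An SOD stage cannot approve past a violation without a mitigation.
        if stage.force_sod_check and request.sod_violations and not decision.get("mitigation"):
            request.history.append((stage.name, "blocked: unmitigated SOD violation"))
            return f"PENDING:{stage.name}"
        request.history.append((stage.name, "approved"))
        arrived = decision["at"]
    return "APPROVED"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 8, 9, 0)
    req = Request("REQ-1", "NEW_USER", ["AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"], t0)
    decisions = {
        "SITE_APPROVER": {"by": "site.lead", "decision": "APPROVE", "at": t0 + timedelta(hours=2)},
        "ROLE_OWNER": {"by": "role.owner", "decision": "APPROVE", "at": t0 + timedelta(hours=5)},
    }
    print(process(req, decisions, t0 + timedelta(hours=6)), req.sod_violations)
    print(process(req, decisions, t0 + timedelta(days=3)))
    decisions["SOD_APPROVER"] = {"by": "sod.team", "decision": "APPROVE",
                                 "at": t0 + timedelta(hours=7), "mitigation": "MC-0001"}
    print(process(req, decisions, t0 + timedelta(hours=8)), req.history)
```

The point of the model is the two controls the text asks for: the SOD stage is the only place that can let a conflicting request through, and only when the approver records a mitigating control, and a request that sits with one approver longer than the stage's window is reported as escalated rather than silently waiting.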


Problem:  Provisioning user access in SAP systems takes a lot of time, and there are manual handoffs between approval and user provisioning in the SAP system. Improper SAP user management can create the following problems:

  1. Audit failures against the documenting, testing, process control, and sign-off requirements mandated by Sarbanes-Oxley sections 302, 404, and 409
  2. Lost productivity and wasted resources
  3. Throwing money at the problem

Example:  A user joins the company as a new employee, and it takes time to get access to the various SAP systems

Tool Information:  Workflow-based automation, so the manual process can be eliminated and approvals can be tracked and verified

Implementation:   Can be at the organizational level or centrally managed

Implementation Strategies:

  1. Approval of access should be at the department or organizational location level
  2. The approvals should be periodically reviewed by the audit group
  3. All approvals should be at the local organizational level, except for some highly sensitive roles

Advantages:

  1. Approvals can be properly managed and tracked
  2. Audits will be passed with 100 % confidence
  3. Resources can work efficiently and save project cost
  4. Quick access to systems for end users

Caution: The tool should not be used as a substitute for poor job-to-role mapping


Problem:  Requirements for mapping transactions to roles are not captured, and change management is not properly maintained

  1. Audit failures against the documenting, testing, process control, and sign-off requirements mandated by Sarbanes-Oxley sections 302, 404, and 409
  2. Lost productivity and wasted resources
  3. Throwing money at the problem

Example:  Transactions or roles added or removed without approval and testing

Tool Information:  Workflow-based automation, so the manual process can be eliminated and approvals can be tracked and verified

Implementation:   Changes initiated locally but approved globally

Implementation Strategies:

  1. Local site SAP security power users should be trained so they can act as the first level of defense when a user has questions about whether they need access to a certain transaction or role
  2. Role changes should be initiated at the organizational level and approved at the global level, since adding a transaction to a role is a global change
    1. The approvals should be periodically reviewed by the audit group

Advantages:

  1. Many security errors can be avoided, as users may not be aware of the new business process
  2. Audits will be passed with 100 % confidence, as the designed roles will match what is in SAP
  3. Resources can work efficiently and save time and money
  4. Changes will be processed, and responsibility can be assigned to the appropriate group

Caution: The tool should not be used as a substitute for poor job-to-role mapping


Information GRC Tool:  SAP Process Control, 50,000-foot view

Problem:  Once mitigation controls are in place, auditors need a tool that warns them about violations of any of those controls

Tool Information:  The GRC Process Control tool lets you centralize control management by embedding automated controls into your cross-enterprise business processes. You can move away from manual control activities and address critical business risks with automated controls.

Implementation:

Advantages:

  1. Centralize business process control to attain visibility
  2. Automate control processes to improve efficiency and reduce costs
  3. Validate the compliance of your operations to meet regulatory standards
  4. Reduce the audit effort required to ensure compliance

Example: An auditor can track all overpaid invoices from one location


Problem:  Giving a user extra access for a limited time.

Example: A user wants to open a period in production but only needs that access once a month. The user calls the help desk for additional access. The additional access is then given, but there is no insight into what the user actually did. There is also additional cost in manually assigning the access to the user.

Tool Information:  The Firefighter tool lets the user have additional access for a limited amount of time and also logs the access.

Implementation: New roles are created with the additional access and linked to a select group of users.  The user is added in the Firefighter tool and assigned a supervisor.  This enables the supervisor to get an email when the user uses the additional access through Firefighter.  The user can be enabled for the access for a limited time or for longer.

Implementation Strategies:

  1. Enabling access to Firefighter should be assigned to the functional team so the decision-making process rests with knowledgeable people
  2. The logs should be reviewed by functional leads and the audit group so they can analyze how often the access is used. This analysis can reveal whether the transaction should be added to the user's current roles or remain in the Firefighter role
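The log review in strategy 2 can be scripted against a log export. The following is an added example written for this page, not a report from the Firefighter tool: the pipe-separated log format, the sample sessions, the user ids and transaction codes, and the "four uses in a month" threshold are all constructed assumptions, and the verdicts are input to the functional lead's review, not a decision.

```python
"""Review of Firefighter usage logs, as an added example. The log format
(timestamp|firefighter id|user|transaction|reason), the sample lines and the
per-month threshold are constructed assumptions, not product settings."""
from collections import defaultdict
from datetime import datetime

# Constructed log export: one Firefighter session step per line.
SAMPLE_LOG = """\
2024-01-31 17:05|FF_FI01|jdoe|OB52|open posting period for January close
2024-02-29 16:40|FF_FI01|jdoe|OB52|open posting period for February close
2024-03-29 17:10|FF_FI01|jdoe|OB52|open posting period for March close
2024-03-04 09:12|FF_SD01|msmith|VA02|correct pricing on order 4500001
2024-03-06 10:30|FF_SD01|msmith|VA02|correct pricing on order 4500017
2024-03-11 11:02|FF_SD01|msmith|VA02|
2024-03-13 14:45|FF_SD01|msmith|VA02|correct pricing on order 4500042
2024-03-19 08:55|FF_SD01|msmith|VA02|correct pricing on order 4500058
2024-03-26 15:20|FF_SD01|msmith|VA02|correct pricing on order 4500071
"""


def parse_log(text):
    """Parse pipe-separated lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        stamp, ff_id, user, tcode, reason = parts
        entries.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
            "ff_id": ff_id, "user": user, "tcode": tcode, "reason": reason.strip(),
        })
    return entries


def monthly_usage(entries):
    """Count uses per (user, tcode) per calendar month: {(user, tcode): {month: n}}."""
    usage = defaultdict(lambda: defaultdict(int))
    for e in entries:
        usage[(e["user"], e["tcode"])][e["when"].strftime("%Y-%m")] += 1
    return {key: dict(months) for key, months in usage.items()}


def recommend(entries, per_month_threshold=4):
    """Flag (user, tcode) pairs used at least per_month_threshold times in any month.

    Such pairs are candidates for the user's standard role, subject to the
    functional lead's review; everything else stays emergency-only.
    """
    result = {}
    for key, months in monthly_usage(entries).items():
        peak = max(months.values())
        result[key] = ("CANDIDATE_FOR_STANDARD_ROLE" if peak >= per_month_threshold
                       else "KEEP_IN_FIREFIGHTER")
    return result


def missing_reasons(entries):
    """Sessions without a documented reason: the supervisor must follow up."""
    return [(e["when"].isoformat(), e["user"], e["tcode"])
            for e in entries if not e["reason"]]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    usage = monthly_usage(log)
    for key, verdict in recommend(log).items():
        print(key, verdict, usage[key])
    print("sessions without a reason:", missing_reasons(log))
```

On the sample data, jdoe's monthly period opening stays in Firefighter (emergency use with a documented reason each time), while msmith's six order corrections in one month are flagged for the functional lead to decide whether VA02 belongs in the standard role; the session logged without a reason is listed separately for the supervisor.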

Advantages:

  1. Emergency access can be properly managed and tracked
  2. Additional access can be provided to certain users who act as backups
  3. Production support and pre-go-live trouble ticket calls can be reduced
  4. Can be used as a mitigating control

Caution: The tool should not be used as a substitute for poor SAP security role design.


Organizational rule functionality can be used to eliminate false positives based on organizational-level restrictions. This functionality can only be used where the customer can clearly segregate a user's functions by organizational level.

A customer may have central processing centers where a team member is allowed to both process vendor invoices and create AP payments. Normally, this would be a high-risk conflict.

However, the central processing centers have specifically segregated their team members so that they cannot perform these two functions for the same organizational levels.

For example, the central processing center has segregated access so that a user who can enter vendor invoices for plants PL01 or PL02 cannot process payments for company code 1000 (since plants PL01 and PL02 belong to company code 1000). In this example, the decision was made to deal with the conflict by segregating the organizational level of access. So for this risk, the organizational level can remove false-positive conflicts.

Word of Caution: This technique should be used very carefully, as you are now relying on specific object values.  When roles change, those changes could introduce object values that remove these controls.
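The plant and company code example above, and the caution that follows it, can be shown as a check that first evaluates the risk at function level (the naive rule that produces the false positive) and then at organizational level. This is an added example written for this page, not the organizational rule logic of SAP GRC or of any product: the plant-to-company-code mapping, the authorization field names, the users and the use of "*" as the full-wildcard value are constructed assumptions. It also covers the caution: a role change that adds a plant, or a payment role built with the wildcard, brings the conflict back.

```python
"""Organizational-level evaluation of the invoice-entry / payment SOD risk,
as an added example. The enterprise structure, field names, users and the
'*' wildcard convention are constructed assumptions."""

# Constructed enterprise structure: the company code each plant belongs to.
PLANT_TO_COMPANY_CODE = {"PL01": "1000", "PL02": "1000", "PL03": "2000"}
ALL_PLANTS = set(PLANT_TO_COMPANY_CODE)
ALL_COMPANY_CODES = set(PLANT_TO_COMPANY_CODE.values())


def expand(values, universe):
    """Resolve an authorization value list; '*' grants every org value.
    Values outside the known structure are dropped, since they cannot be mapped."""
    return set(universe) if "*" in values else set(values) & set(universe)


def function_level_conflict(auths):
    """The rule without org levels: both functions present means a conflict."""
    return bool(auths.get("invoice_entry_plants")) and bool(auths.get("payment_company_codes"))


def org_level_conflict(auths):
    """Company codes in which the user can both enter invoices and run payments."""
    plants = expand(auths.get("invoice_entry_plants", []), ALL_PLANTS)
    invoice_company_codes = {PLANT_TO_COMPANY_CODE[p] for p in plants}
    payment_company_codes = expand(auths.get("payment_company_codes", []), ALL_COMPANY_CODES)
    return sorted(invoice_company_codes & payment_company_codes)


def role_change_reintroduces_conflict(before, after):
    """True when a role change turns a clean org-level result into a conflict;
    this is the regression the caution above warns about."""
    return not org_level_conflict(before) and bool(org_level_conflict(after))


def evaluate(auths):
    """Both views of the risk for one user's effective authorizations."""
    return {"function_level": function_level_conflict(auths),
            "org_level": org_level_conflict(auths)}


# Constructed users. The clerk matches the scenario above: invoices for
# PL01/PL02 (company code 1000), payments only for company code 2000.
CLERK = {"invoice_entry_plants": ["PL01", "PL02"], "payment_company_codes": ["2000"]}
# The same clerk after a role change added plant PL03 to the invoice role.
CLERK_AFTER_CHANGE = {"invoice_entry_plants": ["PL01", "PL02", "PL03"],
                      "payment_company_codes": ["2000"]}
# A payment role built with the wildcard value instead of explicit codes.
WILDCARD_PAYER = {"invoice_entry_plants": ["PL01"], "payment_company_codes": ["*"]}


if __name__ == "__main__":
    for name, user in [("clerk", CLERK), ("clerk after change", CLERK_AFTER_CHANGE),
                       ("wildcard payer", WILDCARD_PAYER)]:
        print(name, evaluate(user))
    print("role change reintroduced conflict:",
          role_change_reintroduces_conflict(CLERK, CLERK_AFTER_CHANGE))
```

For the clerk, the function-level rule reports a conflict while the organizational-level rule reports none, which is the false positive the organizational rule removes. Adding PL03 to the invoice role, or granting payments with "*", makes the org-level conflict real again, which is why the check belongs in the role change approval path and not only in a one-time cleanup.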


Legal Notice

Copyright Notice

Original author(s) retain their own copyright(s). Original content is Copyrighted © by Home4SAP.com. Any original home4sap.com content may be freely redistributed or posted in part or in full with full attribution to the original post, through a direct link to the original post.

Pursuant to Title 17 U.S.C. 107, other copyrighted work is provided for educational purposes, research, critical comment, or debate without profit or payment. If you wish to use copyrighted material from this site for your own purposes beyond the 'fair use' exception, you must obtain permission from the copyright owner.

Legal Disclaimer

This site is not affiliated with, endorsed by, nor operated in conjunction with SAP, any of its affiliates, subsidiaries, partners or those who have a direct relationship with the company. For more information from SAP, please visit the company site at: http://www.sap.com/

Please note, all articles, submissions, or other information that does not come directly from SAP is opinion and suggestion. In practice, actual results, or particular tasks and steps may vary depending on your unique situation or circumstances.

The author reserves the right to correct, update, alter, modify, or remove any articles or other content on the site as circumstances may warrant. No warranty or guarantee of any kind, express or implied, is offered for any information contained within this site. You must carefully consider any actions you take within the context of the specific situation and circumstances of the environment you are applying them.
