SAP Authorizations and

GRC

By:
Ravi B Hemanth

1 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Objectives

 Learn how a role is built up in SAP, what role-based access is

and why it is important.
 Understand why security and Segregation of Duties (SoD) is
important in SAP.
 Understand the business value and usage of the applications
in the SAP GRC Access Control Suite.

2 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Why is security important in SAP?

 Data theft and espionage is a growing crime - several

examples where millions have been lost in damages.
 Intruders target user profiles with extended authorizations.
 Long-term damages include financial damages, image loss
declined stock, law suits and compliance violations.

3 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Figures

U.S fraud cost were $52.6 billion in 2005

Intellectual property theft costs U.S.

companies between $200 billion and $250
billion a year in sales

4 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Famous scandals

 Worldcom
 Lost $127 billion in market value.

 24 000 people lost their jobs.

 Share value $62 to $0.20 in less than 3 years.

 Enron
 Lost $ 19 billion in market value.

 5500 people lost their jobs.

5 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Who are they?

Paul Sarbanes Michael Oxley

6 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Sarbanes-Oxley (SOX)

 In 2001/2002 large US companies like Enron or WorldCom

went bankrupt.
 Their management had hidden and changed financial data
and betrayed investors.
 In 2002 The Sarbanes-Oxley Act was made law to establish
better controlling and accounting transparency.
 The strongest focus is on Internal Controls.

7 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Why SOX?

 All companies that are registred on the NYSE/NASDAQ stock

market, must be compliant with SOX.
 Massive impact for large enterprises who had to take
measures to ensure internal control.
 SOX has generated thousands and thousands of hours of
consultant work!
 There will be a similar law within EU - "Euro SOX".

10 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Segregation of Duties

 Definition:
“Key duties and responsibilities in authorizing, processing,
recording and reviewing official business transactions must
be separated among individuals to reduce the risk of error or
fraud”.
 Applied on our client:
“One person should not control all stages of a process, a
situation in which error or irregularities could occur without
detection”.

11 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SAP Security Concept for Roles and Authorizations

12 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SAP example

Materials Finance and

Management Controlling
Production
Planning
Sales and
Distribution Mr. Smith

Human
Resources

As a Financial Accountant, Mr. Smith probably has job

duties that involve accessing components of the Finance and
Controlling module (FI/CO).

13 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Transactions

 A user performs tasks in SAP by entering transaction codes.

 A transaction code is a command that takes the user to a
certain program in the SAP system.
 The term ”transaction” is usually used to refer to the
program that is run when the corresponding transaction
code has been entered.
 For example, the user enters the transaction code FB02 to
run the transaction/program that is used to change
documents in the general ledger.

14 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Example: FB02

15 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 FB02

16 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 FB02

17 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 FB02

18 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SAP Security model overview

Authorization Profiles

Composite Profile
User Master Record
or

Authorization Simple Profile

Authorization field
Authorization Object

19 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 User Master Record

Example of a User Master Record

User Name Initial User User Type Valid Dates Authorization

Password Group Profiles

21 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Profiles

Composite Profile

Simple Profile A

Allow Display access to documents

Simple Profile B

Allow Change access to documents

22 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Authorization Object

Authorization Object

23 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Authorization field

Data Dictionary
Data Element
Authorization field

Authorization Object

24 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Authorizations

Object Field Value

name

S_TCODE TCD FB02

S_TCODE
Authorization
TCD FB03 Authorization

Authorization fields

EXAMPLE: TCD
Authorization Object

EXAMPLE: S_TCODE
EXAMPLE: FB02 EXAMPLE: FB03

25 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Auth. Object check under transactions

Maintain
Transaction Activity Display
Object Company Code Company Code value

26 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 FB02

28 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Authorization check

ABAP/4 Code

AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'

ID 'BUKRS' FIELD s_bukrs
ID 'ACTVT' FIELD '02'. Authorization Object
IF sy-subrc <> 0.
MESSAGE E002(ZI) WITH text-200 s_bukrs
ENDIF.

29 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 ST01: Trace Display

30 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SAP Access Role concept
 Historically, users were given SAP access by direct
assignment of Profiles, but to facilitate a more business
oriented access management, the role layer was added.
 Roles were added as an additional abstraction level, in order
to facilitate authorization design.
 Compare to object-oriented programming instead of
programming in machine language.

31 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Hierarchy
F
A V
A
F
A V
C S
P
A F
P V
A
User S
PP A F
C V
A
MR. SMITH
S F
A
FINANCIAL ACCOUNTANT
V
U = User
GENERAL LEDGER JOURNALS MAINTAIN
FB02
C = Composite role
S = Single role F V
$TCD FB02
P = Profile $TCD FB03
$........... ……
A = Authorization object $........... ……

F = Field
$.........
$.......
$.........
A ……
……
……
$........ ……
V = Value

32 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
S_TCODE
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Profiles
 Single roles hold a 1:1 mapping towards Profiles.

User C S
P
P
S
MR. SMITH PP
C

FINANCIAL ACCOUNTANT S

GENERAL LEDGER JOURNALS MAINTAIN

33 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Single roles
 A Single Role corresponds to a Job task in the system, for
example General Ledger Journals Maintain.

User C S

S
MR. SMITH
C

FINANCIAL ACCOUNTANT S

GENERAL LEDGER JOURNALS MAINTAIN

34 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Composite roles

 A Composite Role corresponds to a Job role in reality, for example

Financial Accountant.
 All users in the SAP systems have at least one and usually several
Composite Roles assigned to them.
 A Composite Role is a predefined collection of Single Roles that have a
relation to each other, and that together give the necessary access for
the user to fulfill a certain job role.
Composite
User role

MR. SMITH
Composite
role

FINANCIAL ACCOUNTANT
(TECHNICAL NAME: RMUS_01_CCC01_FIN:0013)

35 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 PFCG: Role Maintenance

The technical name for Financial

Accountant.

36 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Single roles

37 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Display Authorization Data

38 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Display Authorization objects and values

39 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Summary
 User master records, profiles, transactions, objects etc. -
generic technical design in all SAP systems.
 Composite role/Single role concept - built-in possibilities in
SAP that is used as best practice.

 How can the role concept be used to perform Segregation of

duties?
 … to be SOX compliant?

40 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Sarbanes-Oxley (SOX) compliance and Segregation of Duties
(SoD)

41 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Sarbanes-Oxley and
Segregation of Duties
 The Sarbanes-Oxley act (SOX)
is intended to ensure the
correctness of US companies’
accounting Authori Custod Record Control
 One effect of SOX is referred zation y
to as the Segregation of
Duties (SoD) directive
 The SoD directive stipulates
that no person must control
several key steps in a
connected process
Approve Receive Enter Goods Clear
Purchase Order Goods Receipt Vendor

42 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 What is the impact of SOX and SoD on Roles and Authorizations
in SAP?

43 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Control Systems

Mandatory Access Discretionary Access Role Based Access

Control (MAC) Control (DAC) Control (RBAC)
 Access objects and  Each user is able to  Access is granted by

users classified on a pass on the assigning each user

linear security scale permissions he or she one or more access
(E.g. Level 1, Level has to other users roles
2, ...)  A user is given access  Each user is given
 If the user’s security access to the objects
to an object if he or
permission ”level” she has been given that his or her roles
exceeds that of the access to it by specify
object’s the user is another user  A user may be given

granted access to  There is commonly access either by new

that object one user with roles or by changing a
irrevocable access to role that the user
all access objects already has
Low maintenance (E.g. root, High versatility
administrator, ...)
44 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Based Access

Role Architecture Role Provisioning

 A library of roles must be built  Provisioning is the process by

and maintained which users are given new

 Principles must be established roles
and followed for the role  Slow provisioning costs

library to remain consistent money in lost productivity

SOX directives

45 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

46 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

• No role must contain internal SoD risks

- Control over several steps in a process would mean that
no user could have this role

Permissions
Enter Goods Receipt

Access Role

Permissions
Clear Vendor

47 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

Role Based Access – Design Principles

 Each access role mapped to a job role
 Global template roles define action level security – ”what”
 Locally derived roles define data level security – ”where”

48 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Roles vs. Job Roles

49 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

• An access role is a role defined in the system; a job

role is a real-world role
- An access role contains all permissions needed to
perform the tasks needed to complete the job role
- Permissions = Actions + Data Access
• Benefit: Access roles are free from internal SoD risks
(as long as job roles are)

User Access role Permissions

(e.g. a financial accountant) Financial Accountant e.g. change G/L document, post G/L document

User Access role Permissions

(e.g. a sales assistant) Sales Assistant e.g. create sales orders, change sales orders

50 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

Action level security?

Data level security?

51 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

• Action level security defines access to activities

- In SAP, actions level security can be thought of as
access to transactions
• Action level security is specified on a global level
- A financial accountant has the same access irrespectively
of in which country he or she works

Access role template Permissions

Financial Accountant TCODE: FB01

52 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

Data level security

53 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Architecture

• Data level security defines access to data

- Access to display/maintain certain company
codes, sales organizations, plants, etc.
• Locally derived roles define data access

Global Template Role

e.g. Financial Accountant_Template

TCODE: FB01
ACTVT: -
BUKRS: -

Local Role
Local Role e.g. Financial Accountant_China
e.g. Financial Accountant_Sweden
TCODE: FB01
TCODE: FB01 ACTVT: 01
ACTVT: 01 BUKRS: 6200
BUKRS: 4200

54 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

55 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

 No person must be given roles that give access to several

steps in a connected process

Segregation is possible by process or geography

Access role
Security Advisor Sweden Process
separation

Access role
Financial Accountant Sweden
OK Access role
Billing Administrator Sweden
SoD Risk

Mr. Smith Access role

OK
Billing Administrator Norway
Geographic
separation

56 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Role Provisioning

Traditional Role Based Access

 User admin team grants  Role provisioning flow
access based on line manager controlled entirely by
demands business
 Access applied for on an as-  Access applied for on a job

needed basis role basis

 User admin team responsible  Business is responsible for

for security while business is maintaining security and

trying to operate operational effectiveness

57 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

Role provisioning process

58 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

 Role provisioning flow controlled entirely by business

 Business is responsible for maintaining both security and

operational effectiveness
 Access applied for on a job role basis

Security
Application Business approval Assignment
approval

59 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

Why is a business approval needed?

60 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

 SOX requires that a valid business reason for the order must
exist

Verify that the requested role match actual personal
identity and job role

Verify that the end-user has a need to know of the
information that will be available via the role

Business approval

61 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

Security approval

62 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Provisioning

 The security approval checks that no SoD risks appear for

the user
 Verify that no SoD risks appear for the user

 Verify that user is not given access to unnecessary critical

actions (create users, change roles, etc.)

 Verify that user is not given access to display sensitive

data (financial statements etc.)

Security
approval

63 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SOX audits

64 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SOX Audits

 What SoD risks do you have?

 Do you have proof that all access is properly authorized?
 How do you ensure the consistency of your roles?
 How are sensitive activities monitored?

65 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SAP GRC Suite

66 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 VIRSA systems

 In April 2006, SAP bought VIRSA systems and started transforming the
VIRSA suite into SAP GRC
 VIRSA stands for “Versatile Innovative Risk and Security Administration”
 US company, founded in 1996
 Today more than one million end users are subject to compliance at
more than 170 customers worldwide
 Major references (Vodafone, IBM, Unilever, Panasonic, BASF, Boeing,
Burger King, Sony, Nortel, Siemens, Gillette)
 Virsa provides the only solutions that monitor and enforce business
controls in real time across enterprise systems
 Virsa is the global leader in cross-enterprise compliance solutions
 The company is privately funded with venture investment from SAP
Ventures, Kleiner Perkins Caufield & Byers, and Lightspeed Venture
Partners.

67 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 GRC Suite

68 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SAP GRC Suite overview

connection is
Online ordering tool = possible

Access Enforcer Role Expert

Access in FireFighter

SAP
Compliance Calibrator

FireFighter logs

69 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 GRC Suite

Cross Enterprise Risk Management

Enterprise Portals Risk Manager

Provisioning Superuser Fail-safe risk Role

access control prevention management
Risk Terminator Firefighter Access Enforcer Role Expert

SoD analysis, critical transaction monitoring, & preventive simulation

SAP Compliance Calibrator by Virsa Systems

70 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator

71 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator

/VIRSA/ZVRAT

72 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator

 Part of the SAP GRC Suite

 Core application of the suite
 Uses the ERP Risk Framework (within ”Rule Architect” for
SoD risk analysis of users
 SAPgui based (4.0, current version)
 Web based NetWeaver (5.2, release Q3 2007)

73 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator

 Compliance Calibrator
 Source of ERP risk framework used for all SOD analysis

 Is used to monitor users, roles, risks and mitigation

controls
 Compliance Calibrator increases visibility regarding SoD

and assists in managing risks and users

74 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator

Risk Definition

75 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator
Rule Architect

76 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator

Selection Screen (Cockpit)

77 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator

User Analysis

Risk definition 1 Risk definition 2

Function A Function B Function C

Transaction Transaction Transaction

Transaction Transaction Transaction
. . .
. . .
Risk No
risk

User X User Y

78 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Compliance Calibrator
Risk Report

79 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer

80 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:

Purpose
 Used primarily to perform segregation of duty (SoD)
analysis before roles are approved and allocated to users.
 Reduction of lead-times for roles allocation leads to
significant business improvements. The user administration
will be fully automated.
 The tool will enforce the role approval process, secure that
SoD checks are performed and that potential risks are
mitigated - all prior to role allocation.

81 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:

Business value
 Facilitate the SOX compliance from an SAP security
perspective.
 Increase the accuracy of SAP user authorizations and adhere
the GAC principles.
 Reduce maintenance costs for the SAP user administration.
 Reduce lead-times for roles allocation - leads to significant
business improvements.
 Reduce security audit costs for SAP environments.

82 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Access Enforcer:

User administration process

 The purpose of a User Administration Process is to

assign/remove roles from SAP user accounts.
 An online ordering tool and Access Enforcer ensure that the
proper approval for every request is done and that all
assigned roles are compliant to the security policy.

83 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:

Order process

All orders for access to IT applications are managed via

a tool for ordering online.

84 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:
Requests for approval
 The first approver in the workflow receives the requests that
was ordered in the online ordering tool.

85 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access
Roles Enforcer:
included in the order

86 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:
Risk Analysis

 When the approver clicks Risk Analysis, Access Enforcer runs

an analysis on the user's current roles in combination with
the new roles that were ordered.
 In fact, Access Enforcer makes a call to Compliance
Calibrator, where the SoD risk framework is stored.
 Compliance Calibrator runs the analysis and returns the
result.

87 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:
Risk Analysis result

The risks are listed with a

Risk ID, Risk Description
and Status.
88 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 SoD risk: FB01 and ME21

89 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:

Risk simulation

 Now we can uncheck Financial Accountant and Simulate the

risks without that role.

90 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Access Enforcer:
Risk Analysis result

91 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Expert:
First approval step finished

93 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 What is Role Expert?

 Tool for documenting roles and authorizations.

 Web based application.
 Automates creation and management of role definitions.
 RE enforces (sve. upprätthåller, genomdriver) best practice
to ensure that role definitions, development, testing and
maintenance is consistent through the implementation.

94 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Expert functionality

 Track progress during role implementation.

 Monitor the overall quality of the implementation.
 Perform risk analysis at role design time.
 Set up a workflow for role approval.
 Provide an audit trail for all role modifications.
 Maintain roles after they are generated to keep role
information current.

95 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Expert:
Search screen

Enter TMUS*. (Technical

name for single roles in
the system called MUS).

96 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Expert:
Search results

97 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Expert:
Role definition

98 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Expert:
Add transactions

99 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Role Expert:
Company mapping

100 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 FireFighter

101 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 FireFighter

102 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
 Summary
SAP uses a complex structure The Sarbanes-Oxley act (SOX)
to manage authorizations: imposes requirements on
 Fields companies’ management of
 Objects roles and authorizations:
 Profiles  Segregation of Duties (SoD)
 Roles  Business approvals
 Audit trails

Role Based Access (RBAC) is To manage compliance SAP

required to fulfil the roles offers the GRC Suite:
and authorization  Compliance Calibrator (SoD)

requirements of large  Access Enforcer (Role

organizations: provisioning)
 Globally governed role  FireFighter (Critical access)

architecture  Role Expert (Role

 Business controlled role architecture)
provisioning
103 Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding
any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.