I recently moderated a web forum with James Roeske of Savera Systems on preventing SoD violations with scheduled and automated user access reviews. James took questions on timelines for implementing automated user access reviews, the logging capabilities of SAP BusinessObjects Access Control, how automated user access reviews affect organizational dynamics, and other topics.
For the full Q&A, you can view the questions and James's responses in the Compliance Forum, or read excerpts from the transcript of the Q&A below.
Allison Martin (moderator): Welcome to today's forum on Access Control and User Access Reviews (UARs).
This is a great opportunity to ask James Roeske your questions on developing scheduled User Access Reviews to protect your SAP systems, based on his extensive experience with SAP BusinessObjects Access Control. James is a compliance expert, a featured speaker at our GRC conferences, and President at Savera Systems.
James, thank you for joining us today!
James Roeske: Thank you Allison for the opportunity to answer questions on this very important compliance topic.
Marko Suswanto: Howdy, James,
I would like to know, could you share with us a brief strategy on how to perform scheduled and automated user access/SoD reviews using GRC10 with the following conditions:
1. Your client resides in multiple locations and each location could have a different organization structure. CMIIW, can we use multiple rulesets for this?
2. Your client's IT environment still runs an old application which doesn't have the role management feature. Could it be possible to perform scheduled and automated user access/SoD reviews using GRC10?
Thank you and looking forward to hearing your opinion.
James Roeske: Hello Marko,
Thank you for the question. Unfortunately I have not had a customer implement UAR in GRC 10 up to this date. As a result I will be addressing the configuration details about 5.3 in this session and the general concept of performing User Access Reviews within Access Controls.
But, I'm in the process of updating my UAR presentation material to include detailed GRC 10 insight. I hope to be presenting on this topic and other GRC 10 related content at the GRC 2012 conference. Hope to see you there.
nancyrotfort: James –
Are automated user access reviews performed at the role level only?
Also - what modules of GRC do you need to have installed?
James Roeske: Hello Nancy, thanks for the questions!
Yes, UARs are performed at the role level, which allows your approvers to decide if they should retain individual roles assigned to their user master record.
If you are a GRC Access Control 5.3 customer you most likely have all 4 modules installed already, even if you are not using them all. But for UAR to operate it requires RAR, ERM, and CUP to all work together for the User Access Review process. Most customers are not using ERM, but don't worry, there is very minimal configuration required in ERM just to activate the User Access Review part.
Allison Martin (moderator): James, a question that came up during one of your recent presentations, was how long does it typically take to set up and implement an automated UAR? Can you provide some insight into this?
James Roeske: Allison, one of the benefits of utilizing UAR in Access Controls is that it can be set up relatively quickly, so a customer can start getting some ROI faster.
The timing of how quickly the customer can get up and running does depend on a few factors:
1. Do they already utilize CUP and have some of the base workflow configuration knowledge and technical post-installation tasks already completed?
2. Are they already using ERM and have the base configuration such as landscape and connectors configured?
3. Do they already have a manual UAR process established that will be automated using GRC Access Controls, or are we starting from scratch to develop a brand new business process for access reviews which will need to be designed and approved within the company?
Bottom line is that the technical aspect of configuring UAR is relatively easy, especially if the foundation of configuration is already there and a customer is already using RAR and CUP (ERM has the smallest amount of configuration required). Most of the time on the project is spent on process design and testing to make sure everything is working the way you want before you start sending out hundreds if not thousands of emails and workflow items for a company-wide User Access Review.
At our latest customer we were able to take them into production with UAR in a 4-week period which consisted of process design, configuration, testing and go live support for a company wide User Access Review.
Do you have any tips to perform UAR's at org level? Would this be something that makes sense to do?
We are also investigating setting up our mitigating controls at org level - is this activity very high maintenance ongoing?
Thanks in advance.
James Roeske: Hello,
"Org Level" topics seem to be a hot area of discussion with customers lately. Could you please expand on your current Org level structure and what you are thinking about doing? This will help me better understand your situation before I try to give any advice. I especially have a lot of passion around the topic of mitigations since many customers are not using them effectively, nor maintaining them properly long term.
MaryTesterman: Hello James,
What is the best way to approach user access reviews when you do not have GRC or any other software designed for this purpose?
Marko Suswanto: Hi, Mary,
Great question. I have found many situations like this and I am trying to find out how we perform user/role remediation without using GRC or any other software designed for this purpose.
James Roeske: Hello Mary,
Well, back in the "Old Days" I used to do this process manually because automated tools didn't exist back then. Long story short, yes, it is very possible to do this manually BUT it involves a lot of time and effort to do it right. As a result a lot of companies find it too overwhelming and never really are able to do it in an effective way.
If you look at my PowerPoint presentation that is downloadable in this session you will see the steps I used to take to do this manually, which involved a lot of downloading from SUIM reports, ST03N for usage, and building some very elaborate spreadsheets to put it all together. Plus hundreds of emails I sent to managers and business owners to get their feedback. (See slide 5 of the ppt.)
Long story short, there are many pitfalls and weaknesses in trying to do it manually which Auditors are not willing to overlook anymore. As a result I strongly suggest you look into an automated mechanism like GRC UAR, it will save you a whole bunch of time, effort, and potential audit issues.
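The manual process James describes (SUIM user-to-role export, ST03N usage, a spreadsheet that joins them and flags what each manager should look at) can be reproduced in a few dozen lines, as an added example that is not part of the forum transcript and is not Savera's or SAP's code. All input data is constructed: the `Z_` role names, the role-to-transaction map, the manager assignment and the usage counts are assumptions standing in for the SUIM and ST03N exports, and the SoD ruleset is a toy transaction-level pair check, a simplification of the authorization-object-level analysis RAR performs.

```python
from collections import defaultdict

# Constructed sample data standing in for SUIM / ST03N exports (not real SAP output).
USER_ROLES = [
    # (user, role, reviewing manager)  -- all hypothetical
    ("JSMITH", "Z_AP_INVOICE_ENTRY", "MGR_FIN"),
    ("JSMITH", "Z_AP_PAYMENT_RUN", "MGR_FIN"),
    ("JSMITH", "Z_HR_ADMIN", "MGR_FIN"),  # left over from an earlier job in HR
    ("AKHAN", "Z_AP_INVOICE_ENTRY", "MGR_FIN"),
    ("MLEE", "Z_HR_ADMIN", "MGR_HR"),
]

# Role content: which transactions each (hypothetical) role grants.
ROLE_TCODES = {
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_HR_ADMIN": {"PA30", "PA40"},
}

# ST03N-style usage for the review period: user -> {transaction: executions}.
USAGE = {
    "JSMITH": {"FB60": 120, "F110": 4},
    "AKHAN": {"FB60": 300, "MIRO": 50},
    "MLEE": {"PA30": 80},
}

# Toy SoD ruleset: rule id -> (description, function A tcodes, function B tcodes).
# A user who can execute something from both sides is in conflict.
SOD_RULES = {
    "AP01": ("Enter vendor invoice AND run payments", {"FB60", "MIRO"}, {"F110"}),
}


def roles_of(user):
    return [role for u, role, _ in USER_ROLES if u == user]


def user_tcodes(user):
    """All transactions reachable through the user's assigned roles."""
    tcodes = set()
    for role in roles_of(user):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def unused_roles(user):
    """Roles none of whose transactions were executed in the review period."""
    used = set(USAGE.get(user, {}))
    return [r for r in roles_of(user) if not (ROLE_TCODES.get(r, set()) & used)]


def sod_conflicts(user):
    """Rule ids violated by the user's combined role assignments."""
    have = user_tcodes(user)
    return [rid for rid, (_, side_a, side_b) in SOD_RULES.items()
            if have & side_a and have & side_b]


def roles_in_conflict(user, rule_id):
    """Which of the user's roles contribute to a given conflict (shown to the reviewer)."""
    _, side_a, side_b = SOD_RULES[rule_id]
    return sorted(r for r in roles_of(user)
                  if ROLE_TCODES.get(r, set()) & (side_a | side_b))


def build_review():
    """One review item per (user, role), grouped under the responsible manager."""
    review = defaultdict(list)
    for user, role, manager in USER_ROLES:
        flags = []
        if role in unused_roles(user):
            flags.append("NOT_USED_IN_PERIOD")
        for rid in sod_conflicts(user):
            if role in roles_in_conflict(user, rid):
                flags.append(f"SOD:{rid}")
        review[manager].append({"user": user, "role": role, "flags": flags})
    return dict(review)


if __name__ == "__main__":
    for manager, items in build_review().items():
        print(f"Review items for {manager}:")
        for it in items:
            print(f"  {it['user']:<8} {it['role']:<22} {', '.join(it['flags']) or 'ok'}")
```

With this data JSMITH's stale Z_HR_ADMIN role is flagged as unused, and the pair of AP roles is flagged under rule AP01 so the manager sees both halves of the conflict, not just one. What the script cannot give you is what James points to as the audit gap: an approval record with who decided what and when, and an enforced removal of what was rejected. That is the part the spreadsheet-and-email approach leaves to discipline, and the part a workflow engine like CUP records for you.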
Marko Suswanto: Hi James,
Regarding the audit issues, when you conducted user access/role remediation, there must have been a number of role changes and authorization changes.
Auditors sometimes ask for logs of these changes. Can we have these change logs in GRC UAR (old and new value, date, created by or approved by)?
James Roeske: Hello Marko:
One thing to keep in mind is that the GRC UAR process only focuses on reviewing Role assignments to user accounts. This is not a mechanism for reviewing Role content such as Auth objects and Values.
As you know most Managers and Role owners are not security savvy enough to understand security auth objects. Rather they are providing insight into the question "are these the right roles for my staff to perform their jobs" or "James no longer works in HR, therefore why do they need the HR Admin role anymore".
Marko Suswanto: Hello, James,
So, are there any logs in GRC UAR for user assignment, changes, creation or deletion?
James Roeske: Hello Marko,
Yes, there are significantly detailed logs that are generated during the UAR process. Not to mention the complete CUP "Informer" reports that are both graphical and analytical, showing all approvals and provisioning activities. It will give you an insight and level of detail around reporting that is nearly impossible to achieve with a manual process and error-prone spreadsheet and email processes.
Jeffery Wolf: Is there a technical limitation for performing UARs across a mixed landscape (ABAP vs. Java -- i.e., SRM portal, GTS ABAP, BPC)? And if not, where would we find documentation to perform a mixed landscape review?
James Roeske: Hello Jeffery,
The GRC UAR process is primarily able to access the standard ABAP User to Role security structure which unfortunately does not align with the Java world or org chart relationships that are being used in CRM for access purposes.
If this is a major requirement for you, I would suggest you speak with the SAP partner Greenlight -- they provide SAP with all "Non-SAP" connectors and may be able to also help bridge the UAR gap to Java systems as well.
Marko Suswanto: Hello James,
Just to make it clear, if we have Greenlight technology and GRC UAR integrated, we could perform scheduled and automated user access review, CMIIW.
James Roeske: Hello Marko,
To clarify, Greenlight can help bridge the gap to utilize information from non-SAP ABAP systems. If you are focused on performing UAR against (example) your R/3 systems then GRC Access Control is all you need.
SusanStapleton: Hi Marko,
Greenlight does support UAR and SOD reviews for non-SAP applications or non-ABAP SAP applications.
Dave Hannon: James,
Does automating UARs change the organizational dynamics of who performs the UARs or makes decisions based on the UARs?
James Roeske: Hello Dave,
This really depends on your current process, and who is currently your Access Review approvers. One of the great things about GRC UAR is that it leverages CUP (Compliant User Provisioning) as the workflow engine in version 5.3. As a result, you have a fair amount of flexibility in getting different groups of people involved for different stages of the approval process.
The 2 primary groups of people that GRC UAR is built around (as a first-level approval) are Managers and Role Owners. In the config you need to determine which approach you will be following. If the Manager or Role Owner concepts differ from your current UAR approach then yes, it might be time to assess or augment your current processes to better align with the automated functionality of UAR.
Allison Martin (moderator): Thanks to all who posted questions and followed the discussion!
A full summary of all the questions will be available here in the Compliance Forum and the Compliance Group on Insider Learning Network. I encourage you to join these groups for ongoing information and additional resources, including a recent podcast with James on this topic. And of course, I invite you to our annual GRC 2012 conference. The US conference is already scheduled for Las Vegas, March 13-16, 2012.
And finally, thank you to James Roeske of Savera Systems for taking the time to respond to these questions.
James Roeske: Thank you Allison for the opportunity to participate! And a BIG thank you to everyone for your insightful questions.
If you have any additional questions around UAR functionality or are thinking this might be a right fit for your organization to start implementing I can be reached at the following:
James E. Roeske
President - Savera Systems
Toll Free: +1 877 260-5706
Canadian Office: +1 403 995-9204
International Mobile: +1 510 270-5557