User's Manual RAR


Page 1: User's Manual RAR

7/21/2019 User's Manual RAR

http://slidepdf.com/reader/full/users-manual-rar 1/20

User Manual Risk Analysis & Remediation

It is one of the components in SAP GRC that provides the risk analysis, detection, and remediation solution for access and authorization control.

In the screenshot below you have the home page for SAP GRC RAR, where you are able to see the tabs for the different types of activity to be performed.

Users have associated work in the Mitigation and Informer tabs.

Major Functions Of RAR:

RAR provides the ability to perform several major functions:
• Determine and report if there are any risks associated with a group of actions or permissions and a User, Role, or Profile.
• Determine and report if any risks will be introduced by simulating the addition of actions, Roles, or Profiles to a User ID. This powerful feature effectively prevents new risks from being introduced into your production environment.
• Easily create, maintain, and manage the Risks used to generate Rules.
• Apply Controls to mitigate any Risk associated with a User, Role, or Profile.
• Alert the appropriate monitor when conflicting or critical actions are used, or a control is assigned to mitigate a risk.
• Alert the appropriate manager when activity monitoring is not performed.


SAP Security Check Sequence:

1. R/3 user logs into SAP.
2. Executes transactions.
3. SAP programs are called.
4. Security routines identify the authorization objects and required values.
5. Values in the SAP program are matched to the values in the security authorization.
6. Access granted.

Risk Analysis:

A Risk is defined as two or more actions that, when available to a single user, role, profile, or HR Object, create the possibility of error or irregularity. There are thousands of action combinations that can be categorized as Risks. Risks can also be defined by different combinations of permissions associated with specific actions.

Purpose: When you run a Risk Analysis or a Simulation, you generate reports presenting different types of information. You may generate reports presenting risks or conflicts, or the use of critical actions, by the User, Role, Profile, or HR Object you included in the analysis. By generating these reports you can identify the Risk and either remove it or apply a Control.

Mitigation:

Purpose: Once you have run a Risk Analysis and have identified any Risks associated with a User or Role, you may want to limit or monitor the Risk rather than remove its cause. Mitigation Controls give us the ability to associate controls with Risks, so they can be applied to Users and Roles identified as violating SODs during Risk Analysis. You also define monitors and approvers, assign them to specific controls, and create Business Units to help categorize our Mitigation Controls.

The Mitigation tab allows us to mitigate certain risk violations that you want to remain available to specific users or roles. This is done by creating and assigning a Mitigation Control. A Mitigation Control performs the following functions:

• Identifies the Segregation of Duties (SOD) as a known Risk.
• Establishes a period of time during which the Risk may exist (is monitored).


• Associates a list of Monitors with the Control. Only Monitors associated with a Control definition may be selected when mitigating a Risk.

Prerequisites to configure Mitigation:
o Administrator
o Business Units

The Administrator option allows us to create and maintain Approvers, Monitors and Risk Owners. Users who need to perform these functions must be maintained in this Administrator screen in order to be available in subsequent screens.

Administrator ID: FBD_M004
Full Name: Supratip Narayan Roy
Email: [email protected]
Role: Monitor


Search Administrator:
Menu Path: Go to Mitigation Tab → Administrator → Select the role you want to search → Search.

Now you can view and edit the created Administrator by selecting it and clicking the Change button.

Business Unit: Establishing Business Units allows you to categorize your Mitigation Controls. When you define Mitigation Controls, you categorize them by assigning each one a specific Business Unit. This enables us to limit the Controls available to the Business Units specified in a RAR Role definition.

Creation of Business Unit:


1. The Business Units option expands to Create and Search. Click Create and the Define Business Unit page appears.
2. In the Business Unit ID field, enter a unique alphanumeric identification for the business unit.
3. In the Description field, enter a short description of the business unit.
4. In the Approver tab, click the Plus icon to add a new Approver ID and their full name.
5. In the Monitor tab, click the Plus icon to add a new Monitor ID and their full name.

Note: Approvers and Monitors must be set up using the Administrator pane before they can be assigned to Business Units.

6. Click Create.

After creation you can search for it and make any amendment if required.


Clicking the Search button takes you to the page shown below, where you have the Change and Delete options.

Mitigating Controls: When you define a Mitigation Control you create a Mitigation Control ID. This Control ID appears in various Risk Analysis reports.

Defining a Mitigation Control includes associating the Risk IDs that are mitigated by the control. Roles are then mitigated against the Risk IDs associated in the Control definition.

Creation of Mitigating Control:
1. Menu Path: Go to Mitigation Tab → Mitigation Controls → Create


2. In the Mitigating Control ID field, enter a unique alphanumeric identifier of at most 10 characters for the mitigating control ID.
3. In the Description field, enter a short description of the mitigating control ID.
4. In the Business Unit drop-down menu, select the desired business unit. The drop-down menu displays the business units that you created using the Business Units option.
5. In the Management Approver drop-down menu, select the desired approver. The drop-down menu displays the approvers that are associated with the Business Unit entered in Step 4.

6. In the Associated Risks tab, click the Plus icon to add Risk IDs to the mitigating control; each Risk ID should be entered followed by * as shown in the screenshot below. The Associated Risks tab is used to associate Risk IDs with the Mitigation Control. Only Risk IDs associated with a Control can be used to mitigate a Risk.


7. In the Monitors tab, click the Plus icon to add monitors to the mitigating control as shown in the screenshot above. The Monitors tab is used to associate Monitors with the Mitigation Control.

Note: Approvers and Monitors must be set up using the Administrator pane before they can be assigned to Business Units.

8. Click Save.

To search a Mitigating Control:
1. The Mitigating Controls option expands to Create and Search. Click Search and the Search Mitigating Controls page appears.

Note: During your search, use any of the fields in the Search Mitigating Controls page as search criteria. After entering data in any field, click Search.

2. In the Mitigating Control ID field, click the Search icon to search for a mitigating control ID.
3. In the Description field, enter a short description of the mitigating control.
4. In the Business Unit field, click the Search icon to search for a business unit.
5. In the Management Approver field, enter the approver's user ID for the mitigating control you want to search.
6. In the User ID field, click the Search icon to search for a user ID.
7. In the Role field, click the Search icon to search for a role.
8. In the Monitor drop-down menu, select the desired monitor.
9. In the Risk ID field, click the Search icon to search for a risk ID.


10. In the Valid From and Valid To fields, click the Calendar icon to define the time range during which the mitigation control mitigates a user/role.
11. In the Status drop-down menu, select the desired status (All, Enable, Disable).
12. Click Search.

Mitigation of Roles:

Search for the mitigation control ID under which the risk ID exists for which you want to mitigate the specific roles, then select the control ID and click the Change button as shown in the picture below.


Now select the risk under which you want to put the mitigated roles and click the Mitigate Roles button as shown in the picture below.

After clicking Mitigate Roles you will be directed to the page shown below, where you click the Add button to add the roles you want to mitigate.

After clicking the Add button you will be directed to the page shown below, where you search for the role as shown in the screen below.


Click on the Role name → select the system → paste the role name → click the Search button; the role is listed. Click Select → enter the risk ID followed by a star (*) → select the monitor ID → save the data.

So this specific role has now been mitigated.

Informer:


RAR provides detailed compliance analysis for enterprises. RAR software allows enterprises to examine every aspect of their complex Enterprise Resource Planning (ERP) system and to implement internal controls. The data gathered in each analysis is made available for immediate viewing in an exceptionally wide range of predetermined and user-modified reports. These reports are accessible through the Informer tab.

Informer tab report types include:
• Management View
• Risk Analysis
• Audit Reports
• Security Reports
• Background Job

You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels.

Management View

The following reports are accessed from the Management View menu:
• Risk Violations
• Users Analysis
• Role Analysis
• Comparisons
• Alerts
• Rules Library
• Controls Library

Each item in the Management View category includes at least one of the following interactive, graphical displays:
• Pie Chart
• Bar Chart

After selecting report parameters for any Management View report type, click Go to show the selected information in the graphical display. Drill down further into the information for each display by clicking anywhere on the pie chart, or by clicking the chart labels for the bar and line charts. Drilling down further allows you to view:
• Risk IDs and descriptions for each severity level (critical, high, medium, low).
• Detailed information for each Risk Description.
• Change History for each Risk.
• Conflicting functions that are causing the Risk.
• Detailed information for each conflicting function.
• Change History for each function.


Risk Violation report under Management View:

In the screenshot above you are able to see all the risk violations by process, for example IC Order to Cash and IC Financial Accounting. On the right side you can see the bar chart; clicking on it shows the further report of risk violations corresponding to each Risk.

To see an individual risk violation, click on the risk ID; the detailed risk violation is shown as in the screenshot below.


Role Analysis under Management View:

Role Analysis features identify SoD violations among the roles and profiles that have been assigned to users. These roles and profiles include typical responsibilities such as payroll, accounts payable, and finance.

Menu Path: Go To Informer → Management View → Role Analysis

1. From the Cal. Month/Year drop-down menu, select a date. This is the date range set in SAP.
2. From the System drop-down menu, select the system for which you would like to collect SoD data.
3. From the Analysis Type drop-down menu, select an analysis type.
4. From the Violation Count By field, select either Risk or Permission.
5. Press Go.

Note: Most management reports will want counts at the Risk level, which shows the number of conflicts at the highest level. If Risk is selected, a user is counted only once against the risk regardless of how many occurrences the user has. If Permission level is selected, a user may count for multiple violations within a risk, because they have several actions which allow them to perform a specific function.
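The Risk-versus-Permission counting rule in the note above, worked through on constructed data as an added example that is not the manual's or SAP's code. The rule set, roles, users and transaction codes are invented; action level treats any assignment of a transaction as a hit, permission level also requires the granted authorization values, and "count by Permission" is modelled here as one count per conflicting action pair, which is one reading of the note.

```python
"""SoD risk analysis on constructed data: action vs permission level, counted by Risk or Permission."""
from collections import defaultdict

# Constructed rule set with placeholder IDs (not RAR's delivered rules). A function is a set
# of actions (transactions), each with the permission values needed to actually execute it.
FUNCTIONS = {
    "AP01": {"FK01": {"ACTVT": {"01"}}, "FK02": {"ACTVT": {"02"}}},  # maintain vendor master
    "AP02": {"F-53": {"ACTVT": {"01"}}, "F110": {"ACTVT": {"01"}}},  # post vendor payments
}
RISKS = {"P001": ("AP01", "AP02")}  # a risk is a pair of conflicting functions

# Constructed assignments: user -> roles, role -> action -> granted permission values.
USER_ROLES = {"JSMITH": ["Z_AP_MASTER", "Z_AP_PAY"], "AJONES": ["Z_AP_MASTER"]}
ROLE_AUTHS = {
    "Z_AP_MASTER": {"FK01": {"ACTVT": {"01", "02"}}, "FK02": {"ACTVT": {"02"}}},
    "Z_AP_PAY": {"F-53": {"ACTVT": {"03"}}, "F110": {"ACTVT": {"01"}}},  # F-53 display only
}


def user_auths(user):
    """Merge the authorizations of every role assigned to the user."""
    merged = defaultdict(lambda: defaultdict(set))
    for role in USER_ROLES.get(user, []):
        for action, fields in ROLE_AUTHS[role].items():
            for field, values in fields.items():
                merged[action][field] |= values
    return merged


def function_hits(user, func, level):
    """Actions of `func` the user can reach: at action level having the transaction is
    enough, at permission level every required value must also be granted."""
    auths = user_auths(user)
    hits = []
    for action, required in FUNCTIONS[func].items():
        if action not in auths:
            continue
        granted = auths[action]
        if level == "action" or all(required[f] <= granted[f] for f in required):
            hits.append(action)
    return hits


def analyze(user, level="permission"):
    """Return {risk_id: [(action of function A, action of function B), ...]} per violated risk."""
    violations = {}
    for risk_id, (func_a, func_b) in RISKS.items():
        pairs = [(a, b) for a in function_hits(user, func_a, level)
                 for b in function_hits(user, func_b, level)]
        if pairs:
            violations[risk_id] = pairs
    return violations


def violation_count(user, level="permission", count_by="Risk"):
    """'Risk': the user counts once per violated risk. 'Permission': once per conflicting
    action pair, so the same risk can count several times for one user."""
    found = analyze(user, level)
    return len(found) if count_by == "Risk" else sum(len(p) for p in found.values())
```

Running it on the constructed data shows the note's point: JSMITH counts once for P001 by Risk at either level, but four times by Permission at action level and twice at permission level, because F-53 is granted for display only.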


In the screenshot above we are able to see:
o the number of roles with no violations, along with the %.
o the number of roles with violations, along with the %.

On the lower right side we can see the bar chart of Roles and Users. By clicking on Roles we can see the further report, which shows the detailed report of Process, Risk Level and No. of violations corresponding to each risk, as shown in the screenshot below.

If you click any of the risks, the system takes you to the screen below, where you can view the detailed report including the relevant functions and other required parameters, as shown in the screenshot below.


You can see the change history as well by clicking the Change History button, which shows the Risk Change History report as in the screenshot below.

Risk Analysis

Risk Analyses are run to see if any User, Role or Organization has access to two or more conflicting actions. When two or more actions are determined to be conflicting, the combination of those actions is defined as a Risk. Risks define Rules, also known as SoDs.

When you run a Risk Analysis, any existing SoDs are reported for each User, Role or Organization included in the analysis.

Menu Path:


Informer → Risk Analysis → Role Level

As shown in the screenshot above, when doing the role-level risk analysis you have to select some parameters.

System: Select the system for which you want to run the role-level risk analysis, for example the ECC Quality system.
Role: If you want to see a report specifically for a role, enter the role name and run the job.
Risk by process: Risks are defined under several processes. So when doing the risk analysis we have to choose the process for which we want to view the role-level analysis, for example IC Order to Cash.
Risk ID: If you want to see a report specifically for a risk, enter the Risk ID and run the job.
Risk Level: There are four Risk Levels: Critical/High/Medium/Low. While defining a risk we choose one of these risk levels. So if a risk analysis is required for a specific risk level, we have to select that level and run the risk analysis.
Rule Set: While creating a risk, one rule set is assigned. Among the several rule sets, select the rule set for which you want to run the role-level risk analysis.

Report Type

There are six report types, each of which can be formatted in several ways.
• Action Level SoD reports: Generating this report type produces a list of SoDs at the action level.
• Permission Level SoD reports: Generating this report type produces a list of SoDs at the permission level.
• Critical Actions reports: Generating this report type limits the list to the Critical Actions available. Critical actions are defined under the Rule Architect tab.
• Critical Permissions reports


• Critical Roles/Profiles reports: Generating this report type lists only the Critical Roles and Profiles associated with the User, Role or Organization. This report does not list any risks.
• Mitigation Control reports: Generating this report type lists the valid Mitigation Controls assigned to the User, Role or Organization included in the analysis.

Choosing a Report Format: You can choose one of four report formats for the six report types described above:

1. Summary: This report format lists the combination of conflicting actions that produce the risk in one line item.
2. Detail: This report format lists each Risk as a single line item, displays the Risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down further by clicking the risk to view more detailed information, including conflicting functions.
3. Management Summary: This report format lists each Risk as a single line item, displays the Risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down further by clicking the risk to view more detailed information, including conflicting functions.
4. Executive Summary: This report format lists each risk as a single line item and displays the total number of conflicting actions producing the Risk.

After selecting all the required parameters, run a background job as shown in the screenshot above:

• Give the Background Job a name.
• Select an Immediate start or schedule a Delayed start for the Background Job.
• If you choose to schedule a delayed start, set the date and time for the job to begin.
• If you would like to run the Background Job more than once, tick the Schedule Periodically check box and then set the schedule parameters.
• Click Schedule. You will see a message at the bottom of the page that includes a Job ID number if the Background Job was scheduled successfully.

Search background job:
Menu Path: Informer → Background Job → Search → enter the Job ID and click the Search button.

The search takes us to the screen below, where we can see the details of the report.

Select the job for which you want to see the detailed report and use the buttons below. The buttons are as follows:

Show Job History: shows the job history as in the screenshot below.


View Log: shows each step of the job. If any error occurs during execution of the job, it can be analyzed from this View Log.