Thanks Sri. What is included in the ticket? Are certain mandatory information, like Sec.Manager approval prior to development, SOD scan results, impact analysis, etc? Are all details contained in the ticket?

I agree it is uphill battle here. Probably they will settle for bare minimum logging. But I need to advise them what is such a bare minimum. I wonder if others have worked in a place like this.

Yes, A few things that go in as attachments are as below.

1. SOD Results - To make sure the role itself is violations free.

2. Approval from Role Owners (If they exist) - Else Security Manager Approval for Change

3. Functional Consultant - Test Results and Subsequent Approval to move changes to PRD.

Apart from this initial while raising the ticket we make sure the SU53 screen shots and the procedure to replicate the issue are clearly mentioned in the ticket, This helps in resolution and makes it easier to decide if the issue is a Bug fix or a new change.

So Bugfixes follow Incident -Ticket route and New changes follow a Change Request Route.

~Sri

The ticket should contain the observation for the request, troubleshooting done so far & why the change was suggested needs to be documented ( including the SU53 and trace log if applicable ). The rest have been duly referred by Sri.

Regards,

Dipesh.

Thank you everyone.

I will certainly suggest they use a ticket for every change, and populate the free-form text with standard information like what was presented here. I'm still not sure how they are going handle projects.

@Julius: I think your idea about auditing roles for quality during build & maintenance is excellent... but practically, how have you seen this done? My client amazingly has a situation where transports are automatically imported into QAS after release, so it's not even possible to apply a check gate such as "approved for QAS by Security Manager". I am struggling to find a way to control the work of all the security developers (who are spread around the world) to provide this kind of useful oversight. Can you offer some suggestions based on your experience?

@Shrinivasan: I wish we could implement GRC10 or ERM.. But that would take months and $$$ and I want to help these people now... thanks for mentioning it though.

The problem is that lots of chickens make lots of $h!t and no one has time to go checking all roles all the time.

So together with a colleague of mine we built a ABAP tool which we use on our projects to keep an eye on the roles for all sorts of naughty things and optimization opportunities. It can also be run as a job and there is a BAdi in the CTS (Stms & Co.) from which you can run checks (such as this or code scans) when someone attempts to release a transport with a role(s) in it. This also helps to keep the sequence of the role transports correct when releasing them.

We are currently looking into making a public version of it freely available. You can see this at TechEd in Madrid next week already if you are there.

Cheers,

Julius

The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
> 
> Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management).
> 
> Workflow based, staged process with approvals.

The theory is nice

> PFCG transaction usage will be curtailed to minimum if implemented fully.

I will believe it when I see it.

> @all:
> a) do you guys use custom approval workflows for roles?
> b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role? 
> c) who is a friend of GRC here, raise your hand
> 
> Cheers Otto
> p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

Hi Otto

a) I've not used this for a long time (I once worked on a project where a custom solution was used). I can see the benefits in some situations.

b) That really depends on the client. Some have lots (especially the FDA and SOX mandated clients), others have much leaner (but not necessarily less effective) processes. Much if it depends on the company culture, the support organisation and the ownership and approval model.

c) GRC has it's place & I am definitely a fan. However I make the big caveat that you can do good and effective security without the use of a toolset (it will just take longer to do some things).

One way of dealing with this is that the developers only release their tasks and the request itself is then only approved and released afterwards.

I will keep you posted. The TechEd presentations are normally made available on SDN (at least they were in the past).

Cheers,

Julius

One way of dealing with this is that the developers only release their tasks and the request itself is then only approved and released afterwards.

hmmm... that works for wricef developers, but security team could just modify their own role in dev or temporarily assign a role to themselves and bypass any restriction. unlike wricef team, they will have pfcg and su01. probably would never get detected in dev either.

There are change documents and timestamps and audit logs.

When confronted with a "you are not authorized" message, most people also "get it".

If folks such as security admins still hobble the security, then they either:

- have to deal with an emergency, or

- are intentionally breaking the rules (and the system probably as well).

In the first case they should document it. In the second case you eventually fire them...(hence auditors and tools to scan systems).

Cheers,

Julius