on 02-04-2016 8:32 AM
Hello guys,
Recently I've stumbled over the following situation. SAP GRC presents an efficient way to automate and streamline administration tasks while keeping auditing efforts in a centralized state.
At the same time, this "centralization" leads to a transfer and creation of new risks within the SAP GRC System.
Sure, the standard security guide provided by SAP lists all authorization objects and roles existing in the SAP GRC System.
What I am missing, though, is some kind of complete documentation covering all risks resulting from GRC-related transactions and authorization objects, as well as SOD conflicts, especially in the Access Control Module.
I appreciate any reference provided on handling this matter.
Regards, Andreas
Hi Andreas,
My Internal Audit team just categorized the GRC system as a SOX system because of Firefighter. This means that I need to report the sensitive access risks and SODs, just like with ECC, so I'm in the same situation.
First, GRC 10.X is the same ABAP platform as ECC. Therefore, you can scan for the same Basis/IT SOD and Sensitive Access risks that you look for in ECC. This is simple - just add the GRC system to the Logical Groups for Basis Ruleset, generate rules, and run the reports. However, this will only catch the pre-defined Basis risks.
Unfortunately there are no pre-defined GRC-related SOD/SA risks, so you would have to build them. I can help you get started with some personal observations:
So, I think the objects mentioned above should be included in new Sensitive Access risks (Critical Action). As far as SOD segregation, it's up to you to figure out which abilities should not be granted together for a single user. I would suggest that only 1 person have #3, or that the #3 ability be placed in a Firefighter account only. I would also suggest that you prevent someone from having #2 and #1 together, because they could designate someone as a FF owner, another person as a FF controller, and then also make the FF assignments to users. Also prevent #5 for any user altogether, and place sensitive Basis abilities within a Firefighter account for the GRC system itself.
Good Luck!
-Ken
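As an added example (not code from this thread, and not SAP's own tooling), here is a small Python checker that implements the three kinds of custom rules Ken describes: critical (sensitive) actions, SOD pairs that must not meet in one user, and holder limits ("nobody" or "only one person"). The ability names and the user-to-ability extract are constructed stand-ins, since the numbered list (#1 to #5) is not reproduced in the post.

```python
# Rule catalogue following the answer above: critical (sensitive) actions,
# SOD pairs that must not meet in one user, abilities nobody should hold,
# and abilities restricted to a single holder. Ability names are constructed
# stand-ins; the post numbers them (#1..#5) but the list is not reproduced.
CRITICAL_ACTIONS = {
    "DESIGNATE_FF_OWNER", "DESIGNATE_FF_CONTROLLER", "ASSIGN_FF_TO_USER",
    "MAINTAIN_GRC_RULESET", "CHANGE_FF_LOG_CONFIG",
}
SOD_CONFLICTS = [
    ({"DESIGNATE_FF_OWNER", "ASSIGN_FF_TO_USER"},
     "designates FF owners and also assigns FF IDs to users"),
    ({"DESIGNATE_FF_CONTROLLER", "ASSIGN_FF_TO_USER"},
     "designates FF controllers and also assigns FF IDs to users"),
]
FORBIDDEN = {"CHANGE_FF_LOG_CONFIG"}        # "prevent ... for any user altogether"
SINGLE_HOLDER = {"MAINTAIN_GRC_RULESET"}    # "only 1 person have ..."

# Constructed sample extract of user -> abilities (hypothetical users).
USER_ABILITIES = {
    "alice": {"DESIGNATE_FF_OWNER", "DESIGNATE_FF_CONTROLLER", "ASSIGN_FF_TO_USER"},
    "bob":   {"MAINTAIN_GRC_RULESET"},
    "carol": {"MAINTAIN_GRC_RULESET", "RUN_RISK_ANALYSIS"},
    "dave":  {"CHANGE_FF_LOG_CONFIG", "RUN_RISK_ANALYSIS"},
    "erin":  {"RUN_RISK_ANALYSIS"},
}


def analyse(user_abilities):
    """Return (rule, subject, detail) findings, sorted for stable reporting."""
    findings = []
    holders = {}
    for user, abilities in user_abilities.items():
        for a in abilities & CRITICAL_ACTIONS:
            findings.append(("CRITICAL_ACTION", user, a))
        for a in abilities & FORBIDDEN:
            findings.append(("FORBIDDEN", user, a))
        for pair, why in SOD_CONFLICTS:
            if pair <= abilities:               # user holds both sides of the pair
                findings.append(("SOD", user, why))
        for a in abilities & SINGLE_HOLDER:
            holders.setdefault(a, []).append(user)
    for a, users in holders.items():
        if len(users) > 1:                      # ability spread over several people
            findings.append(("MULTIPLE_HOLDERS", ",".join(sorted(users)), a))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject, detail in analyse(USER_ABILITIES):
        print(f"{rule:17} {subject:12} {detail}")
```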