
SAP GRC Access Control Emergency Access Management: April 2016

The document discusses SAP GRC Access Control and emergency access management. It provides an overview of SAP GRC Access Control modules, describes emergency access management in more detail, and discusses implementation good practices. The document contains information to help organizations effectively implement and use SAP GRC Access Control and emergency access management.


www.pwc.be

SAP GRC Access Control
Emergency Access Management
April 2016
PwC provides end-to-end SAP consulting services
Value through SAP strategy, design, implementation & QA

PwC SAP Consulting service areas:
• Human Capital
• Governance, Risk & Compliance
• Enterprise Assets
• Finance & Treasury
• Value chain
• Technology & Security
April 2016
PwC Slide 2
PwC’s SAP security & GRC services
Increase quality & profitability with PwC services & SAP technology

Agenda
• SAP security: What & why?
• SAP GRC Access Control overview
• Emergency Access Management deep-dive
• Live demo
• Implementation good practices
• Question & answer
SAP security: What & why?

SAP authorisations
PwC’s five guiding principles for an effective design

The five principles around “Effective SAP security”:
• Task based methodology
• SoD free
• Smart technical design
• Quality technical build
• Know your control points
PwC’s holistic view on SAP security
SAP GRC as an enabler for a sustainable authorisation model

“Get clean, stay clean”: use the right tools and processes to support your SAP authorisation concept.

Building blocks of an effective SAP security design:
• Org structure & governance
• Security & provisioning processes
• SAP role architecture
SAP GRC Access Control overview

SAP GRC Access Control
Four modules which enable controlled SAP authorisations, built on the GRC access management technology:

1. Access Risk Analysis
2. Emergency Access Management
3. Access Request Management
4. Business Role Management
Emergency Access Management deep-dive

How to handle those midnight emergency calls…
… without opening security gates permanently?

Your challenges
Access to sensitive transactions is not controlled
• Recent audits demonstrated that your SAP users in IT and Business had access to sensitive SAP transactions or tables on a permanent basis whilst the access was not required to support the user’s day-to-day job activities. This sensitive access was granted to these users to allow them to support the business in case of incidents and/or emergency requests, but resulted in an uncontrolled usage of sensitive SAP access.

Your desired response
SAP GRC to meet IT, business and internal control requirements
You want to address the above challenges by implementing appropriate controls on the usage of sensitive SAP access in support of incidents and emergency requests, and by installing regular risk-based SAP access reviews. SAP GRC Access Control technology has been identified as an important enabler for these controls.
SAP GRC Emergency Access Management
An enabler for controlled management of elevated access!

Key Functionality
• Pre-define emergency access for approved users
• Activity monitoring for all emergency users
• Enables compliance-focused emergency access for SAP

Key Benefits
• Avoid business obstructions with faster emergency response
• Reduce audit time
• Reduce time to perform
• Workflow based log review
• Compliant emergency access management process

[Diagram: instead of a super user holding SAP_ALL, a separate Firecall ID per process area (SD, MM, FICO, …) is used in a new session, and each session produces a log]

• Pre assigned firefighter IDs
• Access restrictions
• Validity dates and expiry
• Field-level changes tracked in audit log
• Workflow based log review
SAP GRC EAM key terminology
To assist you in not getting lost in translation

EAM: Emergency Access Management, SAP’s tool for providing elevated security authorisations through a controlled process ensuring usage is appropriate.
SPM / Virsa: Legacy names for EAM from GRC versions 5.3 and earlier.
Firefighter ID (also EAM ID, SPM ID, FFID, FireFight ID): A separate SAP user account typically assigned to a specific process area. When needed, an end user logs into GRC and opens an emergency access session. At that point, a new SAP session is opened and all actions performed are logged in EAM.
Firefighter: An end user who logs into EAM and checks out a Firefighter ID to perform emergency actions.
Owner: Responsible for approving and periodically reviewing access granted to an individual Firefighter ID. Owners are also responsible for authorizing the security authorizations assigned to the Firefighter ID.
Controller: Responsible for monitoring and assessing the appropriateness of activity performed by a user using an individual Firefighter ID.
A typical SAP GRC EAM process flow
All actors need to take up responsibility to generate benefit!

Emergency Access Management live demo

Implementation good practices

Determine your SAP GRC AC business case
How to build a solid and compelling one?

• Embed ownership of user provisioning to business process owners
• Reduce access risks and therefore avoid fraud and errors
• Improved harmony between the goals of IT and the needs of business
• Simplify the access request process for business users
• Get rid of recurring audit and compliance remarks
• Reduce time spent for user provisioning
• Encourage consistent execution of business processes

SAP’s GRC value calculator tool: http://www.pulse-iq.com/SAP/AccessControlValueCalc/dashboard.html
GRC implementation roadmap
Working smart towards your goals

[Roadmap figure; labels: Access Risk Analysis Integration, Continuous Compliant Access Management]
EAM & ARA implementation trajectory
Keep your objectives in mind and involve the right stakeholders

Phases: Assess, Design, Construct, Implement, Operate & Review, with ongoing training & knowledge transfer throughout. The SAP GRC technical installation takes place in the Design phase.

SAP GRC EAM
• Assess: Define emergency access management (EAM) needs
• Design: Design “firefighter” accounts & access and supporting governance structure & processes
• Construct: Build firefighter IDs and assign their access; configure EAM in SAP GRC back-end; set up EAM reporting
• Implement: Perform EAM unit, integration and user acceptance testing; train EAM end-users
• Operate & Review: Go-live of the tested EAM solution; provide ad-hoc support to EAM administrators and end-users

SAP GRC ARA
• Assess: Define access risk analysis (ARA) usage needs
• Design: Define access risks to be monitored for in scope processes; define ARA governance structure & processes
• Construct: Construct ARA risk ruleset; configure ARA in SAP GRC back-end; set up ARA reporting
• Implement: Perform ARA unit, integration and user acceptance testing; train ARA end-users
• Operate & Review: Go-live of the tested ARA; provide ad-hoc support to EAM administrators and end-users
Determine your EAM relevant usage
Involve the right stakeholders to identify this usage

Appropriate usage includes
• Emergency changes required in production
• Sensitive transactions not available via end user security roles
• SOx-sensitive, restricted transactions
• Infrequent, sensitive tasks (opening/closing posting period)
• Cutover tasks

Inappropriate usage includes
• Daily business tasks by support users (creating purchase orders, etc.)
• Non-sensitive tasks available via security roles
• Using EAM as a crutch to support a bad security design

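An added illustration, not SAP GRC code and not from the PwC deck: a toy Python model of the mechanism the terminology slide and the usage slide above describe. A Firefighter ID carries an owner, a controller and validity dates; a check-out needs a stated reason and must fall inside the validity window; the controller’s log review flags daily business tasks run under the ID. The transaction codes, user names and dates are assumed sample values, and the independence check on the controller is an assumed good-practice rule, not something the deck states.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Assumed SAP transaction codes (not from the deck) sorted by the usage slide's criteria.
DAILY_BUSINESS = {"ME21N": "create purchase order"}   # must never run under a Firefighter ID
EMERGENCY_TASKS = {"OB52": "open/close posting period", "SE16": "table display"}

@dataclass
class FirefighterId:
    name: str
    owner: str         # approves and periodically reviews the ID's access
    controller: str    # reviews the session logs
    valid_from: datetime
    valid_to: datetime
@dataclass
class Session:
    ffid: FirefighterId
    firefighter: str
    reason: str
    log: list = field(default_factory=list)   # (tcode, timestamp, detail) tuples

def check_out(ffid, firefighter, reason, when):
    """Open a session only with a stated reason and inside the ID's validity window."""
    if not reason.strip():
        raise ValueError("reason required for emergency access")
    if not ffid.valid_from <= when <= ffid.valid_to:
        raise PermissionError(f"{ffid.name} is not valid on {when:%Y-%m-%d}")
    return Session(ffid, firefighter, reason)

def controller_review(session):
    """Findings for the workflow-based log review; an empty list means nothing to explain."""
    findings = []
    if session.firefighter == session.ffid.controller:   # assumed independence check
        findings.append("firefighter would review own log: controller not independent")
    for tcode, _, _ in session.log:
        if tcode in DAILY_BUSINESS:
            findings.append(f"{tcode} ({DAILY_BUSINESS[tcode]}) is daily business, not emergency use")
        elif tcode not in EMERGENCY_TASKS:
            findings.append(f"{tcode} is not a recognised emergency task; justification needed")
    return findings

def scenario(checkout_day):
    """Constructed scenario: review findings for a session opened on checkout_day (ISO date)."""
    when = datetime.fromisoformat(checkout_day)
    ffid = FirefighterId("FF_FICO_01", "owner.fi", "ctrl.fi", datetime(2016, 4, 1), datetime(2016, 4, 30))
    try:
        session = check_out(ffid, "jdoe", "INC-1234 reopen posting period 03/2016", when)
    except PermissionError as refused:
        return [f"refused: {refused}"]
    session.log += [("OB52", when, "period reopened"), ("ME21N", when, "purchase order created")]
    return controller_review(session)
```

Running scenario("2016-04-10") yields one finding for the purchase order, while scenario("2016-05-02") is refused because the ID expired on 30 April.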
Make smart design decisions
These will drive actual & perceived value-add of your EAM

01 Design Firefighter users per business process
02 Think of available notifications and workflow functionality
03 Centralised vs. decentralised approach?
04 “Pre-approved” Firefighter strategy vs. “ad hoc” approval required
05 What about ID vs. role-based firefighting?
SAP GRC governance structure
Even SAP GRC needs governance to ensure its sustainability!

• Structure
• Functional use
• GRC tool maintenance
• GRC process flows
• Roles & responsibilities
Conclusion

Key takeaways
For you to consider during our SAP GRC EAM journey!

• SAP GRC EAM delivers great return on investment for your organization from an internal control and efficiency perspective, when implemented right
• Determine a clear and realistic scope, with all the right stakeholders involved; don’t forget about your (external) auditor
• Smart design decisions are key: garbage in = garbage out
• Your SAP GRC tool also needs governance to deliver value
Question & answer
PwC’s upcoming SAP GRC & security events
http://www.pwc.be/en/events-courses.html

Webinar: SAP HANA security - Prepare for what’s next
Date & time: 28 April 2016, 16:00h – 17:00h
• Obtain a clear and detailed view on the security set-up in a SAP HANA based environment
• Watch the theory come alive through a live SAP HANA security demo
• Gain first-hand insight on security good practices in a SAP HANA context through experience sharing by PwC experts
• Learn about the security skills, processes & controls required to continue safeguarding your sensitive data in a SAP HANA context

Increasing quality & profitability with SAP GRC Access Control
Date & time: 18 May 2016, 10:30h – 16:00h, PwC Brussels
• Live demo & good practice sharing
• Gain insights from an SAP GRC AC client use case
• Obtain first-hand views on SAP GRC’s roadmap for the future
• Explore how to generate value-add from your SAP GRC system by quantifying potential risk violations using data analytics techniques, using PwC process mining expertise combined with SAP Access Violation Management technology

For more information on the subject, please contact:
Wim Rymen, Director, +32 473 269 227, wim.rymen@be.pwc.com
Kris Wauters, Senior manager, +32 499 558 949, kris.wauters@be.pwc.com
Constance Vervalcke, Manager, +32 493 240 406, constance.vervalcke@be.pwc.com
© 2016 PricewaterhouseCoopers. All rights reserved.


“PricewaterhouseCoopers” refers to the network of member firms of
PricewaterhouseCoopers International Limited, each of which is a
separate and independent legal entity.
