Fundamentals of ERP Audits

Optimizing User Administration in SAP

ISACA Geek Week - Atlanta
August 13, 2014
Today's Presenters

Aric Quinones, Managing Director, Protiviti ERP Solutions Practice
Chris Aramburu, Senior Consultant, Protiviti ERP Solutions Practice
Connor Hammersmith, Senior Consultant, Protiviti ERP Solutions Practice
© 2014 Protiviti Inc. An Equal Opportunity Employer.


CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
Who We Are
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit, and has served more than 35 percent of
FORTUNE 1000® and 40 percent of FORTUNE Global 500® companies. Protiviti and its independently
owned Member Firms serve clients through a network of more than 70 locations in over 20 countries.
The firm also works with smaller, growing companies, including those looking to go public, as well as
with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a
member of the S&P 500 index.

• 3,100 professionals
• 70+ offices
• Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
• Our revenues: US $528.3 million in 2013
The Risk Universe of SAP Security

GRC and ERM framework

* SAP Security Risks / General IT Risks
  Security Standards
  Application Interface Controls
  Segregation of Duties and Sensitive Access
  IT Infrastructure Controls
  Powerful Users Access Management
  Change Management
  User and Role Provisioning Process
  Security Administration
  Steering Committee
  Backup and Recovery
  Board of Directors

Compliance (Regulatory Requirements): External / Internal

* SAP Business Process and Transactional Data Risks
  Configurable Application Controls
  Detective / Monitoring Controls / Reports
  Procedural Business Process Controls
  SOX Controls (compliance purposes)

* Other Project / Implementation Risks
  Audit
  Project Cost Identification
  Transaction and Master Data Conversion
  Go/No Go Decision Criteria
  Testing and Training Strategy
  Post Go-Live Support Requirements

* Continuous Monitoring Applications and Processes
  Control Documentation Update, Compliance and Risk Management Optimization and GRC Software Configuration
What We’ll Cover

Common Issues with User Administration in SAP

Solutions to Common Issues with User Administration in SAP

Recap of Session Takeaways

Case Study

Wrap-up

A Few Questions

• How many people use one of the major ERP systems (SAP, Oracle or MS
Dynamics)?
• How many people actually use SAP?
• How many people use a GRC tool for Segregation of Duties (SoD) Analysis
– such as SAP GRC, Oracle GRC, or Fastpath?
• What is an SoD Analysis?
• How many people know what a t-code is?

Common Issues with User Administration

Security Related
• Standardized Role Architecture
• Change Management
• Development of Custom Transactions, Objects, Programs, & Tables
• Backend System Configurations

GRC Related
• User Provisioning
• Segregation of Duties (SoD)
• Management of Temporary / Emergency Access
Standardized Role Architecture

Key Risks
• Role-level SoD issues
• Inappropriate organizational level restrictions
• Duplicative transaction assignments
• Powerful roles with unnecessary access
• Excessive number of transactions granting unintended access to end users
• Increased efforts of the Security Team for role maintenance and user provisioning

Root-Causes
• Inconsistent role standards
• Lack of role governance
• Roles not managed globally
• Unintuitive role naming convention
• Lack of role documentation

Example: B. Smith, Finance Manager
• Assigned 114 active roles
• Providing access to 6,636 unique transactions (919 duplicate via multiple role assignment)
• Of the 6,636 transactions only 6,328 transactions are executable

Transactional History Analysis
• 115 executable transactions were executed a total of 12,946 times
• The top 25 transactions accounted for 89% of the activity
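The figures in the B. Smith example (roles assigned, unique versus duplicate transactions, and how few of the provisioned transactions are ever executed) come from joining the role-to-transaction assignments with the transaction history. The following Python script is an added example of that analysis and is not Protiviti's tooling or anything from the slides; the role names, t-codes and usage records are constructed, and in a real review the inputs would be extracted from the authorization tables and the workload statistics instead.

```python
from collections import Counter

# Constructed sample data (illustrative, not from any real system):
# role name -> set of transaction codes (t-codes) the role grants.
ROLE_TCODES = {
    "Z_FI_AP_CLERK":   {"FB60", "FB65", "FK03", "MIRO"},
    "Z_FI_AP_MANAGER": {"FB60", "F110", "FK02", "FK03"},
    "Z_MM_BUYER":      {"ME21N", "ME22N", "ME23N", "MIRO"},
    "Z_REPORTING":     {"FB03", "ME23N", "FK03"},
}

# Constructed user -> assigned roles (the "114 active roles" problem in miniature).
USER_ROLES = {
    "BSMITH": ["Z_FI_AP_CLERK", "Z_FI_AP_MANAGER", "Z_MM_BUYER", "Z_REPORTING"],
    "JDOE":   ["Z_MM_BUYER"],
}

# Constructed transaction-history extract: one (user, t-code) tuple per execution.
USAGE_LOG = (
    [("BSMITH", "FB60")] * 6
    + [("BSMITH", "MIRO")] * 3
    + [("BSMITH", "FB03")]
    + [("JDOE", "ME21N")] * 4
)


def provisioned_transactions(user):
    """Return (unique t-codes, duplicate assignments) for a user.

    A duplicate is every assignment of a t-code beyond the first one, i.e. the
    same transaction granted again through another role.
    """
    counts = Counter()
    for role in USER_ROLES[user]:
        counts.update(ROLE_TCODES[role])
    duplicates = sum(c - 1 for c in counts.values())
    return set(counts), duplicates


def usage_profile(user, top_n):
    """Return per-t-code execution counts and the share of activity covered by the top_n t-codes."""
    counts = Counter(t for u, t in USAGE_LOG if u == user)
    total = sum(counts.values())
    top_total = sum(c for _, c in counts.most_common(top_n))
    share = top_total / total if total else 0.0
    return counts, share


def unused_access(user):
    """T-codes provisioned to the user but never executed in the analysed window: removal candidates."""
    unique, _ = provisioned_transactions(user)
    executed = {t for u, t in USAGE_LOG if u == user}
    return sorted(unique - executed)


if __name__ == "__main__":
    for user in USER_ROLES:
        unique, dups = provisioned_transactions(user)
        counts, share = usage_profile(user, top_n=2)
        print(f"{user}: {len(USER_ROLES[user])} roles, {len(unique)} unique t-codes "
              f"({dups} duplicate assignments), {len(counts)} executed, "
              f"top 2 = {share:.0%} of activity, unused: {unused_access(user)}")
```

The unused-access list is the starting point for role rationalization: transactions that are provisioned through several roles but never executed are the first candidates to drop when the roles are redesigned, and the top-N share shows how concentrated real usage is compared with what the roles grant.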
Choosing the Appropriate Role Architecture

• Derived versus Enabler
• Job Based versus Task Based
• Ensuring the Architecture is Scalable
• Aligns with SAP Resource Skillset & Compliance Culture
• Standardized Role Naming convention

Change Management

The lack of Change Management can impact role maintenance which is critical to
maintaining a secure SAP environment and standardized role architecture.

Key Risk: Roles unaligned with the new and existing global business processes
Development of Custom Transactions, Objects, Programs & Tables

Key Risks
• Lack of functionality knowledge
• Circumventing security & gaining unauthorized access to sensitive data
• Bypass organizational level security restrictions
• Excessive privileges within the scope of the specific transaction
• Unauthorized execution of programs

Root-Causes
• Absence of SAP customizing governance processes
• Poor design documentation and/or lack of communication
• Custom program coded to call powerful transactions (e.g. SE38, SA38, SM30, etc.)
• Authorization checks not coded in custom program
• Not assigning custom programs to custom transactions
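A practical audit check for the last three root causes is to review the source of every custom program for an authorization check, for calls to the powerful transactions named above, and for whether the program sits behind a custom transaction code at all. The following Python script is an added example of such a review and is not from the slides or from Protiviti; the ABAP snippets, program names and the program-to-transaction mapping are constructed, and a real review would read the program source and the transaction code table (TSTC) from the system.

```python
import re

# Constructed ABAP sources for three custom programs (illustrative only).
PROGRAMS = {
    "ZFI_VENDOR_UPD": """
REPORT zfi_vendor_upd.
* Explicit authorization check before touching vendor master data
AUTHORITY-CHECK OBJECT 'F_LFA1_APP' ID 'APPKZ' FIELD 'F' ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.
CALL TRANSACTION 'FK02'.
""",
    "ZUTIL_RUN": """
REPORT zutil_run.
* Wrapper that hands the user straight to the ABAP editor
CALL TRANSACTION 'SE38'.
""",
    "ZRPT_VENDORS": """
REPORT zrpt_vendors.
DATA lt_lfa1 TYPE TABLE OF lfa1.
SELECT * FROM lfa1 INTO TABLE lt_lfa1.
""",
}

# Powerful transactions named on the slide that a custom program should not hand out.
POWERFUL_TCODES = {"SE38", "SA38", "SM30"}

# Constructed program -> custom transaction mapping (in a real system: table TSTC).
TCODE_FOR_PROGRAM = {"ZFI_VENDOR_UPD": "ZFI_VUPD"}

CALL_TRANSACTION_RE = re.compile(r"\bCALL\s+TRANSACTION\s+'([A-Z0-9_/]+)'", re.IGNORECASE)
AUTHORITY_CHECK_RE = re.compile(r"\bAUTHORITY-CHECK\b", re.IGNORECASE)


def review_program(name, source):
    """Return a list of audit findings (empty list = nothing flagged) for one custom program."""
    findings = []
    called = {m.upper() for m in CALL_TRANSACTION_RE.findall(source)}
    has_auth_check = AUTHORITY_CHECK_RE.search(source) is not None

    powerful = sorted(called & POWERFUL_TCODES)
    if powerful:
        findings.append(f"calls powerful transaction(s): {', '.join(powerful)}")
    if not has_auth_check:
        findings.append("no AUTHORITY-CHECK statement")
    if name not in TCODE_FOR_PROGRAM:
        findings.append("not assigned to a custom transaction (executable only via SE38/SA38)")
    return findings


def review_all(programs=PROGRAMS):
    """Map program name -> findings, keeping only programs with at least one finding."""
    return {name: f for name, src in programs.items() if (f := review_program(name, src))}


if __name__ == "__main__":
    for prog, findings in review_all().items():
        print(prog)
        for f in findings:
            print("  -", f)
```

The text match is deliberately simple: its purpose is to produce a short list of programs that a security reviewer then reads properly, not to prove that a program with an AUTHORITY-CHECK statement checks the right object or field values.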

Backend System Configurations

There are several security-related backend tables and configuration settings that are critical to maintaining a controlled security environment; they are often overlooked or poorly maintained, which can become a significant security risk.

Example organizational hierarchy shown on the slide:
Company Code 1000
  Plant 100
  Purchasing Org 1900
    Purchasing Group 1, Purchasing Group 2, Purchasing Group 3

Governance: Policies & Procedures

• A security governance policy contains standards for the SAP ECC production environments to ensure consistency and minimize significant risk to the environment. It should be designed to create standards around the following key areas:
  ‒ User Access Management
  ‒ Custom Program and Table Security Requirements
  ‒ Backend System Configurations
  ‒ Role Creation and Maintenance Standards
  ‒ Password Management
  ‒ Security Parameters

SAP solutions for Governance, Risk, and Compliance

• SAP Access Control: Manage access risk and prevent fraud
• SAP Process Control: Ensure effective controls and ongoing compliance
• SAP Risk Management: Preserve and grow value

GRC Access Control Overview

Primary GRC Risks to be discussed today:
• User Provisioning
• SoD / Sensitive Access Monitoring
• Management of Temporary / Emergency Access

User Provisioning

Key Risks
• Assignment of excessive and/or sensitive access
• Documenting appropriate approvals for compliance purposes
• Delay in provisioning or deprovisioning
• Selection of correct roles
• User access reviews

Root-Causes
• The user does not know the appropriate role to select due to current naming convention
• User provisioning is a manual process
• Approvals are documented offline or via email
• Master data has not been maintained appropriately

User Provisioning

GRC automates the SAP access request and provisioning process by providing customizable workflow options that integrate seamlessly with the SoD Risk Analysis.

Solution Enhancements
• User Provisioning:
  − Integrates with SAP to prevent SoD Violations
  − Customizable access request workflows
  − Template based access requests
  − Complete audit trail to satisfy compliance requirements
  − Eliminates manual provisioning to end users
• Workflows also available for:
  − User Access Reviews
  − FF Log Review
  − SoD Remediation
  − Mitigating Control Assignment / Review

Key Benefits
• Business workflow reduces manual tasks and streamlines access request processing
• Gain visibility of User Access Risks before entering a production environment
• Faster and easier for users to request the roles they need
• Leverage existing resources for workflow administration and configuration
• Utilize existing HR structure for automated and compliant position based role assignment
• Improved security and richer request context
• Standardized on SAP Business Workflow Technology

Segregation of Duties (SoD)

Key Risks
• A user with excessive or sensitive access within the system has the ability to perform fraudulent activity
• Internal controls may be circumvented by excessive access

Root-Causes
• Over the course of time a user may switch job functions
• It may be necessary for the user to have the access within SAP to perform both business functions during the transition period
• After the transition period is over the user may still retain this excessive access
• SoD violations can quickly spiral out of control because in some organizations users submit access requests by replicating a user performing the same job function

SoD / Sensitive Access Monitoring

• Products such as SAP Access Control can be used to monitor SoD Violations, as well as Sensitive Access.
• A custom “rule set” containing function conflicts (e.g., Create Vendor vs. Manual Payments), as well as sensitive transactions/objects can be tailored to your specific risk environment.
• Simulations and “what if” analyses can be run before actual security changes are made.
• Can be integrated into the user provisioning and role creation process.

Customizing Your Ruleset

It is important to customize your own ruleset by reviewing it with all of the key stakeholders:
– Risk Relevance - Inactive vs. active
– Criticality Level - Low, medium, high, or critical
– Modify Rules – There are authorizations which need to be adjusted to ensure accuracy for your organization and to remove false positives
– Review Custom Transactions and Tables – All new custom transactions and programs should be reviewed for inclusion in the ruleset

Ruleset process: Define SoD Ruleset → Ruleset Analysis Against Leading Practices → Communicate Proposed Ruleset to Business Controllers → Incorporate Feedback from Internal Audit → Update SoD Ruleset with Feedback → Finalize SoD Ruleset
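The monitoring slide and the ruleset-customization slide together describe one mechanism: transactions are grouped into business functions, pairs of conflicting functions become risks with a criticality and an active/inactive flag, sensitive single transactions are listed separately, custom transactions are mapped into the ruleset, and the same engine runs "what if" simulations before access is granted. The following Python script is an added example of that engine and is not SAP Access Control's implementation or Protiviti's content; the function catalogue, risk IDs, t-codes and the custom-transaction alias are all constructed.

```python
from dataclasses import dataclass

# Constructed function catalogue: business function -> t-codes that perform it.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"FK01", "FK02", "XK01", "XK02"},
    "MANUAL_PAYMENT":  {"F-53", "F110"},
    "PO_CREATE":       {"ME21N"},
    "INVOICE_POST":    {"MIRO", "FB60"},
}

# Constructed: custom transactions mapped to the standard one they wrap, so the
# ruleset covers Z-transactions too (the "Review Custom Transactions" step).
CUSTOM_TCODE_ALIASES = {"ZFK02": "FK02"}

# Sensitive single transactions with a criticality level (not an SoD conflict).
SENSITIVE_TCODES = {"SE38": "critical", "SA38": "critical", "SM30": "high"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple      # the pair of functions that must not be held together
    criticality: str      # low | medium | high | critical
    active: bool = True   # risk relevance: inactive rules are skipped


# Constructed ruleset; P003 has been set inactive after stakeholder review.
RULESET = [
    Risk("P001", "Create vendor and pay vendor", ("VENDOR_MAINTAIN", "MANUAL_PAYMENT"), "critical"),
    Risk("P002", "Create purchase order and post invoice", ("PO_CREATE", "INVOICE_POST"), "high"),
    Risk("P003", "Maintain vendor and post invoice", ("VENDOR_MAINTAIN", "INVOICE_POST"), "medium",
         active=False),
]


def normalize(tcodes):
    """Map custom t-codes to the standard ones they wrap."""
    return {CUSTOM_TCODE_ALIASES.get(t, t) for t in tcodes}


def functions_for(tcodes):
    """Business functions a set of t-codes enables."""
    t = normalize(tcodes)
    return {f for f, codes in FUNCTIONS.items() if codes & t}


def analyze(tcodes, mitigations=()):
    """Return (sod_violations, sensitive_access) for a user's t-codes.

    sod_violations: sorted list of (risk_id, criticality); inactive risks and
    risks covered by an assigned mitigating control are skipped.
    sensitive_access: sorted list of (t-code, criticality).
    """
    funcs = functions_for(tcodes)
    violations = sorted(
        (r.risk_id, r.criticality)
        for r in RULESET
        if r.active and r.risk_id not in mitigations and set(r.functions) <= funcs
    )
    sensitive = sorted((t, lvl) for t, lvl in SENSITIVE_TCODES.items() if t in normalize(tcodes))
    return violations, sensitive


def simulate(current, proposed, mitigations=()):
    """What-if analysis: SoD violations a proposed role/t-code assignment would add."""
    before = set(analyze(current, mitigations)[0])
    after = set(analyze(set(current) | set(proposed), mitigations)[0])
    return sorted(after - before)


if __name__ == "__main__":
    print(analyze({"ZFK02", "F110", "FB60"}))
    print(simulate({"ME21N"}, {"MIRO", "SE38"}))
```

Two design points carry over to a real ruleset: the custom-transaction alias table is what keeps a Z-transaction from silently bypassing a rule written against the standard t-code, and the mitigation parameter records an accepted, compensated risk rather than deleting the rule, so the conflict stays visible in reporting.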

Management of Temporary / Emergency Access

Key Risks
• Superuser or privileged access should be approved and reviewed in a timely manner
• A user can perform critical actions either accidentally or maliciously to interrupt system availability

Root-Causes
• Certain sensitive or critical transactions are necessary to keep the system running smoothly
• Restricting and monitoring sensitive access within the system is a top audit concern
• Log review is a very tedious and time consuming process
• Some users are assigned the profile SAP_ALL granting unrestricted access

Management of Temporary / Emergency Access

Emergency Access Management
• SAP Access Control or Firefighter can be used to effectively handle temporary and elevated system access.
• All activity and the changes performed within Firefighter are logged for review/signoff.
• Log review can be integrated into workflow to automatically route and track Firefighter log approvals.
• Provisioning of Firefighter IDs can be integrated into Access Request (ARQ).
• Centrally managed across all systems (end-user does not need an ID in the target system, only the GRC system).

How Firefighter Works

The workflow functionality within SAP GRC can provide an automated and auditable process for:
– Requesting elevated access
– Routing the request for approval
– Automatically assigning approved access for the specified time period
– Logging and routing the activity logs to the Firefighter Controller for review
• Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access
• Enables a documented account of the controller’s review

Diagram: Firefighter is administered centrally on the GRC system, which connects to the target systems (R3, CRM, BI).
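The two emergency-access slides describe a lifecycle with four checkpoints: a request, an approval by someone other than the requester, a time-boxed window in which every action is logged, and an independent controller's sign-off on that log. The following Python class is an added example of that lifecycle and is not Firefighter's implementation or Protiviti's material; user names, the Firefighter ID, the target system and the logged actions are constructed.

```python
from datetime import datetime, timedelta


class FirefighterSession:
    """Lifecycle of one emergency-access request, modelled after the workflow on the slide:
    REQUESTED -> ACTIVE (time-boxed) -> PENDING_REVIEW (log routed to controller) -> CLOSED.
    """

    def __init__(self, requester, ff_id, target_system, reason, duration_hours):
        self.requester = requester
        self.ff_id = ff_id                  # the privileged Firefighter ID being checked out
        self.target_system = target_system
        self.reason = reason
        self.duration = timedelta(hours=duration_hours)
        self.status = "REQUESTED"
        self.valid_from = self.valid_to = None
        self.approver = None
        self.activity_log = []              # every action performed with the FF ID
        self.review = None

    def approve(self, approver, now):
        # Four-eyes: nobody approves their own emergency access.
        if approver == self.requester:
            raise ValueError("requester cannot approve own request")
        if self.status != "REQUESTED":
            raise ValueError(f"cannot approve in state {self.status}")
        self.approver = approver
        self.status = "ACTIVE"
        self.valid_from, self.valid_to = now, now + self.duration

    def is_active(self, now):
        return self.status == "ACTIVE" and self.valid_from <= now < self.valid_to

    def record_activity(self, now, tcode, detail):
        """Log an action; refused outside the approved window."""
        if not self.is_active(now):
            raise PermissionError(f"{self.ff_id} not active for {self.requester} at {now.isoformat()}")
        self.activity_log.append({"time": now, "tcode": tcode, "detail": detail})

    def expire(self, now):
        """Called by the scheduler: close the window and route the log for review."""
        if self.status == "ACTIVE" and now >= self.valid_to:
            self.status = "PENDING_REVIEW"
        return self.status

    def controller_review(self, controller, decision, now):
        """Controller sign-off: the documented account of the review the slide mentions."""
        if self.status != "PENDING_REVIEW":
            raise ValueError(f"nothing to review in state {self.status}")
        if controller in (self.requester, self.approver):
            raise ValueError("controller must be independent of requester and approver")
        self.review = {"controller": controller, "decision": decision, "time": now,
                       "actions_reviewed": len(self.activity_log)}
        self.status = "CLOSED"
        return self.review


def run_scenario():
    """Constructed end-to-end scenario; returns the closed session."""
    t0 = datetime(2014, 8, 13, 9, 0)
    s = FirefighterSession("REQ_USER", "FF_BASIS_01", "R3", "month-end batch job hung", duration_hours=4)
    s.approve("APPROVER1", t0)
    s.record_activity(t0 + timedelta(hours=1), "SM37", "restarted job ZFI_CLOSE")
    try:
        s.record_activity(t0 + timedelta(hours=5), "SM37", "late attempt")
    except PermissionError:
        pass                                 # outside the window: refused and not logged
    s.expire(t0 + timedelta(hours=4))
    s.controller_review("CONTROLLER1", "approved", t0 + timedelta(days=1))
    return s


if __name__ == "__main__":
    session = run_scenario()
    print(session.status, session.activity_log, session.review)
```

The state checks are the control: activity cannot be logged before approval or after expiry, the log cannot be signed off until the window has closed, and the reviewer must be neither the requester nor the approver, which is what makes the resulting record usable as audit evidence.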

Control Optimization
• Sometimes we cannot avoid certain risks within the ERP systems we manage.
• Luckily, SAP has many configurable controls that can be enabled to help mitigate some of these risks.
• For example:
– Check for duplicate invoices
– 3-Way Match

Protiviti’s Control Library:

SAP Access Control – Sample Roadmap

Phases: Start → Quick Wins → Enhanced Functionality → Optimization

Solution Components
• Start: Solution Design; Technical Installation / Upgrade
• Quick Wins: Access Risk Analysis; Emergency Access; Data Migration
• Enhanced Functionality: Access Request Management; SoD Integration; Business Role Management
• Optimization: SAP PC/RM; Integration with Non-SAP Applications

Process Improvement
• Start: SAP Security Remediation; Upgrade
• Quick Wins: Ruleset Optimization & Reporting; Risk Mitigation
• Enhanced Functionality: Streamlined super user Provisioning process; Automated SAP Provisioning
• Optimization: End to end Change Mgmnt. for users & roles

Recap of Session Takeaways

Common Issues with User Administration in SAP

Solutions to Common Issues with User Administration in SAP

Recap of Session Takeaways

Case Study

Wrap-up

Key Points to Take Home

Remember:
1. A standardized role architecture simplifies user administration in SAP
2. A strong change management policy is vital when maintaining good SAP Security practices
3. There are many tools available to assess the security in your SAP environment
4. Achieve buy-in & sponsorship across the organization
5. Strong Security & Governance policies are crucial to maintaining a secure ERP environment

What We’ll Cover

Common Issues with User Administration in SAP

Solutions to Common Issues with User Administration in SAP

Recap of Session Takeaways

Case Study

Wrap-up

Results - Other Role Redesign Project Metrics

Metric | Before Security and GRC Redesign | After Security and GRC Redesign | % Reduction
New User to be provisioned | 15 days | 4 hours | 98.889%
# of transactions per role | 77 | 7.3 | 90.519%
Average transactions per user | 2,281 | 371 | 83.735%
Number of detailed SoD violations | 13,054,616 | 3,149 | 99.976%
Intra Role SoD Conflicts | 94,458 | 3 | 99.997%

Questions?

Thank You!

Aric Quinones
3343 Peachtree Road, NE, Suite 600, Atlanta, GA 30326
Direct: +1 404.240.8376
Aric.Quinones@protiviti.com

Chris Aramburu
3343 Peachtree Road, NE, Suite 600, Atlanta, GA 30326
Direct: +1 404.443.8221
Chris.Aramburu@protiviti.com

Connor Hammersmith
3343 Peachtree Road, NE, Suite 600, Atlanta, GA 30326
Direct: +1 404.926.4315
Connor.Hammersmith@protiviti.com

Powerful Insights. Proven Delivery.®

Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half International Inc.
("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be
used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any
inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be
distributed to third parties.

