GRC Nuggets – Episode 1 – Access Control’s Risk Analysis

“Risk comes from not knowing what you’re doing.” ~ Warren Buffett

Never have truer words been spoken.

Imagine your IT service desk receives an SAP role provisioning ticket from a member of the employee base, who has recently moved from Sales to Finance. Maybe an odd move, but stranger things have happened.

What do you do next? Do you:

A. Consult the rather large Excel spreadsheet containing user roles and access assignment matrices?

B. Contact the employee’s line manager for written approval?

C. Contact the Finance pillar owner for approval?

D. Add requested access to their user account manually?

E. None of the above.

If you are in the fortunate position of having requests automatically assessed for risk violations against current and requested role access, then your processes are likely to be in excellent shape.

If any of options A to D ring true, or are fairly accurate based on today’s processes, then this is where access risks, or Segregation of Duties (SOD) risks, are most likely to enter the system landscape. This is because you are likely to be using only Profile Generator (aka PFCG) to help with role creation and assignments.

Where an SOD risk is realised, it can often lead to fraud – especially insider fraud. PFCG is an excellent tool but it lacks context; it lacks the ability to inform users of potential access risks. This is where SAP Access Control takes over with the important function to assess all users and roles for any potential access risks and actual violations.

SAP Access Control 12.0 – Access Risk Analysis

SAP Access Control is split into four functional components. I’ll be discussing all four over the course of this month but today’s focus is on Access Risk Analysis or ARA for short.

ARA gives you the ability to comb through the SAP landscape (and wider non-SAP landscape if you have the connectors) to identify and understand where the access risks and violations are occurring. To strike back at Warren Buffett, once you know where the risks are coming from, you know what you are doing.

ARA is the de facto component of Access Control, deployed almost universally across the 5,000+ organisations that have it installed across the globe. The same applies to all of our Winterhawk clients who have SAP Access Control. This is because ARA saves access governance teams countless hours of manually trying to find needles in a haystack and manually maintaining Excel spreadsheet matrices, and it also improves accuracy in remediating access risks.

ARA not only helps identify the access risks and violations, but also enables the team to remediate risks by implementing new controls or defining re-certification processes if certain SOD risks are accepted.

Benefits Extend Beyond Compliance

Aside from helping with Financial Reporting compliance (e.g. Sarbanes Oxley), there are tangible benefits to implementing Access Control’s ARA component:

1) Leverage the Winterhawk Risk Ruleset library for all standard transactions across the SAP ERP and custom Z transactions that we frequently come across.

2) Scan through all user and role assignments across the SAP estate (and beyond), identifying and flagging up where access risks and violations reside.

3) Understand if any user has violated an SOD. These aren’t false positives either – they are actual violations and something to worry about.

4) Focus on the risks which are the highest priority.

5) Know the full context of conflicting transactions and authorisation objects.

6) Greater alignment with Internal/External Audit, who can leverage information from the same reporting suite.
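To make the provisioning scenario above concrete, here is an added illustration (my own sketch, not Winterhawk or SAP code, and not how ARA is implemented): a request is simulated against the user’s current plus requested roles, a risk only counts as an actual violation when both conflicting functions become reachable, hits are ordered by risk level, and each hit names the transactions and the roles that introduce them. The ruleset, role names, transaction codes and users are constructed for illustration.

```python
# Constructed, illustrative SOD ruleset and role data; not the Winterhawk library
# or the SAP-delivered ruleset. Each risk pairs two conflicting business functions,
# and a function is the set of transaction codes that can perform it.
RULESET = {
    "R01": ("High", "Maintain vendor master and execute payment run", {"FK01", "FK02"}, {"F110"}),
    "R02": ("Medium", "Create purchase order and post goods receipt", {"ME21N"}, {"MIGO"}),
    "R03": ("Low", "Create sales order and release credit block", {"VA01"}, {"VKM1"}),
}
ROLES = {  # role -> transaction codes it grants (constructed)
    "Z_SALES_ORDER": {"VA01", "VA02"},
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_PO_CREATE": {"ME21N"},
    "Z_GR_POST": {"MIGO"},
}
USER_ROLES = {  # current assignments (constructed); jdoe is the Sales-to-Finance mover
    "jdoe": {"Z_SALES_ORDER"},
    "asmith": {"Z_PO_CREATE", "Z_GR_POST"},
}
LEVEL_RANK = {"High": 0, "Medium": 1, "Low": 2}

def grants(roles):
    """Map every transaction code reachable through `roles` to the roles granting it."""
    out = {}
    for role in roles:
        for tcode in ROLES.get(role, set()):
            out.setdefault(tcode, set()).add(role)
    return out

def analyse(roles):
    """Run the ruleset over a role set. A risk is an actual violation only when both
    conflicting functions are reachable; hits carry their context, highest level first."""
    access = grants(roles)
    hits = []
    for rid, (level, desc, func_a, func_b) in RULESET.items():
        side_a = {t: sorted(access[t]) for t in func_a if t in access}
        side_b = {t: sorted(access[t]) for t in func_b if t in access}
        if side_a and side_b:
            hits.append({"risk": rid, "level": level, "desc": desc,
                         "side_a": side_a, "side_b": side_b})
    return sorted(hits, key=lambda h: (LEVEL_RANK[h["level"]], h["risk"]))

def simulate_request(user, requested):
    """Assess current + requested access before provisioning; split new from pre-existing."""
    current = USER_ROLES.get(user, set())
    before = {h["risk"] for h in analyse(current)}
    after = analyse(current | set(requested))
    new = [h for h in after if h["risk"] not in before]
    return {"new": new, "pre_existing": [h for h in after if h["risk"] in before],
            "needs_mitigation": any(h["level"] == "High" for h in new)}
```

Run `simulate_request("jdoe", ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"])` to see the Finance request flagged as a new High-level violation with both sides of the conflict attributed to the roles that cause it.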


SAP Access Control 12.0

A new major product release is due imminently for GRC – an upgrade from GRC 10.1 to 12.0. Right now, GRC 12.0 is in beta and we’re seeing teasers from SAP Labs. What I can tell you is this:

1) The new User Experience platform, Fiori, will be the new standard user interface.

This is a benefit because Fiori is replacing the more traditional-looking Netweaver Business Client interface and will give SAP users access to many different systems from a single portal, without having to log in and out of different SAP servers.

2) Pre-defined Fiori tiles for GRC

Replacing Netweaver Business Client, the new pre-defined Fiori tiles will reduce the implementation time required for SAP Access Control’s user interface component. Prior to GRC 12.0, Fiori tiles had to be created manually by implementation consultants, with no pre-defined functional tiles available. The net benefit is a shorter implementation timeline.

3) S/4HANA Connectors delivered

This upgraded functionality comes as no surprise: connectors for S/4HANA Cloud are now delivered as standard. S/4HANA remains the key growth driver for SAP, and integration with this new platform has been expected for a while, especially for the cloud version of S/4HANA.