Have you installed one of the SAP GRC systems? Here are 10 helpful tips on how to improve the use of the SAP governance suite.
The SAP GRC area (Governance, Risk and Compliance) covers several systems. The main ones are:
10 focus points that you might want to apply!
Especially for systems such as Access Control, Process Control and Risk Management, it is useful to start with a few of the business processes involved and manage them from beginning to end. In the case of Access Control this means the definition of Access Risks (SoD risks, Critical Actions or Critical Permissions), risk analysis and remediation, and in particular the mitigation and continuous compliance part.
In the case of Process Control, create a PoC (Proof of Concept) in order to understand whether it is applicable to your environment and what the limitations or problems could be.
Using this module of SAP GRC Access Control (Emergency Access Management, or Firefighter) allows emergency access by users to be managed, with the effective use reviewed afterwards.
In what cases/scenarios could it be used?
Super-user accounts can be requested through an approval workflow (using the SAP GRC Access Control Access Request Management module, ARQ) or can be assigned or pre-assigned by an administrator for a certain period of time.
What are the focus points after activating the use of super-user accounts in SAP?
The Access Risk Analysis module, part of the Access Control suite, allows you to define a segregation of duties (SoD) matrix containing standard or custom functions.
If you activate new processes, you should adjust the SoD matrix accordingly.
The matrix is not static: it must be updated every time a custom transaction or a new SoD-relevant process is defined.
Through this tool, legacy (non-SAP) systems, whether in-house or third-party, can also be included in the risk analysis.
You can define rules (using SAP data structures) that allow SAP GRC to analyze non-SAP systems.
If you have several systems, and especially if an SoD-relevant process is split across them, establishing cross-system rules might be useful.
Imagine that suppliers are defined in the SAP SRM system (SAP Supplier Relationship Management) while supplier payments are carried out in SAP ECC or S/4HANA.
In this case a user analyzed on a single system may not represent a risk; analyzed across both systems, the same user could represent a risk.
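As an added illustration of the cross-system case above (example code, not from the original post or from SAP): a minimal SoD rule-set check that analyzes a user per system and then across systems. The function names, the SRM transaction code and the sample user's assignments are constructed for this example.

```python
# Added example (not part of the original post): a minimal cross-system SoD
# risk analysis in the style of an Access Control rule set. Function names,
# the SRM transaction and the user assignments are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    system: str     # connector / system id, e.g. "SRM" or "ECC"
    tcode: str      # transaction or application

@dataclass
class Function:
    name: str
    actions: frozenset  # Actions that realise this business function

@dataclass
class Risk:
    risk_id: str
    functions: tuple    # conflicting functions: risk triggers if user holds all

# --- constructed rule set ------------------------------------------------
VENDOR_MAINT = Function("Vendor master maintenance", frozenset({
    Action("SRM", "BBP_VEND_MAINT"),   # constructed: maintain vendor in SRM
    Action("ECC", "XK01"),             # create vendor in ECC
}))
VENDOR_PAY = Function("Vendor payment", frozenset({
    Action("ECC", "F110"),             # automatic payment run in ECC
}))
RISKS = [Risk("P001", (VENDOR_MAINT, VENDOR_PAY))]

def function_enabled(fn, user_actions, systems=None):
    """True if the user holds at least one action of the function,
    optionally restricted to the given set of system ids."""
    return any(a in user_actions and (systems is None or a.system in systems)
               for a in fn.actions)

def analyze(user_actions, systems=None):
    """Return the ids of risks triggered by user_actions. With systems=None all
    connected systems are combined (cross-system rule); pass a single
    system id to reproduce a per-system analysis."""
    return [r.risk_id for r in RISKS
            if all(function_enabled(f, user_actions, systems) for f in r.functions)]

# constructed user: maintains vendors in SRM, runs payment runs in ECC
USER = frozenset({Action("SRM", "BBP_VEND_MAINT"), Action("ECC", "F110")})

if __name__ == "__main__":
    print("ECC only :", analyze(USER, {"ECC"}))   # []
    print("SRM only :", analyze(USER, {"SRM"}))   # []
    print("cross    :", analyze(USER))            # ['P001']
```

Analyzing each system alone reports no risk; only the cross-system analysis, which combines the SRM and ECC assignments, reports P001.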
Once you have defined the compensating controls, they must be "tested". The control testing phase (control testing audit) verifies that the control is actually carried out. Procedures must be established that state who carries out this phase, how and when.
The management of mitigating controls is an expensive phase, in terms of implementation time but especially during their execution.
If you have configured GRC Process Control, check that the automated monitoring component (SAP GRC Process Control AM) is activated.
If you activate the Access Request Management system, you can automate the provisioning of SAP roles and user accounts in the various systems involved.
Remember that this component overlaps with identity management systems.
In most cases where such systems are present, GRC is used only for SoD compliance verification, while IDM is used for provisioning in the various SAP and non-SAP systems.
These are standard workflows within SAP GRC Access Control that allow you to re-validate:
Have you migrated from SAP ECC to SAP S/4HANA?
Remember that, depending on how you use it, the transactions or applications in use must be adapted. Consequently, the risk matrix also needs to be adapted.
Blog post originally translated from: https://www.aglea.com/blog/10-suggerimenti-dopo-aver-installato-sap-grc