To perform a risk analysis on SAP and also non-SAP systems, you can use the SAP GRC Access Control tool, through its Access Risk Analysis module.
How to manage the Segregation of Duties (SoD) process: you can find our article describing all the steps for managing SoD here.
For a summary, watch these two videos:
Part 1 - Risk Identification and Risk Analysis
Part 2 - Remediation, Mitigation and Continuous Compliance
How to perform a risk analysis?
Risk analysis is performed in the web part of GRC Access Control (AC) via the work center Access Management -> Access Risk Analysis (the folders you find at the top of the screen are called work centers).
GRC Access Control can be used through:
- the SAP NetWeaver Business Client (NWBC), installed as a desktop client (like the SAP GUI), or
- a specific web link opened in the browser (NWBC for HTML), or
- the SAP Fiori Launchpad (again via browser, but at a different link from the previous one); some GRC applications are also available as Fiori apps, or
- for administrators, the SAP GUI.
In the case below, the image shows the web part, i.e. option two above.
Analysis can be performed at different levels:
- user,
- role,
- HR objects (job, position or organizational unit).
Without the checkmark on Offline Data (see next image), the analysis is performed in real time against the target system. With "Offline Data" checked, the analysis runs on the data saved by the last batch risk analysis (use this if, for some reason, the target system is not reachable at that time).
Risk Analysis User Level
The screen consists of two parts:
- Analysis Criteria
- Report Options
Tip: log on in English (the Italian translations can be misleading in some cases).
In the Analysis Criteria section we find several entries:
- System -> the system or systems to analyze. Usually the production system.
- User -> one or more users.
- User Group -> restricts the analysis to a specific user group.
- Custom Group -> lets you define "custom" user groupings that do not really exist in the target system.
- Risk Level -> the risk levels to include in the analysis.
- Rule Set -> the risk matrix to use (a risk matrix is called a Rule Set in GRC). Usually there is only one.
Note that the middle column shows a selection operator ("is"). Opening the drop-down, for some items (not all) you find additional operators such as "starts with" or "multiple selection", which lets you enter several users to analyze at once.
Below the Analysis Criteria, the Report Options section defines the output format and some further criteria for the analysis.
Type of risk analysis:
- Action -> analysis that considers only transactions (Actions in GRC language), not authorization objects. False positives are possible if the matrix is defined at the authorization-object level.
- Permission -> the most complete type of analysis, with the fewest false positives, provided the matrix contains the authorization-object detail in addition to the transactions (Actions).
- Critical Action -> in the matrix it is possible to define critical "transactions" (Actions), which are not necessarily related to processes in conflict with each other. If such risks exist in the matrix, it is important to enable this flag as well.
- Critical Permission -> as above, but for risks made up only of "critical" authorization objects.
- Critical Role/Profile -> for the SAP_ALL profile or other roles considered critical that have been excluded from the analyses: with this flag you make sure they are considered.
GRC AC offers multiple views (Format) of the risk analysis output. For example, when performing the risk analysis at the user level, the formats are:
- Summary: shows the risks detected for each user, with the conflicting transactions and any mitigating control assigned.
- Detail: the most detailed and technical view available. It shows the risks detected for each user, with the functions and actions (transactions/apps) in conflict with each other and the related authorization objects. It also highlights any mitigating control assigned for each risk and the roles that contain the actions and authorization objects. Very useful from a remediation perspective.
- Management Summary: shows the details of the risks detected for each user, with any mitigating controls assigned.
- Executive Summary: the most high-level view available. It shows the risks detected, with the number of violations for each risk and any mitigation. It is not possible to mitigate a risk from this view, as there is no user-risk link in the output.
The first two views indicate (if Action Usage Sync has been run) whether the risk is actually exercised, i.e. whether the conflicting transactions have been executed. This requires that reading the usage statistics from the target systems (those being analyzed) is enabled.
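As an added example (not code from the original article or from SAP), the following Python script models a simplified rule set and shows two things described above: why an Action-level analysis can produce false positives that a Permission-level analysis avoids, and how the usage statistics from Action Usage Sync turn a violation into an "exercised" one. Functions, risks, roles, transaction codes, authorization values, users and usage data are constructed sample data; aggregating authorizations across a user's roles as a plain union is an assumption that ignores how real SAP profiles are generated.

```python
from dataclasses import dataclass

# Toy model of GRC AC concepts. All names and values below are constructed.


@dataclass
class Function:  # GRC-style function: tcode -> required (object, field, value) list
    fid: str
    actions: dict


@dataclass
class Risk:  # one function = critical-action risk, two or more = SoD risk
    rid: str
    level: str
    functions: list


@dataclass
class Role:  # tcodes granted + (object, field) -> set of values ("*" = all)
    name: str
    tcodes: set
    auth: dict


def user_auth(roles):
    """Union of transactions and authorization values over all of a user's
    roles (assumption: a plain union, as a user-level analysis sees them)."""
    tcodes, auth = set(), {}
    for role in roles:
        tcodes |= role.tcodes
        for key, vals in role.auth.items():
            auth.setdefault(key, set()).update(vals)
    return tcodes, auth


def function_met(function, tcodes, auth, level):
    """Transactions through which `function` is satisfied for the user.
    'action': the user merely has the transaction (S_TCODE-like check).
    'permission': the user also holds every required authorization value."""
    met = []
    for tcode, reqs in function.actions.items():
        if tcode not in tcodes:
            continue
        if level == "action" or all(
            v in auth.get((o, f), set()) or "*" in auth.get((o, f), set())
            for o, f, v in reqs
        ):
            met.append(tcode)
    return met


def analyze(roles, rule_set, level, used_tcodes=frozenset(), risk_levels=None):
    """One dict per violated risk: id, level, transactions per function, the
    roles carrying them, and whether the risk is exercised (every function of
    the risk has at least one transaction present in the usage statistics)."""
    tcodes, auth = user_auth(roles)
    violations = []
    for risk in rule_set:
        if risk_levels and risk.level not in risk_levels:
            continue
        per_function = {}
        for fn in risk.functions:
            met = function_met(fn, tcodes, auth, level)
            if not met:
                break  # one function not granted -> no violation
            per_function[fn.fid] = met
        else:
            hit = {t for ts in per_function.values() for t in ts}
            violations.append({
                "risk": risk.rid,
                "level": risk.level,
                "functions": per_function,
                "roles": sorted(r.name for r in roles if r.tcodes & hit),
                "exercised": all(any(t in used_tcodes for t in ts)
                                 for ts in per_function.values()),
            })
    return violations


# Constructed sample rule set, roles, users and usage statistics.
VENDOR_MASTER = Function("F_VENDOR", {
    "FK01": [("F_LFA1_APP", "ACTVT", "01")],  # create vendor
    "FK02": [("F_LFA1_APP", "ACTVT", "02")],  # change vendor
})
PAYMENT_RUN = Function("F_PAYMENT", {"F110": [("F_REGU_BUK", "FBTCH", "21")]})
CLIENT_ADMIN = Function("F_CLIENT", {"SCC4": [("S_TABU_DIS", "ACTVT", "02")]})
RULE_SET = [
    Risk("P001", "High", [VENDOR_MASTER, PAYMENT_RUN]),  # SoD: vendor vs payment
    Risk("B001", "Critical", [CLIENT_ADMIN]),            # critical action
]
ROLES = {
    "Z_VENDOR_DISPLAY": Role("Z_VENDOR_DISPLAY", {"FK01", "FK02"},
                             {("F_LFA1_APP", "ACTVT"): {"03"}}),  # display only
    "Z_VENDOR_MAINT": Role("Z_VENDOR_MAINT", {"FK01", "FK02"},
                           {("F_LFA1_APP", "ACTVT"): {"01", "02", "03"}}),
    "Z_PAYMENT": Role("Z_PAYMENT", {"F110"}, {("F_REGU_BUK", "FBTCH"): {"21"}}),
}
USERS = {"ALICE": ["Z_VENDOR_DISPLAY", "Z_PAYMENT"],
         "BOB": ["Z_VENDOR_MAINT", "Z_PAYMENT"]}
USAGE = {"ALICE": {"FK01"}, "BOB": {"FK01", "F110"}}  # as from Action Usage Sync


def run(user, level, risk_levels=None):
    roles = [ROLES[r] for r in USERS[user]]
    return analyze(roles, RULE_SET, level, USAGE.get(user, set()), risk_levels)


if __name__ == "__main__":
    for user in USERS:
        for level in ("action", "permission"):
            print(user, level, run(user, level))
```

ALICE holds both transactions but only display authorization on the vendor master, so the Action-level run reports P001 (a false positive) while the Permission-level run reports nothing; BOB violates P001 at both levels, and because the usage data contains one transaction of each conflicting function the violation is marked as exercised. Passing a set of risk levels reproduces the Risk Level filter of the selection screen.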
For all the formats above, the view can be:
- Technical view: generally used by more technical staff (e.g. ICT); the descriptions of objects (risk, function, user name, etc.) are not shown.
- Business view: generally used by the business; a description is given for each field.
- Remediation view: not active by default. It allows you to see some additional details (e.g. in a risk analysis on roles, all the transactions and authorization objects contained in the role), to assign a mitigating control, or to create an access request directly (e.g. in a risk analysis on users, to request the removal of a role).
Once the selection is complete, you can run the analysis in the foreground or in the background. In the first case you have to wait until processing is finished. In the second case a job is created, whose results you can look at later (use this when the number of users is large or there are many violations).
To see the results of a risk analysis run in the background, go to the Background Job item in the Access Management work center.
Offline Risk Analysis
To perform a comprehensive risk analysis on all users/roles, GRC provides the ability to analyze all the data in a batch run. In GRC this functionality is called Batch Risk Analysis, or Offline Risk Analysis.
What is the difference from the online risk analysis?
- Batch Risk Analysis results are faster to read, because nothing is computed in real time.
- Batch Risk Analysis data can be out of date, because it is not real-time (it depends on the date of execution).
- Batch Risk Analysis results can be viewed directly via the web (via the screenshot above with the checkmark on Offline Data, or in the Reports & Analytics work center) or via the GUI.