SAP Roles and Authorizations


Transcript of SAP Roles and Authorizations

Page 1: SAP Roles and Authorizations

7/26/2019 SAP Roles and Authorizations

http://slidepdf.com/reader/full/sap-roles-and-authorizations 1/98

Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions Limited 2010. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

SAP Authorizations and GRC

By: Ravi B Hemanth

Page 2: SAP Roles and Authorizations


Objectives

Learn how a role is built up in SAP, what role-based access is and why it is important.

Understand why security and Segregation of Duties (SoD) is important in SAP.

Understand the business value and usage of the applications in the SAP GRC Access Control Suite.

Page 3: SAP Roles and Authorizations


Why is security important in SAP?

Data theft and espionage is a growing crime: several examples where millions have been lost in damages.

Intruders target user profiles with extended authorizations.

Long-term damages include financial damages, image loss, declined stock, lawsuits and compliance violations.

Page 4: SAP Roles and Authorizations


Figures

U.S. fraud costs were $52.6 billion in 2005

Intellectual property theft costs U.S. companies between $200 billion and $250 billion a year in sales

Page 5: SAP Roles and Authorizations


Famous scandals

WorldCom: Lost $127 billion in market value. 24 000 people lost their jobs. Share value $62 to $0.20 in less than 3 years.

Enron: Lost $19 billion in market value. 5500 people lost their jobs.

Page 6: SAP Roles and Authorizations


Who are they?

Paul Sarbanes, Michael Oxley

Page 7: SAP Roles and Authorizations


Sarbanes-Oxley (SOX)

In 2001/2002 large US companies like Enron or WorldCom went bankrupt.

Their management had hidden and changed financial data and betrayed investors.

In 2002 the Sarbanes-Oxley Act was made law to establish better controlling and accounting transparency.

The strongest focus is on Internal Controls.

Page 8: SAP Roles and Authorizations


Why SOX?

All companies that are registered on the NYSE/NASDAQ stock market must be compliant with SOX.

Massive impact for large enterprises who had to take measures to ensure internal control.

SOX has generated thousands and thousands of hours of consultant work!

There will be a similar law within EU, "Euro SOX".

Page 9: SAP Roles and Authorizations


Segregation of Duties

Definition:

"Key duties and responsibilities in authorizing, processing, recording and reviewing official business transactions must be separated among individuals to reduce the risk of error or fraud".

Applied on our client:

"One person should not control all stages of a process, a situation in which error or irregularities could occur without detection".

Page 10: SAP Roles and Authorizations

SAP Security Concept for Roles and Authorizations

Page 11: SAP Roles and Authorizations


SAP example

Production Planning
Materials Management
Finance and Controlling
Sales and Distribution
Human Resources

As a Financial Accountant, Mr. Smith probably has job duties that involve accessing components of the Finance and Controlling module (FI/CO).

Page 12: SAP Roles and Authorizations


Transactions

A user performs tasks in SAP by entering transaction codes.

A transaction code is a command that takes the user to a certain program in the SAP system.

The term "transaction" is usually used to refer to the program that is run when the corresponding transaction code has been entered.

For example, the user enters the transaction code FB02 to run the transaction/program that is used to change documents in the general ledger.

Page 13: SAP Roles and Authorizations


Example: FB02

Page 14: SAP Roles and Authorizations


FB02

Page 15: SAP Roles and Authorizations


FB02

Page 16: SAP Roles and Authorizations


FB02

Page 17: SAP Roles and Authorizations

SAP Security model overview

User Master Record
Authorization
Authorization field
Authorization Object
Simple Profile
Composite Profile
Authorization Profiles

Page 18: SAP Roles and Authorizations


User Master Record

Example of a User Master Record:

User Name
Initial Password
User Group
User Type
Valid Dates
Authorization Profiles

Page 19: SAP Roles and Authorizations


Profiles

Composite Profile

Simple Profile B

Allow Change access to documents

Allow Display access to documents

Simple Profile A

Page 20: SAP Roles and Authorizations

Authorization Object

Page 21: SAP Roles and Authorizations

Authorization field

Authorization field
Data Dictionary
Data Element
Authorization Object

Page 22: SAP Roles and Authorizations

Authorizations

Authorization Object (EXAMPLE: S_TCODE)
Authorization fields (EXAMPLE: TCD)
Authorization (EXAMPLE: FB02, EXAMPLE: FB03)

Object    Field name   Value
S_TCODE   TCD          FB02
S_TCODE   TCD          FB03

Page 23: SAP Roles and Authorizations

Auth. object check under transactions

Maintain
Display
Company Code value
Transaction
Object
Activity
Company Code

Page 24: SAP Roles and Authorizations


FB02

Page 25: SAP Roles and Authorizations

Authorization check

ABAP/4 Code

  " Check that the user holds activity 02 (change) for company code s_bukrs
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD s_bukrs
    ID 'ACTVT' FIELD '02'.
  " sy-subrc is 0 only when the check succeeded
  IF sy-subrc <> 0.
    MESSAGE E002(I) WITH text-200 s_bukrs.
  ENDIF.

Authorization Object: F_BKPF_BUK

Page 26: SAP Roles and Authorizations


ST01: Trace Display

Page 27: SAP Roles and Authorizations

SAP Access Role concept

Historically, users were given SAP access by direct assignment of Profiles, but to facilitate a more business-oriented access management, the role layer was added.

Roles were added as an additional abstraction level, in order to facilitate authorization design.

Compare to object-oriented programming instead of programming in machine language.

Page 28: SAP Roles and Authorizations

Access Hierarchy

U = User
C = Composite role
S = Single role
P = Profile
A = Authorization object
F = Field
V = Value

[Diagram: MR. SMITH (user), FINANCIAL ACCOUNTANT (composite role), GENERAL LEDGER JOURNALS MAINTAIN (single role), S_TCODE (authorization object), TCD (field), FB02 and FB03 (values)]
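Added example (not part of the original slides): a small Python model of the hierarchy above, from user through composite role, single role and profile down to authorization object, field and value, with a check that returns the codes AUTHORITY-CHECK leaves in sy-subrc (0, 4, 12). The profile name, the company codes 1000 and 2000 and the role contents are constructed sample data.

```python
"""Model of the SAP access hierarchy with an AUTHORITY-CHECK-style lookup.

Role and user names follow the slides; the profile name, the company codes
and the authorization values are constructed for this example.
"""

# Profile -> authorizations. One authorization = (object, {field: allowed values}).
PROFILES = {
    "P_GL_JOURNALS_MAINTAIN": [  # hypothetical profile name
        ("S_TCODE", {"TCD": {"FB02", "FB03"}}),
        # Change (activity 02) only in company code 1000.
        ("F_BKPF_BUK", {"ACTVT": {"02"}, "BUKRS": {"1000"}}),
        # Display (activity 03) in every company code.
        ("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"*"}}),
    ],
}
# A single role maps 1:1 to a profile.
SINGLE_ROLES = {"GENERAL LEDGER JOURNALS MAINTAIN": "P_GL_JOURNALS_MAINTAIN"}
# A composite role is a collection of single roles.
COMPOSITE_ROLES = {"FINANCIAL ACCOUNTANT": ["GENERAL LEDGER JOURNALS MAINTAIN"]}
# The user master record lists the composite roles of each user.
USERS = {"SMITH": ["FINANCIAL ACCOUNTANT"]}


def user_authorizations(user):
    """Flatten user -> composite role -> single role -> profile -> authorizations."""
    auths = []
    for composite in USERS.get(user, []):
        for single in COMPOSITE_ROLES.get(composite, []):
            auths.extend(PROFILES.get(SINGLE_ROLES[single], []))
    return auths


def _covers(allowed, value):
    # Only the full wildcard "*" is modelled here, not patterns or ranges.
    return "*" in allowed or value in allowed


def authority_check(user, auth_object, **fields):
    """Return 0 (authorized), 4 (object held, values not covered) or 12 (object not held).

    All checked fields must be covered by ONE authorization. Values are never
    combined across two authorizations of the same object.
    """
    candidates = [f for obj, f in user_authorizations(user) if obj == auth_object]
    if not candidates:
        return 12
    for auth_fields in candidates:
        if all(_covers(auth_fields.get(name, set()), value)
               for name, value in fields.items()):
            return 0
    return 4


def may_change_document(user, company_code):
    """Both checks needed to change a document via FB02 in one company code."""
    starts_fb02 = authority_check(user, "S_TCODE", TCD="FB02") == 0
    may_change = authority_check(
        user, "F_BKPF_BUK", ACTVT="02", BUKRS=company_code) == 0
    return starts_fb02 and may_change


if __name__ == "__main__":
    for bukrs in ("1000", "2000"):
        print(bukrs, may_change_document("SMITH", bukrs))
```

The check for activity 02 in company code 2000 fails even though the user holds "02" in one authorization and "*" for BUKRS in another, because the two values sit in different authorizations.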

Page 29: SAP Roles and Authorizations


Profiles

Single roles hold a 1:1 mapping towards Profiles.

Page 30: SAP Roles and Authorizations


Single roles

A Single Role corresponds to a Job task in the system, for example General Ledger Journals Maintain.

Page 31: SAP Roles and Authorizations


Composite roles

A Composite Role corresponds to a Job role in reality, for example Financial Accountant.

All users in the SAP systems have at least one and usually several Composite Roles assigned to them.

A Composite Role is a predefined collection of Single Roles that have a relation to each other, and that together give the necessary access for the user to fulfil a certain job role.

[Diagram: User MR. SMITH, Composite role FINANCIAL ACCOUNTANT (TECHNICAL NAME: RMUS_0_CCC0_FIN:003)]

Page 32: SAP Roles and Authorizations


PFCG: Role Maintenance

The technical name for Financial Accountant.

Page 33: SAP Roles and Authorizations


Single roles

Page 34: SAP Roles and Authorizations


Display Authorization Data

Display Authorization objects and values

Page 35: SAP Roles and Authorizations


Display Authorization objects and values

Page 36: SAP Roles and Authorizations


Summary

User master records, profiles, transactions, objects etc.: generic technical design in all SAP systems.

Composite role/Single role concept: built-in possibilities in SAP that is used as best practice.

How can the role concept be used to perform Segregation of duties ... to be SOX compliant?

Page 37: SAP Roles and Authorizations


Sarbanes-Oxley (SOX) compliance and Segregation of Duties (SoD)

Page 38: SAP Roles and Authorizations


Sarbanes-Oxley and Segregation of Duties

The Sarbanes-Oxley act (SOX) is intended to ensure the correctness of US companies' accounting

One effect of SOX is referred to as the Segregation of Duties (SoD) directive

The SoD directive stipulates that no person must control several key steps in a connected process

[Diagram: Approve Purchase Order, Receive Goods, Clear Vendor, Enter Goods Receipt; Authorization, Custody, Record, Control]

Page 39: SAP Roles and Authorizations


What is the impact of SOX and SoD on Roles and Authorizations in SAP?

Page 40: SAP Roles and Authorizations

Access Control Systems

Mandatory Access Control (MAC)
- Access objects and users classified on a linear security scale (e.g. Level 1, Level 2, ...)
- If the user's security permission "level" exceeds that of the object's, the user is granted access to that object

Discretionary Access Control (DAC)
- Each user is able to pass on the permissions he or she has to other users
- A user is given access to an object if he or she has been given access to it by another user
- There is commonly one user with irrevocable access to all access objects (e.g. root, administrator, ...)

Role Based Access Control (RBAC)
- Access is granted by assigning each user one or more access roles
- Each user is given access to the objects that his or her roles specify
- A user may be given access either by new roles or by changing a role that the user already has

High versatility, low maintenance

Page 41: SAP Roles and Authorizations


Role Based Access

Role Architecture
- A library of roles must be built and maintained
- Principles must be established and followed for the role library to remain consistent

Role Provisioning
- Provisioning is the process by which users are given new roles
- Slow provisioning costs money in lost productivity

SOX directives

Page 42: SAP Roles and Authorizations


Role Architecture

Page 43: SAP Roles and Authorizations


Role Architecture

[Diagram: Access Role containing Permissions: Enter Goods Receipt and Permissions: Clear Vendor]

- No role must contain internal SoD risks
  - Control over several steps in a process would mean that no user could have this role

Page 44: SAP Roles and Authorizations


Role Architecture

Role Based Access Design Principles

Each access role mapped to a job role
Global template roles define action level security ("what")
Locally derived roles define data level security ("where")

Page 45: SAP Roles and Authorizations

Role Architecture

Access Roles vs. Job Roles

Page 46: SAP Roles and Authorizations


Role Architecture

- An access role is a role defined in the system; a job role is a real-world role
  - An access role contains all permissions needed to perform the tasks needed to complete the job role
  - Permissions = Actions + Data Access
- Benefit: Access roles are free from internal SoD risks, as long as job roles are

[Diagram: User (e.g. a financial accountant), Access role Financial Accountant, Permissions e.g. change G/L document, post G/L document. User (e.g. a sales assistant), Access role Sales Assistant, Permissions e.g. create sales orders, change sales orders]

Page 47: SAP Roles and Authorizations

7/26/2019 SAP Roles and Authorizations

http://slidepdf.com/reader/full/sap-roles-and-authorizations 47/98

<1Department | 8/24/2010 | © Robert Bosch Engineering and Business Solutions imited 2010! "ll rights reser#ed$ also regarding

an% disposal$ e&ploitation$ reproduction$ editing$ distribution$ as 'ell as in the e#ent o( applications (or industrial propert% rights!

Role Architecture

Action level security?

Data level security?

Page 48: SAP Roles and Authorizations


Role Architecture

- Action level security defines access to activities
  - In SAP, action level security can be thought of as access to transactions
- Action level security is specified on a global level
  - A financial accountant has the same access irrespective of which country he or she works in

[Diagram: Access role template Financial Accountant, Permissions TCODE: FB]

Page 49: SAP Roles and Authorizations


Role Architecture

Data level security

Page 50: SAP Roles and Authorizations


Role Architecture

- Data level security defines access to data
  - Access to display/maintain certain company codes, sales organizations, plants, etc.
- Locally derived roles define data access

Global Template Role, e.g. Financial Accountant - Template
TCODE: FB
ACTVT: ,
BUKRS: ,

Local Role, e.g. Financial Accountant - Sweden
TCODE: FB
ACTVT:
BUKRS: 0

Local Role, e.g. Financial Accountant - China
TCODE: FB
ACTVT:
BUKRS: 10

Page 51: SAP Roles and Authorizations


Role Provisioning

Page 52: SAP Roles and Authorizations


Role )ro#isioning

No person must be given roles that give access to several steps in a connected process

Segregation is possible by process or geography

Mr. Smith

Access role: Financial Accountant Sweden

Access role: Billing Administrator Sweden

Access role: Security Advisor Sweden

Access role: Billing Administrator Norway

Process separation

Geographic separation

SoD Risk


Traditional Role Based Access

User admin team grants access based on line manager demands

Access applied for on an as-needed basis

User admin team responsible for security while business is trying to operate

Role provisioning flow controlled entirely by business

Access applied for on a job role basis

Business is responsible for maintaining security and operational effectiveness


Role provisioning process


Role provisioning flow controlled entirely by business

Business is responsible for maintaining both security and operational effectiveness

Access applied for on a job role basis

Application → Business approval → Security approval → Assignment


Why is a business approval needed?


Business approval

SOX requires that a valid business reason for the order must exist

Verify that the requested role matches actual personal identity and job role

Verify that the end user has a need to know of the information that will be available via the role


Security approval


Security approval

The security approval checks that no SoD risks appear for the user

Verify that no SoD risks appear for the user

Verify that user is not given access to unnecessary critical actions (create users, change roles, etc.)

Verify that user is not given access to display sensitive data (financial statements etc.)


SOX Audits


What SoD risks do you have?

Do you have proof that all access is properly authorized?

How do you ensure the consistency of your roles?

How are sensitive activities monitored?


SAP GRC Suite

Virsa Systems


In April 2006, SAP bought Virsa Systems and started transforming the Virsa suite into SAP GRC

VIRSA stands for "Versatile Innovative Risk and Security Administration"

US company, founded in 1996

Today more than one million end users are subject to compliance at more than 170 customers worldwide

Major references (Vodafone, IBM, Unilever, Panasonic, BASF, Boeing, Burger King, Sony, Nortel, Siemens, Gillette)

Virsa provides the only solutions that monitor and enforce business controls in real time across enterprise systems

Virsa is the global leader in cross-enterprise compliance solutions

The company is privately funded with venture investment from SAP Ventures, Kleiner Perkins Caufield & Byers, and Lightspeed Venture Partners.


SAP GRC Suite overview

Access Enforcer

SAP Compliance Calibrator

Access in FireFighter

FireFighter logs

Role Expert

connection is possible

Online ordering tool


Fail-safe risk prevention

Access Enforcer

SoD analysis, critical transaction monitoring, & preventive simulation

SAP Compliance Calibrator by Virsa Systems

Role management

Role Expert

Superuser access control

Firefighter

Provisioning

Risk Terminator

Cross Enterprise Risk Management

Enterprise Portals Risk Manager


Compliance Calibrator


/VIRSA/ZVRAT


Part of the SAP GRC Suite

Core application of the suite

Uses the ERP Risk Framework (within "Rule Architect") for SoD risk analysis of users

SAPgui based (4.0, current version)

Web based NetWeaver (5.2, release 3 2007)


Compliance Calibrator

Source of ERP risk framework used for all SoD analysis

Is used to monitor users, roles, risks and mitigation controls

Compliance Calibrator increases visibility regarding SoD and assists in managing risks and users


Risk Definition


Rule Architect


Selection Screen (Cockpit)


User Analysis

[Diagram: Risk definition 1 and Risk definition 2; Function A, Function B, Function C, each listing transactions; two users; outcome labels "Risk" and "No risk"]


Risk Report

Access Enforcer


Purpose

Used primarily to perform segregation of duty (SoD) analysis before roles are approved and allocated to users.

Reduction of lead times for role allocation leads to significant business improvements. The user administration will be fully automated.

The tool will enforce the role approval process and ensure that SoD checks are performed and that potential risks are mitigated, all prior to role allocation.


Business value

Facilitate SOX compliance from an SAP security perspective.

Increase the accuracy of SAP user authorizations and adhere to the GAC principles.

Reduce maintenance costs for the SAP user administration.

Reduced lead times for role allocation lead to significant business improvements.

Reduce security audit costs for SAP environments.


User administration process

The purpose of a User Administration Process is to assign/remove roles from SAP user accounts.

An online ordering tool and Access Enforcer ensure that the proper approval for every request is done and that all assigned roles are compliant to the security policy.


Order process

All orders for access to IT applications are managed via a tool for ordering online.


Requests for approval

The first approver in the workflow receives the request that was ordered in the online ordering tool.


Roles included in the order


Risk Analysis

When the approver clicks Risk Analysis, Access Enforcer runs an analysis on the user's current roles in combination with the new roles that were ordered.

In fact, Access Enforcer makes a call to Compliance Calibrator, where the SoD risk framework is stored.

Compliance Calibrator runs the analysis and returns the result.


Risk Analysis result

The risks are listed with a Risk ID, Risk Description and Status.

SoD risk: FB01 and ME21


Risk simulation

Now we can uncheck Financial Accountant and simulate the risks without that role.


Risk Analysis result
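The SoD checks from the Role Provisioning and Risk Analysis slides, as an added example that is not part of the original slides and is not how Compliance Calibrator is implemented: it analyzes a user's current plus requested roles against a risk framework (a risk pairs two functions, a function groups transactions), counts a conflict only within the same company code (geographic separation), and simulates the result with a role excluded. FB01 and ME21 come from the slide; the Purchaser role, function names, risk ID, description and company codes are constructed assumptions.

```python
from dataclasses import dataclass

# Risk framework: a function groups transactions, a risk pairs two functions
# that one person must not hold together. FB01 and ME21 are the pair shown on
# the slide; function names, risk ID and description are constructed.
FUNCTIONS = {
    "POST_ACCOUNTING_DOCUMENT": frozenset({"FB01"}),
    "CREATE_PURCHASE_ORDER": frozenset({"ME21"}),
}
RISKS = {
    "R001": ("CREATE_PURCHASE_ORDER", "POST_ACCOUNTING_DOCUMENT",
             "Create a purchase order and post the accounting document"),
}


@dataclass(frozen=True)
class Role:
    name: str
    tcodes: frozenset
    company_codes: frozenset  # BUKRS values set on the locally derived role


def derive(template, tcodes, site, company_codes):
    """Derive a local role: the template's transactions plus local BUKRS values."""
    return Role(f"{template} {site}", frozenset(tcodes), frozenset(company_codes))


def access_by_function(roles):
    """Map each function to the company codes in which the roles permit it."""
    access = {}
    for role in roles:
        for function, tcodes in FUNCTIONS.items():
            if role.tcodes & tcodes:
                access.setdefault(function, set()).update(role.company_codes)
    return access


def analyze(current, requested=(), exclude=(), mitigated=()):
    """SoD findings for current + requested roles.

    `exclude` names roles to leave out (simulation); `mitigated` lists risk IDs
    that already have a mitigating control for this user.
    """
    roles = [r for r in (*current, *requested) if r.name not in exclude]
    access = access_by_function(roles)
    findings = []
    for risk_id, (first, second, description) in sorted(RISKS.items()):
        # The conflict counts only where both functions reach the same company code.
        overlap = access.get(first, set()) & access.get(second, set())
        for bukrs in sorted(overlap):
            findings.append({
                "risk_id": risk_id,
                "description": description,
                "company_code": bukrs,
                "status": "mitigated" if risk_id in mitigated else "open",
            })
    return findings


# Constructed sample data: the role "Purchaser" and all company codes are hypothetical.
PURCHASER_SE = derive("Purchaser", {"ME21"}, "Sweden", {"SE01"})
ACCOUNTANT_SE = derive("Financial Accountant", {"FB01"}, "Sweden", {"SE01"})
ACCOUNTANT_NO = derive("Financial Accountant", {"FB01"}, "Norway", {"NO01"})

if __name__ == "__main__":
    print(analyze([PURCHASER_SE], [ACCOUNTANT_SE]))                # SoD risk in SE01
    print(analyze([PURCHASER_SE], [ACCOUNTANT_SE],
                  exclude={ACCOUNTANT_SE.name}))                   # simulation without the role
    print(analyze([PURCHASER_SE], [ACCOUNTANT_NO]))                # geographic separation
```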


First approval step finished

What is Role Expert?


Tool for documenting roles and authorizations.

Web based application.

Automates creation and management of role definitions.

RE enforces (Swedish: upprätthåller, genomdriver) best practice to ensure that role definitions, development, testing and maintenance are consistent through the implementation.

Role Expert functionality


Track progress during role implementation.

Monitor the overall quality of the implementation.

Perform risk analysis at role design time.

Set up a workflow for role approval.

Provide an audit trail for all role modifications.

Maintain roles after they are generated to keep role information current.


Role Expert: Search screen

Enter M'SG. Technical name for single roles in the system called M'S&.


Role Expert: Search results


Role Expert: Role definition


Role Expert: Add transactions


Role Expert: Company mapping


FireFighter


Summary


SAP uses a complex structure to manage authorizations:

Fields

Objects

Profiles

Roles

The Sarbanes-Oxley act (SOX) imposes requirements on companies' management of roles and authorizations:

Segregation of Duties (SoD)

Business approvals

Audit trails

Role Based Access (RBAC) is required to fulfil the roles and authorization requirements of large organizations:

Globally governed role architecture

Business controlled role

To manage compliance SAP offers the GRC Suite:

Compliance Calibrator (SoD)

Access Enforcer (Role provisioning)

FireFighter (Critical access)

Role Expert (Role architecture)