Segregation of Duties Review (SOD Review) Description and Workflow Configuration
Added by Shaily Kulshreshtha, last edited by Shaily Kulshreshtha on Nov 28, 2014
Segregation of Duties Review (SOD Review)

Segregation of Duties Review is a process in which the system periodically checks for risks and violations associated with a user or with functions. It can be used during the initial cleanup of risk violations as well as in a long-term strategy to review and reaffirm previous mitigation assignments.

When an SOD review is performed, requests are generated automatically, based on the organization's internal policy. SOD review provides a workflow-based review and approval process.

Purpose

This document explains the complete functionality of SOD review.
SOD Review Overview

Key features of SOD Review:

- Decentralized review of Segregation of Duties violations
- Workflow request for access review and approval
- Reaffirmation of mitigation control assignments
- Audit trail and reports for audits
SOD Review Process

A background job generates the SOD Review requests. The system sends an SOD review notification to the reviewers. The reviewer reviews the request and takes one of the following actions for each item:

- Reject the request item
- Mitigate the risk by assigning a mitigation control
- Remove the access that is creating the violation

There is one more, optional step: an administrator can be involved for an Admin Review before the request is sent to the reviewers.
SOD Review Process Explanation

Admin Review: With the Admin Review option, the administrator validates the request data after the requests have been generated by the SOD review job but before the workflow tasks are generated (that is, before the SOD Review Update Workflow job runs). If any reviewer information is missing or needs to be modified, the administrator can correct it before the workflow is generated, and can also delete requests if required.

Review Stage: You can specify whether the Reviewer stage is addressed by the user's manager or by the risk owner (see parameter 2018 under IMG Configuration).

Security Stage: A Security stage can also be included if required.
Workflow Stage Configuration

After deciding which stages to include in the SOD review workflow, you need to determine the specific behaviour of each stage to reflect the review process:

Email Notification: First, determine the content of the email notification to be sent to the approver of each stage. The recipient also needs to be determined.

Reminder: Email reminders can also be set; you can specify the interval of the reminder notification.

Escalation: Escalation can be specified on each stage based on the time spent in that stage. If a reviewer does not complete the review within the time specified by the date parameter defined in configuration, the request is escalated, and the escalation is recorded in the audit log. You can also specify whether escalation automatically removes the access that has not been approved by a certain date.
Roles in SOD Review

The following roles can appear in an SOD Review request:

Administrator: Administrators perform SoD Review-specific administrative tasks, such as performing an Admin Review before a workflow is generated for the request.

Reviewer: Reviewers are the approvers at the Reviewer stage. A Reviewer can be a user's manager or the risk owner.

User's Manager: The user's manager is the direct manager of a particular user, as defined in the User Details data source.

Risk Owner: The risk owner is the owner specified in your Risk Analysis and Remediation (RAR) master data.

Coordinator: Coordinators are users assigned to one or more Reviewers. Coordinators monitor the SoD Review process and coordinate activities to ensure that the process is completed in a timely manner.
Prerequisites

The following jobs should be executed, in this sequence, before running the SOD review jobs:

1. Repository Sync for users, roles and profiles (SPRO > GRC > Access Control > Synchronization Jobs > Repository Sync)
2. Batch Risk Analysis job (SPRO > GRC > Access Control > Access Risk Analysis > Batch Risk Analysis > Execute Batch Risk Analysis)
3. Action Usage Sync (SPRO > GRC > Access Control > Synchronization Jobs > Action Usage Sync)
4. Role Usage Sync (SPRO > GRC > Access Control > Synchronization Jobs > Role Usage Sync)

Also make sure that risk owners are maintained, since requests routed to a risk owner cannot be delivered without one.
Configuration Settings

This section explains the SOD Review configuration settings.

IMG Configuration

Before running the SOD review job, some IMG settings need to be made. Go to IMG > GRC > Access Control > Maintain Configuration Settings:

1. For PARAM Risk Analysis: set parameter 1027 Enable Offline Risk Analysis to YES.
2. For PARAM SOD Review: set the parameters below.
   a. 2016 Request Type for SOD: choose the default request type for SOD.
   b. 2017 Default Priority for SOD: choose the default priority for SOD.
   c. 2018 Who Are Reviewers: choose Risk Owner or Manager.
   d. 2019 Admin Review required before sending task to Reviewer: choose Yes or No.
   e. 2020 Number of unique line items per SOD request: the maximum value of this parameter is 9999. Beyond that number of items, the request is split and the excess items are moved to a new request. This parameter was introduced in GRC 10.0 SP17 (SAP Note 1994429).
   f. 2021 Is actual removal of role allowed: choose Yes or No.
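The following Python model is added here as an illustration and is not SAP's code. It shows how these parameters shape the requests that the SOD review job generates: 2018 chooses the reviewer, 2019 decides whether a request waits for Admin Review, 2020 splits one reviewer's line items across several requests, and 2021 decides which removal pushbutton the reviewer sees. It also covers the three reviewer actions from the process description above. The enumeration strings (MANAGER, RISK_OWNER, the status and outcome names), the cut of one request per reviewer, and all users, risks, roles, controls and coordinators are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Violation:
    """One line item from batch risk analysis (constructed sample, not GRC output)."""
    user: str
    risk_id: str
    role: str        # role assignment causing the violation
    manager: str     # from the User Details data source; "" if not maintained
    mitigated: bool  # an existing mitigation control assignment is to be reaffirmed


@dataclass
class SodReviewConfig:
    """Mirrors the PARAM SOD Review parameters described above (values assumed)."""
    request_type: str = "SOD_REVIEW"  # 2016 Request type for SOD
    priority: str = "MEDIUM"          # 2017 Default priority for SOD
    reviewers: str = "MANAGER"        # 2018 Who are reviewers: "MANAGER" or "RISK_OWNER"
    admin_review: bool = False        # 2019 Admin review before sending task to reviewer
    max_items: int = 9999             # 2020 Number of unique line items per request
    actual_removal: bool = False      # 2021 Is actual removal of role allowed


@dataclass
class ReviewRequest:
    reviewer: Optional[str]   # None: admin must add the reviewer in Request Review
    coordinator: Optional[str]
    items: List[Violation]
    status: str               # "ADMIN_REVIEW", "WORKFLOW" or "MISSING_REVIEWER"
    removal_action: str       # pushbutton the reviewer will see (parameter 2021)


def pick_reviewer(v: Violation, cfg: SodReviewConfig,
                  risk_owners: Dict[str, str]) -> Optional[str]:
    """Parameter 2018 decides whether the manager or the risk owner reviews the item."""
    if cfg.reviewers == "MANAGER":
        return v.manager or None
    if cfg.reviewers == "RISK_OWNER":
        return risk_owners.get(v.risk_id)   # must be maintained in RAR master data
    raise ValueError(f"unknown reviewer setting {cfg.reviewers!r}")


def generate_requests(violations: List[Violation], cfg: SodReviewConfig,
                      risk_owners: Dict[str, str],
                      coordinators: Dict[str, str]) -> List[ReviewRequest]:
    """Group unique line items per reviewer, split at parameter 2020, set initial status."""
    if not 1 <= cfg.max_items <= 9999:
        raise ValueError("parameter 2020 must be between 1 and 9999")
    buckets: Dict[Optional[str], List[Violation]] = {}
    for v in dict.fromkeys(violations):            # drop duplicate line items, keep order
        buckets.setdefault(pick_reviewer(v, cfg, risk_owners), []).append(v)
    removal = "ACTUAL_REMOVAL" if cfg.actual_removal else "PROPOSE_REMOVAL"
    requests: List[ReviewRequest] = []
    for reviewer, items in buckets.items():
        if reviewer is None:
            status = "MISSING_REVIEWER"   # surfaces in Request Review for the admin to fix
        elif cfg.admin_review:
            status = "ADMIN_REVIEW"       # waits for the Update Workflow job
        else:
            status = "WORKFLOW"           # task goes straight to the reviewer's inbox
        for start in range(0, len(items), cfg.max_items):
            requests.append(ReviewRequest(
                reviewer=reviewer,
                coordinator=coordinators.get(reviewer) if reviewer else None,
                items=items[start:start + cfg.max_items],
                status=status,
                removal_action=removal,
            ))
    return requests


def review_item(request: ReviewRequest, item: Violation, action: str,
                control: Optional[str] = None) -> str:
    """Apply one of the reviewer's three options to a line item and return the result."""
    if action == "REJECT":
        return "REJECTED"                      # reworked later via Manage Rejections
    if action == "MITIGATE":
        if control is None and item.mitigated:
            return "MITIGATION_REAFFIRMED"     # existing control assignment confirmed
        if control is None:
            raise ValueError("a mitigation control id is required")
        return f"MITIGATED:{control}"
    if action == "REMOVE":
        return request.removal_action          # actual removal only if parameter 2021 = Yes
    raise ValueError(f"unknown action {action!r}")


# Constructed sample data: users, risks, roles and owners are invented for the example.
SAMPLE_VIOLATIONS = [
    Violation("JSMITH", "P001", "Z_AP_INVOICE", "MGR_A", False),
    Violation("JSMITH", "F002", "Z_AP_PAY", "MGR_A", True),
    Violation("AKHAN", "P001", "Z_AP_INVOICE", "MGR_A", False),
    Violation("LWU", "B003", "Z_FI_BANK", "MGR_B", False),
    Violation("TEMP1", "P001", "Z_AP_INVOICE", "", False),        # no manager maintained
    Violation("JSMITH", "P001", "Z_AP_INVOICE", "MGR_A", False),  # duplicate line item
]
RISK_OWNERS = {"P001": "RO_PROC", "F002": "RO_FIN"}              # B003 deliberately unowned
COORDINATORS = {"MGR_A": "COORD_1", "MGR_B": "COORD_1", "RO_PROC": "COORD_2"}


def demo(reviewers: str = "MANAGER", admin_review: bool = True,
         max_items: int = 2) -> List[ReviewRequest]:
    """Run the generation step with a small 2020 limit so the split is visible."""
    cfg = SodReviewConfig(reviewers=reviewers, admin_review=admin_review, max_items=max_items)
    return generate_requests(SAMPLE_VIOLATIONS, cfg, RISK_OWNERS, COORDINATORS)


if __name__ == "__main__":
    for r in demo():
        print(r.reviewer, r.status, r.coordinator, [(v.user, v.risk_id) for v in r.items])
```

Running demo() with 2018 = MANAGER yields four requests: MGR_A's three unique items split into two requests by the limit of 2, one request for MGR_B, and one request with no reviewer for the user whose manager is not maintained, which is exactly the case the Admin Review step exists to catch. Switching to RISK_OWNER regroups the same items by risk, and the unowned risk B003 lands in a request with no reviewer, which is why the prerequisites insist that risk owners are maintained.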
Managing Coordinators

Go to NWBC > Access Management > Compliance Certification Review > Manage Coordinators. On the screen that opens, select any line item to change it, or create a new one.
Specifying Escalations

Go to SPRO > GRC > Access Control > User Provisioning > Maintain Service Level Agreement. Here you can create the SLA for the SOD review process. The SLA can be of type Fixed by Date, Fixed by Number of Days, or Formula.
Generating Data for Requests

To generate the data for the SOD review, schedule a job from NWBC > Access Management > Scheduling > Background Scheduler. Enter a job name, select Generate data for Access Request SOD Review, and click Next. On the next screen, enter the parameters for which you want to run the job. Click Next and then Finish; the job is now scheduled. You can check the job under NWBC > Access Management > Scheduling > Background Jobs.
Request Review

This step is only required if you have enabled the Admin Review option. The administrator reviews the requests to ensure the completeness and accuracy of the request information prior to sending them to the Reviewers.

Go to Access Management > Compliance Certification Review > Request Review. On the Request Review screen, search for the SoD Review requests by selecting the SoD Risk Review Workflow, then review the data to confirm that the Reviewer and Coordinator information is accurate. On this screen you can also enter reviewer information on requests where it is missing. An administrator can also cancel a request if the SoD review is not required or if the data is incorrect.
Update Workflow Job

This step is only required if you have enabled Admin Review and the Admin Review has been completed. Execute the SoD Review Update Workflow job to push the workflow tasks to the Reviewers.

Go to Access Management > Scheduling > Background Scheduler. The Schedule Access Management screen appears. Choose Create to create a new schedule for Update Workflow; the Create Schedule screen appears. Enter a schedule name and select the schedule activity from the dropdown list: for SoD requests, select Update Workflow for SoD Request. Choose Finish. Go to Request Review and check whether the status of the request has been completed. After all of the above steps are completed, the requests arrive in the Reviewers' Work Inbox.
The request can now be viewed in the Work Inbox (the original page shows a screenshot of the opened request here).

Because YES was selected for Actual Removal of Roles during configuration (parameter 2021), the ACTUAL REMOVAL pushbutton appears on the screen. If NO had been selected, the PROPOSE REMOVAL pushbutton would appear instead. Selecting a risk and choosing Actual Removal removes the role associated with that risk; choosing Propose Removal only proposes the removal, and no role is actually removed. Choose Submit to complete the review process.
Workflow Configuration

To process SOD review, you need to set up the workflow in MSMP.

Process ID: SAP_GRAC_SOD_RISK_REVIEW

Rules are maintained at the second step. You can configure function module rules, BRFplus rules, ABAP class-based rules and BRFplus flat rules. The rules can be of the following types:

- Initiator Rule: determines which path the request takes
- Routing Rule: directs the request to take a detour
- Agent Rule: determines the agents (Reviewers) for the request at a particular stage
- Notification Rule: used for notification purposes only
At the third step you define the agents. The possible agent types are:

- Directly Mapped Users: a group of users created within the workflow configuration
- PFCG Roles: all users who have the specified PFCG role assignments
- PFCG User Group: all users who are part of the specified PFCG user group
- GRC API Rules: all users returned by the configured agent rule
Once the agents are maintained, choose the NEXT pushbutton to maintain the Variables and Templates. On this screen you can maintain custom notification templates as well as their variables and reminders.
The next step is to maintain paths. Select a path and choose the ADD or MODIFY pushbuttons to define the path stages. In the Maintain Stages table, choose the MODIFY TASK SETTINGS button to change the stage settings.

In the Approval Type column, select All Approvers or Any One Approver from the dropdown list. This determines whether every approver, or any one approver, is required to approve the stage.

If you choose Yes for Escalation, specify the escalation setting by entering the idle time in minutes. The idle time is the period after which, if the stage has been neither approved nor rejected, the task is either sent to the specified escalation agent or the workflow moves on to the next stage.
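As an added illustration (not MSMP code), the stage evaluation below models the two task settings just described, the approval type and the escalation idle time, together with the escalation behaviour from the Workflow Stage Configuration section: a rejection by any agent ends the stage, All Approvers needs every agent, Any One Approver needs one, and once the idle time is exceeded the task either goes to a named escalation agent or the workflow moves on. The agent names, the outcome strings, the audit log wording and the remove_unapproved_access flag are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class StageSettings:
    """Task settings for one MSMP stage, as maintained under Modify Task Settings."""
    approval_type: str                      # "ALL_APPROVERS" or "ANY_ONE_APPROVER"
    escalation: bool = False                # Escalation = Yes / No
    idle_minutes: int = 0                   # idle time in minutes before escalation applies
    escalation_agent: Optional[str] = None  # agent to escalate to; None -> move to next stage
    remove_unapproved_access: bool = False  # assumed flag for "escalation removes access"


@dataclass
class StageTask:
    """A work item sitting with the stage's agents (constructed sample)."""
    agents: List[str]
    decisions: Dict[str, str] = field(default_factory=dict)   # agent -> "APPROVE" | "REJECT"
    audit_log: List[str] = field(default_factory=list)


def evaluate_stage(cfg: StageSettings, task: StageTask, minutes_idle: int) -> str:
    """Decide the stage outcome from the approval type, the decisions so far and idle time."""
    if cfg.approval_type not in ("ALL_APPROVERS", "ANY_ONE_APPROVER"):
        raise ValueError(f"unknown approval type {cfg.approval_type!r}")
    # Only decisions from the agents currently assigned to the task count.
    decided = {a: d for a, d in task.decisions.items() if a in task.agents}
    if "REJECT" in decided.values():
        task.audit_log.append("stage rejected")
        return "REJECTED"
    approvers = {a for a, d in decided.items() if d == "APPROVE"}
    if cfg.approval_type == "ANY_ONE_APPROVER" and approvers:
        return "APPROVED"
    if cfg.approval_type == "ALL_APPROVERS" and approvers == set(task.agents):
        return "APPROVED"
    if cfg.escalation and minutes_idle >= cfg.idle_minutes:
        if cfg.remove_unapproved_access:
            task.audit_log.append("escalation: unapproved access removed")
            return "ESCALATED_ACCESS_REMOVED"
        if cfg.escalation_agent:
            task.audit_log.append(f"escalated to {cfg.escalation_agent}")
            task.agents = [cfg.escalation_agent]   # task is re-sent to the escalation agent
            task.decisions = {}
            return "ESCALATED"
        task.audit_log.append("escalation: moved to next stage")
        return "NEXT_STAGE"
    return "PENDING"


def demo_all_approvers() -> Tuple[str, str, str, List[str]]:
    """All Approvers stage: one approval is not enough, idle time escalates, escalation agent decides."""
    cfg = StageSettings("ALL_APPROVERS", escalation=True, idle_minutes=2880,
                        escalation_agent="SEC_ADMIN")
    task = StageTask(agents=["MGR_A", "RO_PROC"], decisions={"MGR_A": "APPROVE"})
    first = evaluate_stage(cfg, task, minutes_idle=60)      # RO_PROC has not acted yet
    second = evaluate_stage(cfg, task, minutes_idle=3000)   # idle time exceeded
    task.decisions["SEC_ADMIN"] = "APPROVE"
    third = evaluate_stage(cfg, task, minutes_idle=0)       # escalation agent approves
    return first, second, third, list(task.audit_log)


def demo_any_one_approver() -> str:
    """Any One Approver stage: a single approval closes the stage."""
    cfg = StageSettings("ANY_ONE_APPROVER")
    task = StageTask(agents=["MGR_A", "MGR_B"], decisions={"MGR_B": "APPROVE"})
    return evaluate_stage(cfg, task, minutes_idle=0)


if __name__ == "__main__":
    print(demo_all_approvers())
    print(demo_any_one_approver())
```

The first demo shows why the idle time matters for an All Approvers stage: a single manager's approval leaves the task pending, and without escalation the unapproved violation would sit in the inbox indefinitely. Note that after escalation the original agents' decisions no longer count, so the escalation agent takes over the whole stage.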
Choose the NEXT pushbutton to go to the Maintain Route Mapping screen. In this step you maintain the route mappings between the initiator rule's results and the actual path for each result. Finally, generate the MSMP version.
Checking SOD Review Requests

After a request is generated, it is sent to the reviewer's Work Inbox, where it can be opened. You can also search for the request under Search Request by selecting the Process ID SOD Risk Review Workflow.
Managing Rejections

The line items that are rejected by an approver can be accessed and reworked from the Manage Rejections screen. Go to Access Management > Compliance Certification Reviews > Manage Rejections, select the Process Type and click Search. The rejections are listed on this screen.
Related Documents

There are many major SOD review fixes after GRC 10.0 SP14. Below are the important SAP Notes:

- 1994429 UAM: Running Batch Risk Analysis is mandatory for SOD Review request creation
- 2057848 UAM: Incorrect value is displayed for the variable REQUESTER_NAME in the SOD notifications
- 2058766 Removal of reviewer not possible from request reviewer
- 1888260 UAM: Issues with SOD Review request
- 1973155 Providing table sorting option in SOD Review request, and mitigations not saved on saving SOD request