S_TABU_NAM sapnote_0000986996
07.02.2011 Page 1 of 3
SAP Note 986996 - GRC Access Control - Best Practice for Rules and Risks
Note Language: English Version: 10 Validity: Valid Since 03.05.2010
Summary
Symptom
Explanation of delivered Risk Analysis and Remediation rules.
Other terms
SAP Compliance Calibrator, Risk Analysis and Remediation, rules, functions, risks, ruleset
Reason and Prerequisites
How was the decision made to build the rules and risks that are found in the rule set delivered with SAP CC?
Solution
Best practices for controls state that the company's environment is the primary consideration for establishing controls. The same applies to Segregation of Duty rules.
We provide a set of rules that we have found meet the majority of global requirements for the basic processes: Finance, Procure to Pay, Order to Cash, etc. Special rules have been provided for other specialty areas by working with partners and customers for CRM, HR, ECC, etc. The whole purpose is to provide our customers a solid starter set rather than building rules from scratch. The delivered ruleset is meant to cover the major risk areas present in the majority of customers. Not every SAP application is included in the delivered ruleset and, at this point, there are no plans to further develop additional industry-specific component or add-on product rules.
The company's time is then spent making sure the risks are appropriate for their implementation of SAP and adding custom related transactions, rather than starting from scratch.
A zip file presentation has been attached that explains the ruleset update process as well as a summary of the number of rules delivered and what areas are covered.
The rules were created on a 4.6c system, with the exception of transactions that only exist in higher versions. The underlying assumption is that we want to ensure the rules do not have any false negatives. This means that we purposely activate the fewest authorization objects required in order to execute the transaction.
If new or different authorization object settings come into play in the higher releases (4.7, 640 and 700) and you feel this results in false positives (conflicts that are reported but do not really exist), then you can adjust the rules to add these authorization objects to the rules.
Again, our assumption is that the delivered ruleset should err on the side of showing too many conflicts, which can be further filtered by the customer, versus excluding users that should be reported.
The data contained in the default ruleset is the same regardless of the version of Risk Analysis and Remediation (Compliance Calibrator) implemented (4.0, 5.1, 5.2 or 5.3). The main difference is just in the format. In 4.0, it is not possible to create single function risks. For that reason, Critical Action risks are delivered as part of the Critical Transaction table and not as individual Functions and Risks. In 5.X, the Critical Actions are delivered as individual Functions and Risks that are incorporated into the normal ruleset. However, please understand the actual Critical Transactions are the same in 4.0 and 5.X.
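As an added illustration of the two design points above (rules activate the fewest authorization objects so that no conflict is missed, and a Critical Action risk is simply a risk with a single function), the following Python models a toy Risk Analysis and Remediation style evaluation. It is not SAP code and does not reproduce the delivered ruleset: the functions, risk ids, transaction codes, authorization field values and user authorizations are constructed samples. It shows that a "minimal" rule (S_TCODE only) reports a user who merely has the transaction code, while a rule refined with an additional authorization object clears that user but still reports a user who genuinely holds the change authorization.

```python
# Toy model of SoD / Critical Action risk evaluation (added example, not SAP code).
# All rule contents and user authorizations below are constructed samples.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# One authorization value a user holds or a rule requires: (object, field, value).
Auth = Tuple[str, str, str]


@dataclass
class Function:
    """A business function: transaction codes plus the authorization objects the rule
    activates for each one (S_TCODE for the transaction itself is always implied)."""
    name: str
    actions: Dict[str, FrozenSet[Auth]]


@dataclass
class Risk:
    """One function -> Critical Action risk; two or more -> Segregation of Duties risk."""
    risk_id: str
    functions: Tuple[Function, ...]


def holds(user_auths: FrozenSet[Auth], req: Auth) -> bool:
    """A user satisfies a required value if they hold it exactly or hold '*' for that field."""
    obj, fld, _ = req
    return req in user_auths or (obj, fld, "*") in user_auths


def can_execute(user_auths: FrozenSet[Auth], tcode: str, required: FrozenSet[Auth]) -> bool:
    """The action counts only if the user has S_TCODE for it AND every activated permission."""
    if not holds(user_auths, ("S_TCODE", "TCD", tcode)):
        return False
    return all(holds(user_auths, req) for req in required)


def performs(user_auths: FrozenSet[Auth], function: Function) -> bool:
    """Any one executable action is enough for the user to 'perform' the function."""
    return any(can_execute(user_auths, t, req) for t, req in function.actions.items())


def analyze(user_auths: FrozenSet[Auth], risks: List[Risk]) -> List[str]:
    """Return the ids of all risks the user triggers (every function of the risk is performable)."""
    return [r.risk_id for r in risks if all(performs(user_auths, f) for f in r.functions)]


# Constructed sample rules: maintain vendor master (FK01) vs post vendor invoice (FB60).
# "Minimal" rules activate no object beyond S_TCODE, as the note describes for the delivery.
MINIMAL_VENDOR = Function("Maintain vendor master", {"FK01": frozenset()})
MINIMAL_INVOICE = Function("Post vendor invoice", {"FB60": frozenset()})
# "Refined" rules add the change activity on the vendor / FI document authorization object,
# the kind of adjustment the note says a customer may make to remove false positives.
REFINED_VENDOR = Function("Maintain vendor master",
                          {"FK01": frozenset({("F_LFA1_BUK", "ACTVT", "01")})})
REFINED_INVOICE = Function("Post vendor invoice",
                           {"FB60": frozenset({("F_BKPF_BUK", "ACTVT", "01")})})

MINIMAL_RULES = [Risk("P001", (MINIMAL_VENDOR, MINIMAL_INVOICE)),  # SoD risk
                 Risk("C001", (MINIMAL_VENDOR,))]                  # Critical Action risk
REFINED_RULES = [Risk("P001", (REFINED_VENDOR, REFINED_INVOICE)),
                 Risk("C001", (REFINED_VENDOR,))]

# Sample user 1: has both transaction codes but only display (ACTVT 03) on vendor master.
DISPLAY_USER: FrozenSet[Auth] = frozenset({
    ("S_TCODE", "TCD", "FK01"), ("S_TCODE", "TCD", "FB60"),
    ("F_LFA1_BUK", "ACTVT", "03"), ("F_BKPF_BUK", "ACTVT", "01"),
})
# Sample user 2: genuinely holds change (ACTVT 01) on vendor master as well.
CHANGE_USER: FrozenSet[Auth] = frozenset({
    ("S_TCODE", "TCD", "FK01"), ("S_TCODE", "TCD", "FB60"),
    ("F_LFA1_BUK", "ACTVT", "01"), ("F_BKPF_BUK", "ACTVT", "01"),
})


def compare() -> Dict[str, List[str]]:
    """Minimal rules report the display-only user (a candidate false positive); refined rules
    clear that user and still report the user who can really change vendor data."""
    return {
        "display_user/minimal": analyze(DISPLAY_USER, MINIMAL_RULES),
        "display_user/refined": analyze(DISPLAY_USER, REFINED_RULES),
        "change_user/minimal": analyze(CHANGE_USER, MINIMAL_RULES),
        "change_user/refined": analyze(CHANGE_USER, REFINED_RULES),
    }


if __name__ == "__main__":
    for label, hits in compare().items():
        print(f"{label:22s} -> {hits}")
```

The model deliberately treats a function as performable when any one of its actions is executable, and a risk as triggered only when every function in it is performable; a Critical Action risk therefore needs no special code path, it is just a risk with one function, which is the 5.X representation the note describes.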
Header Data
Release Status: Released for Customer
Released on: 04.05.2010 17:48:49
Master Language: English
Priority: Recommendations/additional info
Category: Consulting
Primary Component: GRC-SAC-SCC Risk Analysis & Remediation (formerly Compliance Calibrator)
The Note is release-independent
Related Notes
Number Short Text
1552985 F110S rule incorrect - lists F_REGUL_KO should be F_REGU_KOA
1541577 Impact of S_TABU_NAM in Risk Analysis and Remediation
1535330 Compliance Calibrator 4.0 - Full Rule Deletion
1519557 Rules by Process under Rule Library do not show numbers
1446680 Risk Analysis and Remediation Rule Update Q2 2010
1349969 Function AR04 - incorrect permission activated
1326497 Risk Analysis and Remediation Rule Update Q2 2009
1238023 New authorizations not updating in rule set
1173980 Risk Analysis and Remediation Rule Update Q2 2008
1133589 CC 5.x - How to build rules for "all" or "any" values
1083611 Compliance Calibrator Rule Update Q3 2007
1061380 Compliance Calibrator Rule Update Q2 2006
1050832 ME23N in Compliance Calibrator (RAR) Default rules
1035070 Compliance Calibrator Rule Update Q1 2007
1033326 Risk Analysis and Remediation Rule Upload guidance
Attachments
File Type File Name Language Size
ZIP RAR_Rule_Updates.zip E 143 KB