Former Member

GRC Report for SAP_ALL

Hi Experts,

There are several requirements from our client on the reports... please suggest the possibility in GRC 10.0 for the below points mentioned.

1. A quarterly report of users with SAP_ALL / SAP_NEW access. Is there any way to send this report via workflow on a quarterly basis?

2. If our assignment is outside of GRC, then an immediate alert to Risk Owners for all high risk SoD assignments.


3. An exception report for assignments made outside GRC (e.g. not automated via ARM)

4. A weekly report for any changes to access for users with SAP_ALL / SAP_NEW access and send via workflow

Please suggest asap.

Thanks,

Sriram


4 Answers

  • Best Answer
    Mar 05, 2014 at 01:00 PM

    Dear Sriram,

    I will try to give you some feedback and suggestions on how to deal with such situations. I do not know a 100% solution for your cases but would like to share my ideas.

    1: For access review you can use the User Access Review workflow which is a standard workflow and can be used to review authorization.

    2: What does that mean? If you want to monitor potential risks when they are executed you can use the Alert functionality.

    3: I am not sure if you have the possibility to have this triggered by GRC. An idea is to use the risk analysis, which can be scheduled on a daily/weekly basis to check if you have new risks. Another idea is to use the SOD Risk Review workflow, also triggered on a periodic basis.

    4: Also here you can use the SOD Risk Review or User Access Review workflow. Define SAP_ALL as critical profile and run reports for critical profiles only.

    Hope this gives you an overview of what can be used. Others might have better/other ideas.

    Regards,

    Alessandro


    • Former Member
      4: Also here you can use the SOD Risk Review or User Access Review workflow. Define SAP_ALL as critical profile and run reports for critical profiles only.



      Alessandro - I don't see an option that you can run SOD Risk Review on critical profiles. Could you please give more details on how you can do that?


      Regards,

      Raghu.

    Former Member
    Mar 06, 2014 at 09:18 AM

    Hi Colleen,

    Presently we are not having GRC. Manually we are provisioning the users and roles. After GRC implementation, if any provisioning happens outside of GRC we need to have a security alert/report.

    Even we are taking care not to have SU01 & PFCG role generation authorization to Security admins.

    But the Audit team is showing interest in having this report.

    Please suggest...

    Thanks,

    Sriram


    • Hi Sriram

      After GRC implementation, if any provisioning happens outside of GRC we need to have a security alert/report.

      Why not make your GRC implementation include locking SU01 assignments down to GRC CUP or EAM only?

      For CUP, you could configure workflow notification or approval and deal with it before it is assigned. For EAM you would have a log report and send it to the FF Owner to review.

      In both cases you could search requests/logs to identify the SAP_ALL and have evidence. Alessandro also made some good points.

      Really going to come down to what your process and design is.

      Regards

      Colleen

  • Mar 05, 2014 at 11:00 PM

    Hi Sriram

    For questions 3 and 4, why are you provisioning access outside of GRC CUP? If absolutely necessary, why not manage via EAM? You would then have log review to justify why.

    Regards

    Colleen


    Former Member
    Aug 27, 2016 at 11:55 PM

    Hi Sriram

    We did set up the critical Role/Profile functionality to monitor who has access to critical profiles like SAP_ALL in all the target systems connected to our GRC. The job is scheduled on a daily basis and the Compliance team would monitor the results as part of continuous monitoring.

    Also, like one of the other members already mentioned, a rule can be written in the PC to monitor it.

    Regards

    Sarada


    • Hi,

      I went through all the above replies and your answers. The original question was to automate these reports. Presently, I do not have access to GRC. So, I cannot confirm if UAR can give Profile SAP_ALL/NEW assignments.

      But, PC(AM) can be set up to find out the assignment of these profiles to users.

      Similarly, for assignments made outside of GRC, PC(AM) can be used to filter the users.

      Regards

      Plaban