3 Scenarios for Simulating Risk Analysis Processes with Risk Terminator

  • by Kehinde Eseyin, Security Architect, Turnkey Consulting Ltd.
  • April 18, 2012
Follow three scenarios that simulate risk analysis for role maintenance and user role provisioning with Risk Terminator in SAP BusinessObjects Access Control 10.0.
Key Concept
An access risk violation occurs when defined access control policies and procedures designed to enforce control of a user’s capability to perform specific activities in the system are compromised. In a typical business environment, controlling what a user can or cannot do without a robust access and risk control management system can be challenging. The Risk Terminator functionality provides the basic infrastructure needed to address this business concern, especially when user and role maintenance occur directly in the plug-in system.

The Risk Terminator functionality can be applied to different business cases revolving around user maintenance (creation and modification) and role maintenance (creation and modification). To simulate how risk analysis works for role maintenance and user role provisioning, I use three business scenarios. They are based on the configuration settings defined in the GRC system and the Plug-in system, which I described in my article titled “Combat Access Risk Violations in Your SAP ABAP Back-End System with Risk Terminator.”

Here are summaries of my three Risk Terminator scenarios.

Scenario 1: Create a role via transaction PFCG:

  • Create a role with the name Z_RISK_TERMINATOR
  • Assign the transaction codes XK01 and ME21N with full authorization
  • Respond to the Risk Terminator prompts accordingly

Scenario 2: Create user and assign role via transaction SU01:

  • Create a user with the user ID User_RT1
  • Assign the user the role Z_RISK_TERMINATOR
  • Respond to the Risk Terminator prompts accordingly

Scenario 3: Perform mass maintenance of users’ roles via transaction SU10:

  • I assume I have two users with user IDs (User_RT2 and User_RT3) created without any role assigned.
  • Assign the role Z_RISK_TERMINATOR to the users using transaction SU10
  • Respond to the Risk Terminator prompts accordingly
Note
The respective scenario activities should be performed in the plug-in system.
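The three scenarios exercise the same underlying check at three points: a role is analysed when it is saved in PFCG, a user is analysed when a role is assigned in SU01, and each user in an SU10 mass change is analysed in turn, with the administrator answering the Risk Terminator prompt each time. The following Python model, added here as an illustration and not code from the article or from SAP's GRC product, shows why the user-level check matters even when every individual role is clean: the risk is evaluated over the union of all transactions a user holds. The rule set, risk IDs (RT01, RT02), role catalog and the approve callback are constructed for this example; real risk definitions come from the rule set configured in the GRC system.

```python
"""Toy model of Risk Terminator style access-risk analysis (added example)."""
from typing import Callable, Dict, List, Set, Tuple

# Constructed, illustrative rule set (hypothetical IDs, not the delivered
# SAP GRC rule set). A risk fires when one role or user holds at least one
# transaction from each of the two conflicting functions.
RISK_RULES: Dict[str, Tuple[str, Set[str], Set[str]]] = {
    "RT01": ("Maintain vendor master and create purchase orders",
             {"XK01", "XK02"}, {"ME21N", "ME22N"}),
    "RT02": ("Maintain vendor master and post vendor invoices",
             {"XK01", "XK02"}, {"MIRO", "FB60"}),
}

# Constructed role catalog: role name -> transactions it grants.
# Z_RISK_TERMINATOR mirrors scenario 1 (XK01 plus ME21N in one role).
CATALOG: Dict[str, Set[str]] = {
    "Z_RISK_TERMINATOR": {"XK01", "ME21N"},
    "Z_VENDOR_MAINT": {"XK01"},
    "Z_PO_CREATE": {"ME21N"},
}

Approver = Callable[[str, List[str]], bool]


def analyze_transactions(tcodes: Set[str]) -> List[str]:
    """Return the IDs of every rule whose two functions are both covered."""
    return sorted(
        risk_id
        for risk_id, (_desc, func_a, func_b) in RISK_RULES.items()
        if tcodes & func_a and tcodes & func_b
    )


def analyze_role(role: str, catalog: Dict[str, Set[str]]) -> List[str]:
    """Scenario 1: role-level analysis, as run when the role is saved."""
    return analyze_transactions(catalog[role])


def analyze_user(roles: List[str], catalog: Dict[str, Set[str]]) -> List[str]:
    """Scenario 2: user-level analysis over the union of all assigned roles."""
    combined: Set[str] = set()
    for role in roles:
        combined |= catalog[role]
    return analyze_transactions(combined)


def assign_role(user_roles: Dict[str, List[str]], user: str, role: str,
                catalog: Dict[str, Set[str]], approve: Approver
                ) -> Tuple[List[str], bool]:
    """Gate one assignment the way the Risk Terminator prompt does.

    Violations found for the proposed assignment are reported; the approve
    callback stands in for the administrator's answer to the prompt. The
    assignment is only written when there are no violations or the
    administrator chooses to continue.
    """
    proposed = user_roles.get(user, []) + [role]
    violations = analyze_user(proposed, catalog)
    if violations and not approve(user, violations):
        return violations, False
    user_roles[user] = proposed
    return violations, True


def mass_assign(user_roles: Dict[str, List[str]], users: List[str], role: str,
                catalog: Dict[str, Set[str]], approve: Approver
                ) -> Dict[str, Tuple[List[str], bool]]:
    """Scenario 3: SU10-style mass maintenance, one prompt decision per user."""
    return {u: assign_role(user_roles, u, role, catalog, approve) for u in users}


if __name__ == "__main__":
    # Policy used for the demo: never continue past a reported violation.
    block_all: Approver = lambda user, found: False

    print("Scenario 1 (PFCG):", analyze_role("Z_RISK_TERMINATOR", CATALOG))
    assignments: Dict[str, List[str]] = {}
    print("Scenario 2 (SU01):",
          assign_role(assignments, "User_RT1", "Z_RISK_TERMINATOR", CATALOG, block_all))
    print("Scenario 3 (SU10):",
          mass_assign(assignments, ["User_RT2", "User_RT3"], "Z_VENDOR_MAINT", CATALOG, block_all))
    # Two individually clean roles still combine into a user-level violation.
    print("Cross-role:", analyze_user(["Z_VENDOR_MAINT", "Z_PO_CREATE"], CATALOG))
```

The approve callback is where the "respond to the prompts accordingly" step of each scenario lives: in the plug-in system the administrator makes that choice interactively, and a sensible defender's default, as in the demo, is to refuse the assignment and route the conflict through the normal mitigation process rather than continue.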

Kehinde Eseyin

Kehinde Eseyin is a security architect at Turnkey Consulting. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.