Automate Your SoD Review with SAP BusinessObjects Access Control 5.3

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • January 5, 2010
The Segregation of Duties (SoD) Review feature in SAP BusinessObjects Access Control 5.3 allows for an automated and decentralized SoD review by business managers or risk owners. The SoD Review takes the SoD violations detected during a batch risk analysis and organizes their resolution in a request-based approval workflow. Reviewers can assign mitigation controls for users with SoD violations or request removal of detected violations from the security administrators in the same workflow.
Key Concept
The SoD Review feature was first introduced in SAP BusinessObjects Access Control 5.3 and enhanced in some aspects with Support Package 6. Similar to the User Access Review (UAR) feature, the SoD Review is a feature of the product capability Compliant User Provisioning (CUP), where diverse options are configured and the approval workflow for SoD resolution is set up. However, detection of SoD violations and risk mitigation require the Risk Analysis and Remediation (RAR) capability to be invoked via Web service calls out of CUP. RAR also holds all master data related to risks and mitigation controls.

Companies looking to be Sarbanes-Oxley compliant usually undergo an initial cleaning phase in which remediation and mitigation of violations of user access and authorization-related risks take place. After the initial cleaning phase is completed, companies need to monitor and manage segregation of duties (SoD) violations on a regular basis. As a trend, such review processes are becoming decentralized to business managers. The SoD Review feature enables companies to conduct a streamlined review process on a periodic basis that includes collaboration among line managers, risk owners, internal control, and information security teams. It provides companies with an efficient workflow-based tool, which allows for real-time SoD management by exception and improves overall information security. The key features of the SoD Review in SAP BusinessObjects Access Control 5.3 are:

  • Resolution of SoD violations through an automated workflow-based process for review and approval
  • Support of multiple target systems for SoD analysis
  • Assignment of mitigation controls integrated in the workflow
  • A decentralized SoD review conducted by responsible line managers or risk owners
  • Ability for line managers or risk owners to request SoD remediation from the security administrators in the same workflow
  • Transaction usage information to facilitate decision making for the reviewers
  • History reports to assist in monitoring the review progress
  • Audit trail and reports to support internal and external audits
  • Support for back-end systems integrated with SAP BusinessObjects Access Control through Real Time Agents (RTAs) as well as legacy systems

Whereas the approval workflow for the SoD Review runs in Compliant User Provisioning’s (CUP’s) workflow engine, detection and mitigation of SoD violations are executed via Web service calls to Risk Analysis and Remediation (RAR). In the Rule Architect, RAR keeps all risk master data, including risk owners. In the Control Library, it keeps all the mitigation control master data and mitigation assignment information. An SoD risk is defined in the Rule Architect as a combination of two or more functions. Functions are defined by a number of transactions in your business systems representing one business function (e.g., vendor master maintenance).
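The rule model just described (a function is a set of transactions, a risk is a combination of two or more functions) is easy to miss in the abstract, so here is an added illustration of a batch risk analysis over it. This is example code, not part of the product or the article; the function and risk names, transaction codes, user authorizations, usage data and the mitigation control id are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed Rule Architect data: functions are sets of transaction codes,
# risks are combinations of functions (all hypothetical identifiers).
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01"},   # vendor master maintenance
    "VENDOR_PAYMENT": {"F110", "F-53"},         # outgoing payments
    "PO_CREATE": {"ME21N", "ME22N"},            # purchase order creation
}
RISKS: Dict[str, tuple] = {
    "P001": ("VENDOR_MAINT", "VENDOR_PAYMENT"),  # maintain a vendor and pay it
    "P002": ("VENDOR_MAINT", "PO_CREATE"),
}
# Constructed user authorizations, transaction usage for the review period,
# and mitigation controls already assigned as (user, risk) -> control id.
USER_TCODES = {"jdoe": {"XK01", "F110", "ME21N", "MM03"}, "asmith": {"XK02", "MM03"}}
USAGE = {"jdoe": {"XK01", "F110"}, "asmith": {"XK02"}}
MITIGATIONS = {("jdoe", "P002"): "MC-017"}

@dataclass
class Violation:
    user: str
    risk: str
    functions: Dict[str, Set[str]]   # function -> transactions the user holds for it
    used_all: bool                   # every function of the risk was actually executed
    mitigation: Optional[str] = None # assigned control id, None if still open

def functions_held(tcodes: Set[str]) -> Dict[str, Set[str]]:
    """Map each function to the transactions of it that the user can execute."""
    return {f: tcodes & t for f, t in FUNCTIONS.items() if tcodes & t}

def analyze(user_tcodes=USER_TCODES, usage=USAGE, mitigations=MITIGATIONS) -> List[Violation]:
    """Batch risk analysis: a risk is violated when a user holds all of its functions."""
    found = []
    for user, tcodes in user_tcodes.items():
        held = functions_held(tcodes)
        for risk, funcs in RISKS.items():
            if not all(f in held for f in funcs):
                continue
            used = usage.get(user, set())
            # Usage information helps the reviewer: was the conflict really exercised?
            used_all = all(held[f] & used for f in funcs)
            found.append(Violation(user, risk, {f: held[f] for f in funcs},
                                   used_all, mitigations.get((user, risk))))
    return found

def open_violations(violations: List[Violation]) -> List[Violation]:
    """Unmitigated violations: the work list a reviewer sees in the SoD Review."""
    return [v for v in violations if v.mitigation is None]
```

Only the unmitigated P001 conflict for jdoe reaches the reviewer; P002 is already covered by a mitigation control, and asmith holds a single function and so no risk.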

Note
SAP BusinessObjects Access Control is comprised of four main product capabilities:

  • Compliant User Provisioning (CUP)
  • Risk Analysis and Remediation (RAR)
  • Enterprise Role Management (ERM)
  • Superuser Privilege Management (SPM)

For a detailed introduction to each of these capabilities, refer to my previous articles published in the GRC Expert knowledgebase in Volume 2, Updates 1, 2, 3, and 5.

Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
