Combat Access Risk Violations in Your SAP ABAP Back-End System with Risk Terminator

  • by Kehinde Eseyin, Security Architect
  • March 8, 2012
Risk Terminator provides the framework that ensures that role provisioning to users and role maintenance (including creation) activities are subjected to proper risk analysis in a scenario in which such activities are performed directly in the plug-in system. Follow this comprehensive step-by-step procedure to learn how to configure and use Risk Terminator productively and efficiently in your SAP BusinessObjects Access Control 10.0-based system landscape.
Key Concept
The Risk Terminator is a service that runs in the SAP ABAP back-end system and generates exceptions when defined segregation of duties (SoD) access risks are violated.

SAP BusinessObjects Access Control 10.0 comes bundled with functionalities that are capable of meeting all user access control, risk analysis, role management, emergency access assignment, and periodic review challenges in an enterprise. Although it is a best practice to adopt all these functionalities to provide an integrated, risk-free, and strictly controlled business environment, there are circumstances in which only the risk analysis feature is implemented, for reasons such as budget constraints, resource availability, or project prioritization.

The capability to analyze and manage risk is one feature of SAP BusinessObjects Access Control 10.0. Risk Terminator is a functionality that is tightly integrated with the access risk analysis capability of SAP Access Control 10.0. In fact, the risk analysis feature provides the framework for the implementation of the Risk Terminator tool. The tool enforces access control when profile maintenance or user role assignment is performed directly in the plug-in system. Risk analysis and reporting are performed when a role is maintained via transaction PFCG (Profile Generator) and when user roles are assigned or maintained via transaction SU01 (User Maintenance) or SU10 (Mass User Maintenance) directly in the back-end system.

For the purpose of understanding this step-by-step guide, I first distinguish between two system types:

  • GRC system: This system runs the SAP Access Control 10.0 system.
  • Plug-in system: This system is the satellite system on which the plug-in (formerly Real Time Agents [RTAs]) is installed. It can also be referred to as the back-end system.
Note
To learn how to use Risk Terminator with SAP Access Control 5.3, see Jayne Gibbon’s article titled “How to ‘Stay Clean’ (For Now) with Risk Terminator.”

Configuration

The risk analysis functionality is the bedrock on which Risk Terminator works, so it must be properly configured before Risk Terminator can be used. Therefore, I discuss the following activities that support the effective delivery of the Risk Terminator service:

  • Maintain Rule Set
  • Maintain Function
  • Maintain Access Rule
  • Generate Access Rule
  • Maintain Configuration Settings in the GRC System
  • Maintain Configuration Settings in the Plug-in System

Maintain Rule Set

Generally, a rule set defines the category (or group) of access risk that is used when performing access risk analysis. The defined access risk forms the source of information for the analysis report displayed when using Risk Terminator.
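To make the layering of rule set, function, and access risk concrete, here is an added example (not from this article and not SAP's implementation) that models a tiny SoD rule set in Python and runs the two kinds of check Risk Terminator performs: the role-level check at PFCG maintenance time and the assignment-level check at SU01 time, which reports only the violations a new assignment would introduce. The function names, role names, and Z* transaction codes are constructed placeholders.

```python
# Constructed toy model of an SoD rule set; not SAP's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Function:          # a business function and the transactions that perform it
    name: str
    tcodes: frozenset

@dataclass(frozen=True)
class AccessRisk:        # functions one user must not hold together (SoD conflict)
    risk_id: str
    level: str
    functions: tuple

# "Maintain Function" / "Maintain Access Rule": placeholder names and Z* transaction codes.
VENDOR_MAINT = Function("Vendor master maintenance", frozenset({"ZVEN1", "ZVEN2"}))
PAYMENT_RUN = Function("Payment run", frozenset({"ZPAY1"}))
INVOICE_POST = Function("Invoice posting", frozenset({"ZINV1"}))
RULE_SET = (
    AccessRisk("R001", "High", (VENDOR_MAINT, PAYMENT_RUN)),
    AccessRisk("R002", "Medium", (INVOICE_POST, PAYMENT_RUN)),
)

# Role menus as maintained in PFCG (constructed); Z_AP_ALL carries an intra-role conflict.
ROLE_MENU = {
    "Z_AP_CLERK": {"ZINV1"},
    "Z_VENDOR_ADMIN": {"ZVEN1", "ZVEN2"},
    "Z_TREASURY": {"ZPAY1"},
    "Z_AP_ALL": {"ZVEN1", "ZPAY1"},
}

def role_tcodes(roles, role_menu=ROLE_MENU):
    """Union of transaction codes granted by a set of roles."""
    return set().union(*(role_menu[r] for r in roles))

def analyze(tcodes, rule_set=RULE_SET):
    """Risk analysis: IDs of risks whose conflicting functions are all reachable."""
    return sorted(r.risk_id for r in rule_set
                  if all(f.tcodes & tcodes for f in r.functions))

def role_maintenance_check(role, role_menu=ROLE_MENU):
    """PFCG-time check: conflicts contained within a single role."""
    return analyze(role_menu[role])

def assignment_check(user_roles, new_role, role_menu=ROLE_MENU):
    """SU01-time check: violations that assigning new_role would newly introduce."""
    before = set(analyze(role_tcodes(user_roles, role_menu), RULE_SET))
    after = set(analyze(role_tcodes(user_roles | {new_role}, role_menu), RULE_SET))
    return sorted(after - before)
```

The real product evaluates authorization objects rather than bare transaction codes and supports mitigation controls, neither of which this model attempts.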

To define a rule set, log on to the front-end tool (SAP NetWeaver Business Client or portal) and follow menu path Setup > Access Rule Maintenance (Figure 1).

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.