How to “Stay Clean” (for Now) with Risk Terminator

  • by Jayne Gibbon, Director of Customer Care, SAP
  • June 6, 2011
To realize all the business benefits of SAP BusinessObjects Access Control, it is important that you implement compliant user provisioning and enterprise role management (formerly Access Enforcer and Role Expert). However, if you are not ready to do that, Risk Terminator provides a very good interim solution. You can follow these step-by-step instructions for configuring Risk Terminator.
Key Concept
Risk Terminator is part of risk analysis and remediation. Risk Terminator provides the ability to “stay clean” without having to fully implement compliant user provisioning and enterprise role management. Risk Terminator actually resides on the ABAP back-end systems. It is then connected to the risk analysis and remediation front end. Based on the configuration of Risk Terminator, you can prevent, or merely warn about, segregation of duties (SoD) issues that arise when someone tries to change a user or a role.

The SAP BusinessObjects Access Control mantra is “get clean, stay clean.” To achieve this, SAP has created four separate components of SAP BusinessObjects Access Control:

  • Risk analysis and remediation – The core product of SAP BusinessObjects Access Control that allows companies to analyze users, roles, and profiles for possible segregation of duties (SoD) problems as well as critical access levels. It allows a user to get clean.
  • Compliant user provisioning (CUP) – This is part of the stay clean mantra. This component allows a company to automate provisioning of user access to identify possible SoD issues before the access is actually assigned.
  • Enterprise role management (ERM) – This is the second part of the stay clean mantra. This component allows you to review security role changes for possible SoD concerns before the role is actually created or changed in the SAP system.
  • Superuser privilege management (SPM) – This is the final piece of the stay clean mantra. The application allows companies to control and review business and IT teams’ use of emergency level access.

A best practice is to implement all four of these components to truly facilitate the get clean, stay clean mentality. However, in today’s economy, sometimes it’s not feasible to implement all four components at once. Implementing CUP and ERM in particular takes a lot of time, resources, and change control planning to truly realize their benefits.

So what is a company to do if it wants to implement risk analysis and remediation, but is not ready to implement CUP and ERM? The concern is that the company would spend all the time getting clean, but not have the tools to stay clean. A viable option in this situation would be to leverage Risk Terminator.

Jayne Gibbon

Jayne Gibbon, CPA, has been implementing SAP applications since 1996 and is currently a director in the Chief Customer Office at SAP. Jayne’s focus is making customers successful with their SAP HANA deployments. She has helped more than 100 customers drive business value with SAP HANA. Prior to joining SAP in 2007, Jayne worked for two multinational manufacturing companies based in Wisconsin. While an SAP customer, Jayne led the very first implementation of Virsa’s Compliance Calibrator, which is now part of SAP Access Control. Jayne’s experience includes internal audit; computer security; governance, risk, and compliance; SAP HANA; and SAP analytics.
