“Achieving continuous compliance with SAP BusinessObjects Enterprise Role Management (ERM) 5.3 – Role Expert”
This blog outlines some of the salient features of the Enterprise Role Management (ERM) component of the SAP BusinessObjects GRC Access Control suite and touches upon the functional scenarios and business requirements that the solution fulfils. Topics such as solution integration based on NetWeaver's classic Service Oriented Architecture, role management strategy, and the challenges companies face are briefly described. ERM reports and best practices are also elaborated. As a bonus, some common questions and answers are given in the concluding section of the blog.
Introduction: Enterprise Role Management (ERM) is a web-based application that automates the creation and management of role definitions. ERM enforces best practices to ensure that role development, testing and maintenance are consistent across the entire implementation, resulting in lower ongoing maintenance and painless knowledge transfer. ERM provides role owners and security administrators with the means to create and maintain role definitions and to identify potential audit and Segregation of Duties issues. ERM lets SAP security administrators and role owners document important role information that supports better role management, such as:
- Tracking progress during role implementation.
- Monitoring the overall quality of the implementation.
- Performing risk analysis at role design time.
- Setting up a workflow for role approval.
- Providing an audit trail for all role modifications.
- Maintaining roles after they are generated to keep role information current.
ERM can be integrated with the Risk Analysis & Remediation component, which provides the means to quantify the risks associated with roles and suggests possible remediation and mitigating control procedures. ERM can also be integrated with the Compliant User Provisioning component to support role creation and maintenance for R/3, Portal and UME. One key element of provisioning in ERM is the identification and mitigation of risk at an early stage, even before the roles are created. A risk can be identified as a conflict within a single role, a composite role, a derived role or a template. In most organizations the roles Receiving, Inventory and Accounts Payable are mutually exclusive. To prevent the risk of fraud, a person responsible for cataloguing deliveries cannot also have the ability to catalogue inventory, nor can they have the power to authorize payment for a delivery. If such a conflicting action is found in a role, ERM proactively alerts the security team about the identified risk so that a corrective measure can be established.
SAP ERM integrates with the Risk Analysis and Remediation module to perform:
- Risk Simulation (Analysis)
- Risk Mitigation
- Authorization Function Search
- Transaction Usage
It is a unified role management application that automates the creation and management of role definitions and enforces enterprise-wide adherence to role-based policies. The tool enforces best practices to ensure that role definition, development and testing are consistent across the implementation, resulting in lower ongoing maintenance and easier knowledge transfer. If roles are built to agreed best practices, costs are minimized. ERM centralizes and standardizes enterprise-wide role management, eliminating manual errors, providing an audit trail for changes, and enforcing user access best practices. Using the application, business process managers can define functional roles, and IT managers can define the associated technical permissions.
Naming conventions are enforced when roles and profiles are created, minimizing human error. When you select a landscape and role type, ERM automatically determines the attributes available for you to assign to a naming convention. The attributes available for the system landscape SAPERP with the role type Single differ from those available if you select the role type Derived or Composite.
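To make the design-time risk analysis concrete, here is an added example that is not SAP's code and not part of the original post. It models single, composite and derived roles, expands a master role into derived roles from an organizational value map (the derived-role behaviour described later in the post), and checks the effective access of each role against a Segregation of Duties rule set built from the Receiving / Inventory / Accounts Payable conflict above. All role names, transaction codes, risk IDs and the org hierarchy are constructed for illustration; in ERM the rule set comes from Risk Analysis & Remediation.

```python
"""Added example (not SAP ERM code): design-time SoD risk analysis over
single, composite and derived roles. Role names, transaction codes, risk
IDs and the org hierarchy are constructed for illustration only."""
from dataclasses import dataclass, field

# Constructed SoD rule set: business function -> transaction codes that grant it.
FUNCTIONS = {
    "RECEIVING":        {"MIGO", "MB01"},
    "INVENTORY":        {"MI01", "MI04", "MI07"},
    "ACCOUNTS_PAYABLE": {"FB60", "F-53", "F110"},
}

# Constructed risk IDs: pairs of functions that must never be held together.
SOD_RISKS = {
    "P001": ("RECEIVING", "INVENTORY"),
    "P002": ("RECEIVING", "ACCOUNTS_PAYABLE"),
    "P003": ("INVENTORY", "ACCOUNTS_PAYABLE"),
}


@dataclass
class Role:
    name: str
    role_type: str                                   # "SINGLE", "COMPOSITE" or "DERIVED"
    tcodes: set = field(default_factory=set)         # transactions granted directly
    children: list = field(default_factory=list)     # member roles of a composite role
    org_levels: dict = field(default_factory=dict)   # e.g. {"WERKS": "1010"} on a derived role


def effective_tcodes(role):
    """Transactions a user holding this role actually receives: a composite
    role grants the union of its members' transactions."""
    codes = set(role.tcodes)
    for child in role.children:
        codes |= effective_tcodes(child)
    return codes


def functions_granted(tcodes):
    """Business functions reachable through the given transaction codes."""
    return {fn for fn, fn_tcodes in FUNCTIONS.items() if tcodes & fn_tcodes}


def analyze_role(role):
    """Risk IDs violated by this role, evaluated on its effective access.
    A role that grants both halves of a conflicting pair is flagged before
    it is generated, which is the point of design-time analysis."""
    granted = functions_granted(effective_tcodes(role))
    return sorted(rid for rid, (a, b) in SOD_RISKS.items() if a in granted and b in granted)


def derive_role(master, org_level, org_hierarchy, root):
    """Expand a master role into one derived role per child organizational
    value under `root`, the way a value map imports child org values.
    `org_hierarchy` maps a root value to its child values (constructed)."""
    derived = []
    for child_value in org_hierarchy[root]:
        derived.append(Role(
            name=f"{master.name}_{child_value}",
            role_type="DERIVED",
            tcodes=set(master.tcodes),          # derived roles inherit the master's menu/transactions
            org_levels={org_level: child_value},
        ))
    return derived


if __name__ == "__main__":
    receiving = Role("Z_MM_RECEIVING", "SINGLE", {"MIGO"})
    payables = Role("Z_FI_APCLERK", "SINGLE", {"FB60"})
    warehouse = Role("C_MM_WAREHOUSE", "COMPOSITE", children=[receiving, payables])
    for r in (receiving, payables, warehouse):
        print(r.name, r.role_type, analyze_role(r) or "no SoD violation")
    master = Role("Z_MM_PLANT_MASTER", "SINGLE", {"MIGO", "MI01"})
    for d in derive_role(master, "WERKS", {"1000": ["1010", "1020"]}, "1000"):
        print(d.name, d.org_levels, analyze_role(d))
```

Note that the composite role is analyzed on the union of its members: two individually clean single roles can still produce a violation once combined, which is why the analysis has to run on composite and derived roles as well as on single roles.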
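As an added illustration (not SAP's code and not from the original post), the check below shows how a naming convention whose attribute list depends on the landscape and role type can be validated, and how the "enforced" versus "suggest only" behaviour described in the FAQ at the end of this post differs. The landscape name SAPERP and the role types come from the post; the prefixes, attribute names and patterns are constructed for illustration and are not ERM's shipped defaults.

```python
"""Added example (not SAP ERM code): landscape- and role-type-dependent
naming convention check with an enforce/suggest switch. The attribute
names, prefixes and patterns below are constructed for illustration."""
import re

SEPARATOR = "_"

# Constructed conventions: for each (landscape, role type), the ordered
# attributes a role name is built from and the pattern each must match.
# Derived roles carry one extra attribute (the org value) that single roles lack.
CONVENTIONS = {
    ("SAPERP", "SINGLE"):    [("prefix", r"Z"), ("process", r"[A-Z]{2}"), ("func", r"[A-Z0-9]{4,8}")],
    ("SAPERP", "DERIVED"):   [("prefix", r"Z"), ("process", r"[A-Z]{2}"), ("func", r"[A-Z0-9]{4,8}"), ("org", r"\d{4}")],
    ("SAPERP", "COMPOSITE"): [("prefix", r"C"), ("process", r"[A-Z]{2}"), ("func", r"[A-Z0-9]{4,8}")],
}


def convention_for(landscape, role_type):
    """Attribute/pattern list for a landscape and role type; fails loudly when none is defined."""
    try:
        return CONVENTIONS[(landscape, role_type)]
    except KeyError:
        raise ValueError(f"no naming convention defined for {landscape}/{role_type}")


def attributes_for(landscape, role_type):
    """Names of the attributes the user is asked to fill in for this landscape and role type."""
    return [name for name, _ in convention_for(landscape, role_type)]


def build_name(landscape, role_type, values):
    """Assemble a role name from attribute values, validating each one,
    so a name produced this way always follows the convention."""
    parts = []
    for attr, pattern in convention_for(landscape, role_type):
        value = values[attr]
        if not re.fullmatch(pattern, value):
            raise ValueError(f"attribute {attr}={value!r} does not match {pattern}")
        parts.append(value)
    return SEPARATOR.join(parts)


def check_name(name, landscape, role_type, enforced=True):
    """Validate an existing role name. Returns (accepted, message).
    With enforced=True a non-conforming name is rejected; with enforced=False
    it is accepted and the convention is only suggested."""
    pattern = SEPARATOR.join(p for _, p in convention_for(landscape, role_type))
    if re.fullmatch(pattern, name):
        return True, "name follows convention"
    hint = f"expected pattern {pattern}"
    if enforced:
        return False, "rejected: " + hint
    return True, "suggestion: " + hint


if __name__ == "__main__":
    print(attributes_for("SAPERP", "SINGLE"), attributes_for("SAPERP", "DERIVED"))
    print(build_name("SAPERP", "SINGLE", {"prefix": "Z", "process": "FI", "func": "APCLERK"}))
    for enforced in (True, False):
        print(check_name("FI_APCLERK", "SAPERP", "SINGLE", enforced=enforced))
```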
Enterprise Role Management supports custom fields, which allow you to add attributes to a role that are specific to your company or organization. For instance, if a role needs to be distinguished by region, adding this custom attribute allows you to assign a specific region when you create the role.
Value Mapping is the hierarchical structuring of organizational values, which enables the automatic import of multiple organizational values based on the root organization. Organizational values are pulled from the SAP backend and stored in the ERM database for lookup by a scheduled background job. The organizational hierarchy is used for derived roles only. When you create a Derived Organization Level, ERM picks up the child organization levels that you specify and assigns the roles already assigned to the mapped (child) organization levels to the derived organization level.
- Enterprise Role Management allows you to create or change a role in multiple systems.
- Supports multiple landscapes, cross-enterprise and cross-platform.
- Multiple role comparison.
- Mass role generation.
- Mass role update.
- Mass risk analysis.
Key Stakeholders: Enterprise Role Management focuses mainly on the following four user groups:
- Role Design Team: business process and role owners define what access a given type of user requires to do his or her job.
- Role Approvers: business process owners validate and approve a new or modified role.
- Administrators: further define and generate the approved roles based on predefined authorizations synchronized from SAP ERP.
- Auditors: detailed reports and an audit trail simplify the verification of corporate governance.
The Enterprise Role Management integrates closely with Risk Analysis & Remediation (Risk Analysis, Risk Mitigation, Transaction Usage, and Authorization Function Search) and Compliant User Provisioning (role approval workflows).
You can have multiple Condition Groups in one process, but you cannot have multiple processes associated with one Condition Group. Enterprise Role Management can be configured for the following options:
- Conduct risk analysis before role generation.
- Allow role generation with violations.
A Role Creation Methodology consists of predefined actions and the steps associated with those actions. The steps, in turn, are used to create a Methodology Process, which guides you step by step through defining, generating and testing a role during role creation. Methodology Steps are the steps used to create a role during the role creation process, and they do not allow roles to be created and generated before the appropriate approvals.
Possible challenges that an organization may face: The following are my personal observations only.
- Mass import of roles from the SAP backend into the ERM database: single roles, composite roles and derived roles need to be imported separately.
- Categorizing all roles with the respective role attributes, such as business process, sub-process, functional area and project/release ID.
- Defining a proper naming convention for the creation of roles; ERM only enforces the naming convention you define.
ERM Reports: SAP ERM has a rich set of reports to support overall role quality management and provide the information needed to achieve precise role definitions and lower ongoing role maintenance. ERM reports make identifying risks around segregation of duties a painless process and help you get the most out of the SAP security system.
The Role Library is a dashboard of all the roles in Enterprise Role Management. It displays an interactive graphical view of the number of roles broken down by system landscape, role owner or business process. It also shows the number of roles with violations and the number of roles belonging to each role type.
Transaction Usage: Transaction usage for roles allows you to see if, or how much, a transaction is being used, when it was last used, and who used it.
Change History: Role Change History provides you with an audit trail for all the changes made to roles within ERM or your SAP system. A change history shows you:
- The date and time of the change.
- A ticket number, if any.
- The action performed.
- The object on which the action was performed.
System log: System Logs are a history of Enterprise Role Management actions and are used by administrators or developers for troubleshooting purposes.
ERM Best Practices:
- Design a good role naming convention.
- Integrate Enterprise Role Management thoughtfully into ongoing role development, testing and change management processes.
- Identify the users (e.g., role owners, security administrators and user administrators) and how they will use ERM, and customize it accordingly.
- Define goals (e.g., role optimization or consolidation, user access optimization, reducing risk, reducing role change requests by x %).
- Identify custom reports and attach them to Enterprise Role management.
New features in ERM 5.3: Enterprise Role Management 5.3 has been released with many new enhancements and functions. Some of the key features are:
- Enhanced Role derivation (Org Value maps)
- Enhanced Risk analysis and simulation
- Ability to generate roles for multiple systems at one time.
- Ability to copy a role
- Integration with SAP ERP Profile Generator (PFCG)
- New analytical reports such as master-to-derived role relationship, roles by generation date, count of authorizations in roles, and user-to-role relationship.
ERM FAQs:
Q-1 Does ERM allow the creation of single, composite and derived roles? Yes, ERM allows the creation of single, composite and derived role types.
Q-2 Does Enterprise Role Management support mass maintenance? Yes, ERM supports mass maintenance such as Mass Role Update, mass generation of roles and Mass Risk Analysis.
Q-3 Does ERM integrate with the other Access Control suite products? ERM integrates with Risk Analysis and Remediation for risk analysis and with Compliant User Provisioning for role approver criteria.
Q-4 Does Enterprise Role Management enforce a role naming convention? Enforcement is configurable: the "Naming convention enforced" option can be enabled or disabled. If it is disabled, ERM only suggests the naming convention.
Q-5 Is the role creation process more complex in ERM than in the Profile Generator (PFCG)? No, the role creation process is simple and systematic in ERM. ERM attaches attributes to a role such as business process, sub-process and functional area, and allows custom fields to be created as role attributes.
Q-6 Is it possible to enter a range of transaction codes, such as FB01 – FB03, in the role definition process? No, transaction ranges and wildcards in S_TCODE are not supported in the role design process. Transaction codes must be added one by one.
Q-7 Can Enterprise Role Management work standalone? Yes, it works as a standalone installation. However, without integration with other Access Control products such as Risk Analysis and Remediation or Compliant User Provisioning, certain functions such as risk analysis, mitigation and approval workflow are not available.
Q-8 Is it possible to configure "Actions"? No, you can only configure steps within the Process.
Q-9 Can we import roles that already exist in the SAP backend? Yes, you can import roles with all their authorization data by downloading the roles via the provided transaction code, creating a role information file, and importing the roles.
Q-10 When a transaction code is added during role design, where do the authorization objects come from? All authorization objects come directly from the USOBT_C table in the connected SAP ERP target system.
Q-11 The authorization data button is sometimes disabled; in that case, how do you add transactions to a single role? The role definition is the first and mandatory step in the process. To use the authorization data function, the definition step is required together with the authorization data step. It is suggested that you include this step when you configure the process in the configuration tab even when you use for docu