SAP BusinessObjects Compliant User Provisioning (CUP) is an automated user request, approval, and provisioning solution that is web-based and workflow configurable with proactive SoD compliance checking. This blog outlines some of the unique features of Compliant User Provisioning 5.3 and the ways to leverage your current methods of enterprise wide access provisioning with various advantages inherited by the solution.
My only objective is to highlight some of the critical business requirements and provide guidance on how CUP helps to solve these issues strategically. Some of the vital functionalities of CUP, including possible functional scenarios, challenges faced by organizations, and a quick implementation strategy, are briefly described. I have also covered a little bit of the automation possibilities for the organization, such as creating a request, approving a request and closing a request, and how CUP works as the central workflow engine for the whole Access Control suite. At the end, some frequently asked questions are provided for quick reference.
The Business Need
In an enterprise, provisioning access to users in the traditional manner involves the user completing paper forms that request access to SAP backend systems or business applications. These forms are submitted to the first-line manager, who reviews, approves, and forwards them to a second-line approver. Usually, during the approval process, the managers who review access requests are supposed to research and identify any potential conflicts of interest between roles that the requestor currently has and any new roles, including permissions, being requested. However, access requests that are under-researched and expedited for approval can cause significant problems, where legal, regulatory, security, and financial risks can potentially harm corporate objectives.
Many researchers have revealed that most SoD violations and financial frauds occur due to non-continuous access management and access control deficiencies; just google it and you will easily find case studies of how ex-employees or present employees with excessive access have committed crimes worth billions. SAP BusinessObjects Compliant User Provisioning 5.3 is fully equipped to streamline user access provisioning to address this space. CUP allows managers to perform SoD risk analysis before approving requests, which saves enormous time and overall cost.
One of the major benefits of having an enterprise wide compliant access provisioning process is that the continuous monitoring cycles are very short. You’re dealing in days/weeks/months and not in quarters/years/lifetimes. What this means is that when bad things start to happen, you’ll notice it sooner.
It’s like driving a fast car: good brakes allow you to go faster (because you know you can slow down if conditions require). You can better see what’s happening around you, and what’s coming. The net result is that the risk of going faster is mitigated.
Overview
SAP Compliant User Provisioning (CUP) is a workflow driven tool, which automates all tasks related to user provisioning and strategically prevents new SoD violations from being introduced in the system (SAP and Non-SAP). CUP enables full adherence of compliance throughout the employee life cycle ‘Hire to Retire’. CUP not only allows the users to request additional access but also routes the request to a suitable approver manager. Once the workflow gets approved the account is automatically updated in the corresponding system. Businesses can automate provisioning, quality assurance for SoD issues, streamline approvals, and reduce the workload for IT staff.
Compliant user provisioning automates the access provisioning approval process by combining roles and permissions with workflows. When a user (Requestor) makes an access request to resources for which they do not have permission, CUP automatically forwards the access request to designated managers and approvers within a pre-defined workflow. This workflow is customized to reflect your company policy. Roles and permissions are automatically applied to the enterprise directories when the access requests are approved. The application can also be used to automate the roles and user provisioning process within the identity management environment. It ensures corporate accountability and compliance with Sarbanes-Oxley along with other data protection laws and regulations.
End to end automation means that sequences can be automatically triggered based on events such as new employee hire or a job change, then processed through dynamic workflow, and finally, provisioned directly into multiple systems. I personally think the conventional CUA environment is now outdated and has been replaced with enormous advantages leveraged by Access Controls Suite integration with SAP Identity Management solution. The best thing is all access provisioning related processes can be performed by business users without any involvement of IT or application security personnel.
Compliant user provisioning focuses on the following three user groups:
- Requestor - The one who requests access to systems or roles, creating requests for themselves and for others.
- Approver - For role approval, compliance monitoring, business process owners, mitigation, delegate and alternate approvers etc.
- Administrator - Configures workflow, HR triggers, user defaults, loads master data, manages approver permissions, password self-service configuration etc.
The configuration of the CUP would mainly depend upon:
1. Identifying different kinds of requests that are to be addressed.
The major kinds of requests that can be addressed include user create/update, updating role assignments etc. Furthermore, a single request can address access for various users or heterogeneous systems, which can be both SAP and non-SAP. Based on the kinds of requests, different approval paths are created for each of them; you can also consider a custom approver mechanism for that matter. Password Self Service can be enabled to help users reset their passwords and synchronize them across various system landscapes in a matter of minutes. From the HR perspective, changes in fields like position, name etc. can be configured to undergo a predefined approval path.
2. Identifying the entities involved and the approval procedure to be followed for each of the defined requests.
As the approval needs for each of the defined requests can be dissimilar, the definition of approvers for the requests will obviously vary. For some requests, there might be only one set of approvals required, and others may follow a multi-level approval path. Thus each kind of request defined in stage one is mapped in the system and further validated. This may also include implementation and testing of features like Delegation, putting the request on HOLD etc.
Why Compliant User Provisioning?
1- Manual user provisioning is a lengthy and cumbersome process; businesses need to automate user provisioning activities, and adherence to compliance regulations is a must. This process can be automated by CUP, as it provides the Requestor with an Access Request page where certain attributes can be pre-populated with default values based on the request type. The Access Request page can be set to specific or multiple data sources to complete the access request process, and hence automates all user access requests.
2- Organizations need to maintain records of entire employee life cycle to prove later that all access was documented and properly authorized. Compliant user provisioning ensures that throughout the entire employee lifecycle all access was granted, changed, or revoked through proper approval workflows and considered formalities. Automated risk analysis and audit logs are kept in the form of reports to address various audit requirements.
3- The “HR Triggers” option in CUP allows you to create dedicated rules and associated actions in the SAP HR system. When an event takes place in the SAP HR System, such as the hiring of a new employee, employee leaving or a new position is assigned to the user, then the rules are applied along with its corresponding HR Triggers. CUP then performs an “action” in the form of an automated request.
4- The Security team is always overwhelmed with password reset requests, and the process involves extra time and cost to manage such requests. However, this process can very well be automated with CUP’s Password Self Service. The Password Self Service option allows end-users to reset their passwords in the SAP backend system without having the SAP Help Desk or the SAP Security group involved. This tool saves the Security group’s time and simplifies the password reset process for end-users.
5- Flexibility of taking user master data from multiple systems like LDAP, SAP, UME etc. with the help of User Data Source. User data source includes two fields: Search Data Source group and User Details Data Source group. CUP uses the Search Data Source group to extract data from the data source to answer user-related search queries. The User Details Data Source group is used to fetch additional information about the user.
6- If you are out of the office for a period of time, you can delegate your approval authority in a single magical touch to the designated proxy in your team. This is an important part of any organization’s Business Continuity Framework. CUP enables you to address this requirement by assigning delegated approvers with respect to the approver IDs. This feature allows a delegated user to take action on behalf of the original approver when he/she is unavailable. As per the business continuity requirement, the work should never halt; this also involves various approval processes, and that is the core objective achieved with this feature.
Compliant User Provisioning 5.X Challenges
1- Complicated to configure user authentication and mapping of manager info from LDAP, SAP HR etc.
2- Difficult to configure HR Trigger and Password Self Service according to business process scenarios in a multiple SAP system landscape.
3- CUP – ERM and CUP – RAR integration challenges.
4- Needs GRC consultants with advanced knowledge and experience to configure UAR (User Access Review) and SoD (Segregation of Duties) workflows, and escalation, escape routes and detour paths for request approval.
5- Standardization of the user ID naming convention and creation, and configuration of custom fields for SAP tables, are a little bit tricky.
6- Not easy to decide what happens if any of the assigned approvers fail to respond to the request within a specified period of time. This task needs to be carefully configured within the application.
Workflow Automation with Compliant User Provisioning
Without CUP you can provision users manually to the backend system and communicate through e-mails. This is a non-compliant and cumbersome manual process. The following example shows what “end to end user provisioning” looks like in a non-compliant approach, and then how CUP automates the same process.
In contrast, CUP provides fully automated compliant access management through dynamic workflows.
Dynamic Workflow Provides End-to-End Automation
- Automated user provisioning and de-provisioning to multiple SAP and Non SAP applications.
- Requests automatically filled with user identity information from LDAP directory or HR database.
- Complete SAP provisioning including, R/3, mySAP ERP, CUA, and Portal etc.
- Role filtering or modeling facilitates simple assignment.
- Approvals and Rejections directly from e-mail.
- Configurable initiators and paths: single, parallel, detour, escape route and escalation capabilities.
Proactive Compliance Lowers Risk and Saves Money
- Integrated, real-time risk analysis before access is granted.
- Assign pre-approved mitigating controls as required.
Business Friendly Reporting Increases Visibility
- Ticket process for detailed tracking
- Customizable reporting and process efficiency statistics
Helpful User Administration Services save Money
- Self-service password reset saves time
- Simple Access Re-affirm meets regulatory requirements
CUP FAQs
Q1-What does Number Range mean?
A1-The requests in CUP are uniquely identified through a system of distinct numbers. The Number Ranges option is used to define a range of unique request numbers. Make sure that individual ranges do not overlap. For example, do not have a number range with 50–500 and another range with 300–1000.
Q2-What happens if any of the assigned approvers fail to respond to the request within a specified period of time?
A2-To expedite the provisioning process, you can set a limit to how long an approver has to approve or deny a request. You must also decide what should happen to the request if an approver does not act within the specified period.
Q3-Is partial approval acceptable for the request?
A3-If a request includes more than one user role, it’s possible that one role in the request could be approved, and another denied. You need to define how the process should behave in that situation.
Q4-How can we use RAR (Compliance Calibrator) for risk analysis in CUP?
A4-CUP communicates with CC through a web service (http://host:port/VirsaCCRiskAnalysisService/Config1?wsdl&style=document). There are two selectable versions of Compliance Calibrator. If you select 5.0 Web Service, three additional fields appear (URI, User Name, and Password). For the URI field, you need to navigate to the SAP NetWeaver Web Application Server Home page > Web Services Navigator > CCRiskAnalysisService > WSDLs > Standard link of Document, where you will see a list of all web services in the server. Select the desired URI address. If you select Compliance Calibrator 4.0, there is no need to connect to a URI address.
Q5-What do the red, green and yellow flags indicate in the Risk Violations tab during request creation?
A5-The red flag in the Risk Violations tab indicates that there are risk violations associated with the request. A green flag indicates that there are no risk violations. A yellow flag indicates that there are violations with associated mitigation controls.
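The preventive check behind these flags, and one way to resolve the partial-approval question from Q3, can be sketched as follows. This is an added example, not SAP code or the CUP/RAR API; the rule set, role names, user IDs, control ID and the policy in `approvable_roles` are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    roles: frozenset  # holding all of these roles together is the conflict

# Constructed rule set, role names and user IDs (illustration only).
RISKS = [
    Risk("P001", "Maintain vendor master and execute payments",
         frozenset({"Z_VENDOR_MAINT", "Z_PAYMENT_RUN"})),
    Risk("P002", "Create and approve purchase orders",
         frozenset({"Z_PO_CREATE", "Z_PO_APPROVE"})),
]
# Constructed mitigation assignments: (user, risk_id) -> control ID.
MITIGATIONS = {("JDOE", "P002"): "MC_PO_REVIEW"}

def analyze_request(user, current_roles, requested_roles):
    """Return (flag, findings) for an access request before approval."""
    current = set(current_roles)
    combined = current | set(requested_roles)
    findings = []
    for risk in RISKS:
        # Assumption: only conflicts the request itself completes are
        # reported; conflicts the user already holds are not new.
        if risk.roles <= combined and not risk.roles <= current:
            findings.append({"risk_id": risk.risk_id,
                             "control": MITIGATIONS.get((user, risk.risk_id))})
    if not findings:
        return "green", findings       # no risk violations
    if all(f["control"] for f in findings):
        return "yellow", findings      # violations, all with a control
    return "red", findings             # at least one unmitigated violation

def approvable_roles(user, current_roles, requested_roles):
    """One possible partial-approval policy: drop roles that flag red."""
    kept = []
    for role in requested_roles:
        flag, _ = analyze_request(user, set(current_roles) | set(kept), [role])
        if flag != "red":
            kept.append(role)
    return kept
```

Running the same analysis per role, as `approvable_roles` does, lets the approved portion of a request be provisioned while the conflicting role is held back.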
Q6-Can we create a multi user request in CUP?
A6-Yes, the Copy Request option allows you to create a multi user request. In the Source Request ID field, enter the request ID you want to copy, select the information attributes you want to copy to your new multi user request, and then click on the multi user button.
Q7-What happens if any of the assigned approvers chooses to deny the request?
A7- You need to determine what action CUP should take if a designated approver denies the request. This can include steps to provision only the approved portion of the request, or to abort the provisioning process entirely.




