Scribd Logo
Upload

Welcome to Scribd!

  • 703 views

    GRC Ara - Rule Sets

    Uploaded by

    raamaaswetha
    This document outlines seven processes for analyzing access risks using SAP's Network and Workbench Configuration (NWBC) tool. The processes identify critical actions, permission level violations, users associated with risks, functions in a rule set, and risk IDs. The basics of an SAP rule set are also covered, including how risk IDs and function IDs are mapped to business processes and transactions.

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd

    GRC Ara - Rule Sets

    Uploaded by

    raamaaswetha
    703 views10 pages
    This document outlines seven processes for analyzing access risks using SAP's Network and Workbench Configuration (NWBC) tool. The processes identify critical actions, permission level violations, users associated with risks, functions in a rule set, and risk IDs. The basics of an SAP rule set are also covered, including how risk IDs and function IDs are mapped to business processes and transactions.

    Original Description:

    Grc Ara- Rule Sets

    Original Title

    Grc Ara- Rule Sets

    Copyright

    © © All Rights Reserved

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document outlines seven processes for analyzing access risks using SAP's Network and Workbench Configuration (NWBC) tool. The processes identify critical actions, permission level violations, users associated with risks, functions in a rule set, and risk IDs. The basics of an SAP rule set are also covered, including how risk IDs and function IDs are mapped to business processes and transactions.

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Download as doc, pdf, or txt
    703 views10 pages

    GRC Ara - Rule Sets

    Uploaded by

    raamaaswetha
    This document outlines seven processes for analyzing access risks using SAP's Network and Workbench Configuration (NWBC) tool. The processes identify critical actions, permission level violations, users associated with risks, functions in a rule set, and risk IDs. The basics of an SAP rule set are also covered, including how risk IDs and function IDs are mapped to business processes and transactions.

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Download as doc, pdf, or txt
    of 10
    At a glance
    Powered by AI
    The document discusses the different processes for performing access risk analysis in SAP using the NWBC tool. It covers identifying critical actions and permission level violations for roles as well as finding users associated with specific risks.

    The document discusses 6 different processes for access risk analysis: 1) Identifying critical actions and functions, 2) Identifying critical actions for a role, 3) Identifying permission level violations for a role, 4) Finding users associated with a specific risk, 5) Finding users associated with a business process, 6) Identifying functions in a rule set.

    The document mentions that access risk analysis can be performed in both a technical view and business view. The technical view provides more simplified results while the business view provides more detailed analysis.

    SAP Security Governance Risk and

    Compliance- Basics of Access Risk


    Analysis Rule Sets

    a Security CoE Initiative

    Gautam Shetti
    26 June 2015

    1 | Page
    Process 1: identify which Risk IDs and Function IDs are mapped as SODs/
    Critical Actions
    On the NWBC screen, click on Setup and under Access Rule Maintenance hit
    on Access Risks

    If you filter on Risk Type, we can identify the SOD / Critical Actions and their
    associated Risk IDs and Function IDs.
    You can further click on these Function IDs to identify the transactions that
    are mapped to it.

    2 | Page
    Process 2: Identify if a role has Critical Actions:
    Under Access Management in NWBC, go to Role Level and you find the
    below screen popping:

    Enter the system that is required: ECPCLNT200 (always in CAPS)


    Role type always remain Technical Role
    Enter the role for which you need to identify the Critical Actions.
    We can select Risk by Process as this will give you the associated Risk ID if
    there are any Critical Actions found.
    Risk Level input is based on the person as which risk level he/she is
    interested to see.
    Rule set is always GLOBAL for Atwood.
    Format selected here is Technical. This can also be run in Business View
    which gives even more detailed analysis.
    (Note: There are option available for boxes marked in blue.)

    3 | Page
    Here we have taken as example for role: ZS_FI_ACCOUNTANT_P1: (Technical
    View)

    Once executed in Foreground, the result is shown as below:

    4 | Page
    The above shows the Crtical Actions present in the role:
    ZS_FI_ACCOUNTANT_P1 in ECP-200 system and its associated Risk IDs and
    Risk Level.

    The below snapshot gives the Business View:

    Process 3: identify if role has Permission Level violations:


    Follow the same steps above and instead of Critical Action, please select
    Permission Level as shown:

    This will give violations if any found on this role at the Permission Level.
    This can also be performed in BOTH Technical and Business View.

    5 | Page
    Process 4: Identify Users with a particular Risk ID:
    Go to Access Management in the NWBC screen and click on User Level for
    below screen:

    Here after entering the System, user type, Rule set and risk level, take the
    drop down option in the boxes to select: Access Risk ID

    6 | Page
    Do see that this result is being executed in the BACKGROUND as there shall
    be MANY users and the foreground execution can much longer time and can
    even hang up!
    How to check BACKGROUND JOBS:
    In Access Management screen, scroll down to see the Scheduling heading
    as shown:

    Click on background jobs and you will see all jobs scheduled/ completed in
    background:

    7 | Page
    The status Active indicates that the JOB is still running. You can refresh the
    screen at the link provided in the page to check until the status moves to
    Finished.
    You can now click on the job and analyze the results.

    Process 5: Similarly under User Level, you can identify users associated to
    a Business Process

    Process 6: Identify Functions in the Rule Set:


    Go to Setup in the NWBC screen and hit on FUNCTIONS under the Access
    Rule Maintenance:

    Here you find all the Function in the Rule set and its associated Business
    Process.

    8 | Page
    To search for a specific Function ID, click on Filter in the screen and type in
    the Function ID to search:
    Here we are searching for Function ID: BS15, so type in BS15 once you click
    on Filter. The result will show you only the Function ID BS15 as seen:

    Process 7: Identify Risk IDs in the Rule Set:


    Under setup on the NWBC screen, click on Access Risks which will give the
    result of all Risk IDs setup in the rule set:

    9 | Page
    The above shows the Risk IDs and its associated Business Process, Function
    IDs and Risk Level defined.

    ******************************************************************************
    **********
    Basics of a Rule Set:
    - Rule set comprises of: Risk ID and Function IDs all mapped to a
    Business Process
    - Risk IDs consists of Function IDs
    - Risk IDs are defined as SOD or Critical Action
    - Function IDs consists of Transactions and its associated permissions
    - If Risk ID is defined as SOD, it should have two function IDs minimum
    - If Risk ID is defined as Critical Action, it can have ONLY ONE function ID
    - Risk Level can be low, medium or HIGH
    - The details of Risk IDs and Function IDs is something which Business
    has to define or finalize

    10 | P a g e

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy