GRC class tools and a dedicated SAP tool - Access Control
For several years we have observed the very dynamic development of companies and corporations, which is reflected in a noticeable recovery of the economy. Every period of growth, however, brings increased exposure to risk, both external and internal, over which the organization should keep watch and exert real influence. Intra-organizational threats are largely caused by the growth of the internal structure and the expanding responsibilities of some employees. This risk remains hidden, but when it materializes it can have a very large impact on the operation of the organization and on the company's finances.
To gain control over the process of identifying and resolving conflicts, as well as to comply with e.g. the Sarbanes-Oxley Act (SOx), managements decide to implement the appropriate GRC class tool. One of such solutions is a dedicated SAP Access Control.
SAP GRC Access Control - current situation
For some time, information about the new version of SAP GRC available to users, SAP Access Control 12.0, has appeared in widely available publications. According to the information contained in the SAP Product Availability Matrix (PAM), it has been available since March 2018. The end of support for this new version is scheduled for December 31, 2014.
This is very important information, because with the release of the new version, i.e. SAP GRC Access Control 12.0, the old version of SAP GRC Access Control 10.1 will cease to be developed. SAP via SAP Product Availability Matrix (PAM) announced the end of support for the old version on December 31, 2020.
After the support period, the application will of course work, but there will be a significant reduction in the availability of new service packs, SAP Notes, and the service itself may be severely limited.
SAP Access Control 12.0 - what's new?
The SAP Access Control 12.0 application debuted on the market offering completely new functionalities, and some existing functions have been improved. The most important changes are described below [1]:
New look, based on the Fiori interface - thanks to the new interface it is possible to access the SAP GRC AC 12.0 functions using the Fiori Launchpad, which increases the package's availability for users throughout the organization. Of course, the existing interface remains available without the Fiori application
Refreshed interface for NWBC transactions - the standard look available from the NWBC transaction level has also been adapted to the latest changes in appearance by offering the new SAP Belize theme
A new set of rules for SAP S/4HANA - S/4HANA changes the current authorization model, so the new rule set effectively addresses this change
Extension of the EAM module with support for the HANA database
Simplified mechanisms for managing controllers and FF ID owners
Optimization of synchronization tasks - the new version optimizes the operation of some demanding synchronization tasks, which take a lot of time due to the amount of data processed. Improvements include synchronization of repository objects, the dedicated tasks associated with generating requests for periodic review (UAR module - User Access Review) and LDAP synchronization
Integration with cloud applications thanks to the SAP Cloud Identity Access Governance (IAG) / Emergency Access Management for WebApps component
Integration with SAP Identity Management
Integration with SAP Success Factors (also available in version 10.1)
Development of SAP GRC Access Control 12.0 applications
The fact is that this year the support period for version 10.1 of SAP Access Control expires. From the beginning of 2021, support and development for this system will only cover version 12.0. In the latest version there have been many improvements grouped in Support Packages (the latest one is SP06 [2]). Below is a summary of the changes in the application that were implemented with the release of the individual updates.
12.0 Support Package 01 [3] Key changes and new functionalities:
Ability to generate roles for SAP S/4HANA and other external systems using the menu hierarchy in PFCG
12.0 Support Package 03 [4] Key changes and new functionalities:
Improvement of HANA / SAML
Improvement of the logs on access requests - when forwarding requests to another user, only the approver's ID was visible in the logs. The full name is now shown
The application automatically initiates a risk analysis after each step of the access request approval workflow. This eliminates the need for the approver to run the risk analysis manually
Ability to add requestor to a copy of the message (CC)
12.0 Support Package 04 [5] Key changes and new functionalities:
Implementation of the function to view permissions for specific users on requests during the periodic review of permissions (UAR module) - the so-called generation of a request for a specific user. A new configuration parameter was introduced for this
The ability to synchronize and map users in the SAP SuccessFactors system, even if the user ID is different from the user ID in the SAP system. For this purpose, a new configuration parameter 1055 has been introduced
Configuration parameter 1051 has been updated (regarding the maximum number of objects analyzed during SoD analyzes for users, roles and profiles)
Improving the operation of the risk analysis process. Automatic analysis has been implemented, running in the background during the approval of the request
Improvement of the logs on UAR requests (periodic access review). Now, after a request is submitted for approval, the full name and surname of the approver is recorded. Previously only the approver's ID was available. This improves the accuracy with which approvers of UAR requests are identified
Expansion of the EAM module - in older versions, the use of FFID accounts was limited to ABAP systems. Now the possibilities of using FFID accounts have also been extended to web applications, under certain conditions
12.0 Support Package 05 [6] Key changes and new functionalities:
Role integration between SAP Identity Management and SAP Access Control - no mechanism for integrating business roles between SAP Identity Management and SAP Access Control was available before. SAP Access Control now provides a business role concept that allows exporting technical role definitions from SAP Identity Management to SAP Access Control and importing simplified business role definitions from SAP Access Control to SAP Identity Management
Improved operation of the Action Usage report
Improvements in access request logs - information on the submission of the request for assigning a mitigation control has been added. In addition, the access request numbers (in the form of a link) are also visible on the mitigation control requests. Thanks to this information, it is easier to keep control over the process of requesting access and assigning mitigation
12.0 Support Package 06 [7] Key changes and new functionalities:
Improvement in the EAM module: a link has been introduced between the access request created to obtain access to the FFID account and the request holding the FF logs. The FF log view now displays information about the associated request for access to the FFID account
Ability to perform asynchronous risk analysis when approving requests
Action Usage synchronization allows registering of running Web-Dynpro components and BSP applications
Access to reports checking the status of the HANA plug-in implementation and allowing to solve basic installation problems
The visibility of indirect assignments on access requests has been limited (e.g. single roles as part of an aggregate role), and thus the approver cannot make decisions for them
The ability to use FFID accounts for the HANA plugin and to log into the WebIDE interface with a time limit. This allows you to configure the time after which the session is terminated
Universal BAdI interfaces to configure the order of synchronization tasks. These changes can be made for the following synchronization tasks: EAM Master Data Sync, Firefighter Log Sync, Role Usage Sync, Authorization Sync, Action Usage Sync and Repository Object Sync
Role Usage synchronization can be run in both full and incremental modes
The ability to assign profiles to business roles and manage their assignment through access requests
Configuration parameter 2063 has been updated - depending on the setting, approved or rejected items will be visible in the logs of periodic review requests
The SAP company is constantly working on the development of Access Control 12.0 applications. This is reflected by the patches described above and the fact that work is currently underway on 12.0 Support Package 07, as reported by SAP Note 2833153.
Key news from the perspective of business users
The new version has brought many improvements, both technical and functional, also for business users. The first change that is visible immediately after starting the application is the new interface appearance. Access Control version 12.0 is available through the browser in a new theme, called Belize. The application has gained a more modern look, the interface itself is responsive, and its use has become more intuitive.
When it comes to functional issues, big changes are taking place in the EAM module. First of all, the possibility of using Firefighter accounts has been extended to web applications. In the old version, only work on ABAP systems could be recorded, while from version 12.0, actions performed with FFID accounts in WebGUI applications (e.g. Fiori, NWBC) are also registered and stored in the logs.
Firefighter logs have also gained one new feature - the log now shows which access request granted access to the emergency account. The controller, having access to the search request functionality, can now check from the log view the details of the request for access to the FireFighter account, including who the applicant was and when the request was approved.
Further news can be seen primarily on access requests. The logs have been supplemented with information on the submission of the request for assigning a mitigation control. Imagine this situation: the user has a segregation of duties (SoD) risk on the request. The approver wants to check whether action has been taken to assign a mitigating control. Instead of searching for the right request and wasting valuable time, all the approver has to do is open the log of the access request. This log contains information about the request for assigning the mitigation control. From the search request level, it is possible to see whether the request for assignment of controls has already been approved or which user's approval it is still awaiting. This link is also visible on the mitigation control requests themselves.
A novelty regarding access requests is the limited visibility of indirect assignments on the request. The approver no longer sees such items and, as a result, cannot make decisions on them. This is important because in the older version the approver could approve the removal of a role that was assigned only indirectly through a bulk role, which could generate problems.
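To make the two mechanisms described above concrete, here is a small added example (it is not SAP code and not part of the original article): a toy SoD risk analysis over an access request that expands composite roles into their single roles, marks those single roles as indirect so the approver is not asked to decide on them, tests the effective set of actions against an SoD rule set, and reports whether a mitigating control is already assigned for each risk. The example goes beyond the article's two scenarios by running the general check over any constructed rule set. All role names, transaction codes, risk IDs and control IDs are constructed for the example, and the `Finding` structure is the example's own, not an Access Control data model.

```python
"""Toy segregation-of-duties (SoD) analysis for an access request.

Added example, not SAP code. Models in simplified form what an Access
Control risk analysis does when an approver opens a request: expand
requested roles (including single roles reached only indirectly
through composite roles), test the effective actions against an SoD
rule set, and attach any mitigating control already assigned.
Every identifier below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rule set: a risk is a pair of conflicting functions, and
# a function is the set of actions (transaction codes) that realise it.
FUNCTIONS: Dict[str, set] = {
    "AP01_MAINTAIN_VENDOR": {"XK01", "XK02"},
    "AP02_POST_INVOICE": {"FB60", "MIRO"},
    "AP03_RUN_PAYMENT": {"F110"},
}
RISKS: Dict[str, Tuple[str, str]] = {
    "P001": ("AP01_MAINTAIN_VENDOR", "AP02_POST_INVOICE"),
    "P002": ("AP02_POST_INVOICE", "AP03_RUN_PAYMENT"),
}

# Constructed role repository: only single roles carry actions,
# composite (bulk) roles contain single roles.
SINGLE_ROLES: Dict[str, set] = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_INVOICE": {"FB60", "MIRO"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_DISPLAY_ONLY": {"XK03"},
}
COMPOSITE_ROLES: Dict[str, set] = {
    "Z_C_AP_CLERK": {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},
}


@dataclass
class Finding:
    risk_id: str
    functions: Tuple[str, str]
    direct_roles: List[str]      # roles the approver can decide on
    indirect_roles: List[str]    # reached only through a composite role
    mitigation: Optional[str] = None  # control ID already assigned, if any


def expand_roles(requested: List[str]) -> Dict[str, Optional[str]]:
    """Map each effective single role to the composite role it came
    through, or None when it was assigned directly. A direct assignment
    always wins over an indirect one for the same role."""
    effective: Dict[str, Optional[str]] = {}
    for role in requested:
        if role in COMPOSITE_ROLES:
            for single in COMPOSITE_ROLES[role]:
                effective.setdefault(single, role)
        elif role in SINGLE_ROLES:
            effective[role] = None
        else:
            raise KeyError(f"unknown role {role}")
    return effective


def roles_for_function(function: str, effective: Dict[str, Optional[str]]) -> List[str]:
    """Single roles in the effective set granting any action of `function`."""
    actions = FUNCTIONS[function]
    return sorted(r for r in effective if SINGLE_ROLES[r] & actions)


def analyze_request(requested: List[str], existing: List[str],
                    mitigations: Dict[str, str]) -> List[Finding]:
    """Run the SoD check over existing plus requested access.
    `mitigations` maps risk_id -> control ID already assigned to the user."""
    effective = expand_roles(existing + requested)
    findings: List[Finding] = []
    for risk_id, (f1, f2) in RISKS.items():
        r1, r2 = roles_for_function(f1, effective), roles_for_function(f2, effective)
        if not (r1 and r2):
            continue  # both sides of the conflict must be present
        involved = sorted(set(r1) | set(r2))
        findings.append(Finding(
            risk_id=risk_id,
            functions=(f1, f2),
            direct_roles=[r for r in involved if effective[r] is None],
            indirect_roles=[f"{r} (via {effective[r]})" for r in involved
                            if effective[r] is not None],
            mitigation=mitigations.get(risk_id),
        ))
    return findings


def unmitigated(findings: List[Finding]) -> List[str]:
    """Risk IDs the approver still has to deal with."""
    return [f.risk_id for f in findings if f.mitigation is None]


if __name__ == "__main__":
    # Constructed scenario: the user already holds the composite clerk
    # role and now requests the payment-run role.
    for f in analyze_request(["Z_AP_PAYMENT"], ["Z_C_AP_CLERK"], {}):
        print(f)
```

In the constructed scenario the analysis reports risk P002 with `Z_AP_PAYMENT` as the only role the approver decides on, while `Z_AP_INVOICE` is listed as indirect via `Z_C_AP_CLERK`, which is the behaviour the article describes for indirect assignments; passing a mitigation such as `{"P002": "MC-AP-042"}` makes the same finding show as mitigated.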
The last important novelty from the users' perspective is the improved operation of logs on UAR requests, i.e. the periodic review of users. In the older version of the application, information was only visible about the user's login. We currently have full name and surname information when submitting UAR requests. This facilitates the audit and provides additional information on persons who approve UAR (Periodic Review) requests.
What to choose?
Since the debut of the latest version of the application, many corrections and updates have been released, which will certainly have a significant impact on the choice of SAP Access Control version. By far the best-founded choice is version 12.0, because the support period for the previous version 10.1 expires at the end of this year. Migration of companies working on version 10.1 to version 12.0 is also inevitable. It is worth doing in advance to avoid problems caused by the lack of support. If you have any questions, please contact us!
______________________________________________
[1] SAP Note 2638578 - What's new in GRC Access Control 12.0
[2] https://help.sap.com/viewer/product/SAP_ACCESS_CONTROL/12.0.06/en-US
[3] SAP Note 2622112 - Access Control 12.0 Support Package 01 - Master Note
[4] SAP Note 2697630 - Access Control 12.0 Support Package 03 - Master Note
[5] SAP Note 2737402 - Access Control 12.0 Support Package 04 - Master Note
[6] SAP Note 2767065 - Access Control 12.0 Support Package 05 - Master Note
[7] SAP Note 2832258 - SAP Access Control 12.0 SP06 Release Information Note
About the author
Mateusz Janik, Consultant in the Advisory Services Department, GRC Advisory. A GRC consultant who has participated in implementations of the SAP Access Control system for diverse companies, from medium-sized ones to enterprises employing over 2,000 users.