SAP GRC (Basic),

Biju (jays)
http://sapsecurity.info
Date : 16-Apr-2011 Date : 16-Apr-2011
1
GRC Basic
Time Section Topics
Introduction Welcome
SAP Security Overview
SOX Overview
Access Control Solution Overview
Compliance Calibrator Overview
Rules Architect
Risk analysis & Informer
Contents:
Risk analysis & Informer
Mitigation Controls
Alerts
Compliance Configuration
Firefighter Overview
Access Enforcer Overview
Module Breakdown
Process Walkthrough
Role Expert Overview
Module Breakdown
2
GRC Basic
Process
Sub-Process
Sub-Process
Activity
Activity
Role:
performs
one or more
transactions
Position:
performs
one or
more roles
Employee
Business Processes
Role
Job:
General category
For jobs
Org Unit:
Division
Role Mapping
Composite
Role
Role
Security Design
Example R/3 Role Design model
Activity
Activity
Workstep
Workstep
Workstep
Transaction:
SAP worksteps
transactions
3
GRC Basic
SAP Security The major elements of the SAP authorization concept
Users
Composite Profiles
Simple profiles
Authorization Objects
Authorizations
Fields
Values (Activities, Organizational elements)
Transactions
User Profile
User Profile
Composite
Profile
Composite
Profile
Composite
Profile
Composite
Profile
Users
SAP Security
To address this complexity and flexibility,
SAP has developed a solution called SAP GRC-
Access Controls Suite.
We will guide through how CC addresses some
of these issues.
Simple
Profile
Simple
Profile
Simple
Profile
Simple
Profile
Authorization
Authorization
Roles
Object Access
and
Restrictions
Authorization
Authorization
Objects Objects
Authorization
Transactions
Authorization
Transactions
4
GRC Basic
Securing Financial Applications Systems for SOX Compliance
SOX.
The Sarbanes-Oxley Act of 2002 also called as Public Company Accounting Reform and
Investor Protection Act of 2002 and commonly called SOX or Sarbox in response to major
corporate scandals like Enron..
Enron Corporation was an American energy company based in Houston, Texas.
Enron figures in late 2001
Enron employed around 22,000 people (McLean & Elkind, 2003)
Claimed revenues of $111 billion in 2000
Fortune named Enron "America's Most Innovative Company" for six consecutive years
At the end of 2001
It was revealed that its reported financial condition was sustained substantially by
institutionalized, systematic, and creatively planned accounting fraud
Enron filed for bankruptcy protection in the Southern District of New York
5
GRC Basic
Some interesting facts
6
GRC Basic
Present access and authorizations approach
ITdoesnotowntheresponsibilityforpropersegregationofduties.Theycantunderstandhurdleson
businessside,astheylackthecollaborationtoolsandlanguagetoefficientlycollaboratewiththebusiness
owners.
LinesofthebusinessmanagersareresponsibleforSoD,buttheylackthetechnicaldepthtomanageuser
access,sotheyrelyonIT
InternalauditorsaretryingdesperatelytostayontopoftheSoDissue.Howeverwithmanuallymaintained
spreadsheetslistingtheaccessandauthorizationsofallemployees,contractors,andpartnersandsoon,
theycanonlyperformaverylimitedauditataveryhighcost.
7
GRC Basic
Sarbanes Oxley and SAP - Top 7 Control Deficiencies in SAP
1. Segregation of Duties - segregation of duties as the most important point of control focus or
deficiency.
2. Inconsistent Business Process Procedures - Business procedures not matching the actual process is
another problem area in many SAP implementations.
3. Unsecured Customized Programs - Many customized 'Z' transactions or 'Y' transactions built in to
suit the business process.
4.Unauthorized Access to SAP BASIS - Many companies make the mistake of giving access to
sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54 etc
to users in production. to users in production.
Such unrestricted access can lead to a potential control deficiency under Sarbanes Oxley.
5. Unrestricted Posting Periods - Allowing unrestricted access to open Posting periods in SAP can
result in unauthorized entires in previous open periods. This can become a severe control deficiency
under SOX
6. SAP Access to Terminated Employees - SAP access had not been revoked for employees who had
been terminated. This can potentially lead to control deficiency
7. Database and OS Hardening - The data in SAP sits on databases like Oracle etc and SAP Portal as
such runs on an operating system. If databases and operating systems are not hardened, the whole
SAP environment is put at risk.
8
GRC Basic
GRC Governance Risk Compliance
SAP Compliance Calibrator
Business Challenges
- Identifying risks arising through user access privileges.
- Knowing when users have executed transactions that constitute a risk
- Developing solutions for risk management and control.
- Stopping risk from being introduced into the production system through change updates.
IT / Security Challenges
- Stopping risk from being introduced into the production system through change updates.
- Prohibiting and controlling access to critical basis, developer and sensitive business
transaction.
- Stopping risk from being introduced into the production system through change updates.
- Prohibiting and controlling access to critical basis, developer and sensitive business
transaction.
- Ensuring that mitigating controls exists for user access risks and are executed.
9
GRC Basic
Segregation of duties in applications SOD
The basic premise of segregation of duties is that users should not be in a position to initiate and
authorize their own transactions.
Modern IT applications ERPs like SAP, Oracle Apps, J D Edwards, Peoplesoft can be configured based
on roles. .
Access to specific transactions in the system can be restricted based on user roles and profiles.
Segregation of duties in applications can act as a major antifraud controls and lead to better SOX
compliance.
Sensitive Access Controls SAT
IT Based Antifraud Controls - SOD & SAT
Sensitive Access Controls SAT
SATs coupled with SODs can act as the foundation for IT based antifraud controls.
The other important antifraud control is restricting user access to sensitive transaction in the system.
From an IT perspective users have access to a lot of information such as payroll data, balance sheet,
profit and loss account etc.
This sensitive information can be misused. It is therefore important to restrict users access to this
sensitive information in applications.
10
GRC Basic
MM SoD Conflicts Sample data
SoD Controls (Functions that should be segragated) Risks
RISK LEVEL
Post Goods Receipt and Post Payments
A user could post or change a fictitious or incorrect goods receipt
and set up a fraudulent automatic payment or create a fraudulent
check. H
Post Goods Receipt and Process Outgoing Payments
A user could post or change a fictitious or incorrect goods receipt
and post a fraudulent payment or clear the invoice to hide the
deception. H
A user could post or change a fictitious or incorrect goods receipt
Post Goods Receipt and Process Inventory
A user could post or change a fictitious or incorrect goods receipt
and create/change an inventory document/count to hide the
deception or clear the inventory count to hide the deception. H
Post Goods Receipt and Process Inventory Documents
A user could post or change a fictitious or incorrect goods receipt
and create/change an inventory document/count to hide the
deception or clear the inventory count to hide the deception. H
Post Goods Receipt and Goods Issue
A user could post or change a fictitious or incorrect goods receipt
and then use a goods issue to hide the deception. The vendor
would be paid for the excess recorded receipt. H
Post Goods Receipt and Process Materials
A user could create or change a fictitious receipt and create/change
a material document to hide the deception. H
11
Compliance Calibrator Key Terms
Business Process Used to classify risks, rules and rule sets by business function e.g. Order to
Cash, Purchase to Pay, Record to Report are all types of Business Processes. All risks and functions
are assigned to business functions.
Function - Identifies the tasks an employee performs to accomplish a specific portion of their job
responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.
Action- Known as Transactions in SAP. To perform a function, more than one action may be required
to be performed.
Permission Object in SAP, which form as part of Actions.
Risks Identify potential problems your enterprise may encounter, which could cause error or
irregularities within the system.
Rule Sets Ccategorize and aggregate the rules generated from a risk. when you define a risk, you
attribute one or more rule sets to that risk. Similar to business process.
SoD Segregation of Duties, are primary internal controls intended to prevent, or decrease the risk of
errors or regulatory irregularities, identify problems, and ensure corrective action is taken. This is
achieved by assuring no single individual has control over separate phases of a business transaction.
.
12
GRC Basic
Definitions Function, Business Process, Action,
Permissions & Activities
3
2
1
5
1. Function
2. Business process
3. Action
4. Permissions
5. Activities
4
13
GRC Basic
Role
Maintenance
(preventative)
Request Role
change
Analyse &
Approve Role
change
Build
Change
Risk
Analysis
Approve
Change
Deploy
Change
SAP CC is used to identify SOD conflicts before the change enters production. This allows control leads to reject the
introduction of risk or assign / implement a mitigating control before risk is apparent.
Note: Rules have to be pre-defined before Risk Analysis is performed.
SAP Compliance Calibrator
Process Overview
User
Provisioning
(preventative)
Request
Access
Identify
Risks
Business
Approval
Update
user
Execute
Controls
.
Security
Controls
(detective)
Analyse
SOD
conflicts
Analyse
Critical
Transactions
..
..
Alert
SOD
violations
Alert
CT
usage
..
Deeper understanding of risks inherent in the security design allows business approvers to make a proactive choice as
to whether they allow a user to have an SOD risk or critical transaction.
SAP CC is used to execute security controls for period review and approval for SOD conflict and critical transaction
risks. The alert monitoring can also be used to identify business or control leads when a SOD violation occurs or a
critical transaction is used.
14
GRC Basic
Rules Architect SOD risk
SAP Compliance Calibrator
Rules are created in compliance calibrator based on the risks you define.
Rules are logical constructions composed of a circumstance or condition, and the appropriate response to that
condition. This is commonly represented as an If-Then statement.
IF
Employee X can Create a Vendor &
Employee X can Authorize Pay vendor
Then
Employee X has been granted High Risk Conflicting Roles
This is an example of a SOD risk.
Risks
Compliance
Calibrator
Rules
15
GRC Basic
Rules Architect The Rules Library
The core engine of SAP CC contains a rules library that maintains the risks for SOD conflicts. This library will contain conflicting
transactions, grouped into functions, including the object and activity settings and runs to 1000s of records.
For each identified risk the rules need to be configured so that the risk is properly recorded, in essence this means the removal of false
positives. False positives are identified when at the object level potential risk is not realized e.g. the action is to read only.
Building rule sets
1. Set up functions (groups of activities
that users perform to carry out their
role) by mapping transaction activities.
SAP Compliance Calibrator
role) by mapping transaction activities.
2. Map two or more functions together
to define a risk
3. SAP CC creates rules based on the
risks which are used for risk analysis
reporting and alert monitoring.
4. Business process can also be
defined and mapped to risks for ease
of reporting e.g. Finance Accounting.
5. Multiple rule sets can also be set up
to act as reporting filters, version
control and other uses.
16
GRC Basic
Rules Architect- Key Drivers
Building rule sets can be complex and time consuming. Typically three distinct roles and
skills are involved.
Internal Controls Expert
Provides information on SOD risks, criticality and represents business (process) owners in decisions to mitigate or
remove risks.
SAP Compliance Calibrator
Internal
Control
SAP Functional Expert
Provides expertise on the business
process configuration in SAP , knowledge
Control
Expert
SAP
Functional
Expert
SAP
CC
Expert
process configuration in SAP , knowledge
on objects and activity values. Helps to set
the configuration data for the rule set
library. Helps identify false positives.
SAP CC Expert
Provides knowledge on rules
setting in SAP CC performing mass
upload changes and risk analysis.
Rules
Generation
17
GRC Basic
Risk Analysis
Once the rule set has been defined and implemented risk analysis can be performed to identify the SOD
conflict and critical transaction risks in the staging and production system.
Risk analysis can be performed at the user or role level. Risk Analysis and remediation is most efficient when
a structured authorizations concept is implemented that maps roles to job and people. In these
circumstance remedial efforts correct risks for large groups of users.
Risk Analysis can be performed:
SAP Compliance Calibrator
Risk Analysis can be performed:
1. During the project lifecycle before users are
allowed in the production system.
2. Before each change request for role
maintenance is deployed to production.
3. Before provisioning exceptional roles to
individual users
4. To execute periodic security controls.
18
GRC Basic
Risk Analysis Types of risks
Segregation of Duties (SoD) risk
A combination of two or more actions or permissions that, when assigned to a single employee, create a vulnerability. That is to say, in the case
of two conflicting actions an employee may have permission to perform one of these actions, but not both.
Critical Action risk
Certain actions are, by their nature, inherently risky. Any employee who has permission to perform one of these actions automatically poses a
risk. Defining a critical action risk ensures that any employee assigned this permission is identified by the risk analysis process. risk. Defining a critical action risk ensures that any employee assigned this permission is identified by the risk analysis process.
Critical Permission risk
Just as some individual actions can be critical, the same is true for some permissions. Defining a critical permission risk ensures that risk analysis
identifies any employee who has been assigned an action that includes a potentially risky permission.
The severity of a risk can be categorized as either:
Low
Medium
High
Critical
You use the Risk Level to categorize risksand the rules they generateby severity. What determines, for example, a critical risk is according
to your company policies.
19
GRC Basic
Informer
Informer allows a appropriate user to access specific reports. In addition to the default report formats, there are specific user-selected
focus areas available on many of the reports.
Informer tab report types include:
Management View- Can view reports in the following types: Risk Violations, Users Analysis, Role Analysis, Comparisons,
Alerts, Rules Library, Controls Library
Risk Analysis- Performed to see if any User, Role, HR Object or Organization has access to two or more conflicting actions.
Audit Reports- Provides report headings covering different aspects of the enterprise. Each Audit report menu item contains links
to reports that may be user modified to fit needs requested.
Security Reports - Provides an access point for reports on every aspect of product and enterprise security compliance issue.
Background Job - Allows SoD conflicts to be analyzed for a large number of Users, Roles, HR Objects or Organizations.
20
GRC Basic
Informer
Compliance Calibrator provides Interactive visual analysis in the form of Bar charts, Pie Charts and Line Charts
By clicking upon
a certain chart a certain chart
area, detailed
statistics are
accessed
21
GRC Basic
SAP Compliance Calibrator
You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels
Informer
22
GRC Basic
Mitigation Control
Mitigation Controls- Rather than remove the cause of the risk, you may want to control certain risk violations that you want available to specific users, roles,
or profiles.
Monitor ID - The ID of the User who is assigned as a Monitor, who is assigned the specific Controls.
Where risks are accepted in the system, a mitigating control should be implemented and executed. An example is a supervisory review and sign off.
SAP CC gives you the functionality to document the mitigating controls for each risk. Once documented and assigned to a Monitor the tool can be used to track
execution of the control or non compliance.
Many clients will have separate cross-enterprise process controls software and we suggest three options for implementation:
1) Simplest option, identify risk as controlled. Risk is removed from risk reporting.
2) Associate the risk with a mitigating control in an alternate repository e.g. process control software.
3) Fully document the mitigating control within the SAP Compliance Calibrator. 3) Fully document the mitigating control within the SAP Compliance Calibrator.
A choice also exists on who to give responsibility for maintaining data in the SAP CC tool. This can be centralized in IT or Controls or fully distributed to the
business.
Controls Library option lists all the existing
Mitigation Controls (active/inactive). The
Controls Library displays the Controls by Risk
level and are sorted by:
Risk
Risk Level (Low, Medium, High)
Business Unit
Monitor
User, Role, Profiles, or HR Object
23
GRC Basic
Alerts Monitor
Compliance Calibrator includes functionality which can alert business and controls leads by email when a critical or
conflicting action is executed.
Alerts are available within the following risk areas:
Conflicting and Critical Actions When a user performs both transactions in an SOD rule or uses a critical
transaction.
Mitigation monitoring If a Monitor does not execute a control to a specified frequency then an alert will be Mitigation monitoring If a Monitor does not execute a control to a specified frequency then an alert will be
generated which is sent to the Monitor and visible to the control leads.
Cleared alerts- When an alert message has been delivered and cleared. Alerts remain as an archived record and can still
be tracked and monitored.
24
GRC Basic
SAP Compliance Configuration
The configuration Tab is the main starting point for post installation setup.
NOTE: Only an User with Administrative authority can access and use this aspect of Compliance calibrator.
The Java Connector (JCO) acts as the integration point between the Java application and the SAP system to be monitored / analyzed.
The User Management Engine provides for out-of the box J2EE Administrator profiles to be defined or activated .
The Rule set upload function is used to load the standard rules or customized rule set e.g. critical transaction codes, critical objects etcetera. These
characteristics are the foundations of the SoD rules.
The Workflow component is used to trigger email alerts to named Process Owners within the User Provisioning. It is an integrated part of the Access The Workflow component is used to trigger email alerts to named Process Owners within the User Provisioning. It is an integrated part of the Access
Enforcer solution.
Background Job Scheduling is used for activating Monitoring e.g.. frequency of SoD analysis, Risk Violations.
25
GRC Basic
STANDARD GRC RULESET
SAP Compliance Configuration
SCHEDULING RISK ANALYSIS
26
GRC Basic
Major Activities Walkthrough
Activity
SAP Compliance Calibrator
Install and set up SAP CC Technical installation Core ECC, RFC connections to Modules, Assembly Test.
Agree security design principles and
dependencies with SAP CC
Establish design concepts and principles for mapping roles to jobs and users e.g. 1
Composite role to each user
Confirm Project governance and high
level processes
Agree business owners, Business Approvers, Control Approvers, Role
Maintenance and UP processes. Define Security controls.
Master data and functional set up. Test
functionality
Agree master data definitions; Organization; Business Process; Risk Descriptions;
Monitors and Control Approvers.
Define risks and configure risk rule set Agree SODs conflicts and critical transactions. Categorise risk (H/M/L). Update Define risks and configure risk rule set Agree SODs conflicts and critical transactions. Categorise risk (H/M/L). Update
risks rule set. Test risks.
Run Risk analysis Run risk analysis in staging environment. Run Risk Analysis in production
environment. Export reports and update Risk Logs.
Remedial actions Identify and remove false positives. Agree whether to accept or reject risks. Plan
authorization changes, update security design templates and raise change request
to security maintenance. Re-run risk analysis.
Mitigate Accepted Risks Agree mitigating controls for each risk. Agree control owners and business
approvers (execution). Update mitigating controls in tool.
Update procedures and security controls. Update procedures to introduce SAP CC as a preventative control and reflect
governance for business ownership.
Transition to live Train and enable operations staff, business approvers, control owners. Deploy new
procedures. Stabilization support
27
GRC Basic
28
GRC Basic
F i r e - f i g h t e r
The Firefighter application allows a user to take responsibility for tasks outside their normal job function, in a
emergency situation.
Enables users to perform duties not included in the roles or profiles assigned to their user IDs.
Provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage,
providing the capability to review activities used during an emergency situation.
Role 1
Before users can access Firefighter, they must be assigned a Firefighter ID. For each Firefighter ID you define the
following roles.
Owner Owners can assign Firefighter IDs to Firefighters
Controllers Receives email notification and reviews the Firefighter Log report.
In addition the Administrator perform the creation of Firefighter ID and assign authorization roles.
Role 2 Firefighter ID 1 User 1
Role 3
29
GRC Basic
Process Overview
Request
access to
production
Request access
to Production.
Approve
Request
Assign
Firefighter
account
Update
Production
Review
Control
Log
Firefighter enables users to perform duties not included in the roles or profiles assigned to their
userIDs. Firefighter provides this extended capability to users while creating an auditing layer to
monitor and record Firefighter usage.
Through automated emergency access administration, Firefighter tracks, monitors, and logs all
emergency access activities
SAP Firefighter
emergency access activities
Example
If the employee who normally works with vendor accounting, but is on vacation or sick leave, another
employee who usually verifies invoices may be assigned a Firefighter ID to perform this task
temporarily.
Benefits of Firefighter are:
Avoid business obstructions with faster emergency response
Reduce audit time
Reduce time to perform critical tasks
30
GRC Basic
Firefighter dashboard
Firefighter Log Report
F i r e - f i g h t e r
31
GRC Basic
32
GRC Basic
Access Enforcer is a web-based application within J2EE and NetWeaver environments. It is connected to
multiple data sources such as an LDAP and SAP backend system.
Access Enforcer automates the end-to-end access provisioning approval process by combining roles and
permissions with workflow.
When a user requests access to resources for which they do not have permission, Access Enforcer automatically
forwards the access request to designated managers and approvers within a pre-defined workflow. This
workflow is customized to reflect your company policy.
Access - Enforcer
workflow is customized to reflect your company policy.
Roles and permissions are automatically applied to the enterprise directories when the access request are
approved.
Access Enforcer automates the role provisioning process within the identity management environment. It
ensures corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.
33
GRC Basic
Access Enforcer
Access Enforcer has four task modules for specific usage. They include:
Requestors The Requestors module is for end-users who are requesting access to SAP and non-SAP backend
systems.
Approvers The Approvers module is for approvers who approve access requests. Approvers can also request
access for other end-users. Approvers include line managers and IT security.
Informer The Informer module is a reporting tool that provides graphical and analytical reports for managers.
Configuration The Configuration module is for Access Enforcer Administrators who define defaults, workflow,
and other attributes that are based on their corporate business processes and policies.
34
GRC Basic
Access Enforcer Module Breakdown
Approver Requestor Informer
Access Enforcer provides three standard Approver
types. Depending on your organizational hierarchy
and process, there may be other Approver types
that can be added to Access Enforcer. The standard
Approver types are:
Manager Approver is usually the requestors
manager. Manager can review and approve their
workflow stage during the approval process.
As a Requestor, you use the
Requestor module to create
various access requests for an
SAP backend system, non-SAP
system, or other application
(server). There are three types of
Requestors:
Department Member Creates
Access Enforcer provides the
ability to generate various reports
for the purpose of viewing and
analyzing request approval
activities. Reports are divided into
two categories:
Analytical lets you drill down to
individual role change and access workflow stage during the approval process.
Role Owner Approver has the authority to approve
or reject a request. The Approver can put a request
on hold and add additional roles to the request, if
necessary. An Approver can only approve or reject
requests that they own and cannot approve
requests for other approvers unless they are
assigned as a alternate approver.
Security Approver is usually the last approver in a
typical workflow. The Security Approver can
provision access to the target system that has been
requested.
Department Member Creates
requests for access permissions or
roles, for themselves or for their
team members
Managers Creates requests for
roles for their subordinates
Approvers Other managers can
also create requests
individual role change and access
permission requests.
Chart generates a graphical view
of the request approval
information, which can be used to
analyze various activities.
35
GRC Basic
Access Enforcer Screenshots
Request for Approval List- displays pending requests
assigned to you.
Request Approver Page for a request submitted.
36
GRC Basic
Access Enforcer Walkthrough
1 Makes access Request for specific application,
for which they do not have the necessary roles
Requestor
S
A
P
Access
Enforcer
2. Provides Access Request page, which can be set to specific
or multiple data sources (e.g. SAP HR system or non-SAP systems)
to complete the request process
3. Submits completed Access request page. This triggers a Workflow process, which 3. Submits completed Access request page. This triggers a Workflow process, which
is made up of several pre-defined approval stages and is customized to reflect
the business and security policies and procedures.
Approver
4. Receives email notification of access request at each approval stage.
Performs Risk analysis and SOD assessments.
When conflict arises, approver can mitigate the problem or reject the Request.
5. Upon approval, access request is routed to next stage, which could involve
the IT security team for entry to the SAP backend system or application server.
Automatic provisioning to the target system could take place.
37
GRC Basic
Access Enforcer - Benefits
38
GRC Basic
39
GRC Basic
Role Expert
Role Expert is a solution for compliant enterprise role management, allowing role owners to define,
document, and manage roles across multiple enterprise applications ad enforces best practices, resulting in
lower ongoing maintenance and effortless knowledge transfer
Automatically analyzes roles for potential security risks (audit and SoD issues), tracks changes, and facilitates
approval workflow, eliminating the inefficient back-and-forth exchanges between business managers and IT.
Role Expert provides a complete audit trail, covering role definition, detailed change history, and control test
results and allows SAP security administrators and Role Owners to document important role information that
can be of great value for better role management such as:
Tracking progress during role implementation Tracking progress during role implementation
Monitoring the overall quality of the implementation
Performing risk analysis at role design time
Setting up a workflow for role approval
Providing an audit trail for all role modifications
Maintaining roles after they are generated to keep role information current
40
GRC Basic
Role Expert
Role Library- Dashboard of all the roles in Role Expert. Displays an interactive graphical interface of the roles
broken down by system landscape, role owner, or business process. It also shows the number of roles with
violations and roles belonging to different role types.
Role designer- Provides you with a step-by-step guide for designing roles across your enterprise. Role Designer
allows you to define:
Role Building Methodology
Naming Conventions
Role Attributes
Org. Value Mapping
Approval Criteria
Org Level- Maps the hierarchical Org Level- Maps the hierarchical
structuring of organization,
enabling to manage roles
effectively.
Change history provides you with
an audit trail for all the changes
made to roles within Role Expert
or your SAP system
Mass Maintenance- Allows you to
synchronize the SAP Back-end
systems with Role Expert by
importing roles that already exist
in the SAP system.
41
GRC Basic
Please let me know if any concerns.
Thanks
Biju
42
GRC Basic