Monday, September 3, 2012


"Key enhancements in SAP GRC Access Control 10.0"
As we zoom past our initial hiccups during the configuration of SAP GRC Access Control 10.0, we have come to notice major enhancements that SAP is trying to make in this version.
It seems to me that a lot of feedback is being incorporated by SAP to improve the day in the life of an SAP GRC consultant working on Access Control versions 5.2 or 5.3.

No doubt the console of the new SAP GRC Access Control 10.0 is sleek and brand new. It gives a good feeling and a sense of fear as well, since there are new things out there that we now need to master and leverage. Below is a glimpse of some of the key changes we noticed coming our way in SAP GRC Access Control version 10.0.

1. Robust RAR – Customers often used to ask us, when we showed them an access risk analysis report, “Is that all?” The challenge was that the report was so bulky that one needed to spend a considerable amount of time reading and analyzing it to find out where to act first for remediation/mitigation. It looks like we can have some relief around this problem, since SAP has come up with a new framework for RAR which helps us narrow our risk analysis down to a very specific level, as well as quickly sort our risk analysis data so that we can reach our critical mass of users or roles faster. RAR in SAP GRC Access Control 10.0 gives us an option to add conditions based on system, user groups or even risk level to do an analysis. Earlier it was restricted primarily to users and roles. Another important new feature in SAP GRC Access Control RAR 10.0 is that it supports multiple rule sets during the analysis.

2. Bulk data handling – It happens. Huge organizations at times grow big and never get time to clean up the authorizations assigned to profiles and users. Cases are known where the number of violations reported after an analysis has shot up to more than 1 million. It used to be very difficult to download this amount of bulk data to an Excel sheet due to the sheer limitation of rows and columns in an Excel sheet. This particular issue is now resolved in the new version, SAP GRC Access Control 10.0, where reports can be split into different files and downloaded.

3. Personalization in Reporting – Reporting was mundane in SAP GRC Access Control 5.3, as there were stringent limitations on the way one could modify a report as per one's needs. SAP GRC Access Control 10.0 gives us a lot of flexibility to shape a report, and in fact the view of the report in the system as well, to fit our requirements or the viewer’s profile. One can sort, filter or simply remove rows and columns which are not so important to us and print the report as a PDF or a Crystal Report. The best part is that we do not need a Crystal Report license to do this; all we need is the Crystal Report adapter to be installed.

4. Drill Down on Reports – This particular feature was present in SAP GRC Access Control 5.3, but in the new version, SAP GRC Access Control 10.0, it has been significantly enhanced. Doing a drill down to identify and troubleshoot a violation and understand the risks associated with it is made better. One can do a drill down based on the risk ID, user ID, functions and every other security entity which can help us understand it better and plan a mitigation for it.

5. Mitigation made easy – Setting up a mitigation control to remediate each violation/risk was a time-consuming task in SAP GRC Access Control 5.3. We now have new features introduced by SAP to help us save time and plan mass mitigation approaches. We can now assign a single mitigation control to a set of violations/risks, which means that business users can define fewer but more effective mitigation controls for all their business risks. IT teams can also set up mitigation controls specific to systems, which is another new feature. A tenure (the time period for which the mitigation will be valid) can also be tied to a mitigation control.

6. Audit's delight – Good news for hardworking auditors has also come in SAP GRC Access Control 10.0. Auditors will now have a better view of all changes made in the GRC system. One could never track from SAP GRC Access Control 5.3 when a transaction was last used by a particular user, or how many times it had been used in the last six months. This kind of information was difficult for a non-SAP Security person to find out without any help from the backend. Now SAP GRC Access Control 10.0 simplifies the life of an auditor too, who can access this information as an SAP GRC power user. Any changes made to the rule sets, critical roles or profiles, functions, risks or org rules can be tracked by an auditor, with details such as when the change was made and by whom. The historical values of these fields are also maintained.

7. Centralized Emergency Access Management aka Firefighter – Access is now centralized in SAP GRC Access Control 10.0, so firefighting activities are managed and utilized from the SAP GRC Access Control 10.0 applications. A workflow-based provisioning and review process is now introduced, which greatly reduces our effort compared to SAP GRC Access Control 5.3 for provisioning firefighter IDs and reviewing logs to monitor the usage of firefighter IDs.


8. CUP Centralized – The Compliant User Provisioning module of SAP GRC 5.3 has a new avatar as SAP business workflow running through all the modules of the SAP GRC suite. It seems that SAP GRC Access Control 10.0 will be able to support seamless provisioning across multiple rule sets as well, something which was not possible in older versions. New features include customizable access request forms and approver views. The new enhancements also facilitate position-based role assignment requests, which help us leverage our existing HR structure for automated and compliant position-based role assignment.

9. ERM helps in Role Governance – Role Mining, a new feature noticed in SAP GRC Access Control 10.0, is going to help us bring in sanity every now and then by providing us with information like role usage. The feature can be used to periodically remove any unused authorization or over-authorization from the roles, thereby maintaining governance around roles.

10. Stronger friends with IDM – The IDM story with SAP GRC Access Control 10.0 is set to grow. Tighter integration between SAP IDM 7.2 and SAP GRC Access Control 10.0, leading to faster and easier provisioning, is promised as these two new versions of SAP products come into general availability. The communication channel between the two products is being made stronger, and the audit reporting in SAP IDM around User Access Management is expected to get a boost.

Look out for these and many more new features introduced in SAP GRC Access Control 10.0. As we move on, more details around these features will be shared. Surely the experience in GRC will be getting better with SAP, and it is up to us now to grab these features and put them to use.

Comply with Controls to Compete.

Kunal Kant

"This article is copied from http://sapgrc10.blogspot.in/2011/03/10-key-enhancements-in-sap-grc-access.html, written by Kunal Kant"
