CIRM: Compliant Identity and Role Management in Practice
My previous blog “Remediating SOD Violations in SAP Access Control” gives tips and tricks as well as a best-practice approach how to remediate SOD violations in the first place. With this blog, I would like to go a step further and outline why remediating SOD violations in the long-run doesn’t stop once all remaining risks have either been remediated or mitigated. The concept of Compliant Identity and Role Management (CIRM) guarantees sustainable remediation and security.
In 2012, I successfully implemented SAP Access Control with all its modules in a global environment. I traveled to each subsidiary to remediate and finally mitigate remaining SOD violations. In early 2013, we finalized the last subsidiary and the violation count finally showed zero. We were amazingly proud of ourselves and went off for a long-awaited holiday. After three weeks and back in office, we realized that latest changes to users and roles had increased the number of violations sharply, even though compliance checks in Access Requests workflows were in place. What happened? The lack of integrated and sustainable processes resulted in this negative trend. Therefore, we had to come up with a whole concept to avoid that from happening.
Compliant Identity and Role Management (CIRM)
CIRM is a unique initiative between SAP and Xiting and covers the entire process in users and authorizations management lifecycle. CIRM ensures that users request access through a validated tool like SAP Identity Management (IDM) and checks requested authorizations for compliance in SAP Access Control (GRC). SAP Single Sign-On guarantees seamless encryption and security when accessing the systems. Also, it is important to test and replicate all authorizations that exist in the SAP environment adequately.
Only concepts like CIRM allow seamless and continuous compliance of the landscape.
Compliant Role Management
Authorization roles are the fundament when authorizing users in SAP systems. Therefore, it is highly important that roles are compliant with the actual rule set definitions. Ensuring such requirement is possible with tools like SAP Access Control (GRC), or the Xiting Authorizations Management Suite (XAMS), with its built-in risk analysis frameworks. Building roles is an active process and require authorization administrators to leverage existing tools. With the Role Designer, which is part of the XAMS, security personnel build roles virtually and run compliance tests either against SAP Access Control, or the built-in risk framework in XAMS. That enlarges the opportunity to come up with a complete role design that is not only risk-free from a role perspective but also built in the context of future user assignments.
Actively checking for SOD violations, critical actions- and authorization ensures risk-free and GRC compliant authorization roles. However, running simulations and risk analysis only against the naked role are not sufficient, as evaluation of the impact isn’t possible on actual assignments.
Xiting recommends a two-step analysis to ensure GRC-compliant roles:
- Running risk analysis on Permission Level to detect SOD violations, critical actions, and critical permissions. Execute this step in any environment that has up-to-date rule set definition. Also in the development environment where you build your roles.
- Running role impact analysis on productive environments to identify potential risks before they occur in production. Execute this step against all productive systems where you transport the role. Analyze the impact on users assigned to a role accordingly. That’s especially important for role changes, and not for new role creation.
Replicating roles requires tremendous manual effort and simplifying is possible with the Role Replicator module in XAMS. Role Replicator supports org sets and replicates them automatically to linked roles and offers reports to ensure the quality of the replication. Further, connecting Role Replicators’ org sets with SAP Identity Management leverages the role mining process when searching for roles.
If the role is conflict free, it’s ready to go and can be distributed through the landscapes. Distribution happens with transports or the distribution functionality in the Business Role Management (BRM).
Compliant User Management and Provisioning
When touching a user, it is necessary to run simulations to identify upcoming risks before they appear. SAP Identity Management, as well as the Access Request Management (ARM), has an interface to the Access Risk Analysis (ARA) module to run simulations and real-time analysis. The workflows have the capability to detour approval paths based on violations. Workflows allow the creation, change, lock, and unlock of users. You can also execute the provisioning process directly with the tool. Manually maintaining role assignments or users in e.g. the Central User Administration (CUA) is not sufficient and guaranteeing compliance is not possible. We also highly recommend restricting authorizations to transactions like SU01/SU10/PFCG accordingly, so that manual changes are not possible. We recommend to grant modifying access to such transactions only with the Firefighter functionality.
The following graphics shows a case of integrating SAP IDM, SAP Access Control, SAP SSO, and the Xiting Authorizations Management Suite, in the context of CIRM.
End user access all SAP systems via Single Sign-On functionality from SSO 3.0. A user requests role assignments in SAP Identify Management, and the systems determine the path and approval steps involved. Giving an approval in IDM triggers compliance checks against rule set definitions in GRC automatically. If a risk occurs, GRC triggers the risk mitigation workflow and allows possible mitigations, or initiate remediation actions. SAP IDM will consistently pull the risk status from GRC and once “green light” arises, the provisioning process starts. In case risks are not mitigated or rejected, IDM receives “red light” status and rejects the request. Automatically handling notifications in the systems ensure compliant password policies, etc. You can use roles for provisioning that were built with XAMS and validated against GRC.
Continuous Compliance Checks
Once compliant user and role management processes are in place, ensuring ongoing compliance in the long-run is a must. Therefore, SAP Access Control has built-in functionalities like the User Access Review Workflow (UAR) to periodically check role assignments in the context of a user. Also, the SOD Risk Review Workflow to run ad-hoc reports of systems to check for SOD violations, as well as the ability to perform real-time risk analysis. During the creation of roles, connecting tools like XAMS to risk frameworks help to actively check for potential harm. The Risk Terminator, a functionality that comes with SAP Access Control, monitors the profile generation of new or changed roles in development systems. Leveraging this functionality in production systems prevents the generation of authorization profiles, in case violations occur. This feature is extendable to control role assignments in SU01/SU10.
Compliant Identity and Role Management in Practice
XAMS, SAP Access Control (GRC), SAP IDM, and equivalent products support compliance checks and reduce the manual effort involved. Nevertheless, these are supporting tools and require the constant attention of security personnel to work efficiently and to guarantee expected results. Achieving continuous compliance requires integrated processes and the awareness of security personnel to check latest developments in the systems consistently. Also remember, no system will ever be risk-free as SAP systems are volatile due to changing demand and requirements.