GRC Access Control identifies and prevents access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control. The role creation methodology designed into the Enterprise Role Management (ERM) capability is a part of this compliance and control system.
ERM provides the essential elements necessary to support this methodology, which comprise:
Role definition
Role information maintenance
Approval comments with date and time stamps for each role
Role comparison: to show any discrepancies between role definitions and actual roles generated in the back-end system
ERM includes preventive risk analysis at role design time, before the role is created in the SAP Development environment; approval workflow and role generation; audit trails and reporting; and integration with the Compliant User Provisioning capability.
When linked to the Risk Analysis and Remediation (RAR) capability, the application also enforces Segregation-of-Duties analysis during role design to prevent risks from entering application systems.
In the ERM capability itself, the Role Creation methodology is directly represented in the functions located in the Create Role selection on the Role Management tab.
The Create Role function works in phases. The phases are shown progressing across the screen, and each phase is related to a set of tabs at the bottom of the screen. The tabs that you see depend on the phase.
This section describes the features that support and enable the methodology.
The Role Creation methodology tabs are as follows:
Use this text field to describe the role.
You use the Functional Area to add a new attribute to the role. You can use these attributes to select multiple functional areas, such as departments or locations.
You define default primary and alternate approvers for this role based on the Approval Criteria set up by the Enterprise Role Manager Administrator.
You can also designate the Approver as a Role Owner, or an Approver (Provisioning), or both.
You use this tab to select from the Custom Fields configured by the Enterprise Role Management Administrator. You can use this tab to create a custom attribute to reflect a number of states, such as role status or critical role.
When you are in the Authorization Data phase, the Organization Levels tab appears on the Role Create screen.
This tab displays all available organization levels for the role based on the authorization data added to the role.
After risk analysis has been performed in the Risk Analysis phase, Risk Violations provides a breakdown of conflicting transactions, critical transactions, conflicting objects, and critical objects.
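
The following is an added example, not SAP code and not part of the original page. It sketches a preventive Segregation-of-Duties check on a draft role at design time, reporting conflicting and critical transactions only (authorization objects are left out). The rule set, risk IDs, function names, and the may_generate gate are constructed assumptions; the transaction codes are standard SAP codes used as sample data.

```python
# Constructed rule set for illustration; not SAP-delivered content.
# A function groups transaction codes. A risk is a pair of functions
# that a single role should not combine.
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02"},     # create / change vendor
    "PAYMENTS": {"F-53", "F110"},         # post payment / payment run
    "PURCHASING": {"ME21N", "ME22N"},     # create / change purchase order
    "GOODS_RECEIPT": {"MIGO"},            # goods movement
}
SOD_RISKS = {
    "R001": ("VENDOR_MAINT", "PAYMENTS"),
    "R002": ("PURCHASING", "GOODS_RECEIPT"),
}
CRITICAL_TCODES = {"SU01", "SE38"}        # user maintenance, ABAP editor


def analyze_role(tcodes):
    """Return conflicting and critical transactions for a draft role."""
    tcodes = {t.strip().upper() for t in tcodes}
    conflicts = []
    for risk_id, (left, right) in sorted(SOD_RISKS.items()):
        hit_left = sorted(tcodes & FUNCTIONS[left])
        hit_right = sorted(tcodes & FUNCTIONS[right])
        # A risk fires only when both sides of the pair are in the role.
        if hit_left and hit_right:
            conflicts.append({
                "risk": risk_id,
                "functions": {left: hit_left, right: hit_right},
            })
    return {
        "conflicting_transactions": conflicts,
        "critical_transactions": sorted(tcodes & CRITICAL_TCODES),
    }


def may_generate(report):
    """Hypothetical gate: hold role generation while violations remain."""
    return not (report["conflicting_transactions"]
                or report["critical_transactions"])


if __name__ == "__main__":
    # Constructed draft role: vendor creation plus payment posting,
    # one purchasing code, one critical code, one unrelated code.
    draft = ["FK01", "f-53", "ME21N", "SU01", "VA01"]
    report = analyze_role(draft)
    print(report)
    print("may generate:", may_generate(report))
```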