Considering how many people out here have so selflessly shared their expertise through blogs, answers and the like, it is only fair that I do my bit to balance the scales. Whether what I contribute is worth it is a different story, and I shall leave that for the moderators to judge for themselves.
The topic I would like to present to you is ARA. Just a heads-up that what is presented here is only an overview of my understanding of what ARA is and how it works. I'll leave it to the experts here to make corrections or suggestions where needed, for the benefit of everyone reading this document, myself included.
A lot of the key terminology has been explained rather brilliantly by Alessandro in the following two documents, so there is no point in my trying to reinvent the wheel.
So here we go.
Access Risk Analysis – ARA
Analyzing Risks associated with Access
Risk: when an Employee in a Company is assigned a Task or Tasks that could provide him or her with an opportunity to commit fraud.
Employee -> Company -> Task/Tasks -> Opportunity -> Fraud
Tasks are assigned to the employee in the form of Roles, which are made up of Actions (T-codes), which in turn are made up of Permissions/Authorizations.
Workshops with Business Process (BP) Owners and other relevant personnel have to be conducted to gather information about the Risks associated with the following chain:
Roles -> Actions/Transaction Codes -> Permissions/Authorizations
Role1 -> Action1, Action2 -> Permission1, Permission2
Role2 -> Action3, Action4 -> Permission3, Permission4
Based on the information gathered we need to define the Risks. First, classify the actions and permissions:
Action1 = Conflicting Action
Action2 = Conflicting Action
Action3 = Critical Action
Permission1 = Critical Permission
Then group them into Functions:
Function1 = Action1
Function2 = Action2
Function3 = Action3
Function4 = Permission1
Then define the Risks in terms of Functions:
Risk1 = Function1 + Function2 (conflicting functions, an SoD risk)
Risk2 = Function3 (a critical action on its own)
A Rule is a condition: if Function1 + Function2 is given to a user, then it is a Risk.
Therefore Rule1 is generated against Function1, Function2 and Risk1.
Example: Action1 = XK99 (Vendor Mass Maintenance), Action2 = ME2L (Maintain Purchase Order – Purchasing).
Risk = create a fictitious vendor and initiate purchases to that vendor.
Run a Risk Analysis against all the Risks defined
Based on the analysis, Remediate the Risks by executing a cleanup process, i.e. re-designing or re-defining the roles.
This can be done through Simulation, to check whether the defined Risks would be eliminated if the cleanup were executed.
In certain unavoidable circumstances Remediation isn't an option, so the solution is to Mitigate the Risk.
So when you create a Mitigation Control (MC):
You specify the Risk IDs and the Organizational Unit (OU) they are associated with -> the Risk IDs look up the Functions they are associated with ->
the Functions look up the Actions (T-codes) they are associated with. Assign an Owner and a Controller to the MC, and
tie all of this to an end user, role or profile that is assigned a role or roles which could pose a threat.
To ensure all the hard work done so far does not go to waste, run
SoD review, Audit Trails and Risk Analysis on a periodic basis.
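To make the chain above concrete (Roles -> Actions -> Functions -> Risks -> Rules, then Simulation and Mitigation), here is an added toy model in Python. It is not SAP GRC code; XK99 and ME2L come from the text, while the role names, SU01 as a critical action, the user IDs and the mitigation control are constructed for illustration.

```python
from itertools import chain

# Functions are named groups of actions (T-codes); XK99 and ME2L are from the
# text above, SU01 is a constructed stand-in for a critical action
FUNCTIONS = {
    "Function1": {"XK99"},
    "Function2": {"ME2L"},
    "Function3": {"SU01"},
}

# A risk is the list of functions that together (or alone) constitute it
RISKS = {
    "Risk1": ["Function1", "Function2"],   # conflicting: fictitious vendor + purchases
    "Risk2": ["Function3"],                # critical action on its own
}

# Roles map to the actions they grant (constructed role names and T-codes)
ROLES = {
    "Z_VENDOR_MAINT": {"XK99", "XK01"},
    "Z_PURCHASING": {"ME2L", "ME21N"},
    "Z_BASIS": {"SU01"},
}

# Mitigation controls: the risk IDs they cover, owner/controller, assigned users
MITIGATION_CONTROLS = {
    "MC01": {"risks": {"Risk1"}, "owner": "owner_a",
             "controller": "ctrl_b", "users": {"jdoe"}},
}

def actions_for_roles(roles):
    """Resolve roles to the union of the actions they grant."""
    return set(chain.from_iterable(ROLES[r] for r in roles))

def mitigated_risks(user):
    """Risk IDs covered by a mitigation control assigned to this user."""
    return {rid for mc in MITIGATION_CONTROLS.values()
            if user in mc["users"] for rid in mc["risks"]}

def analyze(user, roles):
    """Risk analysis: a rule fires when every function of a risk is reachable
    through the user's actions. Returns (unmitigated_risks, mitigated_risks)."""
    actions = actions_for_roles(roles)
    hits = {rid for rid, funcs in RISKS.items()
            if all(not FUNCTIONS[f].isdisjoint(actions) for f in funcs)}
    covered = mitigated_risks(user)
    return sorted(hits - covered), sorted(hits & covered)

def simulate_removal(user, roles, role_to_remove):
    """Simulation: re-run the analysis as if the role had already been removed."""
    return analyze(user, [r for r in roles if r != role_to_remove])
```

Running `analyze("asmith", ["Z_VENDOR_MAINT", "Z_PURCHASING"])` reports Risk1 as open, the simulation with Z_PURCHASING removed clears it, and the same roles on jdoe (who has MC01 assigned) report Risk1 as mitigated rather than open.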
SoD Management Process
The entire process described above is termed the 'SoD Management Process'.
Segregation of Duties (SoD) is an internal control within a Company, implemented to prevent or reduce the risk of errors or regulatory irregularities and to ensure corrective action is taken. Ideally, no single individual should hold the authority for all of:
Creation
Modification
Reviewing
Deletion
SoD ensures no single user has access to the separate phases of these business transactions. This is done by dividing, distributing and allocating key tasks amongst various individuals, thereby eliminating or at least reducing the possibility of errors and fraud. All of this is carried out in three separate phases:
Rule Building & Validation
Configuration in a Nutshell
Now that we’ve covered the what and the why part we have to get our hands dirty and physically create them. If you have access to a Server, after following SAP documentation for ‘From Post-Installation to First Risk Analysis’ and ‘Enhanced Access Risk Analysis’, try executing the following tasks:
I sincerely hope this document will help you in your pursuit to get a grasp on what ARA is all about. For a more comprehensive understanding, configuration details and other bits and pieces on this topic, please check out the links in the following document put together by Alessandro, which covers everything in detail. Please look under Access Risk Analysis (ARA).