certain emergency transactions, but everything that user does in the system is
logged in a report for scrutiny. The temporary ID is issued with an expiration
time or date, so that after a certain point, the user is logged out of the system.
The IDs are automatically revoked so that no follow-up is necessary.
Compliant user provisioning, another feature of SAP GRC Access Control,
streamlines adding users and ensures that access control stays clean as new
users are added. The idea is to automate everything from one authoritative
source, usually the HR system, where the new user account is defined. SAP
GRC Access Control detects the creation of a new account and translates the
business role attached to it into technical roles. Once it knows what this
user does to perform his or her job, and what accesses that job needs, it can
create a user account (an identity with a username and password) and all the
information necessary to give this person the appropriate access for that
role.
SAP GRC Access Control also provides a documented log of events: who had
access to what, who entered what kind of information, and who approved
access to which transaction. These are just the kind of things that warm an
auditor's heart.
Where Do You Go from Here?
After a company has gotten clean and is staying clean, the idea is to stay in
control. The sprint phase is over, the access control muscles are fit and well
trained, and it's time for the marathon. By staying healthy, keeping roles
clean, and keeping an eye out for SoD violations, a company will be prepared
for the auditor's next visit.
Proper SoD and access control over sensitive transactions is one of the most
effective safeguards against fraud. It is usually difficult to deploy and
sustain, given the thousands of users, roles, and processes that all require
testing and remediation. Automating the process helps ensure that access
control is handled cleanly and consistently.
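The provisioning flow described earlier (a business role from the HR record resolved to technical roles, and those to the transactions they grant) together with the SoD check that the paragraph above relies on, as an added example. This is not code from the book or from SAP GRC Access Control; the business roles, technical roles, transaction codes, and the two SoD rules are constructed for illustration and are not real SAP objects. The point it shows is that SoD analysis has to run over a user's combined transaction set: two technical roles that are each clean on their own can still form a conflict when granted to the same person.

```python
"""Toy model of compliant user provisioning followed by an SoD check.

Added example, not code from the book or from SAP GRC Access Control.
All master data below is constructed: the role names and transaction
codes are not real SAP objects.
"""

# Business role, as carried on the HR record -> technical roles it maps to.
BUSINESS_TO_TECHNICAL = {
    "AP_CLERK": ("Z_VENDOR_MAINT", "Z_INVOICE_ENTRY"),
    "AP_SUPERVISOR": ("Z_INVOICE_APPROVE", "Z_PAYMENT_RUN"),
    "INTERNAL_AUDIT": ("Z_DISPLAY_ONLY",),
}

# Technical role -> transaction codes it authorizes.
TECHNICAL_TO_TCODES = {
    "Z_VENDOR_MAINT": {"ZVND_CREATE", "ZVND_CHANGE"},
    "Z_INVOICE_ENTRY": {"ZINV_POST"},
    "Z_INVOICE_APPROVE": {"ZINV_RELEASE"},
    "Z_PAYMENT_RUN": {"ZPAY_RUN"},
    "Z_DISPLAY_ONLY": {"ZVND_DISPLAY", "ZINV_DISPLAY"},
}

# SoD ruleset: two business functions one person must not hold together.
# Each function is a set of transactions; holding at least one transaction
# from both sides of a rule is a violation of that rule.
SOD_RULES = {
    "R01": ("maintain vendor master", {"ZVND_CREATE", "ZVND_CHANGE"},
            "execute payments", {"ZPAY_RUN"}),
    "R02": ("post invoices", {"ZINV_POST"},
            "execute payments", {"ZPAY_RUN"}),
}


def provision(user, business_roles):
    """Translate HR business roles into technical roles and the transactions
    they grant, returning the proposed account. An unknown business role
    raises instead of silently granting nothing, so the request fails closed."""
    technical = []
    for br in business_roles:
        if br not in BUSINESS_TO_TECHNICAL:
            raise ValueError(f"no technical mapping for business role {br!r}")
        for tr in BUSINESS_TO_TECHNICAL[br]:
            if tr not in technical:       # keep order, drop duplicates
                technical.append(tr)
    tcodes = set().union(*(TECHNICAL_TO_TCODES[tr] for tr in technical))
    return {"user": user, "business_roles": list(business_roles),
            "technical_roles": technical, "tcodes": tcodes}


def sod_violations(tcodes):
    """Return the SoD rules a single transaction set violates, as
    (rule_id, function_a, held_a, function_b, held_b) tuples."""
    hits = []
    for rule_id, (fn_a, tx_a, fn_b, tx_b) in sorted(SOD_RULES.items()):
        held_a, held_b = tcodes & tx_a, tcodes & tx_b
        if held_a and held_b:
            hits.append((rule_id, fn_a, sorted(held_a), fn_b, sorted(held_b)))
    return hits


def check_request(user, business_roles):
    """The provisioning gate: build the account, run the SoD check over the
    user's combined transactions, and return (approved, account, violations).
    A request with violations would go to a risk owner for mitigation or
    rejection rather than being created automatically."""
    account = provision(user, business_roles)
    violations = sod_violations(account["tcodes"])
    return (not violations, account, violations)


def role_level_violations():
    """Check every technical role in isolation. With this ruleset each role is
    clean on its own, which is why per-role analysis misses the cross-role
    conflicts that check_request() finds."""
    return {tr: sod_violations(tx) for tr, tx in TECHNICAL_TO_TCODES.items()
            if sod_violations(tx)}


if __name__ == "__main__":
    for roles in (["AP_CLERK"], ["AP_SUPERVISOR"], ["AP_CLERK", "AP_SUPERVISOR"]):
        approved, account, violations = check_request("jdoe", roles)
        print(roles, "->", "approved" if approved else "BLOCKED")
        for rule_id, fn_a, held_a, fn_b, held_b in violations:
            print(f"  {rule_id}: {fn_a} {held_a} conflicts with {fn_b} {held_b}")
    print("roles violating on their own:", role_level_violations())
```

Run as a script it approves the clerk and the supervisor requests individually and blocks the combined one on both rules, while reporting no role that violates on its own. A real ruleset is far larger and is usually expressed at the authorization-object level rather than by transaction code alone, but the shape of the check, combined access first and then pairwise rule matching, is the same.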
In Chapter 7, we expand the discussion of controls from access control to
controls placed in business processes to ensure that business processes are
proceeding in an efficient and auditable fashion.
126 Part II: Diving into GRC