Management of Risk and SoD Policies &
Enforcement of Compliance
in SAP Systems
Compliance Enforcer
Release 2016.1
The Compliance Enforcer is a component
of our software package SUIM-AIM
and is SAP certified.
Big Picture
To ensure and verify conformity with the Sarbanes-Oxley Act (SOX) and other regulatory requirements, an
enterprise has to implement, document and prove the effectiveness of its internal control mechanisms.
The Compliance Enforcer is the tool to ensure and prove conformity with such regulatory requirements.
It considers not only the potential risks caused by changes but also analyses the information about
risks that have actually occurred, taken from the Application Tracer data.
The Compliance Enforcer allows the verification of the entire SAP
portfolio from one central system. The results can be displayed and
stored centrally.
It thereby considers not only authorization objects but also roles,
profiles, role collections and in particular BI profile values. Through
the extension of the controls to system parameters and the integration of
an open interface to non-SAP systems, the Compliance Enforcer becomes
a comprehensive tool in the area of IT controls.
In combination with the products Access Manager or Identity Manager the Compliance Enforcer works as an
"integrated permanent system investigator".
It verifies in real time every assignment of an authorization element against the stored rules and
standards and identifies emerging risks.
Highlights
Compliance Enforcer - Rules and Risks The simple and clear structure based on the definition of rules allows an ergonomic compilation of risks.
The rule structure is deliberately simplified by grouping the different rule types.
A risk is a logical link of any number of rules. It forms the central object of an analysis.
Compliance Enforcer - Rule Types Extensive rule type catalog which can be extended by the customer with their own rule types.
Rules of the types authorization object, SAP role, SAP profile, BI authorization, system parameter, AM-/AMSO-role,
AM-/AMSO-organization and others are part of the standard catalog.
Compliance Enforcer - Rule and Risk Meta-Directory Rule and risk attributes can be defined and maintained with the help of a flexible tool.
The values defined in the meta-directory can then be used in analyses.
Compliance Enforcer - Customizing Wizards Rules are arranged ergonomically in a tree structure.
Intuitive and scalable customizing scenarios for the desired rules and risks are integrated.
SoD rules can be defined simply using a matrix.
Compliance Enforcer - Mitigation Acceptance of risks by the person in charge using the CE Mitigation sub-module.
Integration of AIM time variations and time rules in the mitigation process.
Compliance Enforcer - Alerts Periodic jobs generate e-mails to the responsible person when a rule is violated.
Compliance Enforcer - Analyses Execution of real-time and run-time-optimized (overnight data collection) analyses.
Cross-system and cross-rule-type analyses.
Analyses from different perspectives, e.g. from the point of view of SAP users or SAP roles.
Analyses are displayed in tree structures with drill-down.
Simulation of changes to authorization elements.
Compliance Enforcer - History Risk results are recorded and are available for historical comparison.
Compliance Enforcer Integration in AM, AMSO and IM Integration in the Access Manager, Access Manager for Support Organizations and Identity Manager.
Before an authorization element is assigned to a user, it can be verified whether unmitigated risks would be created.
Compliance Enforcer: Functional Overview
Workplace The CE Workplace is the central entry point to the Compliance Enforcer. Thanks to the clear design you will
quickly find your way around.
The overview screen distinguishes between rule and risk analyses as well as between customizing and
help.
The rule and risk analyses are divided into different intuitive perspectives.
To customize rules and risks to fit individual requirements, an ergonomic customizing user interface is
provided.
The documentation and a tutorial are directly integrated in the application.
Risk Mitigation For every risk, rule-based risk officers can be
defined.
The risk officers decide for the risks in their
responsibility whether users are approved for a
defined period of time.
The risk officers receive a periodic overview
of risk violations in their area of responsibility.
Compliance Enforcer: Customizing
Rule Definition To keep the definition of rules simple and thereby adaptable to individual customer needs, an
intuitive user interface was created. The tree structure is ideal for maintaining all rule types in the same
overview.
By entering various selection criteria the rule overview is tailored to your needs.
Each rule is assigned a warning level according to its importance. Any additional descriptive attributes
can be stored via the meta-directory.
Rule Types The following authorization elements are supported as rule types:
SAP authorization objects, SAP roles, SAP profiles, system parameters (RZ10)
AM/AMSO organizations, AM/AMSO SUIM systems, AM/AMSO organization type - organization level
AM/AMSO roles, BI authorizations
Open API
Compliance Enforcer: Analyses
Rule Analysis On entry to the rule analysis there is a choice between the following analysis paths:
Analysis in users
Analysis in SAP roles and SAP profiles
Analysis in Access Manager / Access Manager for Support Organizations roles
Analysis in BI authorizations
Analysis in system parameters
Analysis in Open API rules
With the different entry points the result screen
focuses on what is essential.
The result view is presented in a tree structure, in
which drill-down interactions branch into the
details.
The rules can also be analyzed by cross-system
background processing. These results can be
evaluated online, and via drill-down one can
navigate to the details.
Risk Analysis On entry to the risk analysis there is a choice between the following analysis paths:
Analysis in users
Analysis in SAP roles and SAP profiles
Analysis in AM-/AMSO-roles
Analysis in BI authorizations
Risks are composed by logically linking rules. Any number of rules of different rule types can be linked.
This allows a very flexible and comprehensive use of risks for different interrelations and scenarios. With the
drill-down function in the result view, rule violations can be reconstructed in detail. At the detail level "rule overview",
all rules violated by the selected risk are shown (matrix) and linked to the relevant authorization elements.
Furthermore, all results of completed risk analyses are logged. This allows insight into completed
analyses, so that, for example, results before and after corrections can be compared.
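The rule/risk model described in this section (rules of different types, a risk as the logical link of several rules, the SoD matrix from the customizing section, time-bound mitigation by a risk officer, and the pre-assignment check from the Access Manager integration) can be sketched as a small evaluation engine. The following is an added illustration, not SUIM code and not the product's data model: the rule types `auth_object` and `role`, the `OBJECT:FIELD=VALUE` encoding of authorization values, all role and user names, the risk and rule identifiers and the mitigation dates are constructed for the example.

```python
"""Added example (not SUIM code): a minimal model of rules, risks, an SoD matrix,
time-bound mitigation and pre-assignment simulation. All names and values are
constructed sample data; the rule types shown are an assumed subset."""
from dataclasses import dataclass, field
from datetime import date
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    auth_objects: Set[str] = field(default_factory=set)  # "OBJECT:FIELD=VALUE" (assumed encoding)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    rule_type: str   # assumed subset of the catalog: "auth_object" or "role"
    pattern: str     # glob matched against the element, e.g. "Z_FI_ALL*"
    warn_level: int  # assumed scale: higher = more severe

    def matched_elements(self, user: User) -> Set[str]:
        """Drill-down detail: the user's authorization elements satisfying this rule."""
        pool = user.auth_objects if self.rule_type == "auth_object" else user.roles
        return {e for e in pool if fnmatchcase(e, self.pattern)}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    rule_ids: Tuple[str, ...]   # a risk is the logical AND of its rules (SoD style)


@dataclass
class Violation:
    user: str
    risk_id: str
    detail: Dict[str, Set[str]]          # rule_id -> matched elements (drill-down)
    mitigated_until: Optional[date] = None


def sod_matrix_to_risks(conflicts: Dict[str, Set[str]]) -> List[Risk]:
    """Turn an SoD matrix (function rule -> conflicting function rules) into one
    pairwise risk per conflict, deduplicated regardless of row/column order."""
    pairs = {tuple(sorted((a, b))) for a, bs in conflicts.items() for b in bs}
    return [Risk(f"SOD_{a}_{b}", (a, b)) for a, b in sorted(pairs)]


def evaluate_risk(user: User, risk: Risk, rules: Dict[str, Rule]) -> Optional[Dict[str, Set[str]]]:
    """Every rule of the risk must match; returns the drill-down detail or None."""
    detail: Dict[str, Set[str]] = {}
    for rid in risk.rule_ids:
        hits = rules[rid].matched_elements(user)
        if not hits:
            return None
        detail[rid] = hits
    return detail


def analyze(users, rules, risks, mitigations, today) -> List[Violation]:
    """Risk analysis from the user perspective; an expired mitigation no longer counts."""
    result = []
    for user in users:
        for risk in risks:
            detail = evaluate_risk(user, risk, rules)
            if detail is None:
                continue
            until = mitigations.get((risk.risk_id, user.name))
            valid = until if until is not None and until >= today else None
            result.append(Violation(user.name, risk.risk_id, detail, valid))
    return result


def simulate_assignment(user, role, role_auths, rules, risks, mitigations, today) -> List[Violation]:
    """Pre-assignment check: unmitigated risks that adding `role` would newly create."""
    existing = {v.risk_id for v in analyze([user], rules, risks, mitigations, today)}
    trial = User(user.name, user.roles | {role}, user.auth_objects | role_auths.get(role, set()))
    after = analyze([trial], rules, risks, mitigations, today)
    return [v for v in after if v.risk_id not in existing and v.mitigated_until is None]


# --- constructed sample data (not a recommended ruleset) ---
RULES = {r.rule_id: r for r in [
    Rule("R_VENDOR_CREATE", "auth_object", "F_LFA1_APP:ACTVT=01", 3),
    Rule("R_INVOICE_POST", "auth_object", "F_BKPF_BUK:ACTVT=01", 3),
    Rule("R_FI_SUPER", "role", "Z_FI_ALL*", 2),
]}
SOD_MATRIX = {"R_VENDOR_CREATE": {"R_INVOICE_POST"}, "R_INVOICE_POST": {"R_VENDOR_CREATE"}}
RISKS = sod_matrix_to_risks(SOD_MATRIX) + [Risk("RISK_FI_SUPER", ("R_FI_SUPER",))]
ROLE_AUTHS = {
    "Z_AP_VENDOR": {"F_LFA1_APP:ACTVT=01"},
    "Z_AP_INVOICE": {"F_BKPF_BUK:ACTVT=01"},
    "Z_FI_ALL": {"F_LFA1_APP:ACTVT=01", "F_BKPF_BUK:ACTVT=01"},
}


def build_user(name: str, *roles: str) -> User:
    """Derive a user's effective authorization objects from the assigned roles."""
    return User(name, set(roles), set().union(*(ROLE_AUTHS[r] for r in roles)))


USERS = [build_user("ALICE", "Z_AP_VENDOR", "Z_AP_INVOICE"),
         build_user("BOB", "Z_AP_VENDOR"),
         build_user("CAROL", "Z_FI_ALL")]
MITIGATIONS = {("SOD_R_INVOICE_POST_R_VENDOR_CREATE", "ALICE"): date(2026, 12, 31)}
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for v in analyze(USERS, RULES, RISKS, MITIGATIONS, TODAY):
        print(v.user, v.risk_id, "mitigated until", v.mitigated_until, v.detail)
    print(simulate_assignment(USERS[1], "Z_AP_INVOICE", ROLE_AUTHS, RULES, RISKS, MITIGATIONS, TODAY))
```

Two points the example makes explicit: the SoD matrix is normalised into one risk per unordered pair, so a conflict entered in either direction yields the same risk identifier; and the pre-assignment check only reports violations that are both new and unmitigated, which is what an approval workflow needs to block on.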
Our software products are additional modules for SAP or frontend applications with SAP
integration. The focus is on IT Service Management (ITSM) and the Internal Control
System (ICS).
In the ITSM area we cover all customer-oriented processes from service design through
calculation, acknowledgment and reporting to accounting. Access and identity
management, user login and network security are likewise supported by our software
products in an optimal way. Typical users are IT organizational units and shared
service centers.
The ICS is supported by our tools in the definition of requirements (risks) and in the
compliance check. Besides the manual and automatic controls on the process level we
also cover the general IT controls. Typical users are external and internal controllers or
ICS and process officers.
«The requirements in the domain of
security are complex. Halfway solutions
do not lead to the goal».
Patrick Tambourgi
CEO SUIM
«Coming together is a beginning;
keeping together is progress;
working together is success».
Quote Henry Ford
Mirjam Stalder
Project manager CCE AG
Our Software-Products
SUIM LTD
Chemin du Marguery 15
1802 Corseaux,
Switzerland
www.suim.ch
Our collaboration
We offer a network of partners, each contributing expertise and experience in the areas of
product development, client solution advice, customization and implementation. Our
networked approach means we can draw on our teams to respond to clients' requests
and to work with them through the design and implementation phases. Crucially, we also
ensure that each client has a dedicated contact person for their day-to-day needs and for
future development.