Business Risk and Fix
R1: End Users who are assigned incorrect Auto Provision (AP) Roles per type as part of Role Management and Workflows within SAP Identity Management (SAP IdM) and Access Control
Functional or Technical Issue
- T1: Remedy Legacy inaccuracies regarding Auto Provision User assignments for each CUSTMR (Customer) Type
- End Users in scope:
User types that are assigned an AutoProvision Role by CUSTMR according to:
- Customer ID
- HR Mini-Master
- Identity Type:
CUSTMR: Hourly Manager AutoProvision role
Control where AutoProvision assignments are corrected and identified via the AutoProvision Role Assignment Status link, using the “User BR – AutoProv Assignment GAPS” report found in the IDM Secure IT Reporting Portal.
- The IDM Batch Job for the report “User BR – AutoProv Assignment GAPS” is executed on a daily basis so that results can be viewed the following business day.
- CUSTMR Security Leads (CSLs) are aware that the Internal SAP Security IDM Team is processing any findings manually or via Mass Load as pre-approved on a daily basis.
***Run the FOLLOWING Report and save results as a CSV file. This step is Critical because the report triggers a job that changes Report status.***
1. Go to SecureIT:
2. Select CUSTMR Folder:
3. Select Operations Support:
4. Select ‘User BR – AutoProv Assignment GAPS’ and filter on ‘ALL’ for all fields:
5. Click “View Report”
6. Once the report completes, (1) click the “Save” icon and (2) select the “CSV” option:
7. Use the “Open” or “Save” options to complete the export to CSV and save the file immediately (Open the file and “Save As” or use “Save As” from the “Save” drop down depending on user preference):
8. Create correction file template for Mass Load for ADDs and Removals and be sure to include any Service Incident Ticket (SIT) Details in the columns below as needed for processing.
9. Push AP Role ADD via Mass Load:
10. Push AP Role REMOVAL via Mass Load
11. Remove User from Groups on AD (after regular business hours)
3a. Provide a separate list of Users that have incorrect groups assigned under the wrong CUSTMR
(i.e. currently has CUSTMR>AUTOPROVISION:EMPLOYEE_NONEXEMPT_DAILY assigned vs. the NEWCUSTMR>AUTOPROVISION:EMPLOYEE_NONEXEMPT_DAILY assigned)
- Notify CUSTMRs impacted for that week via email as part of CUSTMR Internal Controls Process
- Create a GENERIC Service IDM Catalog Request, assign this task to ‘AccessIT Operations and Development’ and denote ‘User-BR Add and Remove MASS LOAD for xxxx’ (xxxx being the CUSTMR Group Name)
A known set of data that does not need to be evaluated for this procedure (this can change; it is not static): values to exclude in the evaluation of report results.
If the results, after allowing for the Exclusionary items, are greater than (X), escalate to the CUSTMR IAG Control Owner.
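The exclusion and threshold check described above, applied to the exported CSV, as an added example that is not part of the original procedure or of any SAP IdM tooling. The CSV column names, the sample rows, the `AUTOPROVISION:HOURLY_MANAGER` role name, exclusion by user ID and the mass-load column layout are assumptions; the threshold (X) is supplied by the caller.

```python
import csv
import io

# Constructed sample export. Column names and rows are assumptions for this
# example; the real report layout is not given in this procedure.
SAMPLE_CSV = """USER_ID,CUSTMR,EXPECTED_ROLE,ASSIGNED_ROLE
u1001,CUSTMR,AUTOPROVISION:EMPLOYEE_NONEXEMPT_DAILY,
u1002,NEWCUSTMR,AUTOPROVISION:EMPLOYEE_NONEXEMPT_DAILY,AUTOPROVISION:HOURLY_MANAGER
u1003,CUSTMR,,AUTOPROVISION:EMPLOYEE_NONEXEMPT_DAILY
svc_batch,CUSTMR,AUTOPROVISION:EMPLOYEE_NONEXEMPT_DAILY,
u1004,CUSTMR,AUTOPROVISION:HOURLY_MANAGER,AUTOPROVISION:HOURLY_MANAGER
"""

def triage(csv_text, excluded_users, threshold):
    """Return (escalate, adds, removals) for one exported gap report."""
    adds, removals, gaps = [], [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["USER_ID"].strip()
        expected = row["EXPECTED_ROLE"].strip()
        assigned = row["ASSIGNED_ROLE"].strip()
        if user in excluded_users or expected == assigned:
            continue  # known exclusion, or no gap on this row
        gaps += 1
        if assigned:  # a wrong or surplus AP role goes on the REMOVAL file
            removals.append((user, row["CUSTMR"], assigned))
        if expected:  # a missing AP role goes on the ADD file
            adds.append((user, row["CUSTMR"], expected))
    if gaps > threshold:
        # Above the threshold: escalate and hand back nothing to load.
        return True, [], []
    return False, adds, removals

def to_mass_load(changes, action, sit=""):
    """Render changes as CSV text (assumed layout) with the SIT reference."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["USER_ID", "CUSTMR", "AP_ROLE", "ACTION", "SIT"])
    for user, custmr, role in changes:
        writer.writerow([user, custmr, role, action, sit])
    return out.getvalue()
```

A row whose assigned AP role differs from the expected one produces both a REMOVAL and an ADD entry, so the two mass-load files stay consistent with each other.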
Corrective Action – Only to be executed if escalation threshold is not met
1. Use Internet Explorer to go to AccessIT and log on with your user ID and password.
2. (1) Select the “Identity Management” tab, (2) click the “Identity Management” option, (3) select the “Manage” tab, (4) select “Person” from the drop-down menu, (5) input the user ID, and (6) click “Go.”
3. (1) Click in the selection box to the left of the Unique ID to select the User and (2) select the “Change Employee Data” tab.
4. Click on the Assigned Roles tab to view current AP Role assignments
5. Click the “Save” icon to save your changes.
6. Repeat steps 1-5 until all users in the list have been corrected.