Implementing even the most complex SOD (segregation of duties) matrix can take just a few minutes if you have the right tool. Effective SOD management is the foundation of IT systems security in any company. Let’s see how to professionally implement such a matrix in smartGRC – a solution that stands out for its speed and adaptability.
In the previous article in this series, we presented the implementation in SAP GRC AC. Today we go a step further, showing how to implement the same in smartGRC. The matrix preparation logic itself remains the same, so it’s worth looking at its implementation in practice.
After logging into smartGRC, the first step is to open the SOD matrix. The central element of the feature-rich smartSOD module is the list of risks, which presents the SOD matrix as a set of specific risks.
Each risk is characterized by its name (often numbered), the process it belongs to, its level, a description and the associated business activities.
The system distinguishes between two main types of risk: Sensitive Access, where a single access to an activity poses a risk in itself (e.g., price changes), and Segregation of Duties, where the risk is a conflicting combination of at least two activities (e.g., warehouse management and customer management).
For each risk, a level can be defined, a description added and an owner assigned, taking into account organizational structures. This last feature proves invaluable in larger organizations, where responsibility for risks may depend on the country or company.
Key Stages of SOD Matrix Implementation in smartGRC
In order to properly implement the SOD matrix in smartGRC, it is necessary to go through several key steps:
First, we define processes by entering information about business processes and indicating their owners – a simple step carried out through the system’s interface.
We then define groups of activities, which we aggregate for easier work with the matrix. Risk workshops are discussed precisely at the level of groups (e.g., customer master data, accounting), which greatly streamlines the entire process.
The next step is to define a list of activities, where we assign specific activities to each group. For example, “posting” can include postings in different modules of the system.
The technical definition of activities is also key: it maps each business activity to the authorization objects (with their fields and values) in the target system.
The final step is data import. To speed up deployment, smartGRC allows you to import from an Excel file in a specific format, allowing you to quickly enter processes, activities and definitions into the system.
The system also provides the possibility to exclude groups of users (e.g., consultants, administrators) from risk reports, since they have broad permissions by default. You can also define compensating controls for identified risks.
smartGRC stands out because it supports not only SAP systems, but virtually all IT systems. The SmartSOD module allows you to define permissions for different solutions and automatically exchange data with each connected system.
Configuration of a business activity in SmartSOD starts with defining a variant, i.e., a complete technical definition of one way of performing this activity. Since an activity can usually be performed in several ways, the system allows you to enter multiple variants per activity.
We also specify the system in which the action can be performed, and then define authorization objects with fields and values.
The process for non-SAP systems looks similar, but instead of authorization objects, we use an XML-based structure, defining atoms (direct access to functions) or composites (aggregations of atoms).
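To make the atom/composite idea concrete, here is an added example (not smartGRC's own code or schema) that loads a non-SAP permission definition from XML and flattens a composite down to the atoms it ultimately grants. The XML layout, the element names (`atom`, `composite`, `ref`) and the sample permission names are all constructed assumptions for this illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample in a hypothetical layout (smartGRC's real XML schema is not
# reproduced here): atoms are direct function permissions, composites aggregate
# atoms and other composites.
SAMPLE_XML = """
<permissions system="crm-web">
  <atom name="customer.read"/>
  <atom name="customer.write"/>
  <atom name="order.create"/>
  <atom name="order.approve"/>
  <composite name="customer_admin">
    <ref name="customer.read"/>
    <ref name="customer.write"/>
  </composite>
  <composite name="sales_power_user">
    <ref name="customer_admin"/>
    <ref name="order.create"/>
  </composite>
</permissions>
"""


def load_definitions(xml_text: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Parse the hypothetical XML into (atom names, composite -> referenced names)."""
    root = ET.fromstring(xml_text)
    atoms = {a.get("name") for a in root.findall("atom")}
    composites = {
        c.get("name"): [r.get("name") for r in c.findall("ref")]
        for c in root.findall("composite")
    }
    return atoms, composites


def expand(name: str, atoms: Set[str], composites: Dict[str, List[str]],
           _seen: Set[str] = None) -> Set[str]:
    """Flatten a permission name to the set of atoms it ultimately grants.

    Raises ValueError on unknown names and on reference cycles; both are
    definition errors a matrix validation report should flag rather than
    silently ignore, because a dangling reference under-reports access.
    """
    _seen = set() if _seen is None else _seen
    if name in atoms:
        return {name}
    if name not in composites:
        raise ValueError(f"unknown permission: {name}")
    if name in _seen:
        raise ValueError(f"cycle through composite: {name}")
    result: Set[str] = set()
    for ref in composites[name]:
        result |= expand(ref, atoms, composites, _seen | {name})
    return result


if __name__ == "__main__":
    atoms, composites = load_definitions(SAMPLE_XML)
    for comp in composites:
        print(comp, "->", sorted(expand(comp, atoms, composites)))
```

The flattened atom set is what a variant of a business activity would be matched against for a non-SAP system: an activity is executable when all atoms of one of its variants are present in the user's expanded permissions.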
Mapping business activities to authorization objects is crucial when implementing the SOD matrix. In smartGRC, this process is presented in a tree format for easy understanding and navigation.
For SAP systems, smartGRC offers predefined matrices and mapping to standard transactions and authorization objects. For other systems, the solution allows you to define your own structures through templates and interfaces that exchange data in XML.
Reporting Risks in smartGRC
Once business activities are mapped, risk reporting follows. smartGRC can load data from any system via file extracts (CSV, TXT, XML) and has built-in connectors for SAP and Active Directory. The loaded authorization data is combined with the technical mapping of the matrix, and the resulting risks are presented in reports.
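The steps above (processes, activity groups, activities, their technical definitions as variants, user exclusions, and finally the evaluation that combines a user's authorizations with the matrix) can be shown end to end in a small engine. The following is an added example written for this article, not smartGRC's own code: the `Risk` model, the SAP-style `OBJECT:FIELD=VALUE` authorization strings, the user extract and the exclusion groups are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str                    # e.g. "R001"
    kind: str                    # "SA" (Sensitive Access) or "SOD" (Segregation of Duties)
    level: str                   # "high" / "medium" / "low"
    activities: Tuple[str, ...]  # exactly one for SA, two or more for SOD


# Business activity -> variants. Each variant is the complete set of technical
# authorizations that together let a user perform the activity. Sample values
# are constructed; the strings follow an SAP-style "OBJECT:FIELD=VALUE" shape.
ACTIVITY_VARIANTS: Dict[str, List[FrozenSet[str]]] = {
    "maintain_vendor_master": [frozenset({"S_TCODE:TCD=XK02", "F_LFA1_APP:ACTVT=02"})],
    "post_vendor_invoice": [
        frozenset({"S_TCODE:TCD=FB60", "F_BKPF_BUK:ACTVT=01"}),  # variant 1: FI invoice
        frozenset({"S_TCODE:TCD=MIRO", "M_RECH_WRK:ACTVT=01"}),  # variant 2: MM invoice
    ],
    "change_prices": [frozenset({"S_TCODE:TCD=VK12", "V_KONH_VKS:ACTVT=02"})],
}

MATRIX: List[Risk] = [
    Risk("R001", "SOD", "high", ("maintain_vendor_master", "post_vendor_invoice")),
    Risk("R002", "SA", "medium", ("change_prices",)),
]

# Groups whose broad permissions are deliberate and would otherwise flood the report.
EXCLUDED_GROUPS = {"consultants", "administrators"}


def validate_matrix(matrix: List[Risk], variants: Dict[str, List[FrozenSet[str]]]) -> List[str]:
    """Validation report: structural problems that would make the matrix under-report."""
    problems = []
    for r in matrix:
        if r.kind == "SA" and len(r.activities) != 1:
            problems.append(f"{r.name}: SA risk must name exactly one activity")
        if r.kind == "SOD" and len(r.activities) < 2:
            problems.append(f"{r.name}: SOD risk must name at least two activities")
        for a in r.activities:
            if not variants.get(a):
                problems.append(f"{r.name}: activity '{a}' has no technical definition")
    return problems


def matching_variant(user_auths, activity, variants):
    """Return the first variant fully covered by the user's authorizations, else None."""
    for v in variants.get(activity, []):
        if v <= user_auths:
            return v
    return None


def analyze_user(user: dict, matrix: List[Risk], variants, excluded_groups=EXCLUDED_GROUPS) -> List[dict]:
    """user = {"id", "groups", "auths"}; returns risk hits with the authorizations that caused them."""
    if user["groups"] & excluded_groups:
        return []
    hits = []
    for r in matrix:
        reasons = {}
        for a in r.activities:
            v = matching_variant(user["auths"], a, variants)
            if v is None:
                break                      # one activity missing: the risk does not fire
            reasons[a] = sorted(v)         # "reason" report: which variant granted the activity
        else:
            hits.append({"risk": r.name, "kind": r.kind, "level": r.level, "reasons": reasons})
    return hits


def risk_summary(users: List[dict], matrix: List[Risk], variants) -> Dict[str, int]:
    """Business view: risk name -> number of users carrying it."""
    counts = {r.name: 0 for r in matrix}
    for u in users:
        for h in analyze_user(u, matrix, variants):
            counts[h["risk"]] += 1
    return counts


# Constructed sample extract, in the shape a connector or CSV load would produce.
USERS = [
    {"id": "jsmith", "groups": {"ap_clerk"},
     "auths": {"S_TCODE:TCD=XK02", "F_LFA1_APP:ACTVT=02", "S_TCODE:TCD=MIRO", "M_RECH_WRK:ACTVT=01"}},
    {"id": "mlee", "groups": {"sales"}, "auths": {"S_TCODE:TCD=VK12", "V_KONH_VKS:ACTVT=02"}},
    {"id": "admin1", "groups": {"administrators"},
     "auths": {"S_TCODE:TCD=XK02", "F_LFA1_APP:ACTVT=02", "S_TCODE:TCD=FB60", "F_BKPF_BUK:ACTVT=01"}},
]

if __name__ == "__main__":
    print("validation:", validate_matrix(MATRIX, ACTIVITY_VARIANTS) or "ok")
    for u in USERS:
        print(u["id"], analyze_user(u, MATRIX, ACTIVITY_VARIANTS))
    print(risk_summary(MATRIX and USERS, MATRIX, ACTIVITY_VARIANTS))
```

Two design points worth noting. First, the evaluation is per variant, so a user who posts invoices through the MM path rather than the FI path still triggers the SOD risk, which is exactly why multiple variants per activity matter. Second, the exclusion list removes accounts from the report but does not remove their access; the excluded groups are a deliberate blind spot and should be reviewed through a separate control rather than assumed safe.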
One of the most impressive features of smartGRC is the speed of analysis. It takes only a few seconds to compile reports from a dozen systems for many thousands of users, making this solution one of the fastest on the market.
The system offers a variety of reports to fit the needs of different audiences: business reports (risks, level, description, owners) and reports for administrators, focusing on technical issues such as objects and roles causing risks.
The main view of SmartReport shows a summary of risks in different views: per system, monthly, daily, per user or role. You can also filter data by organizational structure.
Detailed reports are also available, such as which activities a user is able to execute, why a given activity is attributed to a user (the roles and objects that grant it), a transaction code report, and validation reports that check the correctness of the SOD matrix itself.
The system also allows data export to Excel and PDF formats and integration with analytical tools and SIEM-class security monitoring systems.
smartGRC stands out for its flexibility and versatility, supporting not only SAP systems, but virtually all IT systems, a rarity among GRC products.
With the ability to define custom structures and import data from various sources, smartGRC is applicable to organizations of all sizes and complexities. It effectively supports risk management, helping to identify conflicts of authority and make decisions about accepting or minimizing them.