GRC Access Control Overview
Agenda
• Purpose & Target Audience
• GRC Solutions
• Why GRC Access Control
• GRC Access Control Basics
• GRC Access Control Architecture
• GRC Access Control Applications
  – Risk Analysis & Remediation
  – Compliant User Provisioning
  – Enterprise User Management
  – Super User Privilege Management
• New features of Access Control 5.3
• GRC Access Control – Critical success factors to implement
• GRC Access Control benefits
• GRC Products and Vendors
• Appendix
Purpose
The purpose of this document is to provide an overview of GRC AC system architecture and functionality.
Intended audience:
• Infrastructure, Security
• SAP Functional
• Internal Control / Internal Audit
• IT Security
• Security Compliance
GRC Solutions
Governance, Risk & Compliance (GRC) Solutions
Access Control:
• Risk Analysis and Remediation
• Compliant User Provisioning
• Superuser Privilege Management
• Enterprise Role Management
Why GRC Access Control
Business Drivers / Common Challenges
Customers face a host of security challenges, including:
• Continued increase in compliance spend
• Requirement for continuous compliance monitoring
• Requirement for a centralized internal controls repository
• Fraud Examiner report recently estimated average loss of existing fraud is 7% of revenue
• Disparate and complex application landscape with process inefficiencies/redundancies
• Existing segregation of duties violations and compliance issues
• Desire to automate user provisioning to support compliance requirements, operational efficiency goals, and regulatory requirements
• Requests for emergency access (admin rights) are ad hoc and insufficiently monitored and controlled
• Poor communication between Business & IT results in “best-guess” approval of requests
GRC Access Control Goals
Compliance World-wide
GRC to ensure compliance with regulatory mandates
Integrated GRC
• Unified process, compliance and risk methodologies
• Alignment of risk and strategy management
• Increased visibility across impact of risk
• Standardized risk and compliance methodologies
Necessity to Implement Access Control
• Common approaches rely on periodic audits/manual evaluations and subsequent remediation of the findings
• Despite the high effort, without a process in place for continuous monitoring, Segregation of Duties risks are not under control
Maturity Model
• Evolve from manual, unreliable and inefficient controls to technology-based, cost-effective, reliable controls
GRC Access Control Basics
Terminology
Segregation of Duties (SoD): Access controls ensuring that no one user has access to two or more incompatible duties. Some examples of incompatible duties are:
• Creating a vendor and initiating payment
• Creating and modifying invoices
• Processing inventory and posting payments
Roles: A role is a container that holds Transactions/Reports and an associated profile
Authorization: Permission to access data or execute transactions
Authorization Object: A group of fields that allow for management of authorizations
User: End users given access to SAP applications
Risk: The potential risks existing in the system due to SoD, based on the standard business process
Risk Analysis: The process of analyzing Roles, Profiles and/or Users for Risks
Mitigation Control: Mitigation Controls give the ability to associate controls with Risks, so they can be applied to Users and Roles identified as violating SoD during Risk Analysis.
Governance, Risk and Compliance
Corporate Governance:
• Ethical corporate behavior together with management and practices in the creation of all stakeholders
• Spells out the rules and procedures for making decisions about corporate affairs
IT Governance:
• Helps to ensure alignment of IT and enterprise objectives
• IT resources are used responsibly and its risks are managed properly
Risk Management:
• Identify, classify, document, and reduce risks to an acceptable level
• Risk is a result of three different parameters:
  – Existence of a threat for a business process
  – Likelihood of occurrences
  – Impact on the Business process
Act accordingly:
• National and international legal requirements:
  – Sarbanes-Oxley Act (US)
  – Data Protection Law (Germany)
  – J-SOX (Japan)
• Corporate policies represent both corporate philosophy and strategic thinking on a high level
• Low-level policies focus on the operational layer
Policies need to be in sync with the overall business strategy and legal requirements
Evolution of SAP GRC
• Virsa Systems founded in 1996
• Sarbanes-Oxley Act (SOX) 2004
• SAP AG announced acquisition of Virsa on 3rd April 2006
• SAP AG renamed SAP Virsa Application to SAP GRC suite
• SAP upgrades GRC
• SAP integrates GRC AC with PC, EHS & GTS
• SAP GRC + SAP BO GRC = SAP BO GRC
• SAP BO GRC + RM + PC = SAP BO GRC
• SAP BO GRC + IDM components + Dashboards
GRC AC Risk Remediation Strategy
Pro-active real-time compliance by preventing security and controls violations before they occur. The approach of GRC AC in implementing Access Control is top to bottom.
GRC Access Control Processes
GRC AC:
GRC RAR
• SOD
  – Rules repository maintenance
  – Mitigation plan maintenance
  – Management reporting
• Continuous compliance monitoring
GRC CUP
• Dynamic approval workflows, audit trails
• Authorization changes
• Role design changes
• Compliance repository changes
• Access, Authorization Changes, Approvals, Audit Trails
• Emergency access requests
GRC SPM
• Emergency Change Access Management
• Emergency session log capture and storage
GRC ERM
• SAP Role Management
• Compliant SAP Role management
• Role management audit trails
Segregation of Duties
A segregation of duties issue for a business process arises when an individual can perform two or more of the following functions on a given transaction:
• Record Keeping: Activities to record the transaction or event in the company’s records
• Custody: Activities assigned to personnel to safeguard an asset, including information
• Authorization: Implied or explicit approval to perform a business transaction or activity
• Reconciliation: Comparisons of recorded balances or volumes to actual between time intervals to detect differences and take action on any differences
Authorization Concept
Glen, a G/L Accountant, wants to execute a GL Posting.
Diagram labels: Job Task, SAP Role, Transaction Code, Auth Objects and Field Values
• Execute Tcode FB50
• Check auth. object S_TCODE
• Check auth. object F_BKPF_BUK – Accounting document: Authorization for Company Code
• Check auth. object F_BKPF_GSB – Accounting document: Authorization for Business area
• Check auth. object F_BKPF_KOA – Accounting document: Authorization for Account type
• F_SKA1_BES: G/L Account: Account Auth
• F_BKPF_BLA: Acctg Doc: Auth for Doc Types
In addition to this, if Glen had access to FS00 – G/L Account Master record maintenance
Authorization Concept (contd..)
• FS00 – G/L Account Master record maintenance
• FB50 – G/L Account posting
Risk! Gives someone the access to create a fictitious GL account and generate journal activity or hide activity via posting entries
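Added example (not part of the original slides): a minimal SoD risk analysis for the FB50/FS00 conflict above, showing how a check at authorization-object level separates real conflicts from users who merely hold both transaction codes. Role names, the users other than Glen, the field values, the risk ID EX01 and the mitigation assignment are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data. FB50, FS00, S_TCODE, F_BKPF_BUK and F_SKA1_BES come
# from the slides; role names, users other than Glen, field values, the risk ID
# "EX01" and the mitigation assignment are assumptions made for this example.
# Simplification: permissions are (object, field, value) triples pooled across
# all of a user's roles.

@dataclass(frozen=True)
class Role:
    name: str
    tcodes: frozenset    # transaction codes granted through S_TCODE
    perms: frozenset     # (authorization object, field, value) triples

@dataclass(frozen=True)
class Function:
    name: str
    tcode: str
    required: frozenset  # values without which the transaction is harmless

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple     # holding every function at once is the conflict

POST_GL = Function("Post G/L document", "FB50",
                   frozenset({("F_BKPF_BUK", "ACTVT", "01")}))
MAINTAIN_GL = Function("Maintain G/L account master", "FS00",
                       frozenset({("F_SKA1_BES", "ACTVT", "01")}))
RISK_EX01 = Risk("EX01", "Create a fictitious G/L account and post to it",
                 (MAINTAIN_GL, POST_GL))

def _covers(perms, needed):
    """True if a held triple grants `needed`; a held '*' matches any value."""
    obj, fld, val = needed
    return any(o == obj and f == fld and v in (val, "*") for o, f, v in perms)

def analyze_user(roles, risk, mitigated_risks=frozenset()):
    """Classify one user against one risk.

    none       - cannot start every conflicting transaction
    tcode_only - has the transactions but not the values that make them effective
    violation  - has transactions and values (SoD conflict)
    mitigated  - violation covered by an assigned mitigation control
    """
    tcodes = set().union(*(r.tcodes for r in roles))
    perms = set().union(*(r.perms for r in roles))
    if not all(f.tcode in tcodes for f in risk.functions):
        return "none"
    if not all(_covers(perms, p) for f in risk.functions for p in f.required):
        return "tcode_only"
    return "mitigated" if risk.risk_id in mitigated_risks else "violation"

def analyze_users(users, risk, mitigations):
    """Run the analysis for every user; `mitigations` maps user -> risk IDs."""
    return {u: analyze_user(roles, risk, mitigations.get(u, frozenset()))
            for u, roles in users.items()}

def tcode_level_hits(results):
    """Users a transaction-code-only rule set would report."""
    return sorted(u for u, s in results.items() if s != "none")

GL_POSTING = Role("Z_GL_POSTING", frozenset({"FB50"}),
                  frozenset({("F_BKPF_BUK", "ACTVT", "01")}))
GL_MASTER = Role("Z_GL_MASTER_MAINT", frozenset({"FS00"}),
                 frozenset({("F_SKA1_BES", "ACTVT", "01")}))
GL_DISPLAY = Role("Z_GL_MASTER_DISPLAY", frozenset({"FS00"}),
                  frozenset({("F_SKA1_BES", "ACTVT", "03")}))
FI_WIDE = Role("Z_FI_WIDE", frozenset({"FB50", "FS00"}),
               frozenset({("F_BKPF_BUK", "ACTVT", "*"),
                          ("F_SKA1_BES", "ACTVT", "*")}))

USERS = {
    "GLEN": [GL_POSTING, GL_MASTER],    # the conflict described on the slide
    "DANA": [GL_POSTING, GL_DISPLAY],   # FS00 is display-only
    "ARUN": [FI_WIDE],                  # wildcard values, control assigned
    "MIRA": [GL_POSTING],               # posting only
}
MITIGATIONS = {"ARUN": frozenset({"EX01"})}

if __name__ == "__main__":
    results = analyze_users(USERS, RISK_EX01, MITIGATIONS)
    for user, status in results.items():
        print(f"{user}: {status}")
    print("tcode-level hits:", tcode_level_hits(results))
```

A rule set that stops at transaction codes reports DANA alongside GLEN and ARUN; checking the activity values removes that false positive, and the mitigation lookup separates accepted conflicts from open ones.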
GRC SOD Rules Approach
Analysis
Evaluate
RAR Standard Rule Set
• SAP – 256 Risks, 58,649 action combinations (as of 2008 Q2 update) for the below business processes:
  – HR and Payroll
  – Procure to Pay (70/11104)
  – Order to Cash (32/6101)
  – Finance (37/6229): General Accounting, Project Systems, Fixed Assets
  – Basis, Security and System Administration (25/13556)
  – Materials Management
  – APO/SCM
  – SRM
  – CRM
  – Consolidations
• Oracle – 162 Risks, 13,183 action combinations
• PeopleSoft – 57 Risks, 27,906 action combinations
• JD Edwards – 21 Risks, 303 action combinations
• Non-RTA system analysis framework for legacy systems
Cross-Enterprise Rules Library Delivered out of the box
GRC Access Control Architecture
Terminology
RTA: Responds to events or signals as fast as possible, or as they happen, and sits in the back end.
JCO: A programming interface (API) that provides an interface between a Java program and a legacy application such as CICS and ECC
IGS: The IGS is used to generate graphical content, and to give you enough information to incorporate such graphics into your own Web Dynpro applications
UME: A Java-based user administration component with central user administration, an SSO, and secure access to distributed applications
SLD: Signifies the layout of the systems in an environment. Landscape is the highest node within the system landscape hierarchy.
Standard GRC Architecture
GRC Architecture-Generic view
RTA: The Enterprise Software Real-Time Agent
RTA Usage – Type
• Prebuilt for SAP – BAPI® programming interface
• Prebuilt for Oracle – Stored procedure
• Prebuilt for PeopleSoft – Web services
• Prebuilt for Hyperion – Web services
• Custom-built for direct access to legacy system database – Query
• Custom-built for upload file extraction to legacy system – Flat file (delimited)
GRC Access Control Landscape - Basic
SAP GRC Access Control Application System Landscape for a Typical Installation
GRC Access Control Landscape – Authoritative User Sources
SAP GRC Access Control Application System Landscape with Authoritative-User Sources
GRC Access Control Landscape – Central User Administrator
SAP GRC Access Control Application System Landscape with User Provisioning with or Without the CUA
GRC Access Control Applications
GRC Access Control Overview
GRC AC Applications
GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance. It also provides an integrated framework for designing, enforcing and monitoring continuous compliance in SAP systems.
GRC Access Control consists of the below four applications:
• Risk Analysis & Remediation (RAR) and Risk Terminator – Sustainable SoD definition, remediation, monitoring and reporting for continuous compliance
• Compliant User Provisioning (CUP) – Proactive, compliant, automated, auditable access approval and provisioning
• Enterprise Role Management (ERM) – Compliant role design, maintenance and auditability
• Superuser Privilege Management (SPM) – Controlled and reviewable privileged user management
Risk Analysis and Remediation
Risk Analysis and Remediation enables monitoring of SAP user access and applies a library of Segregation of Duties (SoD) rules to detect potential irregularities and minimize risks of fraudulent activity. It is a real-time and preventive compliance solution.
RAR Functionalities
• Audit & Assessment of existing practice
• Risk Identification and Assessment
• Business SoD rules definition
• Mitigation Controls definition
• Assessment of Mitigation Controls
• Remediation plans
• Progress Monitoring
• Dynamic Dashboards
RAR - features and benefits include
• Facilitate discussion between Business and IT
• Centralized definition of Risks related to User Access
• Real-time and cross-system risk analysis
• Remediation of SoD violations
• Proactive detection of SoD issues by simulation
• Auditability of Change Documents
SAP GRC Super User Privilege Management (Firefighter)
SAP GRC Compliant User Provisioning (Access Enforcer)
SAP GRC Enterprise Role Management (Role Expert)
SAP GRC Risk Analysis and Remediation (Compliance Calibrator)
Risk Terminator
• Provides real-time SoD analysis during user and role maintenance and user-to-role assignment
• Risk Terminator can be configured to run a risk analysis when one of the four tasks is performed:
  – When a role is generated using PFCG
  – When users are assigned to a role using PFCG
  – When a role or profile is assigned to a user using SU01
  – When a role or profile is assigned to users using SU10
• The Risk Analysis report is displayed to the user, showing the SoD violations
• The configuration setting “Stop generation if violation exists” determines if this is an error or a warning
• If the user continues to process the task, a warning message is displayed with two options:
  – Discard changes
  – Continue
Superuser Privileged User Access Management
The Privileged User Access Management Tool lets "superusers" perform emergency activities outside of their role under a controlled and auditable environment.
Process flow (from diagram):
• Work Order Acceptance
• Emergency Situation
• FFID Is Required (Yes / No); Current E.RFC
• Pre-Designated Firefighter logs into CUP and requests a FF ID + Notification sent to BTO
• Firefighter ID Owner logs into CUP and approves the FF ID to the FF with an expiration date
• Firefighter logs into SAP using their ID and executes a TCode to check out the FF ID. Access auto expires after pre-determined period
• Firefighter has required access to remediate the situation
• Audit Logs / Transactions are Archived for Future Audits
SPM - features and benefits include
• Pre-approved emergency access
• Automatic email notification when Firefighter mode is activated
• Automatic sending of log report to controller
• Detailed audit trail of performed actions
• Auditability (FF User not equal to SAP_ALL User)
• Web based log reports, including Risk Analysis
SPM – Process Overview
Compliant User Provisioning Job functions change frequently and employees transition into new roles or inherit new responsibilities, but companies often overlook how these changes impact SoD requirements. By incorporating control activities into everyday business processes, companies avoid after-the-fact violation detection. SAP GRC Access Control creates visibility, enables fully compliant user provisioning throughout the employee life cycle, and prevents new SoD violations.
CUP Functionalities
• Assessment of Business
• Assessment of Business relationship
• Design Dynamic workflow service
• Automate User provisioning
• Reduce burden on IT
• Prevents Risks by proactive analysis
• Meets Regulatory compliance target
CUP - features and benefits include
• Homogenized access request process
• Automated approval management (Workflow)
• Dynamic routing for approval
• Risk analysis before request approval
• Transparent view on impact of the approval (in business language)
• Automated user provisioning to SAP
• Automated logging of request approvals and modifications
CUP – Functional Overview
CUP – Typical End User
Requestors – request access to systems and roles
Approvers – approve user access request; security, managers, data owners (role owners), process owners, etc
Administrators – administer requests, configure workflow, manage application security, manage other system settings/configuration
CUP – Provisioning Workflow
Workflow diagram labels: User Access Request, Manager Approval, Role Owner Approval, Security Coordinator Approval
Systems shown in diagram: ECC, HR, CRM, Legacy
CUP – Workflow features
Flexible configuration of workflows
Multiple Approvers
Different workflow paths for different request attributes
Parallel Paths – Different workflow paths based on role selection
Detours and Forks – certain predefined conditions can trigger detours
Escape Routes
Forwarding to another approver
Automated provisioning without security review
Automated Actions
Create/Change User
Change User Master record information (validity date, user group, etc)
Lock/Unlock user
Delete Users
Notifications
CUP - Other Workflow types (non user access request)
• Risk Analysis and Remediation
  – Risk Change Approvals
  – Mitigation change approvals
• Superuser Privilege Management – Automates E-RFC process while providing audit trail and maintaining compliance
  – Superuser access assignment
• Enterprise Role Management
  – Role maintenance approvals
• User Access Review – Can facilitate Quarterly Access Review
  – Reviews sent to approvers to approve user’s current access
• SOD Management by Exception
  – Exception based reporting and remediation via workflow
CUP - Additional Capabilities
• Password Self-Service
  – Allows users to reset their password using challenge and response (if not authenticating against MS AD)
• HR Triggers
  – Ability to set up automatic workflow requests based on a function/action that occurs in an SAP HR system
• BI Integration for detailed custom reporting
  – Standard cube is available (as of 5.3)
• Integration with Training System
  – Verification of user training status
  – Will need web service integration configuration
CUP - Typical Administration
• Maintain Roles
  – Upload new roles on periodic basis
  – Remove roles on periodic basis
• Maintain Approvers
  – Upload new approvers
  – Remove approver information as required
• Maintain Workflow
  – Maintain workflow paths
  – Opportunities to streamline workflow process
• Manage Requests
  – On hold or stale requests
CUP - Integration Points and Data Sources
• Possible points of integration
  – ECC, BI, BI-EP, Solution Manager
  – Non SAP Systems (with custom RTA)
• Supported Data Sources
  – Multiple SAP Systems
  – Multiple LDAP Systems, out of the box: Active Directory, SunOne, Novell eDirectory, IBM Tivoli
  – Any LDAP system supported by SAP UME
• Non-SAP Support Systems
  – Oracle, PeopleSoft, JD Edwards
Enterprise Role Management Enterprise Role Management addresses the root of access control through standardized and centralized role design, testing, and maintenance. It helps you eliminate manual errors and makes it easier to enforce best practices. The application puts role ownership in the hands of business process owners rather than IT staff, allowing them both to document role definitions, perform automated risk assessments, track changes, and conduct maintenance with ease, which increases consistency and lowers IT costs.
ERM Functionalities
• Creation and maintenance of role
• Integrates with RAR for SoD analysis
• Assignment of Role Owner to roles
• Triggers dynamic approval workflow
• Dual environment: Analysis & Generation
• Provision opening SAP profile generator
Diagram labels: Centralized Role Management, Enterprise Rules, SAP GRC Access Control, Audit log, Across applications, Compliant enterprise roles
ERM - features and benefits include
• Central management of authorization roles
• Automatic notification of change of Role Owners
• Approval workflow for Role Changes
• Preventive Risk analysis for roles
• Automatic role generation in SAP system
• Audit trails and reporting of all role changes
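ERM – Process Overview
Process steps (from diagram): Definition, Authorization, Derive, Risk Analysis, Approval, Generation, Test
Actors (from diagram): Security, Business Process Owner
Connected applications (from diagram): Compliant User Provisioning, Risk Analysis & Remediation
Systems (from diagram): HR, CRM, ECC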
New Features of Access Control 5.3
New Features of Access Control 5.3
Risk Analysis and Remediation:
• Single launch pad for all the four capabilities (multiple windows may be open)
• Performance improvements
• Enterprise portal and UME integration (Risk Analysis and user provisioning)
• Import/Export utilities (Component, Configuration, Mitigation data)
• Enhanced reporting
  – Many added reports and more reports can be exported
  – BI integration of custom reporting
• Enhancements of Change Management Audit Trail
• SoD management by exception
  – Identifies unmitigated risks
  – Provides Mitigation reaffirm functionality
New Features of Access Control 5.3 (contd..)
Compliant User Provisioning:
• End user request form customization
• Integration with multiple data sources
• Password reset
  – Supported for Oracle, PeopleSoft, JD Edwards
  – User password self-service with a challenge response
• Cross-system risk analysis for access requests
• Compliant User Provisioning for Oracle, PeopleSoft, JD Edwards
• Utilize HR triggers for PeopleSoft
• Enhance CUA support
• Integration with training systems
• Identity Management integration with major IDM vendors
New Features of Access Control 5.3 (contd..)
Enterprise Role Management:
• Enhanced role derivation (org. value maps)
• Enhanced risk analysis and simulation
• Ability to generate roles for multiple systems at one time
• Ability to copy a role
• Documentation of Non-SAP roles and enterprise wide roles
• Integration with SAP ERP’s profile generator
Superuser Privilege Management:
• Enhanced log report
• Multiple owners for firefighter IDs
• Automatic archival of Log report
GRC Access Control Critical success factors
Access Control – Critical success factors to implement
• Engaging Business and IT team - In order to customize and fine-tune risk definitions and gather all requirements. Validate rule set with Internal Audit.
• Management support - Having support from the appropriate level of the organization will assist in addressing points of resistance
• Resources - Understanding the organization’s key business initiatives will be critical, since multiple initiatives often compete for the same (business) resources
• “Avoid the Big bang” - Building out the GRC Access Control solution component by component allows the organization to absorb all parts of a sustainable solution
• Installation vs Integration - An operational installation of SAP Access Control is realistic in relatively less time; however, a successful integration requires much more time, effort and expertise
• Embed the solution in the organization - By defining the operational processes to sustain compliance (impact on new projects, new risks, new systems, changes in organization)
SAP GRC Benefits
SAP GRC Benefits
Reduced Risk:
• Lower fraud-related loss
• Faster remediation
• Improved business processes and overall performance
Reduced Cost of compliance:
• Automation/Monitoring frees up resources for value tasks
• Shorter audit cycles
• Streamlined evaluations
• Lower TCO
Improved confidence:
• Visibility/Real-time information
• Single version of the truth
• Reinforced accountability
SAP GRC Benefits (contd..)
Columns: Key Areas, Observation of “AS IS” Process, Benefits

Key Area: Segregation of Duties
Observation of “AS IS” Process:
• Security activities require 25% to 50% of security admin time
• Manual processes are inefficient and prone to error
• Annual audit time of several weeks to manually create SoD reports and to review controls
Benefits:
• Automated monitoring and tracking
• Preventive and detective

Key Area: Add/Change/Delete Users
Observation of “AS IS” Process:
• Manual data entry is inefficient, generates error, and creates risk
• Frequent Add/Change requests requiring manual effort
• Delays of process create risk of unauthorized access
• Deletion of users is not consistently and accurately implemented
Benefits:
• Automated users administration

Key Area: Privileged User Access
Observation of “AS IS” Process:
• Access is granted for extended period of time
• Activity is not verifiable
• Question of “What did they do when they had access?”
Benefits:
• Automated Superuser access with tracking of all activities

Key Area: Role Design and Management
Observation of “AS IS” Process:
• Limited Role reaffirm process
• Limited ability for validation of current roles and proposed changes of roles
• Difficult to manage large number of master roles and derived roles
Benefits:
• Compliant role design and management

Key Area: Sensitive Transactions
Observation of “AS IS” Process:
• Limited, manual tracking of access
• Current control does not meet Audit requirements well
Benefits:
• Automate alerting, tracking, and logging

Key Area: Management Reporting
Observation of “AS IS” Process:
• Manual reporting process
• Manual analysis of differences between time periods
• Limited visibility for management
Benefits:
• Automated pre-built access controls reporting
Qualitative Benefits
Comparative study of GRC AC v. Manual Process

Manual Process: Provides partial pro-active SOD analysis
GRC AC Process: Provides fully pro-active SOD analysis

Manual Process: SOD analysis level restricted to Transaction Code level
GRC AC Process: SOD analysis spreads to Auth. Object level values

Manual Process: Captures the SOD implications at periodic Internal Audit control
GRC AC Process: Captures the SOD implications at run time

Manual Process: Captures potential risk with no solution
GRC AC Process: Captures potential Risks with probable solution

Manual Process: Prone to human error in provisioning Roles to users
GRC AC Process: Avoids human error in provisioning Roles by defining pre-approved approval paths

Manual Process: Manual Log process for emergency access provisioning leading to discrepancy and missing Audit trail
GRC AC Process: Automatically captures the Log for emergency access provisioning and limits access to time period, producing Audit trail

Manual Process: Manual definition of Role creation process resulting in loss of control and Audit trail
GRC AC Process: Standard methodology defined for Role creation Process resulting into Auditable roles
GRC Products and Vendors
GRC – Products and vendors
SAP - SAP is a German enterprise business software company that provides a comprehensive suite of GRC solutions. Some of the major GRC products are:
• GRC Access Controls
• GRC Process Controls
• Enterprise Risk Management
• Global Trade Services and others
Oracle - Oracle is one of the giant companies providing GRC solutions. Oracle offers the “Oracle Governance, Risk and Compliance Manager” solution. Oracle provides an enterprise GRC platform that integrates business intelligence, process management, and automated controls enforcement to enable sustainable risk and compliance management. Core capabilities include:
• GRC Insight
• GRC Process
• GRC Controls
Approva Corporation - Approva’s Controls Intelligence Suite provides real-time insight and analysis about the state of controls across your business. Companies are using the product to address a wide array of business challenges. Some of the GRC products from Approva are:
• User Access Controls & Security
• Financial & Operational Controls
• Master Data Integrity & Accuracy
• Fraud Identification & Prevention
• Controls Design & Optimization
• Compliance & Continuous Auditing
Archer Technologies - Archer’s out-of-the-box solutions provide the foundation for a best-in-class enterprise governance, risk and compliance (GRC) program. They include Policy, Threat, Asset, Risk, Business Continuity, Incident, Vendor and Compliance Management. Enterprise Governance, Risk and Compliance Solutions: over 6 million licensed users.
Security Weaver - Security Weaver is a leading enterprise IT security solutions provider with world class solutions for all sizes of customers. Using Security Weaver’s GRC solutions you get superior application performance with less hardware expense and minimal installation expense, yet leverage existing organizational competency. Security Weaver provides the following solutions:
• Separations Enforcer
• Emergency Repair
• Secure Provisioning
• Secure Audit
• Secure Enterprise
Trintech - Trintech provides a world class solution to address SOX and other compliance initiatives, such as HIPAA, PCI-DSS, FERC/NERC, etc.
Appendix
Glossary
Terminology: Description
Segregation Of Duties: A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel.
Personalization: Applications may support community personalization to allow organizational groups to customize views for all users.
SOX: Sarbanes Oxley Compliance, commonly called SOX, is a controversial United States federal law passed in response to a number of major corporate and accounting scandals.
GRC: Governance Risks Compliance
Mitigation Controls: A term used for the controls defined for the identified Risks in the system.
Mitigation Objects: A term used for identifying the conflicting roles and users which have the Mitigation controls defined
Risks: This defines the potential risks existing in the system due to SOD and is based on the standard business process.
Rules: This is the collection of risks and functions that forms the core for analyzing the SOD Conflicts
Rule set: This is the facility in GRC to bucket the specific rules for different Business Requirements
Role Provisioning: The process of assigning the authorization to the requested user in the system.
Auto provisioning: Auto provisioning is taken care of by SAP GRC internally from the CUP approval workflow
Firefighter: The emergency access provided to the user in the system, based on the request, for a limited duration and monitored for its activities
Firefighter ID: The ID predefined in the system to be used by the firefighter on an emergency basis
RAR: Risk Analysis and Remediation
CUP: Compliant User Provisioning
ERM: Enterprise Role Management
SPM: Superuser Privilege Management