PowerPoint Presentation

[Audio] Access Request User Access Provisioned Request Initiation User Needs access/ additional access to sap to perform his day-to-day activities The user will connect with the line manager requesting about the process of initiating access to sap The manager will share the Process or S-P-O-C-- ( Single point of Contact) who can assist the user in creating an access request The user will request access or with the help of SPOC / Manager The request will go to the manager Manager will review the user access request the justification provided & Check for any sods in the request worKFLOW worKFLOW worKFLOW User Access Process Manager IT Security worKFLOW Role Owner 2/14/2024.

[Audio] Key Actors involved IT Security Manager Role Owner Approve - ( If roles requested can full fill user responsibility & no sod found ) Reject - ( If the roles requested don't fit the user responsibility & causing sod) Hold - Requesting additional info from the user about cross-functional roles & take decisions accordingly ( approve/ Reject ) Partially approve - The role owner can partially approve the request and reject the roles that don't fit user responsibility Approve ( If the request is aligned with all right roles and justification ) Reject ( Any Cross-functional roles which don't suit user responsibilities & might cause critical sod) Hold -Ex ( Manager seeking any additional info from the user about the cross-functional roles can place the request on hold and take a decision accordingly to approve/ reject ) Approve - If the mitigation control is approved by (risk Owner/mitigation approver)- IT- security will assign the Mitigation control to the user and approve the request. Once approved- The user will be assigned the roles requested Reject - If the existing mitigation controls are not approved by the stakeholders ( Manager/BPO) then the IT - security team will reject the access request. Hold - If mitigation controls are not available 2/14/2024.

[Audio] Process of creating the mitigation control A manager requests BPO Approval for the need to mitigation control to provide sod risk to his team member User will be provisioned with the approved roles Once the mitigation control is created assign it to the user for the sod risk and approve the request A manager requests BPO(Risk Owner) Approval for the need to mitigation control to provide sod risk to his team member IT Security will implement by creating new mitigation control/ Modify the existing ones Manager along with IT will forward this approval to auditors Mitigation Control The manager will inform BPO & and forward to A-U-D-I-T- approval or technical implementation of mitigation control & Post to sign off from Audit it moves to IT - Security to implement the control Auditors will validate the request and request for mitigation controls details Manager request to IT to support for creation of the mitigation CONTROL IT will provide required technical details for mitigation control to monitor or mitigate the sod Risk.