Ajay Aggarwal
SAP Security Architect/ mySAP Netweaver Security
408.499.3605 (cell)
Professional Summary:
§
Work experience of over 16 years specializing in
information technology and various other business areas like manufacturing,
shop floor processing, sales & distribution, inventory control.
§
Over 8 Years of extensive
§
Guest Speaker at
§
Involved in full implementation cycles from Design
phase to Post implementation in industries ranging from Finance/ Portfolio
Management, Manufacturing and Pharmaceutical.
§
Experienced with R/3 releases versions 3.1H through ECC5.0
& ECC6.0 Netweaver 2004s on various modules like MM, PP, SD, FI, CO, PS, PI
with familiarity of BW, HR & CRM with Enterprise Portal knowledge.
§
Performed SAP Security related tasks such as Role
development using Profile Generator, Activating-setting up Profile generator
and upgrading, Corrections and transports.
§
Strong hands-on experience working on profiles,
authorizations and objects for access management and authorization control.
§
Experienced and strong with Security Audits, SOX Section
404 compliance and Audit Information System.
§
Extensively used and proficiently administered third
party utilities and tools like RBE, VIRSA (VRAT, Compliance Calibrator &
Access Enforcer), SAFE (PWC) and KPMG tools to analyze assigned access, to
simulate and monitor user authorizations and reporting.
§
Former Virsa Consultant involved in VRAT program
designing and testing. Installation and Configuration of SAP GRC Components
including Compliance Calibrator, Access Enforcer, Role Expert and Fire Fighter.
§
Experienced with 21 CFR part 11 regulation for
electronic record management for FDA regulated companies like pharmaceutical,
biotechnology and medical device companies.
§
Strong working experience with MS Excel, Visio, MS
Project and MS Access for complex queries, data storage and data massaging.
§
Worked closely with functional consultants for
evaluation of requirements and defining, developing and testing the roles.
§
Strong ability to diversify and understand new
technologies and applications and grasp them in order to stay in tune with the
tech sector and its requirements.
§
Exceptional communication & interpersonal skills.
Trainings & Achievements:
§
SAP R/3 Architecture.
§
CA940 Authorization Concepts.
§
Oracle 8.0, RDBMS concepts, PL/SQL, Visual Basic,
Developer 2000.
§
Certified Clarify Developer (CRM) and trained
PeopleSoft Developer (HRMS)
§
Web Development,
Computer Networking and Internet Applications with Introduction to
Firewall, Creation of Web Pages using Html, JavaScript, Java and Applets.
§
Security Upgrades & Audit Compliance Speaker at ASUG
Northern
Professional Experience:
01/2008 – 01/2008
Position: SAP GRC Consultant
Client: Novartis/Chiron
§
Technical Upgrade and Configuration of SAP GRC Compliance
Calibrator 4.0 from version 3.0
§
Provided end user
training on CC4.0 usage and available reporting
§
Provided upgrade documentation highlighting new
features available after upgrade
§
Configured and tuned Matrix 1 for running similar
reports as client used prior to upgrade
05/2007 – 12/2007
Position: SAP Security Consultant Sr. DBA
Client: Genentech, Inc.
§
Implemented and Configured SAP GRC Compliance Applications
versions 5.2 such as the Access Enforcer, Compliance Calibrator, Firefighter
and maintained the former PWC/ Virsa SAFE CCXT tool
§
Reviewed and performed system analysis of the existing
environment by studying audit reports issued by
the external auditors and, based on the audit findings, defined the scope
of the project to target the efficiencies identified
§
Gathered Information and Customized Access Enforcer
Workflows leveraging client's existing user creation process
§
Assisted client in resolving Access Enforcer and Workflow
configuration issues during POC prototyping
§
Suggested alternatives for SOD remediation during and
after the Go Live for naming conventions, role swaps for users with conflicts
and configuration changes to keep track of project progress
§
Defined critical transactions to be used for Fire
Fighter Access
§
Create FAQs and ‘How To’ documents for SAP
applications Firefighter, Compliance Calibrator, Role Expert, and Access
Enforcer
§
Experienced with Netweaver for handling user
maintenance through
§
Provided technical Security support to users on modules
FI/CO, MM, PP, PM, SCM APO, SD, BI, WM, SRM EBP 4.0, SM and XI
§
Handled all Security issues related to authorizations
and remediation around support and upgrades
§
Maintained multi system, multiple environment landscape
through CUA configured on Solution Manager for easier user provisioning and
administration
§
Support continuous improvement in existing and new
environments by contributing to the problem management process and ensuring
execution of corrective actions assigned to the team
§
Work with Maintenance & Engineering and IT
Security management regarding potential access violations per US Security
standards and best practices
§
Contribute to daily Security monitoring of all SAP
application environments and respond to Service Center tickets for user
administration in SAP production and non-production environments within
designated SLAs
§
Provide an insight on process improvement to junior
team members and groom internal FTEs to perform and understand Security
challenges
08/2006 – 05/2007
Position: mySAP Security, Identity Management Lead
Client: Toyota Motor Corporation (TFS Division)
§
Supporting ECC6.0 mySAP ERP 2005
implementation on multiple landscapes on CUA with SAP Basis release 700, mySAP
CRM 2006 Wave -1(CRM 5.1 SP02), BI - Netweaver 2004s, PI/XI 700, Enterprise
Buyer Professional 5.0 (SRM EBP), FI - Asset Finance and leasing (AFL) & Consumer
and Mortgage Loans (CML)
§
Designing Security & SOX Compliance
Controls Strategy document in review of existing security policies and
procedures and put together a detailed Security Project Plan in MS Project
§
Conducting workshops with
Functional/Business team members on business requirements helping them
understand their deliverables from Security perspective. Review and approve FRS
& TDS documents for requested functional and technical enhancements specs
§
Building Business Roles and test user
IDs for Business Analysts and power users in preparation for Realization phase
§
Train internal resources on day to day
Security Support tasks and impart strategies helping them understand and
minimize downtime impact
07/2006 – 02/2007
Position: Security & Controls Architect
Client: Avanex Corporation (High Tech/ Optic Fiber)
§
Developed audit analysis insights and
observations worksheets for client on audit findings for Basis Security &
Business with internal auditors from Deloitte
§
Engaged in identifying compliance
shortfalls, their documentation and performing related technical fixes for R/3
modules FI, MM & SD in release 4.7/6.20.
§
Supporting the client to identify a
Segregation of Duties matrix suiting the business and performing runtime
analysis on the same to list internal violations
§
Providing the client key information on
Basis & Security issues and reworking on system & profile parameters to
help further secure their landscape
§
Help client understand their business
need and help draw a time-bound structured approach remediation process going
forward.
§
Assist client identify a SOX compliance
utility suiting their business and arrange vendor presentations to their
specifications
§
Cleanup existing Roles to be compliant
with new Security Design
§
Redefine Organization Structure in
existing Roles to restrict end users to their respective areas
§
Provide remote development support and be
onsite for end user training as needed
05/2006 – 7/2006
Position: Sr. SOX/Security Architect
Client: Smith & Nephew Inc. (Endoscopy)
§
Worked as a Sr. Security Architect on
Audit Remediation and providing client support on installation & user
training on Virsa Compliance Calibrator CC5.0 Configuration and Maintenance,
Access Enforcer and Role Expert tools
§
Using Compliance Calibrator to test,
simulate and document security and SOD conflicts. Trained customer on the existing reports and
functionality contained within AE and CC
§
Helped mediate SAP support level issues
for reported bugs to resolve issues
§
Configured background jobs for
Firefighter to extract historical reports from STAT and CDHDR tables
§
Scheduled and held remote WEBEX
conferences to review customer issues and provide end user and process owner training
§
Simulate adding roles and/or transactions
to users to find SOD prior to adding authorization. Using VIRSA Risk Terminator, create real-time
analysis of possible conflicts when adding a transaction or authorization
objects to an existing role
§
Provide Compliance Calibrator custom
reports and SUIM reports to identify SOD conflicts
§
Redesigned Role Based Access Control for
MM, SD and FI modules in compliance to SOx.
§
Audit compliance and configuration of
incompatible combinations of business tasks in respect of SOx compliance on
existing Security roles and access
§
End user training on detailed report
generation techniques and table updates
§
Provide remote development support and be
onsite for end user training as needed
2/2006 – 4/2006
Position: Security Lead (Cap Gemini)
Client: Genentech Inc. (Pharmaceutical)
§
Worked as a Cap Gemini Consultant on
Phase 2 Blueprint activities for rolling out new modules.
§
Worked with business tracks on
requirement gathering for Blueprint preparing to transition into Realization
around June 2006.
§
Implemented CUA on large multiple
landscapes on Sandbox, Development, QA, and Integration Testing systems. Used
and trained client on CATT and LSMW to automate user management.
§
Provided technical support to power users on existing
systems. New modules like MM, PP, PM, SCM APO, FIN, SD, WM, SRM EBP being
added.
§
Provided training and support being a part of the
audit team & analyzing SODs to comply with SOX/ Audit compliance using
CCXT
§
Completed all required Safety and GMP/FDA compliance
training courses
04/2004 – 1/2006
Client: Applied Materials, Inc. (Semiconductor)
§
Worked on the 4.7 upgrade project as a Senior
Security Analyst in tandem with the upgrade teams from different areas.
Designed and built custom authorizations, roles and profiles in development for
UAT in QAS based on provided info from business.
§
Worked with role creation (PFCG) for building new
composite, single & derived roles along with conversions from profiles to
roles and other issues related to upgrade tasks in a CUA setup.
§
Analyzed existing program codes to validate authority
checks for using in new role design. Used tables to extract data for reporting
and used custom reports for analysis.
§
Provided Post Go-Live support to end users after
having successfully gone live with SAP upgrade on 5th Dec 05
globally.
§
Successfully went live with SOx compliance globally
on 12th Nov 04 on the previous project as a Security Lead.
§
Simultaneously working on SOX compliance and
maintenance of R/3 security on release 4.5b as a part of the core SAP security
team of Applied Global Services (AGS Division) supporting over 2300 users
globally.
§
Experience on audit issues for SOX compliance and for
SOD access removal extensively using VIRSA as an administrator.
§
Worked on streamlining and reclassification of user
groups for easier addressal of issues and user administration.
§
As a part of the upgrade team, build/ review strategy
to upgrade from profiles based security to role-based security for the new
ongoing 4.7 upgrade project.
§
Set up procedures to troubleshoot R/3 security
problems.
§
Developed roles and profiles for developers, basis,
security, regional user administrators and other teams. Using CATT & LSMW
(client preferred) extensively to enhance productivity and to automate large
changes related to the upgrade and audit.
§
Define procedures for cleanup of access from the
production clients, review and remove unnecessary additional access from users.
§
Resolved audit issues of removing critical
authorizations, profiles from users, restrict sensitive table display/update
access in production, remove debug access from production, and restrict access
to business or system sensitive transactions.
§
Impart training to group team members and management
on security architecture, design, arising security issues and resolution
strategies.
§
Successfully implemented SOx compliance and controls
on time as scheduled in Nov 2004.
04/2003 – 03/2004
Position: Sr. SAP Security Administrator
Project Assignment: Guidant Corporation (Medical Devices)
Responsibilities: Security Lead in R/3 upgrade from 4.5B to
4.7 (
§
Working on SAP R/3 Enterprise upgrade as a Security
Lead for a Global implementation rolling out to 23 countries, 171 sites worldwide.
§
Defined upgrade procedures and steps for Security
Conversions from Profile to Roles based Security.
§
Identified major areas of pitfalls and critical
issues leading to serious Security and Audit concerns.
§
Worked on LAW to set up user types for license usage
and reporting to SAP.
§
Assisted the management in identifying insecure
access to users resulting from inappropriate assignment of Profiles and their
Authorizations. Prepared & delivered presentations showing real-time
examples of its seriousness to Business & Audit management resulting in
approval and sanctioning of a new project to soon revamp entire Security.
§
Extensively created and used CATT scripts to automate
processes for conversion activities and user maintenance on the fly.
§
Delivered technical training sessions in Security to
employees and helpdesk personnel to handle user maintenance effectively and
efficiently.
§
Trained regular employees and made them self-sufficient
in day-to-day management of R/3 Security and user administration tasks and procedures.
§
Worked with the trainees to ensure a successful
migration of Security to the new release.
§
Providing 24x7 Production support to 2000 users in
171 sites globally.
12/2002 – 03/2003
Position: Security Consultant
Project Assignment: MGM (Entertainment)
Responsibilities:
Redesigning and implementing SAP R/3 Security in a 4.7 upgrade environment
remotely.
§
Working on Role Definitions based on the inputs provided by the client
and defining the Role Matrix in MS Excel.
§
Defining new Roles redesigning the existing Definitions and building
smaller meaningful Roles based on concentration of job duties.
§
Using SOD Matrix and third party tools to determine conflicts and
Segregation of Duties issues in Role Definitions before building Roles.
§
Creation of Roles based on the inputs from the above Matrix and testing
in respect to failure or missing authorizations.
08/2002 – 12/2002
Responsibilities:
Contracting on a SAP R/3 upgrade project as a security consultant for
development, creation, testing and a successful implementation.
§
Modifying existing profiles and converting them to new roles using
profile generator and providing assistance for integration from version 3.0H to
4.6C.
§
Assisting role owners and functional teams on defining and testing new
roles.
§
Developing new single and composite roles and conducting a positive and
a negative testing on 4.6C version for team approval before transporting to
Production.
§
Providing User Acceptance Testing as well as Training support to
training and UAT teams parallel to their testing.
§
Handling all user assignment and other issues related to user
management.
§
Documenting all development procedures, sensitive objects, manual
inputs and all other critical changes as per FDA regulations and guidelines.
01/2002 – 08/2002
Responsibilities:
Providing remote SAP/R3 security support for Production and Development systems.
§
Maintaining and modifying existing SAP roles/Authorizations,
Segregation of Duties conflicts for Sensitive Transaction Access.
§
Evaluated customer’s security requirement
to fit into their business needs.
§
Troubleshot R/3 security problems by using different
scenarios such as system trace, parameter change,
buffer reset, SU53, and SU56 in order to find security related problems.
§
Analyzed all business roles and mapped
business roles to transaction code according to business processes.
§
Designed and developed Authorization List
in MS Excel database. Organized all job roles and associated transaction codes
to expedite implementation and improve accuracy.
§
Analyzed, designed and developed
development profile for development system in order to reduce security risk during
implementation phase.
§
Held security workshop with Basis,
functional and management teams to educate them about security concepts and
importance of security in SAP R/3 environment.
§
Educated testing team about how to test
security profiles.
§
Documented procedures for different
security processes such as creating table and program authorization group, adding
transaction codes to company menu, change user authorization request form, new
user request form, Security profile maintenance procedure etc.
§
As a core team member, gained knowledge on Security
issues and problems.
§
Provided Production Systems Support for all SAP
Security related issues.
§
Provided Ongoing Security Support for Non-Production
SAP Systems.
02/2000 – 12/2001
Project Assignment: Nortel Networks (Telecom)
Responsibilities:
Responsible for setup and maintenance of SAP R/3 Security environments and
integration with CRM technologies.
§
Configured profile generator for SAP security.
§
Analyzed and built Activity groups and
Profiles manually and through Profile Generator. Responsible for maintaining
the Profile Generator company menu e.g. addition of transactions to the company
menu.
§
Analyzed custom programs for authority checks and
configured for Profile generator in order to automate Profile generator for
customer transaction.
§
Act as a liaison to other teams on the project,
integrating input from all functional teams into the security development.
§
Applied
§
Developed and followed Naming conventions for roles,
profiles, activity groups, authorization groups, etc.
§
Set up procedures to Troubleshoot R/3 security
problems.
§
Designed and developed the end user roles and jobs
for SAP R/3 system.
§
Define procedures for cleanup of Temporary access
from the Production clients, review and remove additional access from Users
which was given for Go-Live.
§
Provided training to Security Administrators and
documented the procedures.
§
Provided TOI for SAP R/3 security environment,
explaining the concepts of authorization objects, profiles, authorizations,
fields and field values, user master records as well as profile generator to
security team as well as functional team.
§
On Call support for security problems in Production
and non-production systems.