
SAP GRC V5.

30 December 2009 English

Master Data (678)


Building Block Configuration Guide

SAP AG Neurottstr. 16 69190 Walldorf Germany

SAP Best Practices

Master Data (678): Configuration Guide

Copyright
Copyright 2009 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. 
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons
Icon | Meaning
 | Caution
 | Example
 | Note or Tip
 | Recommendation
 | Syntax

Typographic Conventions
Type Style | Description
Example text | Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text | Screen output. This includes file and directory names and their paths, messages, source code, names of variables and parameters as well as names of installation, upgrade and database tools.
EXAMPLE TEXT | Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.


Contents
Master Data: Configuration Guide
1 Purpose
2 Prerequisites
3 System Information
3.1 SAP ERP System Information
3.2 SAP GRC Access Control Components
4 Master Data in SAP ERP
4.1 Create Roles
4.2 Create User ID GRC_RFC for Connection
4.2.1 Create User Group
4.2.2 Create Users
4.2.3 Create Superuser Privilege Management Users
5 Configuration in SAP GRC Access Control Components
5.1 Create User SAPGRC in User Management Engine (UME)
5.2 Add Roles to Existing Users in User Management Engine
5.3 Change User Password in User Management Engine
6 Static Text to Risk Analysis and Remediation
6.1 Download Text from SAP
7 Authorization Objects
7.1 Download Data from SAP


Master Data: Configuration Guide

1 Purpose


This configuration guide provides the information you need to set up the configuration of building blocks.

2 Prerequisites
SAP ERP and SAP GRC Access Control 5.3 (AC) have been successfully installed.

3 System Information
Use
The configuration of AC requires system information from the SAP ERP system and the AC components. Since such information is specific to your installation, your system administrator needs to provide you information that will be used in the subsequent configuration steps.

3.1 SAP ERP System Information


1. You may get the SAP ERP system information from the system administrator. Alternatively, if you have the system set up in the logon pad, you may find the information in the following way:
2. In the SAP Logon window, select the SAP ERP system.
3. Choose the Change Item button.
4. In the System Entry Properties dialog box, you will find the information for the Application Server, the System Number and the System ID.

Field name | Value | Comment
Application Server | <Application Server> | For example, iwdf4176
System Number | <System Number> | For example, 02
System ID | <System ID> | For example, EA6

5. The client number is the SAP ERP client that connects to the SAP GRC Access Control component. You have to obtain this information from your system administrator.

Field name | Value | Comment
Client Number | <Client Number> | For example, 100

The above system parameters are used in the subsequent configuration steps. You need to make sure that they are accurate and complete.


To log into the SAP ERP system, you need to obtain a SAP ERP user ID and password from your system administrator.

3.2 SAP GRC Access Control Components


The following is the AC Landscape list:

System | Description
J2EE | http://<J2EE Servername>:<J2EE Port>
AC Launchpad | http://<J2EE Servername>:<J2EE Port>/webdynpro/dispatcher/sap.com/grc~acappcomp/AC
Risk Analysis and Remediation | http://<J2EE Servername>:<J2EE Port>/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator
Compliant User Provisioning | http://<J2EE Servername>:<J2EE Port>/AE/index.jsp
Enterprise Role Management | http://<J2EE Servername>:<J2EE Port>/RE/index.jsp
Superuser Privilege Management | http://<J2EE Servername>:<J2EE Port>/webdynpro/dispatcher/sap.com/grc~ffappcomp/Firefighter

You need to get the server name and port from your system administrator.

To log into SAP GRC Access Control components, you need a user_ID and password from your system administrator, for example user java_admin password java123. If you get an error after logging on with this user ID, check with your system administrator to make sure you have the following roles assigned:
- Superuser Privilege Management Role, for example FF_ADMIN
- Compliant User Provisioning Role, for example AE_ADMIN
- Enterprise Role Management Role, for example RE_ADMIN
- Risk Analysis and Remediation Role, for example VIRSA_CC_ADMIN
- Java Administrator Role, for example Administrator

Actual role names may be different than the ones mentioned above. In your browser, create a folder called SAPGRC in your Favorites and save the URLs (mentioned in the table) to access the GRC systems.


4 Master Data in SAP ERP


Use
The AC scenarios require the following master data created in the SAP ERP system. The master data includes the following items:
- User ID for connection
- Sample composite roles
- Sample profiles
- User groups and users

4.1 Create Roles


Use
The following roles would be created:
- VS_USER_ADMIN
- VS_FI_AP_DISPLAY_MASTER
- VS_FI_ACCOUNTS_MANAGER
- VS_FI_AP_INVOICES
- VS_FI_ACCOUNTS_PAYABLE_CLERK

Procedure
1. Log into SAP ERP with your user and password provided by the administrator.
2. In the SAP Easy Access screen, in the command line, enter transaction code PFCG.

SAP ERP menu | Tools → Administration → User Maintenance → Role Administration → Roles
Transaction code | PFCG

3. Enter VS_USER_ADMIN and choose Single Role.
4. Choose the Menu tab (Save the role) and add transaction codes SU01, PFCG, SU05, SU01D.
5. Choose the Authorization tab and choose Change Authorization Data (Save the role).
6. Assign Full Authorization to Org Levels, Choose Save.
7. Maintain all fields with full authorization.
8. Choose the Save button and choose Arrow. Choose Generate.
9. Go back to the main PFCG screen.
10. Enter VS_FI_AP_DISPLAY_MASTER and choose Single Role.
11. Choose the Menu tab (Save the role) and add transaction codes FK03, XK03.
12. Repeat steps 5 to 9.
13. Enter VS_FI_ACCOUNTS_MANAGER and choose Single Role.
14. Choose the Menu tab (Save the role) and add transaction codes F-41, F-44, F-63, F110, FB00, FB07, FB1K, FB1S, FBL1, FBV0, FBV2, FBV5, FBVB, FBZ0, FSF1, MK03, MM03.
15. Repeat steps 5 to 9.
16. Enter VS_FI_AP_INVOICES and choose Single Role.
17. Choose the Menu tab (Save the role) and add transaction codes F-44, FB60, FB65, FB70, FI01, FIBB, FV60, FV65, XK01, ME21N.
18. Repeat steps 5 to 9.
19. Enter VS_FI_ACCOUNTS_PAYABLE_CLERK and choose Single Role.
20. Choose the Menu tab (Save the role) and add transaction codes F-41, F-43, F-44, FB01, FCH2, MK04.
21. Repeat steps 5 to 9.

4.2 Create User ID GRC_RFC for Connection


1. Log into SAP ERP with your user and password provided by the administrator.
2. In the SAP Easy Access menu, in the command line, enter transaction code SU01.

SAP ERP menu | Tools → Administration → User Maintenance → Users
Transaction code | SU01

3. In the User Maintenance: Initial Screen, in User, enter GRC_RFC and choose the Create button.
4. In the Maintain User screen, choose the Address tab and enter the following details:
   Last name: GRC
   First name: RFC
   Language: EN English
5. Choose the Logon data tab and enter the following details:
   User Type: Service
   Initial Password: initial1
   Repeat Password: initial1
6. Choose the Default tab and enter the following information:
   Decimal Notation: 1,234,567.89
   Date Format: MM/DD/YY
7. Choose the Profiles tab and enter the following profiles:
   SAP_ALL
   SAP_NEW
8. Choose the Save button.

Integration Point: This user is used in the connector configuration in building block 681.

4.2.1 Create User Group

1. On the SAP Easy Access screen, in the command line, enter transaction code SUGR.

SAP ERP menu | Tools → Administration → User Maintenance → User Group
Transaction code | SUGR

2. In the Maintain User Groups screen, in User Group, choose the Create button to create the following user groups:

User Group | Description
AP_GROUP | Accounts Payable Group
PURCHASING | Purchasing Group
TECHNICAL | Technical User

4.2.2 Create Users

1. Access the transaction choosing the following navigation option:

SAP ERP menu | Tools → Administration → User Maintenance → Users
Transaction code | SU01

2. In the User Maintenance: Initial Screen, in User, enter MBOND and choose the Create button.
3. Within the Logon data tab, enter the following:
   Last name: Bond
   First name: Maria
   Department: Accounts Payable
   Language: EN English
   Telephone: 650-221-2020
   Extension: 202
   E-Mail: Enter the e-mail that you would like to use for testing, for example maria.bond@sap.com
   Comm Meth: E-Mail
4. Choose the Logon data tab and enter the following details:
   User Type: Service
   Initial Password: initial1
   Repeat Password: initial1
   User Group: AP_GROUP


5. Choose the Roles tab and enter the relevant information.
   VS_FI_AP_DISPLAY_MASTER
   /VIRSA/Z_VFAT_FIREFIGHTER
6. Choose the Save button.
7. Repeat steps 1 to 8 to create the following users. Unless the values are different as indicated in the table below, use the same values mentioned in above steps:

User Name (USERID) | Last Name | First Name | Department | Telephone | Extension | User Group | Roles | Profiles
MWONG | Wong | Mae | Accounts Payable | 1 650 2522252 | 200 | AP_GROUP | /VIRSA/Z_VFAT_FIREFIGHTER |
CPERKINS | Perkins | Cyrus | Accounts Payable | 6502522252 | 400 | AP_GROUP | /VIRSA/Z_VFAT_ID_OWNER, VS_FI_ACCOUNTS_MANAGER, VS_FI_AP_DISPLAY_MASTER |
FWILSON | Wilson | Fox | Accounts Payable | 6502522252 | 202 | AP_GROUP | /VIRSA/Z_VFAT_ID_OWNER, VS_FI_ACCOUNTS_MANAGER, VS_FI_AP_INVOICES |
BLAW | Law | Brian | Accounts Payable | 6502212020 | 101 | AP_GROUP | VS_FI_ACCOUNTS_MANAGER |
JMURPHY | Murphy | John | Accounts Payable | 6508582225 | 100 | AP_GROUP | VS_USER_ADMIN | SAP_ALL, SAP_NEW

WEBUSER SFRITSHE
Webuser Fritshe Stefanie Purchasing 6502522522 100
TECHNICAL PURCHASING /VIRSA/Z_VFAT_FIREFIGHTER VS_FI_AP_DISPLAY_MASTER VS_FI_AP_INVOICES
SAP_ALL SAP_NEW


4.2.3 Create Superuser Privilege Management Users

1. Access the transaction choosing the following navigation option:

SAP ERP menu | Tools → Administration → User Maintenance → Users
Transaction code | SU01

2. In the User Maintenance: Initial Screen, enter FF_BASIS.
3. Choose the Create button.
4. In the Address tab, enter the following:

FIELD | VALUE
Last Name | FF_BASIS
First Name | FIREFIGHTER
Language | EN English
Comm. Meth | Remote Mail

5. Choose the Logon Data tab and enter the following:

FIELD | VALUE
User Type | Service
Initial Password | Initial1
Repeat Password | Initial1
User Group | Technical

6. Choose the Defaults tab and enter the following:

FIELD | VALUE
Decimal Notation | 1,234,567.89
Date Format | MM/DD/YYYY

7. Choose the Roles tab and enter the following:

ROLES
/VIRSA/Z_VFAT_FIREFIGHTER

8. Choose the Profiles tab and enter the following:

PROFILES
SAP_ALL
SAP_NEW

9. Choose the Save button and the Exit button.
10. Repeat steps 1 to 9 to create following users. Unless the values are different as indicated in the table below, use the same values mentioned in above steps:

User | Last Name | First Name | Roles | Profiles
FF_VENDORS | Vendor Maintenance | Firefighter | /VIRSA/Z_VFAT_FIREFIGHTER, VS_USER_ADMIN, VS_FI_ACCOUNTS_MANAGER, VS_FI_AP_INVOICES, VS_FI_ACCOUNTS_PAYABLE_CLERK | Leave blank.
FF_WEBUSER | FF_Webuser | Firefighter | /VIRSA/Z_VFAT_FIREFIGHTER | SAP_ALL, SAP_NEW
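
A review of the sample master data defined in sections 4.1 to 4.2.3, as an added example that is not part of the original guide or of SAP GRC Access Control: it checks each role and account against a small segregation-of-duties rule set and flags accounts whose profile grants everything. The function and risk definitions (FUNCTIONS, RISKS, the IDs R01 to R04) are constructed for illustration and are not the delivered rule set; the role menus and account assignments are the ones this guide lists.

```python
# Added example: SoD and profile review of the sample master data in this guide.

# Role menus as listed in section 4.1 (transaction codes per single role).
ROLE_TCODES = {
    "VS_USER_ADMIN": "SU01 PFCG SU05 SU01D",
    "VS_FI_AP_DISPLAY_MASTER": "FK03 XK03",
    "VS_FI_ACCOUNTS_MANAGER": "F-41 F-44 F-63 F110 FB00 FB07 FB1K FB1S FBL1 "
                              "FBV0 FBV2 FBV5 FBVB FBZ0 FSF1 MK03 MM03",
    "VS_FI_AP_INVOICES": "F-44 FB60 FB65 FB70 FI01 FIBB FV60 FV65 XK01 ME21N",
    "VS_FI_ACCOUNTS_PAYABLE_CLERK": "F-41 F-43 F-44 FB01 FCH2 MK04",
}
ROLE_TCODES = {role: set(tc.split()) for role, tc in ROLE_TCODES.items()}

# ASSUMPTION: constructed, illustrative functions and risks. This is not the
# rule set delivered with Risk Analysis and Remediation.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01"},                   # create vendor
    "INVOICE_ENTRY": {"FB60", "FB65", "F-43"},  # enter vendor invoice / credit memo
    "PAYMENT_RUN": {"F110"},                    # automatic payment run
    "PO_CREATE": {"ME21N"},                     # create purchase order
    "USER_MAINT": {"SU01"},                     # maintain users
    "ROLE_MAINT": {"PFCG"},                     # maintain roles
}
RISKS = {
    "R01": ("VENDOR_MAINT", "INVOICE_ENTRY"),
    "R02": ("INVOICE_ENTRY", "PAYMENT_RUN"),
    "R03": ("PO_CREATE", "INVOICE_ENTRY"),
    "R04": ("USER_MAINT", "ROLE_MAINT"),
}
FULL_ACCESS_PROFILES = {"SAP_ALL"}  # grants every authorization; role analysis is moot

# Accounts as this guide creates them: user -> (roles, profiles).
FF = "/VIRSA/Z_VFAT_FIREFIGHTER"
USERS = {
    "GRC_RFC": ((), ("SAP_ALL", "SAP_NEW")),          # section 4.2
    "MBOND": (("VS_FI_AP_DISPLAY_MASTER", FF), ()),   # section 4.2.2
    "FF_BASIS": ((FF,), ("SAP_ALL", "SAP_NEW")),      # section 4.2.3
    "FF_VENDORS": ((FF, "VS_USER_ADMIN", "VS_FI_ACCOUNTS_MANAGER",
                    "VS_FI_AP_INVOICES", "VS_FI_ACCOUNTS_PAYABLE_CLERK"), ()),
}


def risks_for(tcodes):
    """Return {risk_id: {function: matching tcodes}} for one set of tcodes."""
    hits = {}
    for risk_id, funcs in RISKS.items():
        matched = {f: sorted(FUNCTIONS[f] & tcodes) for f in funcs}
        if all(matched.values()):  # every function of the risk is executable
            hits[risk_id] = matched
    return hits


def review_role(role):
    """Risks a single role carries on its own."""
    return sorted(risks_for(ROLE_TCODES[role]))


def review_user(user):
    """Risks reached through all of a user's roles, or a full-access flag."""
    roles, profiles = USERS[user]
    if FULL_ACCESS_PROFILES & set(profiles):
        return {"full_access": True, "risks": sorted(RISKS), "unknown_roles": []}
    tcodes, unknown = set(), []
    for role in roles:
        if role in ROLE_TCODES:
            tcodes |= ROLE_TCODES[role]
        else:
            unknown.append(role)  # content not listed in this guide: not analysed
    return {"full_access": False, "risks": sorted(risks_for(tcodes)),
            "unknown_roles": unknown}


if __name__ == "__main__":
    for role in ROLE_TCODES:
        print(role, review_role(role))
    for user in USERS:
        print(user, review_user(user))
```

Roles whose content the guide does not list, such as /VIRSA/Z_VFAT_FIREFIGHTER, are reported as not analysed instead of being treated as risk-free.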

5 Configuration in SAP GRC Access Control Components


5.1 Create User SAPGRC in User Management Engine (UME)
Use
This section creates the user ID and assigns the appropriate SAP GRC roles.

Procedure
1. Log on to J2EE with the URL http://<J2EE Servername>:<J2EE Port>.
2. Click on User Management.
3. Log in with Java administrator user ID and password, for example user java_admin and password java123.
4. Choose the Create User button.
5. In the General Information tab at the lower panel, enter the following:
   Logon ID = SAPGRC
   Last Name: SAP
   First Name: GRC
   Define Password: initial1 (for example)
   Confirm Password: initial1 (for example)
   Language: English
6. Choose the Assigned Roles tab.
7. Choose Go.
8. Select the roles FF_ADMIN (for example), and press control key and enter key to select CC_ADMIN (for example), AE_ADMIN (for example), RE_ADMIN (for example) as shown below:


The actual role names can be different depending on the naming convention that the system administrator has used during the system setup. Confirm with the system administrator for the correct role name and use those names accordingly.
9. Choose Add.
10. Choose Save.

You will be logging into SAP GRC Access Control Components as user SAPGRC to create the required configurations in building blocks 678 to 684.

5.2 Add Roles to Existing Users in User Management Engine


Use
This step is to add GRC Access Control roles to the existing User Management Engine (UME) users.

The following procedure to change the existing users is based on the assumption that users already exist in the SAP ERP system and they are available in the UME. If your UME is configured differently (see SAP note 718383), then you may have to create the users independently in UME.

Procedure
1. Log on to J2EE with the URL http://<J2EE Servername>:<J2EE Port>.
2. Click on User Management.
3. Log in with your Java administrator user ID and password, for example user java_admin and password java123.
4. Under the Identity Management tab, enter user ID WEBUSER in the search criteria field and choose the Go button.
5. In the logon ID column, select the user ID WEBUSER.
6. In the details of user section, choose Modify button.
7. Choose the Assigned Roles tab.
8. Choose Go.
9. Select the roles FF_ADMIN (for example), and hold the control key down to select CC_ADMIN (for example), AE_ADMIN (for example), RE_ADMIN (for example) as shown below:

The actual role names can be different depending on the naming convention that the system administrator has used during the system setup. Confirm with the system administrator for the correct role name and use those names accordingly.
10. Choose Add.


11. Choose Save. At the top left hand corner, you would see a message User attributes successfully modified.
12. Repeat steps 4 to 11 for the following users:
User Mae Wong Maria Bond Fox Wilson User ID MWONG MBOND FWILSON Role AEAPPROVER RE_ADMIN CC_ADMIN FF_ADMIN AEAPPROVER RE_ADMIN CC_ADMIN Brian Law BLAW FF_ADMIN AEAPPROVER RE_ADMIN CC_ADMIN AEAPPROVER RE_ADMIN CC_ADMIN AEAPPROVER CC_ADMIN

John Murphy

JMURPHY

Cyrus Perkins

CPERKINS

If you have trouble logging into the UME with the java_admin (for example) ID, close all the web browser sessions and log in again.
13. Log off and close all the browser windows before you proceed to the next step.

5.3 Change User Password in User Management Engine


Use
The user has to log into UME or the Access Control Launch pad and change the password to initial2 (for example) before logging into SAP GRC Access Control components. If the password is not changed and the user tries to log in, the error message User credentials not valid appears.

Procedure
1. Log into J2EE with the URL http://<J2EE Servername>:<J2EE Port>.
2. Click on User Management.
3. Log in with SAPGRC and password initial1 (for example).
4. In the Welcome screen:
   Enter the old password initial1 (for example).
   Enter the new password initial2 (for example).
   Confirm the password initial2 (for example).
5. Choose the Change button. Ignore the error messages that appear.
6. Click Log Off at the top right pane.
7. Repeat steps 1 to 6 for the User IDs in the table below.

User | User ID
Mae Wong | MWONG
Fox Wilson | FWILSON
Brian Law | BLAW
John Murphy | JMURPHY
WEBUSER | WEBUSER
Cyrus Perkins | CPERKINS

Integration Point: Make a note that the user id WEBUSER and its new password are used in the configuration steps in the remaining building blocks.

6 Static Text to Risk Analysis and Remediation


6.1 Download Text from SAP
Use
This step is to create one text file with descriptions for objects, transactions, fields, values and organizational levels.

For development testing, this can be done once but should be done periodically in a Production box.

Procedure
1. Log onto the SAP ERP system.
2. Enter transaction code SE38. The ABAP Editor: Initial Screen is displayed.
3. In the Program field, enter /VIRSA/ZCC_DOWNLOAD_DESC.
4. Choose the Execute button.
5. Enter the file path where you want to download the text file and the name of the file in the Local File field (for example, C:\GRC_US_V1530\misc\textdescriptions.txt).
6. Choose the Execute button.

The text file contains the following items:
- Transaction descriptions (ACT) from table TSTCT
- Field Descriptions (FLD) from DD03T
- Organizational Level descriptions from USORG/USVAR
- Object descriptions (PRM) from TBOJT
- Field Values descriptions (VAL)

Data is downloaded in the language designated during sign on. To download multiple languages for upload to Risk Analysis and Remediation, log off, log on in another language, and run the download text program again. Repeat for every language.

7 Authorization Objects
7.1 Download Data from SAP
Use
This step creates a text file with the SU24 check/maintain data from USOBT_C.

Procedure
1. Log onto the SAP ERP system.
2. Enter transaction code SE38. The ABAP Editor: Initial Screen is displayed.
3. In the Program field, enter /VIRSA/ZCC_DOWNLOAD_SAPOBJ.
4. Choose the Execute button.
5. Enter the file path where you want to download the text file and the name of the file in the Local File field (for example, C:\GRC_US_V1530\misc\USOBT_C.txt).

Integration Point: This file will be uploaded in the building block 678.2.

6. Choose the Execute button.

The file contains Check/Maintain objects, fields, and default values from USOBT_C.

Result
Your base setup is complete. Proceed to the next building block to continue with the configuration of Access Control 5.3.
