Sie sind auf Seite 1von 76

www.keylabstraining.com

www.keylabstraining.com GRC 10 ONLINE TRAINING info@keylabstraining.com USA: +1-908-366-7933 India: +91-9550645679 Skype : keylabstraining

GRC 10 ONLINE TRAINING

info@keylabstraining.com USA: +1-908-366-7933 India: +91-9550645679 Skype : keylabstraining

www.keylabstraining.com

ACCESS CONTROL 10.0: INTRODUCTION

Access Control 10.0: Introduction

SAP BusinessObjects Access Control is an enterprise software application that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance.

The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, superuser maintenance, and periodic compliance certifications. It delivers immediate visibility of the current risk situation with real-time data.

Access Control 10.0 is part of newly released SAP Governance Risk & Compliance (GRC) 10.0 which also comprised of Process control 10.0, Risk Management 10.0 and Global Trade Services.

The greatest value in GRC 10.0 is the Harmonization of Access Control, Process Control and Risk

management which ultimately results in shared processes, data and user interface with reduction in redundancy.

www.keylabstraining.com ACCESS CONTROL 10.0: INTRODUCTION Access Control 10.0: Introduction SAP BusinessObjects Access Control is an enterprise

www.keylabstraining.com

ACCESS CONTROL 10.0: LANDSCAPE

www.keylabstraining.com ACCESS CONTROL 10.0: LANDSCAPE
www.keylabstraining.com ACCESS CONTROL 10.0: LANDSCAPE

Front end:

www.keylabstraining.com

The front-end needs a web browser or (optionally) a client installation of the NetWeaver Business Client The web browser can be used to access the embedded NWBC or GRC via the NetWeaver Portal The Adobe flash player 10 is used for displaying dashboards e.g. RM heat mapOverview of SAP BusinessObjects Access Control 10.0 SAPGUI 7.10 PL 15 or higher is required for administration or customizing tasks –note that SAPGUI 7.20 is recommended due to the end-of-maintenance of SAPGUI 7.10 The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.

Portal:

www.keylabstraining.com

The NetWeaver Portal 7.02 can be used optionally The GRC Portal Content contains the GRC Portal UI elements to access the GRC suite The Portal’s AS Java can contain an Adobe Document Services instance, in effect Portal and ADS may be shared on one AS Java instance ERP and Non SAP Business Applications:

The GRC solutions can communicate with SAP ERP and non-SAP business applications via plug-ins NW Function Modules hold the AC functions for ERP systems without HR (former non-HR RTA) PC relevant features are contained in the plug-in GRCPIERP, for example, for running automated controls and the HR relevant functions for AC (former HR RTA) GTS functions are part of the SLL-PI plug-in, for example, for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERP Non-SAP ERP systems can also be connected via adapters from an SAP Partner company

BI Content:

www.keylabstraining.com

NetWeaver BW can be used for reporting via the GRC BI Content The GRC BI Content is part of BI Content 7.06 NetWeaver BW 7.02 is used for the GRC BI Content. Identity Management:

AC can be integrated bi-directionally to IdM solutions for provisioning and risk analysis NetWeaver IdM7.2 is required for integrating with AC 10.0

Adobe Document Services:

An instance of Adobe Document Services (ADS) should be accessible from the GRC AS ABAP for generating offline forms . Although it is technically optional, it is highly recommended for generating PDF reports These ADS can be an existing instance and can also be shared with other applications The Portal’s AS Java can contain an Adobe Document Services instance, so Portal and ADS may be shared on one AS Java instance.

www.keylabstraining.com

NEW AND ENHANCED FEATURES:

1) Enhanced Visualization and Streamlined Navigation – This enhancement provides a common look and feel with configurable role-based user access for GRC functions from the SAP Portal or SAP

NetWeaver Business Client (NWBC). Streamlined user navigation with shared work centers emphasizes function rather than component. This significantly reduces duplication of menu items

(e.g., one inbox, not three) and makes possible sharing of data and functions. Menu items seen by the individual user within each work center is controlled by the user’s GRC role(s). This also enables

data shared across components to be viewed differently by different users

www.keylabstraining.com NEW AND ENHANCED FEATURES: 1) Enhanced Visualization and Streamlined Navigation – This enhancement provides a

www.keylabstraining.com

NEW AND ENHANCED FEATURES:

Improved Reporting – GRC reporting leverages the Business Suite ABAP List Viewer (ALV) –

Crystal integration framework to present and personalize ABAP (WebDynpro) reports and convert into Crystal reports. This lowers the TCO and extends the benefits of Crystal without the need for a separate BOE server. It also reduces the time spent by business users on reporting needs. Custom Crystal reports with embedded graphics can also be created easily with Crystal Designer.

www.keylabstraining.com NEW AND ENHANCED FEATURES:  Improved Reporting – GRC reporting leverages the Business Suite ABAP

www.keylabstraining.com

SEPARATION OF DUTIES

Separation of duties (SoD) is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task shall prevent from fraud and error. The concept is alternatively called segregation of duties

www.keylabstraining.com SEPARATION OF DUTIES Separation of duties (SoD) is the concept of having more than onefraud and error . The concept is alternatively called segregation of duties " id="pdf-obj-8-13" src="pdf-obj-8-13.jpg">

www.keylabstraining.com

SOD RISK MANAGEMENT PROCESS OVERVIEW

SAP has developed a three-phase approach to risk management. By applying this method, it is possible to implement a process for segregation of duties (SoD) risk management.The process begins by defining the risks, and building and validating rules.

www.keylabstraining.com SOD RISK MANAGEMENT PROCESS OVERVIEW SAP has developed a three-phase approach to risk management. By
www.keylabstraining.com SOD RISK MANAGEMENT PROCESS OVERVIEW SAP has developed a three-phase approach to risk management. By

www.keylabstraining.com

SOD RISK MANAGEMENT PROCESS OVERVIEW

www.keylabstraining.com SOD RISK MANAGEMENT PROCESS OVERVIEW
www.keylabstraining.com SOD RISK MANAGEMENT PROCESS OVERVIEW

www.keylabstraining.com

Segregation of Duties and Critical Actions:

In a Sarbanes Oxley Act regulated environment, business need to define their access controls based on segregation of duties (SoD). In some cases, it is challenging to define SoDs because in many cases, processes are shared among business areas. Below are examples of risks in non- segregated duties

www.keylabstraining.com Segregation of Duties and Critical Actions: In a Sarbanes Oxley Act regulated environment, business need

www.keylabstraining.com

Rule Building and Validation :

After risk recognition, the second step in Phase One of the SoD Risk Management process is Rule Building and Validation.

www.keylabstraining.com

www.keylabstraining.com

www.keylabstraining.com

Rule Building Process:

Rules include risks, functions, and business processes. The main components of the rule building process are shown below. Access Control automatically generates the rules as permutations of the different actions and permissions derived from the combined functions.

www.keylabstraining.com Rule Building Process: Rules include risks, functions, and business processes. The main components of the

www.keylabstraining.com

Functions:

Functions include specific actions commonly used for a job role or set of tasks, for example Maintain General Ledger Master Records or Post Journal Entry. Authorization to perform certain combinations of functions results in a risk.

www.keylabstraining.com Functions: Functions include specific actions commonly used for a job role or set of tasks,

Rule Structure:

www.keylabstraining.com

Actions and permissions combine to form functions. Functions in certain combinations result in a risk. Risks are associated with business processes and all the components come together to form rules. Rules are collected in a rule set.

Rule Structure: www.keylabstraining.com Actions and permissions combine to form functions. Functions in certain combinations result in

www.keylabstraining.com

PHASE TWO OVERVIEW

The purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risk. Risk Analysis During Risk Analysis, perform a security analysis to identify risks for:

Simple roles Composite roles Users

Review the roles to determine how certain personnel might be restricted from performing undesired activities by checking:

Objects

Fields

Values

www.keylabstraining.com

PHASE 2 FIGURE

www.keylabstraining.com PHASE 2 FIGURE

www.keylabstraining.com

RISK REMEDIATION OVERVIEW

The purpose of the remediation phase is to determine alternatives for eliminating issues in roles. The recommended approach is to resolve issues in the following order:

Single roles This is the simplest place to start Prevents SoD violations from being reintroduced Composite roles Users

Risk Remediation Use a simulation to perform a "what if" analysis on the assignment or removal of user actions Use the Management view or Risk Analysis reports for analysis Security Administrators should document the plan Business Process Owners should be involved and approve the plan

Simulation

Simulation allows you to preview the result of changes to roles and user

actions to see if your changes create new risk situations before implementing them Decide whether to add or remove a value

www.keylabstraining.com

MITIGATION CONTROLS

www.keylabstraining.com MITIGATION CONTROLS

www.keylabstraining.com

EXAMPLES OF MITIGATION CONTROLS

Examples of Mitigation Controls Review of strategies and authorization limits Review of user logs Review of exception reports

Detailed variance analysis Establish insurance to cover impact of a security incident

Types of Mitigation Controls

Preventative Controls: minimize the likelihood or impact of a risk before it actually occurs Detective Controls: alert when a risk takes place and enable the responsible person to initiate corrective measures Best Practices

Segregate creation and approval from assignment Use mitigation as a last resort for exceptions left over from remediation efforts that have legitimate business reasons to not use SoD controls

www.keylabstraining.com

CONTINUOUS COMPLIANCE

www.keylabstraining.com CONTINUOUS COMPLIANCE

www.keylabstraining.com

THE GRC ARCHITECTURE

GRC solutions share a common technology platform and can be installed on a single NetWeaver ABAP system.

www.keylabstraining.com THE GRC ARCHITECTURE GRC solutions share a common technology platform and can be installed on

GRC COMPONENTS

www.keylabstraining.com

ComponentsGRC 10.0 runs on AS ABAP 7.02 SP6 or higher. The installation components are broken out as follows:

Access Control, Process Control, and Risk Management are contained in one ABAP add-on GRCFND_A Global Trade Services resides in a separate add-on SLL-LEG

GRC COMPONENTS www.keylabstraining.com ComponentsGRC 10.0 runs on AS ABAP 7.02 SP6 or higher. The installation components

Nota Fiscal Eletronica has its own add-on SLL-NFE Content Lifecycle Management (CLM) contains functions for transporting GRC business data, for example, Access Control rules or Process Control controls. CLM has the same version requirements as the GRC 10.0 solution and is installed during the GRC installation. CLM can be disabled if not required.

www.keylabstraining.com

ACCESS CONTROL 10.0 ARCHITECTURE

NetWeaver ABAP is the underlying platform

Harmonized with the other GRC 10.0 applications Leverages existing NWABAP investments:

Role comparison at Action or Permission level Comparison between roles within Access Control Harmonization with Process Control and Risk Management allows users to leverage master data

www.keylabstraining.com ACCESS CONTROL 10.0 ARCHITECTURE NetWeaver ABAP is the underlying platform Harmonized with the other GRC

www.keylabstraining.com

ACCESS CONTROL ARCHITECTURE COMPONENTS

Access Control constitutes a set of core components:

Access Risk Analysis and Management

Compliance Certification Review

Role Management

Role Mining

Superuser Access Management

Access Control Repository

www.keylabstraining.com

GRC COMMON COMPONENTS

Access Control uses a set of GRC common components as part of the harmonization of the GRC suite. These components are also available to Process Control and Risk Management:

GRC Master Data

Workflow

Reports and Dashboards

www.keylabstraining.com

NETWEAVER COMPONENTS

Access Control uses ABAP Web Dynpro as the user interface or UI technology.

The GRC solution can be presented to end users by using either NWBC (NetWeaver Business Client) or through the use of SAP Portal.

Configuration for Access Control is executed using the SAP IMG via the SAP GUI, which is common across the GRC suite.

Access Control connects to SAP and non-SAP systems with adapter or IdM systems using the integration framework.

The ABAP database is the common repository for all Access Control data.

www.keylabstraining.com

www.keylabstraining.com

www.keylabstraining.com

SECURITY AND AUTHORIZATIONS

You are planning a solution and must be able to explain object-level security, authorization requirements, and identify delivered roles and security objects.

Object-Level Security

Object-Level Security gives you the ability to limit access for end users to what they need to see at a granular level. you can limit access by function, risk, user, or anyother authorization objects available within role maintenance.

www.keylabstraining.com SECURITY AND AUTHORIZATIONS You are planning a solution and must be able to explain object-level

Authorizations

www.keylabstraining.com

To configure the IMG, you need:

PFCG role(s) relative to specific components to be configured

PFCG role(s) sufficient to configure SAP workflow and other non-GRC technologies

PFCG role(s) on GRC and non-GRC systems to set up Continuous Monitoring

To access GRC 10.0 solutions, you must have at least the following:

Portal authorization or NWBC authorization

Applicable PFCG base roles

www.keylabstraining.com

PFCG role(s) relative to specific components (AC, PC, RM) to be used

Using Access Control with GRC Solutions

If you use Access Control with other GRC solutions, you can leverage this functionality to:

Manage PFCG roles used with GRC

Create GRC users

Assign GRC PFCG roles to users

Perform SoD analysis for PFCG role authorizations

Assignment of entity-level authorization (via application role assignment) and ticket-based authorization (via substitution or transfer) must be done in the respective component.

www.keylabstraining.com

INSTALLATION

Installation Prerequisites –Server

NetWeaver AS ABAP 7.02 SP6 or higher

Installation Prerequisites –Back-end

For ERP systems that will install Access Control Plug-In the

following prerequisites must be met:

For SAP ERP system 4.6C, the system must be at SAP_BASIS Support Pack 55 For SAP ERP 4.70 system, the system must be at SAP_BASIS Support Pack 63

For ERP 2004 system, the system must be at SAP BasisSupport Pack

18

For ERP 6.0 system, the system must be at SAP_BASIS Support Pack 13

For NetWeaver systems that will install Access Control Plug-In the following prerequisites must be met:

For SAP Basis 4.6C, the system must be at SAP_BASIS Support Pack 55

For NW 6.20 system, the system must be at SAP_BASIS Support Pack

63

For NW 6.40 system, the system must be at SAP_BASIS Support Pack

www.keylabstraining.com

WHERE TO OBTAIN THE GRC 10.0 SOFTWARE

http://service.sap.com/swdc

www.keylabstraining.com WHERE TO OBTAIN THE GRC 10.0 SOFTWARE http://service.sap.com/swdc

www.keylabstraining.com

CONTENT OF THE INSTALLATION ZIP

www.keylabstraining.com CONTENT OF THE INSTALLATION ZIP

www.keylabstraining.com

ACCESS CONTROL INSTALLATION NOTES

Installation Notes

SAP Note 1490996: Install SAP GRC Access Control 10.0 on SAP NW 7.02 SAP Note 1500168: Install SAP GRC Access Control 10.0 Plug- In on SAP BASIS 46C NW SAP Note 1497971: Install SAP GRC Access Control 10.0 Plug- In on SAP BASIS 620 NW SAP Note 1501882: Install SAP GRC Access Control 10.0 Plug- In on SAP BASIS 640 NW SAP Note 1500689: Install SAP GRC Access Control 10.0 Plug- In on SAP BASIS 700 NW SAP Note 1503749:Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 710 NW SAP Note 1500169: Install SAP GRC Access Control 10.0 Plug- In on SAP BASIS 46C ERP SAP Note 1497972: Install SAP GRC Access Control 10.0 Plug- In on SAP BASIS 620 ERP

www.keylabstraining.com

INSTALLATION OF MAIN COMPONENTS OFAC/PC/RM 10.0

General Steps:

1.Main installation components:

GRCFND_A 2.Download the installation packages from Service Marketplace 3.Install with the transaction SAINT 4.Follow the detailed

instructions from the SAP Note

1490996

5.Apply the most recent

Support Packages

www.keylabstraining.com INSTALLATION OF MAIN COMPONENTS OFAC/PC/RM 10.0 General Steps: 1.Main installation components: GRCFND_A 2.Download the installation

INSTALLATION OF PLUG-IN FOR AC/PC 10.0 ON ERP

General Steps:

1.Main installation

components:

GRCPINW

GRCPIERP

2.Download the installation

packages from SMP

3.Install with the transaction

SAINT

4.Follow the detailed

instructions from the SAP

Notes 1500689 and 1500690

5.Apply the necessary Support

Packages if there is any

INSTALLATION OF PLUG-IN FOR AC/PC 10.0 ON ERP General Steps: 1.Main installation components:  GRCPINW 

Note: Plug-Ins vary depending

Attention:The AC 10.0 plug-ins will upgrade any existing RTA

on back end ERP system.

from previous AC releases.

This means that any AC instance on running 5.X will stop

working after the plug-ins

www.keylabstraining.com

are installed.

www.keylabstraining.com

GRC 10.0 POST-INSTALLATION

1.Client Copy

2.Activating Applications in Client

3.Check SAP ICF Services

4.Activating BC Sets

5.Creating the Initial User in the ABAP System

6.Activate Profile of Roles Delivered by SAP

7.Activate Common Workflow

CLIENT COPY

www.keylabstraining.com

T-code which starts from SCC*

  • 1. Choose Administration --> System administration -->

Administration >Client admin.>Client Copy-->Local Copy.

  • 2. Select a copy profile.

  • 3. Enter the source client.

click the tick mark it will take some time ....

you can refer the link below

www.keylabstraining.com

ACTIVATING APPLICATIONS IN CLIENT

Call the customizing

with transaction SPRO

Choose SAP

Reference IMG

Expand the

Governance, Risk and

Compliance > General

Settings node and

choose Activate

Applications in

Choose New Entries

Client

www.keylabstraining.com ACTIVATING APPLICATIONS IN CLIENT Call the customizing with transaction SPRO Choose SAP Reference IMG Expand
www.keylabstraining.com ACTIVATING APPLICATIONS IN CLIENT Call the customizing with transaction SPRO Choose SAP Reference IMG Expand

www.keylabstraining.com

ACTIVATING APPLICATIONS IN CLIENT

Click the first row and select the GRC solution(s)

required for your project

Then choose the Activecheckbox

Click Save

Note: you may have to create a transport

request

EXAMPLE IS OF GRC –PC,YOU MAY NEED AC

IF YOU NEED ONLY ACCCESS CONTROL

www.keylabstraining.com ACTIVATING APPLICATIONS IN CLIENT Click the first row and select the GRC solution(s) required for
www.keylabstraining.com ACTIVATING APPLICATIONS IN CLIENT Click the first row and select the GRC solution(s) required for

www.keylabstraining.com

CHECK SAP ICF SERVICES

Call transaction SICF

www.keylabstraining.com CHECK SAP ICF SERVICES Call transaction SICF Click the Execute icon

Click the Execute icon

www.keylabstraining.com CHECK SAP ICF SERVICES Call transaction SICF Click the Execute icon

www.keylabstraining.com

CHECK SAP ICF SERVICES

Expand the node default_host-> sap

-> public

Right click publicand choose

Activate Service

Choose Activate Service for all

sub-nodes
sub-nodes
www.keylabstraining.com CHECK SAP ICF SERVICES Expand the node default_host-> sap -> public Right click publicand choose

www.keylabstraining.com

CHECK SAP ICF SERVICES

Proceed likewise with the node

default_host-> sap -> bc

Activate all sub-nodes too

www.keylabstraining.com CHECK SAP ICF SERVICES Proceed likewise with the node default_host-> sap -> bc Activate all

www.keylabstraining.com

CHECK SAP ICF SERVICES

Now activate the node default_host->

sap -> grc

Also activate all sub-nodes

www.keylabstraining.com CHECK SAP ICF SERVICES Now activate the node default_host-> sap -> grc Also activate all

www.keylabstraining.com

ACTIVATING BC SETS

Call transaction SPRO again

Click SAP Reference IMG

Click Existing BC Sets in the next

screen

www.keylabstraining.com ACTIVATING BC SETS Call transaction SPRO again Click SAP Reference IMG Click Existing BC Sets

www.keylabstraining.com

ACTIVATING BC SETS

Select a BC Set

Click “BC Sets for Activity”

www.keylabstraining.com ACTIVATING BC SETS Select a BC Set Click “BC Sets for Activity”

www.keylabstraining.com

ACTIVATING BC SETS

From the menu choose Goto >Activation Transaction

These BC sets can also be activated via transaction code

SCPR20

www.keylabstraining.com ACTIVATING BC SETS From the menu choose Goto >Activation Transaction These BC sets can also

www.keylabstraining.com

ACTIVATING BC SETS

Activate the corresponding BC sets.

Proceed likewise for all required PC, RM, and/or AC BC sets

For a complete list of BC Sets please refer to the PC/RM/AC install

guide!

NOTE:BELOW EXAMPLE IS FOR ACTIVATION ON TIME FRQUENCY

FOR GRCPC:PROCESS CONTROL.

www.keylabstraining.com ACTIVATING BC SETS Activate the corresponding BC sets. Proceed likewise for all required PC, RM,

www.keylabstraining.com

ACTIVATING BC SETS

When activating always use “Expert” mode

www.keylabstraining.com ACTIVATING BC SETS When activating always use “Expert” mode

www.keylabstraining.com

CREATING THE INITIAL USER IN THE ABAP SYSTEM

Call transaction SU01, create a user

Assign following role to access GRC applications, such as AC

SAP_GRC_FN_BASE

Assign following power user role to the person doing the

customization of the product

SAP_GRC_FN_ALL

Assign following role to the business users

SAP_GRC_FN_BUSINESS_USER

Assign following role if you use NWBC as front end UI instead

of Portal

SAP_GRC_NWBC

www.keylabstraining.com

ACTIVATE PROFILE OF ROLES DELIVERED BY SAP

•Activate profile of roles delivered by SAP via

transaction PFCG if you want to use them directly

•For the list of the roles, please refer to Security

Guide -here is an example of the SAP-GRC-NWBC

role

•Please use transaction “SUPC” for mass profile

generation in case you want to generate profiles

www.keylabstraining.com ACTIVATE PROFILE OF ROLES DELIVERED BY SAP •Activate profile of roles delivered by SAP via

for multiple roles

www.keylabstraining.com

ACTIVATE COMMON WORKFLOW

Call transaction SPROagain

Click SAP Reference IMG

Access Workflow node under Governance,

Risk and Compliance > General Settings

Execute Perform Automatic Workflow

Customizing

www.keylabstraining.com ACTIVATE COMMON WORKFLOW Call transaction SPROagain Click SAP Reference IMG Access Workflow node under Governance,

www.keylabstraining.com

ACTIVATE COMMON WORKFLOW PERFORM AUTOMATIC WORKFLOW CUSTOMIZING

Execute Perform

Automatic Workflow

Customizing

Make sure that all tasks are

green after the generation

as show in the screenshot

Note: you may have to

create a transport request

During the activation

procedure you might

receive an error message,

then check the created

system user „WF-BATCH“ in

SU01 if the user has

sufficient roles assigned –

see SAP Note 1251255and

the GRC Security Guide.

You may need to run

program RHSOBJCH to fix

www.keylabstraining.com ACTIVATE COMMON WORKFLOW PERFORM AUTOMATIC WORKFLOW CUSTOMIZING Execute Perform Automatic Workflow Customizing Make sure that

www.keylabstraining.com

ACTIVATE COMMON WORKFLOW PERFORM AUTOMATIC WORKFLOW CUSTOMIZING

Maintain the Prefix Numbers to your needs or like

shown in the screenshot

www.keylabstraining.com ACTIVATE COMMON WORKFLOW PERFORM AUTOMATIC WORKFLOW CUSTOMIZING Maintain the Prefix Numbers to your needs or

www.keylabstraining.com

ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING

Execute PerformTask- Specific Customizing Expand the GRCnode. Click the Assign Agents link at the right side
Execute
PerformTask-
Specific
Customizing
Expand the
GRCnode.
Click the
Assign
Agents link
at the right
side of the
GRCnode.

Note: if no folders are visible below the “GRC“ folder please run

report “RS_APPL_REFRESH” in SE38

www.keylabstraining.com

ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING

Assign Task as General

Task via Task Attribute.

Make sure all tasks that

are not using Background

task have been assigned

as General Task.

www.keylabstraining.com ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING Assign Task as General Task via Task Attribute. Make

www.keylabstraining.com

ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING

www.keylabstraining.com ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING k Activate event linking

k Activate event linking

www.keylabstraining.com

ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING

Click the Properties icon

Set the Linkage Status to No

errors

Make sure Event linkage

activated is checked.

Set Error feedback to Do not

change linkage

Be sure to activate all WS.

www.keylabstraining.com ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING Click the Properties icon Set the Linkage Status to
www.keylabstraining.com ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING Click the Properties icon Set the Linkage Status to

www.keylabstraining.com

ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING

Repeat the first four steps to

activate the solutions you need

(e.g. for Access Control “GRC-

AC”)

Note: task-

specific

customizing for

GRC-AC is

notavailable in

case you have

the GRC plug-ins

installed in your

GRC system,

check the

Appendix for

www.keylabstraining.com ACTIVATE COMMON WORKFLOWPERFORM TASK- SPECIFIC CUSTOMIZING Repeat the first four steps to activate the solutions

perfomingthe

customizing in

www.keylabstraining.com

POST-INSTALLATION TO FIRST EMERGENCY ACCESS

Requirements

oAdding connector to SUPMG scenario

oCreating users and assigning roles

oVerifying time zones

Configuration

oMaintaining AC owners

oAssigning owners to firefighter IDs

oAssigning firefighter IDs and controllers to firefighters

oCreating reasons codes

Starting an emergency access session

Managing Logs

oRunning log collection

oViewing the firefighter reports

www.keylabstraining.com

MAINTAIN CONFIGURATION SETTINGS

www.keylabstraining.com MAINTAIN CONFIGURATION SETTINGS

www.keylabstraining.com

ADDING CONNECTOR TO SUPMG SCENARIO

To create access requests it is required to have the SUPMG

scenario linked to the connector, this is done via IMG:

www.keylabstraining.com ADDING CONNECTOR TO SUPMG SCENARIO To create access requests it is required to have the

www.keylabstraining.com

CREATING USERS AND ASSIGNING ROLES

Please create users and roles as needed. Remember to

synchronize again the repository (program

GRAC_REPOSITORY_OBJECT_SYNC ). These roles are

provided as examples and customer roles need to

be created based on their authorizations.

In the AC systemRole

Firefighter userSAP_GRAC_SUPER_USER_MGMT_USER

FirefightercontrollerSAP_GRAC_SUPER_USER_MGMT_CNTLR

FirefighterownerSAP_GRAC_SUPER_USER_MGMT_OWNER

In the target systemRole

Firefighter IDSAP_GRAC_SPM_FFID

In the AC system the Firefighter ID role is configured in

ParamID 4010 (Firefighter ID role name)

Reminder: end users will require also the roles

based on SAP_GRC_FN_BASEand

SAP_GRC_FN_BUSINESS_USER

www.keylabstraining.com

VERIFYING TIME ZONES

For logs to be properly captured the time zones in the

connected ERP systems need to be configured to

match the operating system and also the AC server

time zone. This is done in IMG under SAP

NetWeaverGeneral Settings Time Zones

Maintain System Settings

www.keylabstraining.com VERIFYING TIME ZONES For logs to be properly captured the time zones in the connected

www.keylabstraining.com

CONFIGURATION

Maintaining AC owners

Assigning owners to firefighter IDs

Assigning firefighter IDs and controllers to

firefighters

Creating reasons codes

www.keylabstraining.com

MAINTAINING AC OWNERS

Go to NWBC Access Management GRC Role

Assignments Access Control Owners and maintain the

controllers and owners as shown below:

www.keylabstraining.com MAINTAINING AC OWNERS Go to NWBC  Access Management  GRC Role Assignments  Access

After this is done it is possible to assign those to

FireFighterIDs.

www.keylabstraining.com

ASSIGNING OWNERS TO FIREFIGHTER IDS

In Access Management go to SuperuserAssignment and

click on Owners. Here owners are assigned to firefighter

IDs.

www.keylabstraining.com ASSIGNING OWNERS TO FIREFIGHTER IDS In Access Management go to SuperuserAssignment and click on Owners.

www.keylabstraining.com

ASSIGNING FIREFIGHTER IDS AND CONTROLLERS TO FIREFIGHTERS

Now you need to assign firefighter IDs and controllers

to users. This is done by going to

SuperuserAssignment Firefighter IDs

www.keylabstraining.com ASSIGNING FIREFIGHTER IDS AND CONTROLLERS TO FIREFIGHTERS Now you need to assign firefighter IDs and

Note: Multiple firefighter users and controllers can be

assigned to a multiple firefighter ID.

www.keylabstraining.com

CREATING REASONS CODES

The reason codes available for firefighter users are

maintained under Superuser Maintenance Reason

Codes

www.keylabstraining.com CREATING REASONS CODES The reason codes available for firefighter users are maintained under Superuser Maintenance

STARTING EMERGENCY ACCESS

Starting a firefighter session

Login to the AC system using the

firefighter user and launch

transaction GRAC_SPM

You will be able to connect to the

target system using the firefighter IDs

previously assigned

STARTING EMERGENCY ACCESS Starting a firefighter session Login to the AC system using the firefighter user

www.keylabstraining.com

www.keylabstraining.com

MANAGING LOGS

Running Log Collection

Viewing the firefighter reports

Running log collectionForeground mode

The foreground job for log collection can be executed from the “Update

Firefighter Log Button” which can be found in the following path:

Reports And Analytics Super User Management Reports Consolidated

Log Report
Log Report
www.keylabstraining.com MANAGING LOGS  Running Log Collection  Viewing the firefighter reports Running log collectionForeground mode

www.keylabstraining.com

RUNNING LOG COLLECTIONBACKGROUND MODE

The Background Job for Log Collection can be

scheduled periodically from SM36 using

program GRAC_SPM_LOG_SYNC_UPDATE.

www.keylabstraining.com RUNNING LOG COLLECTIONBACKGROUND MODE The Background Job for Log Collection can be scheduled periodically from

www.keylabstraining.com

THANK YOU KEYLABS

WWW. KEYLABSTRAINING.COM