GRC 10 Online Training
GRC 10
ACCESS CONTROL 10.0: LANDSCAPE
Overview of SAP BusinessObjects Access Control 10.0
Front end:
• The front end needs a web browser or (optionally) a client installation of the NetWeaver Business Client (NWBC).
• The web browser can be used to access the embedded NWBC, or GRC via the NetWeaver Portal.
• Adobe Flash Player 10 is used for displaying dashboards, e.g. the RM heat map.
• SAPGUI 7.10 PL 15 or higher is required for administration or customizing tasks; note that SAPGUI 7.20 is recommended because SAPGUI 7.10 has reached end of maintenance.
• The Crystal Reports Adapter (CRA) is required for viewing (GRC) Crystal Reports.
Portal:
• The NetWeaver Portal 7.02 can be used optionally.
• The GRC Portal Content contains the GRC Portal UI elements used to access the GRC suite.
• The Portal's AS Java can contain an Adobe Document Services (ADS) instance; in effect, Portal and ADS may be shared on one AS Java instance.
ERP and Non-SAP Business Applications:
• The GRC solutions communicate with SAP ERP and non-SAP business applications via plug-ins.
• The NW plug-in's function modules hold the AC functions for ERP systems without HR (the former non-HR RTA).
• PC-relevant features are contained in the plug-in GRCPIERP, for example for running automated controls, together with the HR-relevant functions for AC (the former HR RTA).
• GTS functions are part of the SLL-PI plug-in, for example for GTS integration into the Logistics, HR, FI/CO and/or HCM processes in SAP ERP.
• Non-SAP ERP systems can also be connected via adapters from an SAP partner company.
BI Content:
• NetWeaver BW can be used for reporting via the GRC BI Content.
• The GRC BI Content is part of BI Content 7.06.
• NetWeaver BW 7.02 is used for the GRC BI Content.
Identity Management:
• AC can be integrated bi-directionally with IdM solutions for provisioning and risk analysis.
• NetWeaver IdM 7.2 is required for integrating with AC 10.0.
NEW AND ENHANCED FEATURES:
Improved Reporting: GRC reporting leverages the Business Suite ABAP List Viewer (ALV)-Crystal integration framework to present and personalize ABAP (Web Dynpro) reports and convert them into Crystal reports. This lowers the TCO and extends the benefits of Crystal without the need for a separate BOE server. It also reduces the time spent by business users on reporting needs. Custom Crystal reports with embedded graphics can also be created easily with Crystal Designer.
SEPARATION OF DUTIES
SOD RISK MANAGEMENT PROCESS OVERVIEW
SAP has developed a three-phase approach to risk management. By applying this method, it is possible to implement a process for segregation of duties (SoD) risk management. The process begins by defining the risks, then building and validating rules.
Segregation of Duties and Critical Actions:
In a Sarbanes-Oxley Act regulated environment, businesses need to define their access controls based on segregation of duties (SoD). In some cases it is challenging to define SoDs, because processes are often shared among business areas. Below are examples of risks arising from non-segregated duties.
Rule Building and Validation:
After risk recognition, the second step in Phase One of the SoD Risk Management process is Rule Building and Validation.
Rule Building Process:
Rules include risks, functions, and business processes. The main components of the rule building process are shown below. Access Control automatically generates the rules as permutations of the different actions and permissions derived from the combined functions.
Functions:
Functions include specific actions commonly used for a job role or set of tasks, for example Maintain General Ledger Master Records or Post Journal Entry. Authorization to perform certain combinations of functions results in a risk.
Rule Structure:
Actions and permissions combine to form functions. Functions in certain combinations result in a risk. Risks are associated with business processes, and all the components come together to form rules. Rules are collected in a rule set.
PHASE TWO OVERVIEW
The purpose of this phase is to provide business process analysts and business process owners with alternatives for correcting or eliminating risk.
Risk Analysis
During Risk Analysis, perform a security analysis to identify risks for:
• Simple roles
• Composite roles
• Users
PHASE 2 FIGURE
RISK REMEDIATION OVERVIEW
The purpose of the remediation phase is to determine alternatives for eliminating issues in roles.
The recommended approach is to resolve issues in the following order:
• Single roles: this is the simplest place to start, and it prevents SoD violations from being reintroduced
• Composite roles
• Users
Risk Remediation
• Use a simulation to perform a "what if" analysis on the assignment or removal of user actions
• Use the Management view or Risk Analysis reports for analysis
• Security Administrators should document the plan
• Business Process Owners should be involved and approve the plan
Simulation
Simulation allows you to preview the result of changes to roles and user actions, to see whether your changes create new risk situations before implementing them. Decide whether to add or remove a value.
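The following Python is an added worked example, not code from the training deck or from SAP. It models the rule structure from the Rule Building and Rule Structure slides (actions form functions, combinations of functions form risks, risks expand into action-level rules collected in a rule set), then runs the Phase Two risk analysis for a simple role, a composite role and a user, and finally the "what if" simulation of a role assignment described above. All function, risk, role and user names, and the transaction codes used as actions, are constructed sample data, not SAP-delivered rule-set content.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Function:
    """A business function: a set of actions (here, transaction codes)."""
    name: str
    actions: frozenset


@dataclass(frozen=True)
class Risk:
    """A risk: a combination of functions that must not be held together."""
    risk_id: str
    process: str
    functions: tuple


# Constructed sample content (not the SAP-delivered rule set).
FUNCTIONS = {
    "VENDOR_MAINT": Function("Maintain Vendor Master", frozenset({"XK01", "XK02"})),
    "AP_INVOICE": Function("Post Vendor Invoice", frozenset({"FB60", "MIRO"})),
    "GL_MASTER": Function("Maintain General Ledger Master Records", frozenset({"FS00"})),
    "JE_POST": Function("Post Journal Entry", frozenset({"FB01", "FB50"})),
}
RISKS = [
    Risk("P001", "Procure to Pay", (FUNCTIONS["VENDOR_MAINT"], FUNCTIONS["AP_INVOICE"])),
    Risk("F001", "Finance", (FUNCTIONS["GL_MASTER"], FUNCTIONS["JE_POST"])),
]
SINGLE_ROLES = {  # single role -> actions it grants (constructed)
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_INVOICE": {"FB60"},
    "Z_GL_MASTER": {"FS00"},
    "Z_GL_POST": {"FB01", "FB50"},
}
COMPOSITE_ROLES = {"Z_AP_CLERK": ["Z_AP_VENDOR_MAINT", "Z_AP_INVOICE"]}
USER_ROLES = {"JDOE": ["Z_GL_MASTER"], "ASMITH": ["Z_AP_CLERK"]}


def build_rules(risk):
    """Expand one risk into action-level rules: one rule per way of picking a
    single action from each of the risk's functions (the permutation step the
    deck describes as automatic rule generation)."""
    return {(risk.risk_id, combo)
            for combo in product(*(sorted(f.actions) for f in risk.functions))}


def build_rule_set(risks):
    """The rule set is the union of every risk's rules."""
    return set().union(*(build_rules(r) for r in risks))


RULE_SET = build_rule_set(RISKS)


def violated_risks(actions, rule_set=RULE_SET):
    """Risk ids for which at least one rule is fully covered by `actions`."""
    actions = set(actions)
    return sorted({rid for rid, combo in rule_set if set(combo) <= actions})


def role_actions(role):
    """Actions granted by a single role, or by all members of a composite role."""
    if role in SINGLE_ROLES:
        return set(SINGLE_ROLES[role])
    return set().union(*(SINGLE_ROLES[s] for s in COMPOSITE_ROLES[role]))


def actions_for_roles(roles):
    return set().union(*(role_actions(r) for r in roles)) if roles else set()


def analyze_role(role):
    """Phase Two risk analysis for a simple or composite role."""
    return violated_risks(role_actions(role))


def analyze_user(user):
    """Phase Two risk analysis for a user (all assigned roles combined)."""
    return violated_risks(actions_for_roles(USER_ROLES.get(user, [])))


def simulate_assignment(user, add_roles=(), remove_roles=()):
    """'What if' simulation: which risks a proposed role change would introduce
    or resolve, evaluated without touching the real assignment."""
    current = set(USER_ROLES.get(user, []))
    proposed = (current | set(add_roles)) - set(remove_roles)
    before = set(violated_risks(actions_for_roles(current)))
    after = set(violated_risks(actions_for_roles(proposed)))
    return {"new_risks": sorted(after - before),
            "resolved_risks": sorted(before - after)}


if __name__ == "__main__":
    print("rules in rule set:", len(RULE_SET))
    print("Z_AP_CLERK:", analyze_role("Z_AP_CLERK"))
    print("ASMITH:", analyze_user("ASMITH"))
    print("JDOE + Z_GL_POST:", simulate_assignment("JDOE", add_roles=["Z_GL_POST"]))
```

The single roles in the sample are individually clean; the conflict only appears when the composite role Z_AP_CLERK (or a user holding it) combines the two conflicting functions, which is why the deck recommends analysing and remediating single roles first, then composite roles, then users.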
MITIGATION CONTROLS
EXAMPLES OF MITIGATION CONTROLS
THE GRC ARCHITECTURE
GRC solutions share a common technology platform and can be installed on a single NetWeaver ABAP system.
GRC COMPONENTS
GRC 10.0 runs on AS ABAP 7.02 SP6 or higher. The installation components are broken out as follows:
• Access Control, Process Control, and Risk Management are contained in one ABAP add-on: GRCFND_A
• Global Trade Services resides in a separate add-on: SLL-LEG
ACCESS CONTROL ARCHITECTURE COMPONENTS
Access Control constitutes a set of core components:
• Role Management
• Role Mining
GRC COMMON COMPONENTS
Access Control uses a set of GRC common components as part of the harmonization of the GRC suite. These components are also available to Process Control and Risk Management:
• Workflow
NETWEAVER COMPONENTS
• Access Control uses ABAP Web Dynpro as the user interface (UI) technology.
• The GRC solution can be presented to end users either through NWBC (NetWeaver Business Client) or through the SAP Portal.
• Configuration for Access Control is executed using the SAP IMG via the SAP GUI, which is common across the GRC suite.
• Access Control connects to SAP and non-SAP systems with adapters, or to IdM systems, using the integration framework.
• The ABAP database is the common repository for all Access Control data.
SECURITY AND AUTHORIZATIONS
You are planning a solution and must be able to explain object-level security and authorization requirements, and to identify the delivered roles and security objects.
Object-Level Security
Object-level security gives you the ability to limit end users' access to what they need to see, at a granular level. You can limit access by function, risk, user, or any other authorization object available within role maintenance.
Authorizations
To configure the IMG, you need:
• PFCG role(s) relating to the specific components (AC, PC, RM) to be used
If you use Access Control with other GRC solutions, you can leverage this functionality to:
INSTALLATION
Installation Prerequisites: Server
• NetWeaver AS ABAP 7.02 SP6 or higher
CONTENT OF THE INSTALLATION ZIP
ACCESS CONTROL INSTALLATION NOTES
Installation Notes
SAP Note 1490996: Install SAP GRC Access Control 10.0 on SAP NW 7.02
SAP Note 1500168: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 46C (NW)
SAP Note 1497971: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 620 (NW)
SAP Note 1501882: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 640 (NW)
SAP Note 1500689: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 700 (NW)
SAP Note 1503749: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 710 (NW)
SAP Note 1500169: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 46C (ERP)
SAP Note 1497972: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 620 (ERP)
SAP Note 1501880: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 640 (ERP)
SAP Note 1500690: Install SAP GRC Access Control 10.0 Plug-In on SAP BASIS 700 (ERP)
INSTALLATION OF MAIN COMPONENTS OF AC/PC/RM 10.0
General Steps:
1. Main installation component: GRCFND_A
2. Download the installation packages from Service Marketplace
3. Install with transaction SAINT
4. Follow the detailed instructions in SAP Note 1490996
5. Apply the most recent Support Packages
INSTALLATION OF PLUG-IN FOR AC/PC 10.0 ON ERP
General Steps:
1. Main installation components: GRCPINW and GRCPIERP
2. Download the installation packages from SMP
3. Install with transaction SAINT
4. Follow the detailed instructions in SAP Notes 1500689 and 1500690
5. Apply the necessary Support Packages, if there are any
CLIENT COPY
http://help.sap.com/printdocu/core/print46c/en/data/pdf/bcctscco/bcctscco.pdf
ACTIVATING APPLICATIONS IN CLIENT
• Call the customizing with transaction SPRO
• Choose SAP Reference IMG
• Expand the Governance, Risk and Compliance > General Settings node and choose Activate Applications in Client
• Choose New Entries
• Click the first row and select the GRC solution(s) required for your project
• Then choose the Active checkbox
• Click Save
Note: you may have to create a transport request
The example shown is for GRC-PC; you may need AC if you need only Access Control.
CHECK SAP ICF SERVICES
• Call transaction SICF
• Click the Execute icon
• Expand the node default_host -> sap -> public
• Right-click public and choose Activate Service
• Choose Activate Service for all sub-nodes
ACTIVATING BC SETS
• Call transaction SPRO again
• Click SAP Reference IMG
• Click Existing BC Sets in the next screen
• Select a BC Set
• Click "BC Sets for Activity"
• From the menu choose Goto > Activation Transaction
• These BC sets can also be activated via transaction code SCPR20
• Activate the corresponding BC sets
• Proceed likewise for all required PC, RM, and/or AC BC sets
• For a complete list of BC Sets please refer to the PC/RM/AC install guide!
• When activating, always use "Expert" mode
CREATING THE INITIAL USER IN THE ABAP SYSTEM
Assign the following power user role to the person doing the customization of the product:
• SAP_GRC_FN_ALL
Assign the following role if you use NWBC as the front-end UI instead of the Portal:
• SAP_GRC_NWBC
ACTIVATE PROFILE OF ROLES DELIVERED BY SAP
• Activate the profiles of the roles delivered by SAP via transaction PFCG if you want to use them directly
• For the list of the roles, please refer to the Security Guide; here is an example of the SAP_GRC_NWBC role
• Please use transaction "SUPC" for mass profile generation in case you want to generate profiles for multiple roles
ACTIVATE COMMON WORKFLOW
• Call transaction SPRO again
• Click SAP Reference IMG
• Access the Workflow node under Governance, Risk and Compliance > General Settings
• Execute Perform Automatic Workflow Customizing
ACTIVATE COMMON WORKFLOW: PERFORM AUTOMATIC WORKFLOW CUSTOMIZING
• Execute Perform Automatic Workflow Customizing
• Make sure that all tasks are green after the generation, as shown in the screenshot
• Note: you may have to create a transport request
• If you receive an error message during the activation procedure, check in SU01 whether the created system user "WF-BATCH" has sufficient roles assigned; see SAP Note 1251255 and the GRC Security Guide
• You may need to run program RHSOBJCH to fix the HR control tables
• Maintain the Prefix Numbers to your needs, or as shown in the screenshot
ACTIVATE COMMON WORKFLOW: PERFORM TASK-SPECIFIC CUSTOMIZING
• Execute Perform Task-Specific Customizing
• Expand the GRC node
• Click the Assign Agents link at the right side of the GRC node
• Note: if no folders are visible below the "GRC" folder, please run report "RS_APPL_REFRESH" in SE38
• Click Activate event linking
• Click the Properties icon
• Set the Linkage Status to No errors
• Make sure Event linkage activated is checked
• Set Error feedback to Do not change linkage
• Be sure to activate all WS
• Note: task-specific customizing for GRC-AC is not available if you have the GRC plug-ins installed in your GRC system; check the Appendix for performing the customizing in this case
POST-INSTALLATION TO FIRST EMERGENCY ACCESS
• Requirements
  o Adding the connector to the SUPMG scenario
  o Creating users and assigning roles
  o Verifying time zones
• Configuration
  o Maintaining AC owners
  o Assigning owners to firefighter IDs
  o Assigning firefighter IDs and controllers to firefighters
  o Creating reason codes
• Starting an emergency access session
• Managing Logs
  o Running log collection
  o Viewing the firefighter reports
MAINTAIN CONFIGURATION SETTINGS
ADDING CONNECTOR TO SUPMG SCENARIO
To create access requests, the SUPMG scenario must be linked to the connector; this is done via the IMG:
CREATING USERS AND ASSIGNING ROLES
In the AC system: Role
• Firefighter user: SAP_GRAC_SUPER_USER_MGMT_USER
• Firefighter controller: SAP_GRAC_SUPER_USER_MGMT_CNTLR
• Firefighter owner: SAP_GRAC_SUPER_USER_MGMT_OWNER
In the target system: Role
• Firefighter ID: SAP_GRAC_SPM_FFID
In the AC system the Firefighter ID role is configured in ParamID 4010 (Firefighter ID role name).
Reminder: end users will also require the roles based on SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.
VERIFYING TIME ZONES
For logs to be captured properly, the time zones in the connected ERP systems need to be configured to match the operating system and also the AC server time zone. This is done in the IMG under SAP NetWeaver > General Settings > Time Zones > Maintain System Settings.
CONFIGURATION
• Maintaining AC owners
• Assigning owners to firefighter IDs
• Assigning firefighter IDs and controllers to firefighters
• Creating reason codes
MAINTAINING AC OWNERS
Go to NWBC > Access Management > GRC Role Assignments > Access Control Owners and maintain the controllers and owners as shown below:
ASSIGNING OWNERS TO FIREFIGHTER IDS
In Access Management go to Superuser Assignment and click on Owners. Here owners are assigned to firefighter IDs.
ASSIGNING FIREFIGHTER IDS AND CONTROLLERS TO FIREFIGHTERS
Now you need to assign firefighter IDs and controllers to users. This is done by going to Superuser Assignment > Firefighter IDs.
CREATING REASON CODES
The reason codes available for firefighter users are maintained under Superuser Maintenance > Reason Codes.
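As an added example (not code from the training deck or from SAP), the following Python runs a pre-flight check over a constructed model of the emergency-access setup described in the Requirements and Configuration slides above: every firefighter ID has an owner who is maintained as an AC owner and holds the SAP_GRAC_SPM_FFID role in its target system, every firefighter has a firefighter ID and a controller, at least one reason code exists, and each connector's time zone matches the AC server so that log timestamps line up. The configuration dictionary layout, and all user ids, firefighter ids, connector names and time zones, are constructed sample values; only the role name SAP_GRAC_SPM_FFID comes from the deck.

```python
# Role that a firefighter ID must hold in the target system (from the deck).
FFID_ROLE_TARGET = "SAP_GRAC_SPM_FFID"


def check_emergency_access_setup(cfg):
    """Return a list of findings for a firefighter configuration; an empty list
    means every dependency the deck lists is satisfied. `cfg` is a constructed
    dictionary layout, not an SAP export format."""
    findings = []
    # Reason codes are selected when a session starts; none means no session.
    if not cfg.get("reason_codes"):
        findings.append("no reason codes maintained; firefighters cannot start a session")
    ac_owners = set(cfg.get("ac_owners", []))          # maintained AC owners
    owners = cfg.get("owners", {})                     # ffid -> owner user
    controllers = cfg.get("controllers", {})           # firefighter -> controller user
    firefighter_ids = cfg.get("firefighter_ids", {})   # firefighter -> [ffid, ...]
    target_roles = cfg.get("target_roles", {})         # ffid -> roles in target system
    for ffid, target in cfg.get("ffid_systems", {}).items():
        if ffid not in owners:
            findings.append(f"{ffid}: no owner assigned")
        elif owners[ffid] not in ac_owners:
            findings.append(f"{ffid}: owner {owners[ffid]} is not maintained as an AC owner")
        if FFID_ROLE_TARGET not in target_roles.get(ffid, []):
            findings.append(f"{ffid}: missing role {FFID_ROLE_TARGET} in {target}")
    for firefighter, ids in firefighter_ids.items():
        if not ids:
            findings.append(f"{firefighter}: no firefighter ID assigned")
        if firefighter not in controllers:
            findings.append(f"{firefighter}: no controller assigned")
    # Log collection relies on matching time zones between connector and AC server.
    ac_tz = cfg["ac_server_timezone"]
    for connector, tz in cfg.get("connector_timezones", {}).items():
        if tz != ac_tz:
            findings.append(f"{connector}: time zone {tz} differs from AC server {ac_tz}; "
                            "log timestamps will not align")
    return findings


# Constructed sample: an incomplete setup with several gaps.
INCOMPLETE_CONFIG = {
    "reason_codes": [],
    "ac_owners": ["OWNER1"],
    "owners": {"FF_FIN_01": "OWNER1"},
    "ffid_systems": {"FF_FIN_01": "ERPCLNT100", "FF_MM_01": "ERPCLNT100"},
    "target_roles": {"FF_FIN_01": [FFID_ROLE_TARGET], "FF_MM_01": []},
    "firefighter_ids": {"JDOE": ["FF_FIN_01"]},
    "controllers": {},
    "ac_server_timezone": "UTC",
    "connector_timezones": {"ERPCLNT100": "CET"},
}

# Constructed sample: the same setup with every gap closed.
COMPLETE_CONFIG = {
    "reason_codes": ["INCIDENT"],
    "ac_owners": ["OWNER1"],
    "owners": {"FF_FIN_01": "OWNER1"},
    "ffid_systems": {"FF_FIN_01": "ERPCLNT100"},
    "target_roles": {"FF_FIN_01": [FFID_ROLE_TARGET]},
    "firefighter_ids": {"JDOE": ["FF_FIN_01"]},
    "controllers": {"JDOE": "CTRL1"},
    "ac_server_timezone": "UTC",
    "connector_timezones": {"ERPCLNT100": "UTC"},
}

if __name__ == "__main__":
    for finding in check_emergency_access_setup(INCOMPLETE_CONFIG):
        print("-", finding)
    print("complete setup findings:", check_emergency_access_setup(COMPLETE_CONFIG))
```

Running the check before the first firefighter session surfaces the missing owner, controller and reason codes that would otherwise appear only as a failed session start, and the time-zone mismatch that would otherwise appear only later as misaligned log entries.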
STARTING EMERGENCY ACCESS
Starting a firefighter session
MANAGING LOGS