Hands-On Lab: Part 1: A Beginner's Guide To The Configuration of SAP Access Control

Hands-On Lab: Part 1: A Beginner’s Guide to the
Configuration of SAP Access Control
Kurt Hollis and Nicole Teibel
Deloitte
kuhollis@deloitte.com
nteibel@deloitte.com
1
SECTION 1 - Lab Contents
 Section 1:
o Lab Overview
o Lab Schedule
o Lab User Access Information
 Section 2: GRC Post-Installation Setup Steps and Verification
 Section 3: GRC Risk Analysis Configuration and First Risk Analysis
 Section 4: GRC Emergency Access Configuration and First Emergency Access
 Section 5: GRC Access Request Configuration and First Access Request
SECTION 1 - Lab Overview
 GRC System for this lab is running locally on the laptops and not on a server across the
network.
 We have 40-50 GRC systems running here, one per laptop.
o This was done to guarantee good performance and complete independence
from others working on the same system.
 The system is strictly yours and not shared.
 Laptop is running VM Workstation 10.
 The GRC system is running on SUSE Linux 11.3 and MAXDB 7.5
 The GRC system is based on SAP NetWeaver 7.40 SP13.
 The GRC system is running GRCFND_A 10.1, SP11, GRC plug-in is installed and is
version 10.1, SP11.
 The SAP GUI is installed and is version 7.40 SP2.
SECTION 1 - Lab Schedule
Wednesday, March 16th, 2016 (3:00-6:00)

 Lab Overview I 15 Minutes (3:00-3:15)
 Lab – Part 1 70 Minutes (3:15-4:25)
 Short Break 10 Minutes (4:25-4:35)
 Lab Overview II 15 minutes (4:35-4:50)
 Lab – Part 2 70 Minutes (4:50-6:00)
2
SECTION 1 - Lab User Access Information
• SAP System SID is “GRD”
• Client number is 200
• Server host is “USSLTCSNL1271”, Instance number is 00
• Start the SAP GUI
• Launch the GRD LAB system GUI
• Log in to client 200 as grctrain1, grctrain2, and grceamadm (for Section 4 only) with password of
“grc2016lab"
• Launch Transaction “NWBC” for the GRC Web Interface
3
SECTION 2 - GRC Post-Installation Setup Steps and Verification
Login to the Workflow EMAIL Setup

System Setup (skipped)
Verify the System

Test NWBC
Client Copy is Connections
user Interface
Completed Setup
Activate
Applications in New UI5 Odata
Client Services
Maintain Web
STRUST SSO
Services in
Setup
SMICM (HTTP)
4
Steps Steps to be performed
Section 2 The lab system should have the Lab Image “USSLTCSNL1273” loaded for you already. If not, contact the
Step 1 instructor.
STARTUP Start SAP GUI and connect to GRD System.

LOGIN
The login will item will be “GRD LABS”
SAP Login screen. Log in to the GRD system.

Log in client 200 with user grctrain1 (or grctrain2 for some parts of the lab) and password “grc2016lab”.
5
Steps Steps to be performed (VERIFY STEP ONLY, NO CHANGES)
Section 2 After logging into the system, perform the post-installation steps for GRC.
Step 2
First check is to verify the client copy from client 000 to client 200 has completed successfully.
CLIENT We previously made this copy using client copy profile SAP_ALL. This is the recommended way to copy the
COPY client for a new system.
Navigate the menu tree, Tools  Administration  Client Administration  Copy Logs.
Verify the copy was successful. Screen is as shown above.
6
Section 2 Next step is done using transaction SPRO. Transactions are entered into the blank field in the upper left.
Step 3
SPRO
Activate
GRC
Apps
7
Click on the button “SAP Reference IMG.”
NOTE: Much of the configuration is done using transaction SPRO and the SAP Reference IMG during this
session.
In the menu that comes up, go to the area Governance, Risk and Compliance  General Settings 
Activate Applications in Client.
Three applications exist in this setting: GRC-AC, GRC-PC, and GRC-RM. We are activating only GRC-AC for
this system.
Verify the setting only, no changes needed.
Exit this screen.
8
Section 2 We are done with SPRO for a moment. Exit SPRO. Now enter transaction SICF.
Step 4
Click the EXECUTE button under Maintain Services.
ICF
SETTING
Verify the Services are activated. See the screen below: public, bc, grc. (Just check it, no need to do any
changes here.)
Maintain Services for Web Applications allows the content to be used in the system. It must be activated.
See that the public, bc, grc, iwbep, and opu are bold, this means they are activated.
No changes needed here, verify only. Exit this screen.
9
Section 2 Now enter transaction SMICM. Go to menu Goto  Services.
Step 5
ICM
SETTING
Check the services. Verify the HTTP, HTTPS, and SMTP services are enabled. Verify the timeout settings are
3600 for Keep Alive, 1800 for Process Timeout.
No changes needed here, verify only. Exit this screen.
10
Section 2 Now enter transaction STRUSTSSO2. Check that the System PSE is green and the SSL server, client, and
Step 6 client SSL are green.
This setup requires entries in the system profiles and the SAPCRYPTO libraries to be installed in the Kernel
SSO at the operating system level of the SAP system. This is needed for NWBC operation. No changes needed
SETTING here, verify only. Exit this screen.
This is an example of settings in the system profile needed for NWBC and GRC. No need to verify this
(provided as FYI).
11
Section 2 Set up new User Interface (UI5) views and SAP NetWeaver Gateway. This is required for the new Access
Step 7 Control Request Screens in the NWBC and the Remediation View for the User Level Risk Analysis.
UI5 Go back into SPRO again. Navigate to SAP NetWeaver  Gateway  OData Channel  Administration
ODATA  General Settings and execute Activate and Maintain Services
Gateway
SETTING
Look at the ICF Nodes and System Aliases at the bottom of the screen. The ICF Node needs to be active and
the System Alias needs to have assigned LOCAL Alias.
No need to make any changes here, this step is verify only. Exit this screen.
12
Section 2 Launch and test the NWBC interface. Now that all the previous steps have been completed, it is possible to
Step 8 test the NWBC interface.
NWBC Enter transaction NWBC in the transaction window to the right of the green check. If you are currently not
SCREEN at the main menu and inside another screen, enter /nNWBC to run the transaction.
The NWBC screen should appear in a new browser window (pop up).
Navigate to each sub-menu My Home, Setup, Access Management, Reports, and Analytics one at a time to
test this access. See each sub-menu appear.
No need to make any changes here, this step is verify only. Exit this screen.
13
Section 2 Workflow Customizing.
Step 9 Go back into SPRO IMG again. Navigate to GRC  General Settings  Workflow, and execute Perform
Automatic Workflow Customizing.
WORK
FLOW
SETUP
Before it looked like screen print below on the left. After it should look like screen print below on the right.
14
BEFORE AFTER
We need to verify a few items. The following are just checks, no changes are needed. Please see the
sections of this menu, click on them, and read the text in the right-hand pane for instructions followed
during setup.
Check that the jobs are scheduled. These should all have green checks. The Event Queue job is optional and
sometimes will not be running; this is OK.
15
The RFC destination is important, see the USER used for this function. Please take note of this user. No
changes required.
16
Steps Steps to be performed (requires changes during this step)
Section 2 Go to transaction SPRO again, into the IMG. Enter into Workflow, Perform Task Specific Customizing by
Step 10 selecting
Governance, Risk and Compliance  General Settings  Workflow  Perform Task-Specific
WORK Customizing.
FLOW
TASKS
17
Expand the GRC area. We will explore the GRC-SPC agents and event linking.
Click on Assign Agents across from the GRC-SPC area.
18
Select the line and click the Attributes button. A pop-up displays.
This procedure is only done for the tasks with IDs starting with letters TS, not WS.
Set General Task and click the Transfer button.
Check the setting in the screen. It should now say General Task
19
Now, go back to the screen before and select the “Activate event linking” for the GRC-SPC workflow.
Scroll down to the bottom of the list until you see the WS Events.
Click on the Deactivated button for the WS 75900005 event to activate it. You will need to create a transport
request as part of this process. Click the white paper icon.
Enter a Short Description and click the save icon to save the request.
20
Click the Puzzle piece Icon. In the pop-up, change the error feedback to “Do not change linkage” and click
save. Then click the green check button.
Exit this application.
Click the note with the glasses and review the documentation for this IMG activity. This exercise was an
example of the settings needed in this area for the Workflow setup.
Note: For Access Control, more steps need to be completed when the system has the plug-in installed.
These are not covered in this lab due to time constraints. These settings have already been made for your
systems.
21
Steps Steps to be performed (PARTS OF THIS STEP ARE PERFORMED)
Section 2 Set up the connectors to the other systems. Go back into the SPRO IMG and navigate to the Integration
Step 11 Framework under Governance, Risk and Compliance  Common Component Settings  Integrated
Framework.
CONNECT Setup of the connectors involves settings made in seven places. These steps are very important for the
SYSTEMS integration of SAP systems with the GRC applications. We are not covering the Portal integration, LDAP
integration, or non-SAP integration in this lab due to time constraints and level of complexity.
The first part is in this area of the IMG. Many of the settings are done already for you. However, you
will have to make certain settings. These are pointed out to you.
22
Part 1 - IMG area we are focusing on first.
Enter the first IMG activity step “Create Connectors.” This is actually transaction SM59.
Look at the ABAP connections and find GRDCLNT200. This step is already done for you. Please verify
the settings.
CREATE CONNECTORS - RFC Connection is GRCCLNT200. Double-click and verify the settings. We are
actually connecting back to the same system GRC system to GRC system. This is possible because we
have the GRC Plug-In installed is this system.
Verify the settings.
23
Exit the connector settings after verifying them.
See the details under the Login & Security tab. The correct client 200 is filled in. The user must have the
correct roles assigned in the remote system. No changes, verify only.
24
The next setting is the “Maintain Connectors and Connection Types.” Here we are assigning the
connectors to the connection types and the connector groups.
Click Define Connectors after selecting the SAP box on the left side.
Verify the connector is GRDCLNT200. This is how you assign the connector to each connector type. We
are only using SAP type here.
25
After clicking into the DEFINE CONNECTOR GROUP, select the line SAP_BAS_LG, and then click the
ASSIGN CONNECTORS TO CONNECTOR GROUP FOLDER
The connector group is based on the rule sets loaded. See below for guidance. We are using only the
GRAC_RA_RULESET_SAP_BASIS rule set for this training (SAP_BAS_LG). Please only assign the SAP_BAS_LG
for this training class. Assign connector type SAP if blank.
Rule Sets (EXAMPLE ONLY)

GRAC_RA_RULESET_SAP_R3: Rules for ERP including Basis and HR (SAP_R3_LG)
GRAC_RA_RULESET_SAP_HR: Rules for HR only (SAP_HR_LG)
GRAC_RA_RULESET_SAP_NHR: Rules for ERP excluding HR and Basis (SAP_NHR_LG)
GRAC_RA_RULESET_SAP_BASIS: Rules for Basis (SAP_BAS_LG)  We are only using this one
GRAC_RA_RULESET_SAP_APO: Rules for APO (SAP_APO_LG)
GRAC_RA_RULESET_SAP_CRM: Rules for CRM (SAP_CRM_LG)
GRAC_RA_RULESET_SAP_ECCS: Rules for ECCS (SAP_ECC_LG)
GRAC_RA_RULESET_SAP_SRM: Rules for SRM (SAP_SRM_LG)
GRAC_RA_RULESET_JDE: Rules for JD Edwards (JDE_LG)
GRAC_RA_RULESET_ORACLE: Rules for Oracle Apps (ORACLE_LG)
GRAC_RA_RULESET_PSOFT: Rules for PeopleSoft HRMS (PSOFT_LG)
The last step in this top section of the connector settings is one of the most important.
26
Maintain Connectors Settings:
In the Work Area pop-up, select each of the integration scenarios one at a time.
YOU MUST SET UP THE CONNECTOR FOR SCENARIO ROLMG!

The connectors for AUTH, PROV, and SUPMG have already been set up for you. Verify these. Please set
up the connector GRDCLNT200 with integration scenario ROLMG. Steps are below.
Select the ROLMG scenario and get to the screen below. Now click the box next to the ROLMG sub
scenario definition and click the Scenario-Connector Link on the right. This brings up a screen where
you assign the connector GRDCLNT200.
27
Click New Entries on the screen.
From the selection box that pops up, select the connector GRDCLNT200
Click the Save icon on the top menu bar. A transport request comes up. Click the white paper icon and
create a new request and fill in the description as shown below. Click the green check and save it.
This is done. Now use the arrow keys to exit this step until you are back at the IMG menu. This same
process would be repeated for each scenario. According to an SAP Note, it is needed to fill them out for
all scenarios even if you are using only one of them.
28
Part 2 of the connector settings is under the Access Control area and contains four steps.
Perform the validation of this next.
Click on configuration item “Maintain Connector Settings” and verify the target connector GRDCLNT200 is
assigned. Click in the Application Type area to see what the drop-down list provides. We are only using SAP
type for this system. No changes needed.
When done reviewing, exit this screen.
29
In the next step in the IMG, open Maintain Mapping for Actions and Connector Groups. Notice the
connector group(s). We are working with the SAP_BAS_LG group.
Select the SAP_BAS_LG group and click on the right side Assign default connector.
Here we have to fill in multiple entries. One entry for each action 1, 2, 3, 4. Verify this is correct. Click the
Action drop-down to see the list of actions available. These are assigned for the connector group we are
using, which is SAP_BAS_LG.
Exit this screen. Click the green arrow back a few times to get to the IMG menu again. Now for the last item,
Plugin settings.
Verify the Plugin settings. It needs one single entry for GRDCLNT200.
Exit this screen back to the IMG menu.
The connection is now setup for the applications and will appear in the application screens when choosing
the system. This section is very important for all applications in Access Control to function, and must be
done before configuring the applications.
This system is also connected to itself using the GRC Plug-In. So we are using the same GRC system to
manage the GRC systems for Access Control applications, such as Risk management, Super User
management, and user provisioning functions.
END OF LAB SECTION 2 – Congratulations, this was a big section to complete.
30
SECTION 3 - GRC Risk Analysis Configuration and First Risk Analysis
Run the Full Run the Batch

Activate BC Sets
Batch Risk Risk Analysis
(Rule Sets)
Analysis Monitor
Run the Risk

Generate the Test Risk
Violation
Rules Analysis
Dashboards
Maintain Run the Check the

Configuration Synchronization Application Logs
Settings for ARA Jobs SLG1
31
Section 3 Activate BC Sets.
Step 1
At the main menu of the system (out of the IMG/SPRO screen), enter transaction SCPR20.
BCSET
ACTIVATE
We are only activating the two rules sets we are using. The full table is shown for reference. The other
BCSETS will be actived during other lab steps when needed.
DO NOT ACTIVATE THE GREYED OUT BCSETS YET. Only the two needed for this section.
Access Risk Analysis
GRAC_RA_RULESET_COMMON SOD Rules Set (We activate this one now)

GRAC_RA_RULESET_JDE JDE Rules Set
GRAC_RA_RULESET_ORACLE ORACLE Rules Set
GRAC_RA_RULESET_PSOFT PSOFT Rules Set
GRAC_RA_RULESET_SAP_APO JDE Rules Set
GRAC_RA_RULESET_SAP_BASIS SAP BASIS Rules Set (We activate this one now)
GRAC_RA_RULESET_SAP_CRM SAP CRM Rules Set
GRAC_RA_RULESET_SAP_ECCS SAP ECCS Rules Set
GRAC_RA_RULESET_SAP_HR SAP HR Rules Set
GRAC_RA_RULESET_SAP_NHR SAP R/3 less HR Basis Rules Set
GRAC_RA_RULESET_SAP_R3 SAP R/3 AC Rules Set
GRAC_RA_RULESET_SAP_SRM SAP SRM Rules Set
Access Request Management
GRAC_ACCESS_REQUEST_REQ_TYPE* Request Type

GRAC_ACCESS_REQUEST_EUP* EUP (Note: Only the value EU ID 999 is valid for this BC set.)
GRAC_ACCESS_REQUEST_APPL_MAPPING* Mapping BRF Function IDs and AC Applications
GRAC_ACCESS_REQUEST_PRIORITY* Request Priority
Business Role Management
GRAC_ROLE_MGMT_SENTIVITY* Sensitivity
GRAC_ROLE_MGMT_METHODOLOGY* Methodology Process and Steps
GRAC_ROLE_MGMT_ROLE_STATUS* Role Status
GRAC_ROLE_MGMT_PRE_REQ_TYPE* Prerequisite Types
32
Superuser Management
GRAC_SPM_CRITICALITY_LEVEL* Criticality Levels
Workflow
GRC_MSMP_CONFIGURATION* MSMP Workflow Configuration Rules Set
Steps to activate the BCSETS
Fill in the name GRAC_RA_RULESET_COMMON and click the Activation button.
A transport request may pop up, fill this in and save using green check mark. If it is to be a new request,
click the white paper icon to create a new request. Then fill in and save it.
33
After activating this BC Set. You get the below message at the bottom of the screen.
Perform the steps again for the other BC Set GRAC_RA_RULESET_SAP_BASIS.
Activate it.
That concludes the rule set activation.
34
Section 3 Generate Access Rules.
Step 2
Generate the rules by going to IMG under Governance, Risk and Compliance  Access Control  Access
Generate Risk Analysis  SoD Rules  Generate SoD Rules. There are alternative methods to generating the rules.
Rules In the NWBC interface, in the RULESET sub-menu, you can generate the rule set rules there. For this
exercise, we are using the IMG method below.
Fill in the full range in the drop-down, from the first entry on the left to the last entry on the right.
Execute this. A small message appears at the very bottom of the screen showing program is completed.
35
Steps Steps to be performed (No changes needed, verify only)
Section 3 Maintain Configuration Settings. Use SPRO to review the configuration settings. Answer one question
Step 3 below, no changes needed.
Config
Settings
Note the setting for the Risk Analysis. What is the Default Rule Set used? HINT – Look at Param ID 1025.
FYI – SAP has a guide dedicated to the configuration settings available for download.
No changes needed here, only look at them.

36
Steps Steps to be performed (No changes needed, verify only, important step)
Section 3 Run the NWBC and check that the rules are loaded.
Step 4
Check
Rules
The Web browser launches.
Check that the Access Risks, Functions, and Rule Set exists. See next three screens.
37
Check that the Access Risks exist.
Check that the Functions exist.
Check that the Rule Set exists. What is the Rule Set Name?
If any of the above screens are empty, contact the instructor in the room immediately! This needs to be
correct before proceeding.
38
Section 3 We need to run the Synchronization jobs to get the user, role, profile, and authorizations data from the
Step 5 source systems. In our case, the source system is also the same GRC system. This is fine for learning
purposes, such as this training. We run two jobs.
Sync
Jobs In IMG go to Access Control Synchronization Jobs and run Authorization Synch (program
GRAC_PFCG_AUTHORIZATION_SYNC). It is recommended you run it in the background, but we will run it in
foreground during this lab exercise. This program contains three jobs: Org. Value sync, Transaction Sync, and
Objects sync.
1st Job to run = Authorization Data Synchronization
Fill in the Connector name and click Execute. We run this in the foreground.
NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and
SE38 to create the varients to store the values in the fields so they can be used over and over again.
39
The result screen comes up in about three to five minutes. It should not take that long for these systems.
Note: Larger ERP systems may take 30-40 minutes to run. That is why background processing is usually
preferred.
(Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200)
In the same path go to Repository Object Synch (program GRAC_REPOSITORY_OBJECT_SYNC).
Be sure to select the Full Sync Mode.
This job runs in one to three minutes.

NOTE: On larger systems with many users and roles, this job may take 10-20 minutes to run.
NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and
SE38 to create the varients to store the values in the fields so they can be used over and over again. Usually
a full sync is done weekly and an incremental sync is done daily. More frequent jobs can be scheduled to
allow new users and roles to be used in the GRC analysis jobs, reports, and ad-hoc analysis.
40
(Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200)
Completed job output above.
41
Section 3 Now you should be able to run a risk analysis. Go to Access Management Workcenter and run a User Level
Step 6 Risk Risk Analysis on a specific user.
Run Let’s test this. Go to the main menu of the system and run the NWBC transaction.
Risk
Analysis Run the NWBC again.
In the NWBC Browser window, Click the Access Management sub-menu.
Run the User Level anaylsis first. Use system GRDCLNT200 and user GRCTRAIN1. Fill out as shown below.
Use the minus button to remove unwanted items from the query screen.
42
Fill in the screen. Run in foreground. Check the settings carefully.
View the results. Example below:
43
Run the same Risk Analysis – User Level, change the Report Options for REMEDIATION VIEW only.
After choosing Remediatation view, it will look like the above. It may take longer to come up.
(Note: Screen above shows system GRDCLNT100 in this example, your screen will be actual system
GRDCLNT200)
44
Perform the same steps for the Role Level analysis. Use role SAP_GRC_SPC_SETUP for this analysis test.
Results of ROLE analysis above.
45
Section 3 Set up Parallel Jobs capability. This is in preparation of running the full batch risk analysis.
Step 7
Run RZ12 transaction (not in the IMG menu). Check if the Login Group parallel_generators exists. If so,
Setup verify the settings as shown below. Otherwise, click the white paper icon to create the group assignment.
Parallel The name must be “parallel_generators” to be used in the applications.
Jobs
Click Save. A message will appear at bottom in yellow. You must press enter to save and get past this
screen! INGORE WARNING and press enter to save it.
Go in and check the entry again to make sure it saved.
46
Section 3 To run the Full Batch Risk Analysis, go into the SPRO transaction again and click on the Execute Batch Risk
Step 8 Analysis menu item.
Run Fill out the screen as shown and execute the job. It will take about 10-15 minutes to complete it. You will
Full monitor the job during this time. After running this job, move immediately to the next step on how to
Batch monitor the job.
Risk
Analysis NOTE: It is possible to also run using a transaction GRAC_BATCH_RA (or program
GRAC_BATCH_RISK_ANALYSIS) as an alternative.
47
Fill out the Batch Risk Analysis screen as shown above and execute it.
48
Section 3 Monitoring the Batch Risk Analysis.
Step 9
Using SPRO (IMG) go to the menu Access Risk Analysis and run Monitor Batch Risk Analysis.
Monitor Change the dates so the start date is one day earlier. We have noticed some time issues with the system
Batch time not matching the local time. With time out of sync, you may miss picking up the jobs in the search.
Risk Making the date range larger will help to pick up the jobs.
Analysis
Note: You can monitor the batch risk analysis job with transaction GRACRABATCH_MONITOR.
49
Click the box in front of the job row and click Show Details. Drill into the details to see the detailed status.
You can see what is going on while it is running.
For large systems, this job can take a long time.
50
Check that the job is using parallel processes. Use transaction SM50 while the job is executing in the
background to see the two batch work processes running the job. Below is SM50 screen.
51
Section 3 View the Risk Analysis dashboards. The data in the dashboards are only visible after running the batch risk
Step 10 analysis jobs.
View In the NWBC screen, go to the Reports and Analytics menu. We will run the Risk Violations, User Analysis,
Dash- and Role Analysis dashboards. These pop up in another window. Run each one, one at a time. See below
boards screens for examples.
52
The Risk Violations screen is interactive. You can click into the pie chart or bar chart items to see the detail
below them. Try this for both the pie chart HIGH and MEDIUM and BS00 in the bar chart. Be sure to drill
down in the next screens that open. Check out the details. Try changing the Analysis Type from User to
Role.
53
Check the User Analysis dashboard too. Explore the details.
54
Find the GRC roles in the Role Analysis dashboard. They begin with SAP_GRC.
The data in the dashboards is based on the Batch Risk Analysis job. This job needs to be scheduled nightly to
get the data updated.
55
Section 3 Check the Application logs for errors. Run transaction SLG1 in the GRD system. Fill the screens as shown
Step 11 below and execute.
SLG1
Appl
Errors
See examples of log output below. This is a very useful tool for GRC applications when problems are
occurring.
56
SECTION 4 - GRC Emergency Access Configuration and First Emergency
Access
Special User Instructions:
1) The steps to configure the “Emergency Access Management” component of GRC 10.1
are illustrated in this section.
2) Please log in using GRCEAMADM for all the steps except for Step 10, where you will use
GRCTRAIN1 and GRCTRAIN2 for configuration and testing the EAM functions. The
users to be used for each step are pointed out in the documentation.
High Level Overview of the Configuration Steps
A pictorial depiction of the high-level configuration steps is shown below:
Activate BC Sets
Assign Firefighter Access Firefighter
(Emergency
IDs to Firefighters ID
Access)
Add Connectors Define Owners Run Log

to Firefighting and Controllers Collection Job
Scenario (SUPMG)
Maintain Access and

Complete
Configuration Review Firefighter
Synchronization
Settings Logs
Create Firefighter
Maintain
IDs in Target
Criticality Levels
Systems
57
Section 4 Activate BC Sets. (Logged in as user GRCEAMADM)
Step 1
Enter transaction code SCPR20. Enter GRAC_SPM_CRITICALITY_LEVEL in the BC Set field and press F7 or
Activate click Activate. Create a new transport request or assign to an existing one. Use the Expert Mode under the
BCSETS Activation Options window and click OK to complete the activation.
On successful activation, a confirmation message is shown as below.
58
Section 4 Maintain Plug-in settings. (Logged in as user GRCEAMADM)
Step 2
Navigate to Tcode SPROSAP Reference IMG Governance, Risk and Compliance (Plug-In)Access
Plug-In ControlMaintain Plug-In Configuration Settings.
Settings
Review and ensure the values for the following parameters exist:
1089  1
1090SAP_GRAC_SPM_FFID
59
Section 4 Add Connectors to the Super user Management Scenario (SUPMG) (Logged in as user GRCEAMADM)
Step 3
Navigate to Tcode SPROSAP Reference IMG Governance, Risk and ComplianceCommon Component
SUPMG SettingsIntegration Framework  Maintain Connection Settings
Connector
Enter SUPMG in Integration Scenario and click OK.
Highlight the row that indicates the SUPMG scenario and double-click the Scenario-Connector Link folder.
Review and confirm the entry for the target connection as shown in the screen below. If no entry exists, click
on New Entries and add the Target Connector.
60
Section 4 Review Criticality Levels for Emergency Access Management. (Logged in as user GRCEAMADM)
Step 4
Navigate to Tcode SPROSAP Reference IMG expand Governance, Risk and ComplianceAccess
Criticality ControlEmergency Access Management Maintain Criticality Levels for Emergency Access Management
Levels
Confirm that criticality levels are populated in the table as indicated in the screen below:
Changes can be made and saved, but would require the creation of a new transport or addition to an
existing transport.
61
Section 4 Review Key Configuration Settings for Emergency Access Management. (Logged in as user GRCEAMADM)
Step 5
Config ControlMaintain Configuration Settings.
Settings
for
EAM
Changes can be made and saved, but would require the creation of a new transport or addition to an
existing transport.
62
Section 4 Create Firefighter IDs. (Logged in as user GRCEAMADM)
Step 6 Use Tcode SU01
 Note: To run SU01 directly from the screen in step 5, enter /nsu01 in the transaction code entry box:
Create
FF IDs
Enter FF_TRAIN01 in the User field. Click User (Top menu) and click Copy. In the To field, enter
FF_TRAINGRC. Check all the boxes in the copy screen and click Copy (F5).
In the Logon data tab, click on the Wizard button next to the Initial password field. Save the changes to
complete the creation of the Firefighter ID.
63
Section 4 Synchronize Created Firefighter IDs using Tcode GRAC_REP_OBJ_SYNC. In the Connector field, use the
Step 7 Search button to choose the connector. (Logged in as user GRCEAMADM)
Choose Full Sync Mode:
Run
FULL
Repository
Sync Job
Click Execute (F8) to complete the sync.
64
Section 4 Define Owners and Controllers for the created Firefighter ID. (Logged in as user GRCEAMADM)
Step 8
Execute Tcode NWBC to launch the SAP NetWeaver Business Client window. Navigate to the Setup tab and
Define click “Access Control Owners” under Access Owners Sub menu.
Owners
and
Controllers
Confirm that GRC GRCTRAIN2 is setup as a Firefighter ID Owner and a Firefighter ID Controller. Once
confirmed close the window.
Navigate back to the Setup tab and click Owners. Within the Owners window, click Assign at the top of the
window.
65
Search for user GRCTRAIN2. To choose the user, highlight it on the search screen and then click on it. Click
on Add within the Firefighter ID table and click Go to show the list of Firefighter IDs.
Choose FF_TRAIN01 and move it to the selected pane by highlighting it and using the directional arrow
(shown above).
Click Save on the Owner Assignment screen.
To assign controllers, without leaving the Setup tab, click Controllers under Emergency Access Maintenance.
Within the Owners window, click Assign at the top of the page.
Search for user GRCTRAIN2. To choose the user, highlight it on the search screen and then click on it. Click
on Add within the Firefighter ID table and click Go to show the list of Firefighter IDs. Add the Firefighter ID
FF_TRAIN01 and set the ‘Notification By’ to Log Display. For “System”, specify “GRDLNT200”.
66
Section 4 Define Reason Codes for Firefighter Usage. (Logged in as user GRCEAMADM)
Step 9
Execute transaction NWBC. Within the Setup folder tab, locate the Reason Codes link under Emergency
Define Access Maintenance menu (bottom of the page) and click on it. Within the Reason Code window, click on
Reason Create to define a new reason code.
Codes
Add the Reason Code and a long description within the respective text fields. To define the systems for
which the created reason code is applicable, click Add within the system table. Click Save to save your
changes once all the fields have been defined.
67
Section 4 Assign Firefighter ID to Firefighter User. (Logged in as user GRCEAMADM)
Step 10
Execute Transaction NWBC. Within the Setup folder tab, locate the Firefighters link under Emergency Access
Assign Maintenance menu (bottom of the page) and click on it. Click Assign at the top of the Firefighter window.
Firefighter
Search for user GRCTRAIN1, highlight it on the search screen, and click on it to choose it.
Click on Add within the Firefighter ID table and click Go to show the list of Firefighter IDs. Choose
FF_TRAIN01 and move it to the selected pane by highlighting it and using the directional arrow. Choose the
Owner (GRCTRAIN2) from the search screen and click Save to save the assignment.
68
Section 4 Using a Firefighter ID. ** (Logged in as user GRCTRAIN1 now) **
Step 11
Logout as GRCEAMADM. Ensure you are logged in as GRCTRAIN1. Execute transaction GRAC_EAM. Click
Use the Logon button within the Emergency Access Management Dashboard.
Firefighter
Choose a reason code from the Reason Code dropdown. Enter the planned activity within the text area (use
your own). Enter transaction codes to be used (eg. PFCG, SU01, SU10, SE38 etc.) within the Actions field.
Click OK to launch the remote session. Once complete with activities, close the session.
69
Section 4 Execute the Firefighter Log Synchronization job to complete collection of the Activity log. (Logged in as user
Step 12 GRCEAMADM)
Run Execute Tcode GRAC_SPM_LOG_SYNC. Enter the connector name and click Execute (F8) to initiate the job
Log Sync that collects the activities performed under the Firefighter ID.
Job
70
Section 4 View the Firefighter logs.
Step 13
Execute Tcode NWBC. Click the Reports and Analytics folder tab. Locate the Firefighter Log Summary Report
View link under the Emergency Access User Management Reports menu and click on it.
FF Logs
Click on ‘Run in foreground’ to view the generated log list.
View the log by highlighting the item on the list and click Open to see the details.
71
SECTION 5 - GRC Access Request Configuration and First Access Request
Activate BC Sets
Create Access Approve Access
(User
Request Request
Provisioning)
Add Connectors Complete Review Auto

to Firefighting Synchronization Provisioning
Scenario (PROV)
Maintain
Configuration Import Roles
Settings
Maintain
Activate MSMP
Provisioning
Workflow
Settings
72
Section 5 Activate BC Sets.
Step 1
Enter transaction code SCPR20. Enter the BC Sets below, one by one in the BC Set field and use F7 or click
Activate Activate. Create a new transport request or assign to an existing one. Select Expert Mode under the
BCSETS Activation Options window and click OK to complete the activation.
 GRAC_ACCESS_REQUEST_APPL_MAPPING
 GRAC_ACCESS_REQUEST_EUP
 GRAC_ACCESS_REQUEST_PRIORITY
 GRAC_ACCESS_REQUEST_REQ_TYPE
On successful activation, a confirmation message is shown as below.
73
Section 5 Add Connectors to the User Provisioning scenario (PROV).
Step 2
Navigate to Tcode SPROSAP Reference IMG expand Governance, Risk and ComplianceCommon
Add Component SettingsIntegration FrameworkMaintain Connection Settings.
Connector
for Prov.
Enter PROV in Integration Scenario and click OK.
Highlight the row that indicates the PROV scenario and double-click the Scenario-Connector Link folder.
Review and confirm the entry for the target connection to the GRC system (GRDCLNT200). If no entry exists,
click on New Entries and add the Target Connector to the GRC system (GRDCLNT200). The connection type
should be “SAP”.
74
Section 5 Maintain Provisioning Settings.
Step 3
Maintain ControlUser Provisioning Maintain Provisioning Settings. Double click on “Maintain Global Provisioning
Prov. Configuration” folder.
Settings
Set the values as shown below.
Role provisioning Type  Direct

Auto Provisioning  Auto provisioning at end of request
Role assignment  Check Provisioning Effective Immediately
Save the settings and add to transport request.
75
Section 5 Activate the MSMP Workflow.
Step 4
Activate ControlWorkflow for Access Control Maintain MSMP Workflows.
MSMP
Workflow
Go to Change mode and click on Step 7 (Generate Versions) and choose Activate.
Confirm activation of the approval workflow.
76
Section 5 Import Roles.
Step 5
Execute Tcode NWBC. In the Access Management tab, under Role Mass Maintenance, click Role Import.
NWBC
Role
Import
In the Role Import screen, populate the screen as indicated below for Stage 1.
For Stage 2, enter the details similar to as shown below, project release should be “GRC 2016 Conference”
and approver to add should be “GRCTRAIN2”.
77
For Stage 3, click Next to move to Step 4. In Step 4, set the job as a background job using the parameters
shown below.
A confirmation message is shown in Stage 5 indicating successful scheduling.
78
Section 5 Run the Synchronization job.
Step 6
Execute Tcode GRAC_REP_OBJ_SYNC to initiate a repository sync job on completion of the background job
Run from Step 5.
Sync
Jobs
Click Execute (F8) to initiate the job. On completion, the log is shown (example below).
79
Section 5 Create an Access Request.
Step 7
Execute Transaction NWBC. Within the My Home tab, click on Access Request to launch the Access Request
Create screen.
Access
Request
In the Access Request screen, fill in the fields similar to below. You will be creating request of access for
‘other’ user (GRCTRAIN1) To add roles, click on Add and choose Role.
Navigate to the User Details tab and fill in the First Name, Last Name and Email for the user.
80
In the Add Role screen, click on Search to search for a role. Highlight one of the search results and use the
arrow buttons to move them to the selected screen.
Click OK to return to the Access Request screen.

Click Submit to submit the access request.
81
Section 5 Approve the Access Request.
Step 8
Login as GRCTRAIN2 (the role approver set up). Execute Tcode NWBC. From the My Home tab, click on Work
Approve Inbox.
Access
Request
In the Work Inbox, locate the request number and click on it to open the Request Approval window.
In the Approval window, review the request and click on Submit to approve the request.
82
Enter comments in the Comments tab prior to approval. A confirmation message is shown on the approval.
83
Section 5 Review the Auto Provisioning.
Step 9
Execute Tcode SU01. In the User field, enter the user which made the access request (e.g., “GRCTRAIN1”)
Review and click Display.
Auto
Provision.
Navigate to the Roles tab and review the request role. Confirm that it was assigned to the user.
End of Lab – Great Job, you made it, and thanks for attending!!
84
APPENDIX – FOR YOUR REFERENCE

Section Enter Transaction SCOT to set up email. (Validation Only in this section, no changes!)
Appendix
Click on SMTP Node under the Settings Folder, Outbound Messages Folder.
Step A
EMAIL
SETUP
Verify the settings in the screen below (NO CHANGES).
No changes needed, verify the settings. The settings for Internet should have * in the SET button.
85
Check that the job is running. You can double click the Job Name to open the popup panel. See the job runs
every ten minutes. Exit this transaction, SCOT.
(DO NOT PERFORM THE FOLLOWING COMMAND, READ ONLY)
86
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2016 Wellesley Information Services. All rights reserved.

Hands-On Lab: Part 1: A Beginner's Guide To The Configuration of SAP Access Control

Uploaded by

Copyright:

Available Formats

You might also like

Hands-On Lab: Part 1: A Beginner's Guide To The Configuration of SAP Access Control

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hands-On Lab: Part 1: A Beginner's Guide To The Configuration of SAP Access Control

Uploaded by

Copyright:

Available Formats

Hands-On Lab: Part 1: A Beginner’s Guide to the

Configuration of SAP Access Control

Kurt Hollis and Nicole Teibel

SECTION 1 - Lab Overview

SECTION 1 - Lab Schedule

Wednesday, March 16th, 2016 (3:00-6:00)

• Client number is 200

• Server host is “USSLTCSNL1271”, Instance number is 00

• Start the SAP GUI

• Launch the GRD LAB system GUI

• Launch Transaction “NWBC” for the GRC Web Interface

Login to the Workflow EMAIL Setup

Verify the System

STARTUP Start SAP GUI and connect to GRD System.

SAP Login screen. Log in to the GRD system.

Verify the copy was successful. Screen is as shown above.

Verify the setting only, no changes needed.

Exit this screen.

No changes needed here, verify only. Exit this screen.

Set General Task and click the Transfer button.

Exit this application.

Verify the settings.

Rule Sets (EXAMPLE ONLY)

YOU MUST SET UP THE CONNECTOR FOR SCENARIO ROLMG!

Exit this screen back to the IMG menu.

Run the Full Run the Batch

Run the Risk

Maintain Run the Check the

Access Risk Analysis

GRAC_RA_RULESET_COMMON SOD Rules Set (We activate this one now)

Access Request Management

GRAC_ACCESS_REQUEST_REQ_TYPE* Request Type

Business Role Management

GRAC_SPM_CRITICALITY_LEVEL* Criticality Levels

GRC_MSMP_CONFIGURATION* MSMP Workflow Configuration Rules Set

Steps to activate the BCSETS

Fill in the name GRAC_RA_RULESET_COMMON and click the Activation button.

Perform the steps again for the other BC Set GRAC_RA_RULESET_SAP_BASIS.

That concludes the rule set activation.

No changes needed here, only look at them.

The Web browser launches.

Check that the Functions exist.

1st Job to run = Authorization Data Synchronization

In the same path go to Repository Object Synch (program GRAC_REPOSITORY_OBJECT_SYNC).

Be sure to select the Full Sync Mode.

This job runs in one to three minutes.

In the NWBC Browser window, Click the Access Management sub-menu.

Results of ROLE analysis above.

Go in and check the entry again to make sure it saved.

You can see what is going on while it is running.

For large systems, this job can take a long time.

High Level Overview of the Configuration Steps

A pictorial depiction of the high-level configuration steps is shown below:

Add Connectors Define Owners Run Log

Maintain Access and

On successful activation, a confirmation message is shown as below.

Click Execute (F8) to complete the sync.

Click Save on the Owner Assignment screen.