A Beginners Guide to the Post-Installation Configuration of SAP Access Control

Upload: heverton-kesseler

Post on 07-Aug-2018


  • 8/20/2019 A Beginners Guide to the Post-Installation Configuration of SAP Access Control


    Hands-On Lab: Part 1: A beginners guide to the post-installation configuration of SAP Access Control

    Kurt Hollis, David Jayne, and Phil Dunbar


    SECTION 1 - Lab Contents

      Section 1:

    o  Lab Overview

    o  Lab Schedule

    o  Lab User Access Information

      Section 2: GRC Post-Installation Setup Steps and Verification

      Section 3: GRC Risk Analysis Configuration and First Risk Analysis

      Section 4: GRC Emergency Access Configuration and First Emergency Access

      Section 5: GRC Access Request Configuration and First Access Request

    SECTION 1 - Lab Overview

      GRC System for this lab is running locally on the laptops and not on a server across the network.

      We have 50 GRC systems running here, one per laptop.

    o  This was done to guarantee good performance and complete independence from others working on the same system.

      The system is strictly yours and not shared.

      Laptop is running VM Workstation 10.

     

    The GRC system is running on Windows 2008 R2 Enterprise Server and uses MS SQL 2012 database.

      The GRC system is based on SAP NetWeaver 7.40 SP09.

      The GRC system is running GRCFND_A 10.1, SP07

      The GRC plug-in is installed and is version 10.1, SP07.

      The SAP GUI is installed and is version 7.30 SP4.

    SECTION 1 - Lab Schedule

    Wednesday, March 18th 2015 (8:30-11:45)

      Lab Overview I 15 Minutes (8:30-8:45)

     

    Lab – Part 1 75 Minutes (8:45-10:00)

      Short Break 15 Minutes (10:00-10:15)

      Lab Overview-II 15 minutes (10:15-10:30)

      Lab – Part 2 75 Minutes (10:30-11:45)

    SECTION 1 - Lab User Access Information

     

    •  SAP System SID is “GRD”

    •  Client number is 200

    •  Server host is “grc10train” in domain grc2014.com, Instance number is 00

    •  Login to start the SAP System is grdadm, password is “Deloitte.1”  (alternate login is user grctrain)

    •  Use the MMC Console to start the system

    •  Start the SAP GUI

    •  Launch the GRD system GUI

    •  Login to client 200 as grctrain1, grctrain2, and grceamadm (for Section 4 only) with password of “grc2015lab”

    •  Launch Transaction “NWBC” for the GRC Web Interface 

    Steps to Bring Up the Lab System:

    Note: The steps below for starting up the lab system may have been done already in the classroom. The instructors will notify the entire class about the status of the laptop systems.

      Log in to the laptop

      Navigate to folder C:\DRIVERS\SAP.OVF

      Launch the GRC10_NEW.vmx by double clicking it in the above folder

      The VMWARE Workstation control panel launches

      Then power on the VM GRC10_TRAIN (USSLTCSNW1513) system (click the power on button)

      Use the menu drop-down to log in (Control+Alt+Delete) from the menu, not from the keyboard, and then log in to the system

      You may want to go to the control panel display and increase the display size to 1024x768 or slightly greater, but not too much or you will be scrolling windows around to see everything

      Start the SAP system using the MMC console

      Launch the SAP GUI and login to GRD

      Screen prints are in Section 2 of this lab guide

    SECTION 2 - GRC Post-Installation Setup Steps and Verification

    •  Bring System up and Login to the System

    •  Verify the Client Copy is Completed

    •  Activate Applications in Client

    •  Maintain Web Services in SMICM (HTTP)

    •  STRUST SSO Setup

    •  New UI5 OData Services

    •  Test NWBC User Interface

    •  Workflow Setup

    •  EMAIL Setup

    •  System Connections Setup

    Section 2, Step 1 - STARTUP LOGIN

    Steps to be performed:

    The lab system should have the Lab Image “GRC10TRAIN” loaded for you already. If not, contact the instructor.

    Start the SAP system using the MMC console in Windows.

    Log in to the SAP system using grdadm, password is “Deloitte.1”.

    Using the MMC console, right-click on GRD and select Start from the menu.

    System starts in a few minutes.

    Start SAP GUI and connect to GRD System.


    SAP Login screen. Log in to the GRD system.

    Log in client 200 with user grctrain1 (or grctrain2 for some parts of the lab) and password “grc2015lab”.

    Section 2, Step 2 - CLIENT COPY

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    After logging into the system, perform the post-installation steps for GRC.

    First check is to verify the client copy from client 000 to client 200 has completed successfully.

    We previously made this copy using client copy profile SAP_ALL. This is the recommended way to copy the client for a new system.

    Navigate the menu tree, Tools → Administration → Client Administration → Copy Logs.


    Verify the copy was successful. Screen is as shown above.

    Section 2, Step 3 - SPRO Activate GRC Apps

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    Next step is done using transaction SPRO. Transactions are entered into the blank field in the upper left.


    Click on the button “SAP Reference IMG.”

    NOTE: Much of the configuration is done using transaction SPRO and the SAP Reference IMG during this session.

    In the menu that comes up, go to the area Governance, Risk and Compliance → General Settings → Activate Applications in Client.

    Three applications exist in this setting: GRC-AC, GRC-PC, and GRC-RM. We are activating only GRC-AC for this system.

    Verify the setting only, no changes needed.

    Exit this screen.

    Section 2, Step 4 - ICF SETTING

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    We are done with SPRO for a moment. Exit SPRO. Now enter transaction SICF.

    Click the EXECUTE button under Maintain Services.

    Verify the Services are activated. See the screen below: public, bc, grc. (Just check it, no need to do any changes here.)

    Maintain Services for Web Applications allows the content to be used in the system. It must be activated.

    See that public, bc, grc, iwbep, and opu are bold; this means they are activated.

    No changes needed here, verify only. Exit this screen.

    Section 2, Step 5 - ICM SETTING

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    Now enter transaction SMICM. Go to menu Goto → Services.

    Check the services. Verify the HTTP, HTTPS, and SMTP services are enabled. Verify the timeout settings are 3600 for Keep Alive, 1800 for Process Timeout.

    No changes needed here, verify only. Exit this screen.
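    The same Step 5 check can also be run against an exported instance profile. The script below is an added example, not part of the original lab guide; it assumes the services are defined through icm/server_port_<n> profile parameters, and the sample profile text (ports and deviations) is constructed.

```python
import re

# Values the lab guide says to verify in SMICM (Goto -> Services).
EXPECTED_TIMEOUTS = {"TIMEOUT": 3600, "PROCTIMEOUT": 1800}  # Keep Alive, Process Timeout
REQUIRED_PROTOCOLS = ("HTTP", "HTTPS", "SMTP")

# Constructed sample profile text; ports and the two deviations are illustrative.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=3600,PROCTIMEOUT=1800
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=3600,PROCTIMEOUT=600
icm/server_port_2 = PROT=SMTP,PORT=0,TIMEOUT=3600,PROCTIMEOUT=1800
"""

_PORT_LINE = re.compile(r"^icm/server_port_(\d+)\s*=\s*(.+)$")


def parse_icm_services(profile_text):
    """Return one dict per icm/server_port_<n> entry found in the profile text."""
    services = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        match = _PORT_LINE.match(line)
        if not match:
            continue
        entry = {"INDEX": int(match.group(1))}
        for pair in match.group(2).split(","):
            key, sep, value = pair.partition("=")
            if sep:
                entry[key.strip().upper()] = value.strip()
        services.append(entry)
    return services


def check_icm_services(profile_text):
    """List deviations from the lab's expected ICM services and timeouts."""
    enabled = {}
    for svc in parse_icm_services(profile_text):
        # PORT=0 defines the service but leaves it inactive, so it does not count.
        if svc.get("PORT", "0") != "0":
            enabled[svc.get("PROT", "").upper()] = svc

    findings = []
    for prot in REQUIRED_PROTOCOLS:
        svc = enabled.get(prot)
        if svc is None:
            findings.append(f"{prot}: service not enabled")
            continue
        for key, want in EXPECTED_TIMEOUTS.items():
            got = svc.get(key)
            if got is None or not got.isdigit() or int(got) != want:
                findings.append(f"{prot}: {key}={got} (expected {want})")
    return findings


if __name__ == "__main__":
    for finding in check_icm_services(SAMPLE_PROFILE):
        print(finding)
```

    The profile only shows what is configured; the SMICM services screen remains the check for what is actually running.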

    Section 2, Step 6 - SSO SETTING

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    Now enter transaction STRUSTSSO2. Check that the System PSE is green and the SSL server, client, and client SSL are green.

    This setup requires entries in the system profiles and the SAPCRYPTO libraries to be installed in the Kernel at the operating system level of the SAP system. This is needed for NWBC operation. No changes needed here, verify only. Exit this screen.


    This is an example of settings in the system profile needed for NWBC and GRC. No need to verify this (provided as FYI).

    Section 2, Step 7 - UI5 ODATA Gateway SETTING

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    Set up new User Interface (UI5) views and SAP NetWeaver Gateway. This is required for the new Access Control Request Screens in the NWBC and the Remediation View for the User Level Risk Analysis.

    Go back into SPRO again. Navigate to SAP NetWeaver → Gateway → OData Channel → Administration → General Settings and execute Activate and Maintain Services.

    Look at the ICF Nodes and System Aliases at the bottom of the screen. The ICF Node needs to be active and the System Alias needs to have assigned LOCAL Alias.

    No need to make any changes here, this step is verify only. Exit this screen.

    Section 2, Step 8 - NWBC SCREEN

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    Launch and test the NWBC interface. Now that all the previous steps have been completed, it is possible to test the NWBC interface.

    Enter transaction NWBC in the transaction window to the right of the green check. If you are currently not at the main menu and inside another screen, enter /nNWBC to run the transaction.

    The NWBC screen should appear in a new browser window (pop up).

    Navigate to each sub menu My Home, Setup, Access Management, Reports, and Analytics one at a time to test this access. See each sub-menu appear.

    No need to make any changes here, this step is verify only. Exit this screen.

    Section 2, Step 9 - WORKFLOW SETUP

    Steps to be performed (VERIFY STEP ONLY, NO CHANGES):

    Workflow Customizing.

    Go back into SPRO IMG again. Navigate to GRC → General Settings → Workflow, and execute Perform Automatic Workflow Customizing.

    Before, it looked like the screen print below on the left. After, it should look like the screen print below on the right.

    BEFORE AFTER

    We need to verify a few items. The following are just checks, no changes are needed. Please see the sections of this menu, click on them, and read the text in the right-hand pane for instructions followed during setup.

    Check that the jobs are scheduled. These should all have green checks. The Event Queue job is optional and sometimes will not be running; this is OK.

    The RFC destination is important; see the USER used for this function. Please take note of this user. No changes required.

    Section 2, Step 10 - WORKFLOW TASKS

    Steps to be performed (requires changes during this step):

    Go to transaction SPRO again, into the IMG. Enter into Workflow, Perform Task Specific Customizing by selecting Governance, Risk and Compliance → General Settings → Workflow → Perform Task-Specific Customizing.


    Expand the GRC area. We will explore the GRC-SPC agents and event linking.

    Click on Assign Agents across from the GRC-SPC area.


    Select the line and click the Attributes button. A pop-up displays.

    This procedure is only done for the tasks with IDs starting with letters TS, not WS.

    Set General Task and click the Transfer button.

    Check the setting in the screen. It should now say General Task.

    Now, go back to the screen before and select the “Activate event linking” for the GRC-SPC workflow.

    Scroll down to the bottom of the list until you see the WS Events.

    Click on the Deactivated button for the WS 75900005 event to activate it. You will need to create a transport request as part of this process. Click the white paper icon.


    Enter a Short Description and click Save.

    Click the save icon to save the request.

    Click the Puzzle piece Icon. In the pop-up, change the error feedback to “Do not change linkage” and click save. Then click the green check button.

    Exit this application.

    Click the note with the glasses and review the documentation for this IMG activity. This exercise was an example of the settings needed in this area for the Workflow setup.

    Note: For Access Control, more steps need to be completed when the system has the plug-in installed. These are not covered in this lab due to time constraints. These settings have already been made for your systems.

    Section 2, Step 11 - CONNECT SYSTEMS

    Steps to be performed (PARTS OF THIS STEP ARE PERFORMED):

    Set up the connectors to the other systems. Go back into the SPRO IMG and navigate to the Integration Framework under Governance, Risk and Compliance → Common Component Settings → Integration Framework.

    Setup of the connectors involves settings made in seven places. These steps are very important for the integration of SAP systems with the GRC applications. We are not covering the Portal integration, LDAP integration, or non-SAP integration in this lab due to time constraints and level of complexity.

    The first part is in this area of the IMG. Many of the settings are done already for you. However, you will have to make certain settings. These are pointed out to you.


    Part 1 - IMG area we are focusing on first.

    Enter the first IMG activity step “Create Connectors.” This is actually transaction SM59.

    Look at the ABAP connections and find GRDCLNT200. This step is already done for you. Please verify the settings.

    CREATE CONNECTORS - RFC Connection is GRDCLNT200. Double-click and verify the settings. We are actually connecting back to the same system, GRC system to GRC system. This is possible because we have the GRC Plug-In installed in this system.

    Verify the settings.


    Exit the connector settings after verifying them.

    See the details under the Login and Security tab. The correct client 200 is filled in. The user must have the correct roles assigned in the remote system. No changes, verify only.

    The next setting is the “Maintain Connectors and Connection Types.” Here we are assigning the connectors to the connection types and the connector groups.

    Click Define Connectors after selecting the SAP box on the left side.

    Verify the connector is GRDCLNT200. This is how you assign the connector to each connector type. We are only using SAP type here.

    After clicking into the DEFINE CONNECTOR GROUP, select the line SAP_BAS_LG, and then click the ASSIGN CONNECTORS TO CONNECTOR GROUP FOLDER.

    The connector group is based on the rule sets loaded. See below for guidance. We are using only the GRAC_RA_RULESET_SAP_BASIS rule set for this training (SAP_BAS_LG). Please only assign the SAP_BAS_LG for this training class.

    Select the ROLMG scenario and get to the screen below. Now click the box next to the ROLMG sub scenario definition and click the Scenario-Connector Link on the right. This brings up a screen where you assign the connector GRDCLNT200.

    Click New Entries on the screen.

    From the selection box that pops up, select the connector GRDCLNT200.

    Click the Save icon on the top menu bar. A transport request comes up. Click the white paper icon and create a new request and fill in the description as shown below. Click the green check and save it.

    This is done. Now use the arrow keys to exit this step until you are back at the IMG menu. This same process would be repeated for each scenario. According to an SAP Note, they need to be filled out for all scenarios even if you are using only one of them.


    Part 2 of the connector settings is under the Access Control area and contains four steps.

    Perform the validation of this next.

    Click on configuration item “Maintain Connector Settings” and verify the target connector GRDCLNT200 is assigned. Click in the Application Type area to see what the drop-down list provides. We are only using SAP type for this system. No changes needed.

    When done reviewing, exit this screen.

    In the next step in the IMG, open Maintain Mapping for Actions and Connector Groups.

    Notice the connector group(s). We are working with the SAP_BAS_LG group.

    Select the SAP_BAS_LG group and click on the right side Assign default connector.

    Here we have to fill in multiple entries. One entry for each action 1, 2, 3, 4. Verify this is correct. Click the Action drop-down to see the list of actions available. These are assigned for the connector group we are using, which is SAP_BAS_LG.

    Exit this screen. Click the green arrow back a few times to get to the IMG menu again. Now for the last item, Plugin settings.

    Verify the Plugin settings. It needs one single entry for GRDCLNT200.

    Exit this screen back to the IMG menu.

    The connection is now set up for the applications and will appear in the application screens when choosing the system. This section is very important for all applications in Access Control to function, and must be done before configuring the applications.

    This system is also connected to itself using the GRC Plug-In. So we are using the same GRC system to manage the GRC systems for Access Control applications, such as Risk management, Super User management, and user provisioning functions.

    END OF LAB SECTION 2 – Congratulations, this was a big section to complete.

    SECTION 3 - GRC Risk Analysis Configuration and First Risk Analysis

    •  Activate BC Sets (Rule Sets)

    •  Generate the Rules

    •  Maintain Configuration Settings for ARA

    •  Run the Synchronization Jobs

    •  Test Risk Analysis

    •  Run the Full Batch Risk Analysis

    •  Run the Batch Risk Analysis Monitor

    •  Run the Risk Violation Dashboards

    •  Check the Application Logs SLG1

    Section 3, Step 1 - BCSET ACTIVATE

    Steps to be performed:

    Activate BC Sets.

    At the main menu of the system (out of the IMG/SPRO screen), enter transaction SCPR20.

    We are only activating the two rule sets we are using. The full table is shown for reference. The other BCSETS will be activated during other lab steps when needed.

    DO NOT ACTIVATE THE GREYED OUT BCSETS YET. Only the two needed for this section.

    Access Risk Analysis

    GRAC_RA_RULESET_COMMON SOD Rules Set (We activate this one now)

    GRAC_RA_RULESET_JDE JDE Rules Set

    GRAC_RA_RULESET_ORACLE ORACLE Rules Set

    GRAC_RA_RULESET_PSOFT PSOFT Rules Set

    GRAC_RA_RULESET_SAP_APO JDE Rules Set

    GRAC_RA_RULESET_SAP_BASIS SAP BASIS Rules Set (We activate this one now)

    GRAC_RA_RULESET_SAP_CRM SAP CRM Rules Set

    GRAC_RA_RULESET_SAP_ECCS SAP ECCS Rules Set


    GRAC_RA_RULESET_SAP_HR SAP HR Rules Set

    GRAC_RA_RULESET_SAP_NHR SAP R/3 less HR Basis Rules Set

    GRAC_RA_RULESET_SAP_R3 SAP R/3 AC Rules Set

    GRAC_RA_RULESET_SAP_SRM SAP SRM Rules Set

    Access Request Management

    GRAC_ACCESS_REQUEST_REQ_TYPE* Request Type

    GRAC_ACCESS_REQUEST_EUP* EUP (Note: Only the value EU ID 999 is valid for this BC set.)

    GRAC_ACCESS_REQUEST_APPL_MAPPING* Mapping BRF Function IDs and AC Applications

    GRAC_ACCESS_REQUEST_PRIORITY* Request Priority

    Business Role Management

    GRAC_ROLE_MGMT_SENTIVITY* Sensitivity

    GRAC_ROLE_MGMT_METHODOLOGY* Methodology Process and Steps

    GRAC_ROLE_MGMT_ROLE_STATUS* Role Status

    GRAC_ROLE_MGMT_PRE_REQ_TYPE* Prerequisite Types

    Superuser Management

    GRAC_SPM_CRITICALITY_LEVEL* Criticality Levels

    Workflow

    GRC_MSMP_CONFIGURATION* MSMP Workflow Configuration Rules Set


    Steps to activate the BCSETS

    Fill in the name GRAC_RA_RULESET_COMMON and click the Activation button.

    A transport request may pop up; fill this in and save using the green check mark. If it is to be a new request, click the white paper icon to create a new request. Then fill in and save it.

    After activating this BC Set, you get the message below at the bottom of the screen.


    Perform the steps again for the other BC Set GRAC_RA_RULESET_SAP_BASIS.

    Activate it.

    That concludes the rule set activation.

    Section 3, Step 2 - Generate Rules

    Steps to be performed:

    Generate Access Rules.

    Generate the rules by going to IMG under Governance, Risk and Compliance → Access Control → Access Risk Analysis → SoD Rules → Generate SoD Rules. There are alternative methods of generating the rules. In the NWBC interface, in the RULESET sub-menu, you can generate the rule set rules there. For this exercise, we are using the IMG method below.


    Fill in the full range in the drop-down, from the first entry on the left to the last entry on the right.

    Execute this. A small message appears at the very bottom of the screen showing program is completed.

    Section 3, Step 3 - Config Settings

    Steps to be performed (No changes needed, verify only):

    Maintain Configuration Settings. Use SPRO to review the configuration settings. Answer one question below, no changes needed.


    Note the setting for the Risk Analysis. What is the Default Rule Set used? HINT – Look at Param ID 1025.

    FYI – SAP has a guide dedicated to the configuration settings available for download.

    No changes needed here, only look at them.

    Section 3, Step 4 - Check Rules

    Steps to be performed (No changes needed, verify only, important step):

    Run the NWBC and check that the rules are loaded.

    The Web browser launches.

    Check that the Access Risks, Functions, and Rule Set exist. See next three screens.


    Check that the Access Risks exist.

    Check that the Functions exist.


    Check that the Rule Set exists. What is the Rule Set Name?

    If any of the above screens are empty, contact the instructor in the room immediately! This needs to be correct before proceeding.

    Section 3, Step 5 - Sync Jobs

    Steps to be performed:

    We need to run the Synchronization jobs to get the user, role, profile, and authorizations data from the source systems. In our case, the source system is also the same GRC system. This is fine for learning purposes, such as this training. We run two jobs.

    In IMG go to Access Control → Synchronization Jobs and run Authorization Synch (program GRAC_PFCG_AUTHORIZATION_SYNC). It is recommended you run it in the background, but we will run it in foreground during this lab exercise. This program contains three jobs: Org. Value sync, Transaction Sync, and Objects sync.

    1st Job to run = Authorization Data Synchronization

    Fill in the Connector name and click Execute. We run this in the foreground.

    NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and SE38 to create the variants to store the values in the fields so they can be used over and over again.

    The result screen comes up in about three to five minutes. It should not take that long for these systems.

    Note: Larger ERP systems may take 30-40 minutes to run. That is why background processing is usually preferred.

    (Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200)

    In the same path go to Repository Object Synch (program GRAC_REPOSITORY_OBJECT_SYNC).


    Be sure to select the Full Sync Mode.

    This job runs in one to three minutes.

    NOTE: On larger systems with many users and roles, this job may take 10-20 minutes to run.

    NOTE: These jobs can be scheduled to run in background using SM36 to create the background job, and SE38 to create the variants to store the values in the fields so they can be used over and over again. Usually a full sync is done weekly and an incremental sync is done daily. More frequent jobs can be scheduled to allow new users and roles to be used in the GRC analysis jobs, reports, and ad-hoc analysis.

    (Note – screen above has GRDCLNT100 for example, your screen should have GRDCLNT200)

    Completed job output above.

    Section 3, Step 6 - Run Risk Analysis

    Steps to be performed:

    Now you should be able to run a risk analysis. Go to Access Management Workcenter and run a User Level Risk Analysis on a specific user.

    Let’s test this. Go to the main menu of the system and run the NWBC transaction.

    Run the NWBC again.

    In the NWBC Browser window, click the Access Management sub-menu.

    Run the User Level analysis first. Use system GRDCLNT200 and user GRCTRAIN1. Fill out as shown below. Use the minus button to remove unwanted items from the query screen.

    Fill in the screen. Run in foreground. Check the settings carefully.

    View the results. Example below:


    Run the same User Level risk analysis again, but change the Report Options to REMEDIATION VIEW only.


    After choosing Remediation view, it will look like the above. It may take longer to come up.

    (Note – screen above shows system GRDCLNT100 in this example, your screen will be actual system GRDCLNT200)

    Perform the same steps for the Role Level analysis. Use role SAP_GRC_SPC_SETUP for this analysis test.


    Results of ROLE analysis above.

    Section 3 - Step 7 - Setup Parallel Jobs

    Set up Parallel Jobs capability. This is in preparation for running the full batch risk analysis.

    Run the RZ12 transaction (not in the IMG menu). Check if the Login Group parallel_generators exists. If so, verify the settings as shown below. Otherwise, click the white paper icon to create the group assignment. The name must be “parallel_generators” to be used in the applications.


    Click Save. A message will appear at the bottom in yellow. You must press Enter to save and get past this screen! IGNORE THE WARNING and press Enter to save it.

    Go in and check the entry again to make sure it saved.

    Section 3 - Step 8 - Run Full Batch Risk Analysis

    To run the Full Batch Risk Analysis, go into the SPRO transaction again and click on the Execute Batch Risk Analysis menu item.

    Fill out the screen as shown and execute the job. It will take about 10-15 minutes to complete. You will monitor the job during this time. After running this job, move immediately to the next step on how to monitor the job.

    NOTE: As an alternative, the job can also be run using transaction GRAC_BATCH_RA (or program GRAC_BATCH_RISK_ANALYSIS).


    Fill out the Batch Risk Analysis screen as shown above and execute it.

    Section 3 - Step 9 - Monitor Batch Risk Analysis

    Monitoring the Batch Risk Analysis.

    Using SPRO (IMG), go to the menu Access Risk Analysis and run Monitor Batch Risk Analysis.

    Change the dates so the start date is one day earlier. We have noticed some time issues with the system time not matching the time in Vegas. With time out of sync, you may miss picking up the jobs in the search. Making the date range larger will help to pick up the jobs.

    Note: You can monitor the batch risk analysis job with transaction GRACRABATCH_MONITOR.


    Click the box in front of the job row and click Show Details. Drill into the details to see the detailed status.


    You can see what is going on while it is running.

    For large systems, this job can take a long time.


    Check that the job is using parallel processes. Use transaction SM50 while the job is executing in the background to see the two

    batch work processes running the job. Below is SM50 screen.


    Section 3 - Step 10 - View Dashboards

    View the Risk Analysis dashboards. The data in the dashboards are only visible after running the batch risk analysis jobs.

    In the NWBC screen, go to the Reports and Analytics menu. We will run the Risk Violations, User Analysis, and Role Analysis dashboards. These pop up in another window. Run each one, one at a time. See below screens for examples.


    The Risk Violations screen is interactive. You can click into the pie chart or bar chart items to see the detail below them. Try this

    for both the pie chart HIGH and MEDIUM and BS00 in the bar chart. Be sure to drill down in the next screens that open. Check out

    the details. Try changing the Analysis Type from User to Role.


    Check the User Analysis dashboard too. Explore the details.


    Find the GRC roles in the Role Analysis dashboard. They begin with SAP_GRC.

    The data in the dashboards is based on the Batch Risk Analysis job. This job needs to be scheduled nightly to get the data updated.

    Section 3 - Step 11 - SLG1 Appl Errors

    Check the Application logs for errors. Run transaction SLG1 in the GRD system. Fill the screens as shown below and execute.

    See examples of log output below. This is a very useful tool for GRC applications when problems are occurring.


    SECTION 4 - GRC Emergency Access Configuration and First Emergency Access

    Special User Instructions:

    1)  The steps to configure the “Emergency Access Management” component of GRC 10.1 are illustrated in this section.

    2)  Please log in using GRCEAMADM for all the steps except for Step 10, where you will use GRCTRAIN1 and GRCTRAIN2 for configuration and testing the EAM functions. The users to be used for each step are pointed out in the documentation.

    High Level Overview of the Configuration Steps

    A pictorial depiction of the high-level configuration steps is shown below:


    • Activate BC Sets (Emergency Access)
    • Add Connectors to Firefighting Scenario (SUPMG)
    • Maintain Configuration Settings
    • Maintain Criticality Levels
    • Create Firefighter IDs in Target Systems
    • Complete Synchronization
    • Define Owners and Controllers
    • Assign Firefighter IDs to Firefighters
    • Access Firefighter ID
    • Run Log Collection Job
    • Access and Review Firefighter Logs

    Section 4 - Step 1 - Activate BC Sets

    Activate BC Sets. (Logged in as user GRCEAMADM)

    Enter transaction code SCPR20. Enter GRAC_SPM_CRITICALITY_LEVEL in the BC Set field and press F7 or click Activate. Create a

    new transport request or assign to an existing one. Use the Expert Mode under the Activation Options window and click OK to

    complete the activation.


    On successful activation, a confirmation message is shown as below.

    Section 4 - Step 2 - Plug-In Settings

    Maintain Plug-in settings. (Logged in as user GRCEAMADM)

    Navigate to Tcode SPRO -> SAP Reference IMG -> expand Governance, Risk and Compliance (Plug-in) -> Access Control -> Maintain Configuration Settings.

    Review and ensure the values for the following parameters exist:


    1089 1

    1090 SAP_GRAC_SPM_FFID

    Section 4 - Step 3 - SUPMG Connector

    Add Connectors to the Super user Management Scenario (SUPMG) (Logged in as user GRCEAMADM)

    Navigate to Tcode SPRO -> SAP Reference IMG -> expand Governance, Risk and Compliance -> Common Component Settings -> Maintain Connection Settings.

    Enter SUPMG in Integration Scenario and click OK.


    Highlight the row that indicates the SUPMG scenario and double-click the Scenario-Connector Link folder.

    Review and confirm the entry for the target connection as shown in the screen below. If no entry exists, click on New Entries and

    add the Target Connector.

    Section 4 - Step 4 - Criticality Levels

    Review Criticality Levels for Emergency Access Management. (Logged in as user GRCEAMADM)

    Navigate to Tcode SPRO -> SAP Reference IMG -> expand Governance, Risk and Compliance -> Access Control -> Emergency Access Management -> Maintain Criticality Levels for Emergency Access Management.

    Confirm that criticality levels are populated in the table as indicated in the screen below.

    Changes can be made and saved, but would require the creation of a new transport or addition to an existing transport.

    Section 4 - Step 5 - Config Settings For EAM

    Review Key Configuration Settings for Emergency Access Management. (Logged in as user GRCEAMADM)

    Navigate to Tcode SPRO -> SAP Reference IMG -> expand Governance, Risk and Compliance -> Access Control -> Maintain Configuration Settings.

    Changes can be made and saved, but would require the creation of a new transport or addition to an existing transport.

    Section 4 - Step 6 - Create FF IDs

    Create Firefighter IDs. (Logged in as user GRCEAMADM)

    Use Tcode SU01 

    Enter FF_TRAIN01 in the User field. Click Users (Top menu) and click Copy. In the To field, enter FF_TRAINGRC. Check all the boxes

    in the copy screen and click Copy (F5).


    In the Logon data tab, click on the Wizard button next to the Initial password field. Save the changes to complete the creation of

    the Firefighter ID.

    Section 4 - Step 7 - Run FULL Repository Sync Job

    Synchronize Created Firefighter IDs using Tcode GRAC_REP_OBJ_SYNC. In the Connector field, use the Search button to choose the

    connector. (Logged in as user GRCEAMADM)

    Choose Full Sync Mode.


    Click Execute (F8) to complete the sync.

    Section 4 - Step 8 - Define Owners And Controllers

    Define Owners and Controllers for the created Firefighter ID. (Logged in as user GRCEAMADM)

    Execute Tcode NWBC to launch the SAP NetWeaver Business Client window. Navigate to the Setup tab and click “Access Control

    Owners” under Access Owners Sub menu. 


    Confirm that GRCTRAIN2 is set up as a Firefighter ID Owner and a Firefighter ID Controller. Once confirmed, close the window.

    Navigate back to the Setup tab and click Owners. Within the Owners window, click Assign at the top of the window.


    Search for user GRCTRAIN2. To choose the user, highlight it on the search screen and then click on it. Click on Add within the

    Firefighter ID table and click Go to show the list of Firefighter IDs.

    Choose FF_TRAIN01 and move it to the selected pane by highlighting it and using the directional arrow (shown above).

    Click Save on the Owner Assignment screen.

    To assign controllers, without leaving the Setup tab, click Controllers under Superuser maintenance. Within the Owners window,

    click Assign at the top of the page.


    Search for user GRCTRAIN2. To choose the user, highlight it on the search screen and then click on it. Click on Add within the

    Firefighter ID table and click Go to show the list of Firefighter IDs. Add the Firefighter ID FF_TRAIN01 and set the ‘Notification by’ to

    Log Display.

    Section 4 - Step 9 - Define Reason Codes

    Define Reason Codes for Firefighter Usage. (Logged in as user GRCEAMADM)

    Execute transaction NWBC. Within the Setup folder tab, locate the Reason Codes link under Superuser Maintenance menu (bottom

    of the page) and click on it. Within the Reason Code window, click on Create to define a new reason code.


    Add the Reason Code and a long description within the respective text fields. To define the systems for which the created reason

    code is applicable, click Add within the system table. Click Save to save your changes once all the fields have been defined.

    Section 4 - Step 10 - Assign Firefighter

    Assign Firefighter ID to Firefighter User. (Logged in as user GRCEAMADM)

    Execute Transaction NWBC. Within the Setup folder tab, locate the Firefighters link under Superuser Maintenance menu (bottom of

    the page) and click on it. Click Assign at the top of the Firefighter window. Search for user GRCTRAIN2, highlight it on the search

    screen, and click on it to choose it.


    Click on Add within the Firefighter ID table and click Go to show the list of Firefighter IDs. Choose FF_TRAIN01 and move it to the selected pane by highlighting it and using the directional arrow. Choose the Owner (GRCTRAIN1) from the search screen and click Save to save the assignment.

    Section 4 - Step 11 - Use Firefighter

    Using a Firefighter ID. ** (Logged in as user GRCTRAIN1 now) **  

    Log out as GRCEAMADM. Ensure you are logged in as GRCTRAIN1. Execute transaction GRAC_EAM. Click the Logon button within the Emergency Access Management Dashboard.


    Choose a reason code from the Reason Code dropdown. Enter the planned activity within the text area (use your own). Enter the transaction codes to be used (e.g. PFCG, SU01, SU10, SE38 etc.) within the Actions field. Click OK to launch the remote session.

    Section 4 - Step 12 - Run Log Sync Job

    Execute the Firefighter Log Synchronization job to complete collection of the Activity log. (Logged in as user GRCEAMADM)

    Execute Tcode GRAC_SPM_LOG_SYNC. Enter the connector name and click Execute (F8) to initiate the job that collects the activities performed under the Firefighter ID.


    Section 4 - Step 13 - View FF Logs

    View the Firefighter logs.

    Execute Tcode NWBC. Click the Reports and Analytics folder tab.

    Locate the Firefighter Log Summary Report link under the Emergency Access Management Reports menu and click on it.


    Click on ‘Run in foreground’ to view the generated log list.  

    View the log by highlighting the item on the list and click Open to see the details.
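The review that Steps 11 to 13 lead up to, as an added example that is not part of the original lab guide and is not SAP code: a controller-side check that compares the transaction codes a firefighter declared in the Actions field at logon with the ones actually executed, and flags sessions that carry no reason code. The CSV column layout, the session IDs and the reason code RC01 are constructed for this example; they are not the export format of the Firefighter Log Summary Report.

```python
import csv
import io

# Constructed sample data. The column names are assumptions made for this
# example, not the layout of any SAP report or table.
SAMPLE_LOG = """\
session_id,firefighter,ffid,reason_code,declared_actions,executed_tcode
S1,GRCTRAIN1,FF_TRAIN01,RC01,PFCG;SU01;SU10;SE38,SU01
S1,GRCTRAIN1,FF_TRAIN01,RC01,PFCG;SU01;SU10;SE38,PFCG
S1,GRCTRAIN1,FF_TRAIN01,RC01,PFCG;SU01;SU10;SE38,SM59
S2,GRCTRAIN1,FF_TRAIN01,,SU01,SU01
S2,GRCTRAIN1,FF_TRAIN01,,SU01,se16
"""


def parse_sessions(text):
    """Group log rows by firefighter session.

    Returns a dict keyed by session ID. Each value holds the firefighter,
    the Firefighter ID, the reason code, the set of declared transaction
    codes and the list of executed transaction codes (upper-cased).
    """
    sessions = {}
    for row in csv.DictReader(io.StringIO(text)):
        sid = row["session_id"].strip()
        session = sessions.setdefault(sid, {
            "firefighter": row["firefighter"].strip(),
            "ffid": row["ffid"].strip(),
            "reason_code": row["reason_code"].strip(),
            "declared": set(),
            "executed": [],
        })
        # Declared actions are a semicolon-separated list in this sample.
        for tcode in row["declared_actions"].split(";"):
            if tcode.strip():
                session["declared"].add(tcode.strip().upper())
        session["executed"].append(row["executed_tcode"].strip().upper())
    return sessions


def review(sessions):
    """Return findings as (session_id, finding_type, detail) tuples.

    MISSING_REASON_CODE: the session was opened without a reason code.
    UNDECLARED_TCODE:    a transaction was executed that the firefighter
                         did not list at logon (reported once per session).
    """
    findings = []
    for sid, session in sessions.items():
        if not session["reason_code"]:
            findings.append((sid, "MISSING_REASON_CODE", ""))
        reported = set()
        for tcode in session["executed"]:
            if tcode not in session["declared"] and tcode not in reported:
                reported.add(tcode)
                findings.append((sid, "UNDECLARED_TCODE", tcode))
    return findings


if __name__ == "__main__":
    for sid, kind, detail in review(parse_sessions(SAMPLE_LOG)):
        print(f"{sid}: {kind} {detail}".rstrip())
```

A finding is a prompt for the controller to ask the firefighter about the session, not proof of misuse; declared actions are free text entered before the work starts.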

    SECTION 5 - GRC Access Request Configuration and First Access Request

    • Activate BC Sets (User Provisioning)
    • Create Access Request
    • Approve Access Request
    • Add Connectors to Firefighting Scenario (PROV)
    • Maintain Configuration Settings
    • Maintain Provisioning Settings
    • Activate MSMP Workflow
    • Import Roles
    • Complete Synchronization
    • Review Auto Provisioning

    Section 5 - Step 1 - Activate BC Sets

    Activate BC Sets.

    Enter transaction code SCPR20. Enter the BC Sets below, one by one in the BC Set field and use F7 or click Activate. Create a new

    transport request or assign to an existing one. Select Expert Mode under the Activation Options window and click OK to complete

    the activation.

    • GRAC_ACCESS_REQUEST_APPL_MAPPING
    • GRAC_ACCESS_REQUEST_EUP
    • GRAC_ACCESS_REQUEST_PRIORITY
    • GRAC_ACCESS_REQUEST_REQ_TYPE

    On successful activation, a confirmation message is shown as below.

    Section 5 - Step 2 - Add Connector for Prov.

    Add Connectors to the User Provisioning scenario (PROV).

    Navigate to Tcode SPRO -> SAP Reference IMG -> expand Governance, Risk and Compliance -> Common Component Settings -> Maintain Connection Settings.

    Enter PROV in Integration Scenario and click OK.


    Highlight the row that indicates the PROV scenario and double-click the Scenario-Connector Link folder.

    Review and confirm the entry for the target connection as shown in the screen below. If no entry exists, click on New Entries and

    add the Target Connector.

    Section 5 - Step 3 - Maintain Prov. Settings

    Maintain Provisioning Settings.

    Navigate to Tcode SPRO -> SAP Reference IMG -> expand Governance, Risk and Compliance -> Access Control -> User Provisioning -> Maintain Provisioning Settings.


    Double-click Maintain Global Provisioning Settings. Set the values as shown below.

    Role provisioning Type: Direct

    Auto Provisioning: Auto provisioning at end of request

    Role assignment: Check Provisioning Effective Immediately

    Save the settings and add to transport request.

    Section 5 - Step 4 - Activate MSMP Workflow

    Activate the MSMP Workflow.

    Navigate to Tcode SPRO -> SAP Reference IMG -> expand Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflows.


    Go to Change mode and click on Step 7 (Generate Versions) and choose Activate.

    Confirm activation of the approval workflow.


    Section 5 - Step 5 - NWBC Role Import

    Import Roles.

    Execute Tcode NWBC. In the Access Management tab, under Role Mass Maintenance, click Role Import.


    In the Role Import screen, populate the screen as indicated below for Stage 1.

    For Stage 2, enter the details as shown below:


    For Stage 3, click Next to move to Step 4. In Step 4, set the job as a background job using the parameters shown below.

    A confirmation message is shown in Stage 5 indicating successful scheduling.

    Section 5 - Step 6 - Run Sync Jobs

    Run the Synchronization job.

    Execute Tcode GRAC_REP_OBJ_SYNC to initiate a repository sync job on completion of the background job from Step 5.


    Click Execute (F8) to initiate the job. On completion, the log is shown (example below).

    Section 5 - Step 7 - Create Access Request

    Create an Access Request.

    Execute Transaction NWBC. Within the My Home tab, click on Access Request to launch the Access Request screen.


    In the Access Request screen, fill in the fields as shown below. To add roles, click on Add and choose Role.

    Navigate to the User Details tab and fill in the First Name, Last Name and Email for the user.


    In the Add Role screen, click on Search to search for a role. Highlight one of the search results and use the arrow buttons to move

    them to the selected screen.

    Click OK to return to the Access Request screen.

    Click Submit to submit the access request.

    Section 5 - Step 8 - Approve Access Request

    Approve the Access Request.

    Login as GRCTRAIN2. Execute Tcode NWBC. From the My Home tab, click on Work Inbox.


    In the Work Inbox, locate the request number and click on it to open the Request Approval window.

    In the Approval window, review the request and click on Submit to approve the request.


    Enter comments in the Comments tab prior to approval. A confirmation message is shown on the approval.


    Section 5 - Step 9 - Review Auto Provision.

    Review the Auto Provisioning.

    Execute Tcode SU01. In the User field, enter GRCCONF01 and click Display.


    Navigate to the Roles tab and review the requested role. Confirm that it was assigned to the user.

    End of Lab – Great Job, you made it, and thanks for attending!!

    APPENDIX – FOR YOUR REFERENCE:

    Appendix - Step A - Email Setup (VERIFY STEP ONLY, NO CHANGES)

    Enter Transaction SCOT to set up email. (Validation Only in this section, no changes!)

    Click on SMTP Node under the Settings Folder, Outbound Messages Folder.

    Verify the settings in the screen below (NO CHANGES).


    No changes needed, verify the settings. The settings for Internet should have * in the SET button.


    Check that the job is running. You can double click the Job Name to open the popup panel. See the job runs every ten minutes. Exit

    this transaction, SCOT.

    (DO NOT PERFORM THE FOLLOWING COMMAND, READ ONLY)

    Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026

    Copyright © 2015 Wellesley Information Services. All rights reserved.