
Hands-On Lab: How to Set Up and Configure SAP Process Control

(Based on SAP Process Control 10.1)

Jessica Scott and Mel Hensey

Deloitte


SECTION 1 - Lab Contents

Section 1: Lab Introduction

o Lab Overview

o Lab Schedule

o Lab User Access Information

Section 2: SAP Process Control Master Data Creation

Section 3: SAP Process Control Automated Rule Configuration

SECTION 1 - Lab Overview

The GRC system for this lab is running locally on the laptops and not on a server across the network.

We have 40-50 GRC systems running here, one per laptop.

o This was done to guarantee performance and complete independence from others working on the same system.

The system is strictly yours and not shared.

The laptop is running VMware Workstation 10.

The GRC system is running on SUSE Linux 11.3 Server and uses a MAXDB database.

The GRC system is based on SAP NetWeaver 7.40 SP13.

The GRC system is running GRCFND_A 10.1, SP11.

The GRC plug-in is installed and is version 10.1, SP11.

The SAP GUI is installed and is version 7.40 SP2.


SECTION 1 - Lab Schedule

Thursday, March 17th, 2016

Section 1 – Lab Overview 10 Minutes (3:00 – 3:10)

Lab – Section 2 Overview 10 Minutes (3:10 – 3:20)

Lab – Section 2 Hands On Lab 70 Minutes (3:20 – 4:30)

Short Break 10 Minutes (4:30 – 4:40)

Lab – Section 3 Overview 10 Minutes (4:40 – 4:50)

Lab – Section 3 Hands On Lab 70 Minutes (4:50 – 6:00)

SECTION 1 - Lab User Access Information

• SAP System SID is “GRD”

• Client number is 600 (if default is 200, must specify 600 when logging in)

• Server host is “USSLTCSNL1271”

• Instance number is 00

• Start the SAP GUI

• Launch the GRD LAB system GUI

• Log in to client 600 as grctrain1 or grctrain2 with password of “grc2016lab”

• Launch Transaction “NWBC” for the GRC Web Interface


SECTION 2 – SAP Process Control Master Data Creation

Log in to the System

Access NetWeaver Business Client (NWBC)

Review Regulation Hierarchy

Review Process Structure

Create Subprocess

Map Regulation to Subprocess

Create Control

Map Regulation and Regulation Requirement to Control

Review Organization Hierarchy

Create an Organization

Map Subprocess and underlying Controls to Organization

Review Master Data Level Security Roles (Control Owner / Control Tester)


Section 2 Step 1: STARTUP LOGIN

Note: The lab system should have the VMware Workstation Lab System “USSLTCSNL1271” loaded and running for you already. If you get an error when accessing the system using the SAP GUI in the next step, contact the instructor.

1) Start SAP GUI and connect to the GRD LAB system.

2) SAP Login screen. Log in to the GRD system.

3) Log in to client 600 with user grctrain1 (or grctrain2 for some parts of the lab) and password “grc2016lab”.


Section 2 Step 2: Navigate to NWBC / GRC Front End (NAVIGATION ONLY, NO CHANGES)

1) To navigate to the GRC Front End, enter transaction NWBC in the transaction window to the right of the green check. (NWBC = NetWeaver Business Client)

TIP: If you are not currently at the main menu but inside another screen or transaction, enter /nNWBC to run the NWBC transaction.

The NWBC screen should appear in a new browser window (pop up). The screen defaults to the “My Home” tab.

This completes the navigation to the NWBC screen.


Section 2 Step 3: Review Regulation Hierarchy (REVIEW ONLY, NO CHANGES)

PURPOSE: To understand navigation and key characteristics of the Regulation Hierarchy.

FROM PRIOR STEP: The NWBC screen should be open.

1) Select the “Master Data” tab at the top of the NWBC screen.

The Master Data tab and underlying sub-menus are displayed. Note the sub-menu headings that correspond to the three key Master Data hierarchies:

- Organizations
- Regulations and Policies
- Activities and Processes


2) Select the “Regulations” task within the “Regulations and Policies” sub-menu.


The Regulation Hierarchy screen is displayed.

KEY FEATURE: Note the summary of key data fields (right-hand pane) for the item highlighted in the hierarchy (left-hand pane).

3) Select “Actions” > “Expand All” to display all nodes in the hierarchy

All of the Regulation Hierarchy nodes are displayed.

BUILDING BLOCKS: Note that there are three types of nodes displayed for Regulations: Regulation Group, Regulation, and Regulation Requirement.

- Regulation Group is the highest level node type in the hierarchy; it may be subordinate to another Regulation Group. In this way, it is possible for a regulation hierarchy to be constructed that is more than three levels deep.
- A Regulation is always subordinate to a Regulation Group; it may NOT be subordinate to another Regulation. Multiple Regulations may be present under a single Regulation Group.
- A Regulation Requirement is always subordinate to a Regulation; it may NOT be subordinate directly to a Regulation Group or to another Regulation Requirement. Multiple Regulation Requirements may be present under a single Regulation.


4) Select the “Sarbanes-Oxley (SOX)” Regulation to highlight it and then select “Open”.

The Regulation details pane is displayed.

HEADS UP: Note that there is a dropdown to select a specific pre-configured value (in this case “SOX”) that must be associated to the Regulation when it is initially created.

A configured value (Regulation Configuration) may only be associated with a single Regulation, and each Regulation in the hierarchy requires its own unique configured value. SAP delivers two regulations (SOX and FDA) which may be activated via configuration and used to model configuration for additional regulations. Additional Regulations may be configured as required to meet specific compliance needs (e.g., NERC/FERC). For the purpose of this lab exercise the SAP delivered regulations (SOX and FDA) have been activated. Please retain SOX for the current exercise.

NOTE: Configuration of Regulation values is not in scope for this workshop.


5) Exit the Regulation screen by selecting the “X” in the top right corner.

The Regulation Hierarchy screen remains open.

6) Exit the Regulation Hierarchy screen by selecting the “X” in the top right corner.

This completes the review of the Regulation Hierarchy.


Section 2 Step 4: Review Process Structure; Set Date

PURPOSE: To understand navigation and key characteristics of the Process Structure [hierarchy].

FROM PRIOR STEP: The Master Data tab and underlying sub-menus remain open.

1) Select the “Business Processes” task within the “Activities and Processes” sub-menu.

The Process Structure screen is displayed.

KEY FEATURE: Note the summary of key data fields (right-hand pane) for the item highlighted in the hierarchy (left-hand pane).


KEY FEATURE: The “Date” field that is present on the hierarchy screen for each type of master data may be changed using the dropdown and selecting “Apply”. Note that this drives two functions: (1) display of the hierarchy that is effective at a particular point in time, and (2) setting the date that will default into the “Valid From” date when creating or changing master data.

TIP: Always confirm that the “Date” is set as expected prior to creating or updating master data. The “Advanced” function may be used to set the date so it will stay the same whenever any master data screen is accessed during the session.

2) Using the “Advanced” function, select “Fixed Date” and use the date dropdown to set the date to 15.01.2015 (January 15, 2015), then select “OK” to complete.

3) Confirm that the “Date” field now displays “15.01.2015”.

4) Select “Actions” > “Expand All” to display all nodes in the structure.


All of the structure nodes are now displayed (see system screenshot below).

BUILDING BLOCKS: Note that there are three types of nodes displayed in the Process Structure: Process, Subprocess, and Control.

- Process is the highest level node type in the structure; it may be subordinate to another Process. In this way, it is possible for a process structure to be constructed that is more than three levels deep.
- A Subprocess is always subordinate to a Process; it may NOT be subordinate to another Subprocess. Multiple Subprocesses may be present under a single Process.
- A Control is always subordinate to a Subprocess; it may NOT be subordinate directly to a Process or to another Control. Multiple Controls may be present under a single Subprocess (and typically are).

5) Select the “1 - Accounting” Process to highlight it and then select “Open” to review it.

The Process details pane is displayed.

BUILDING BLOCKS: Asterisked fields require input before a new Process may be saved.

- “Name”: Restricted to 40 characters
- “Description”: To further describe the Process if necessary beyond the 40 character limitation of the “Name”

BEST PRACTICE: It is recommended that the “Name” provided for each master data element be unique, although the system does not require it. Identical names can be confusing when master data is presented in list displays and reports.


6) After your review, exit the Process screen by selecting the “X” in the top right corner.


Section 2 Step 5: Create a new Subprocess; Map a Regulation to the Subprocess

PURPOSE: To add a new Subprocess node within the Process Structure and subsequently map relevant Regulations from the Regulation Hierarchy.

FROM PRIOR STEP: The Process Structure screen is displayed, or otherwise navigate via the “Master Data” tab, “Business Processes” task.

1) Confirm that the “Date” is set to “15.01.2015” (January 15, 2015) or other date provided by the workshop leader.

2) Select Process “6 – Sales Management” to highlight it and then select “Create”, and then select “Subprocess” from the drop-down.

The “Central Subprocess” new entry screen is displayed, “General” tab.

KEY FEATURE: Note that the “Valid From” date defaults to the value of “Date” from the prior screen, and the “Valid To” date defaults to the value “31.12.9999” (December 31, 9999), or indefinite.

KEY FEATURE: Note that there is a system-generated unique “ID” for every master data object created within GRC.


3) Enter the following text into the “Name” field: “6.1 - Customer Master Data”. This field is restricted to 40 characters.

BEST PRACTICE: It is recommended that the “Name” provided for each master data element be unique, although the system does not require it. Identical names can be confusing when master data is presented in list displays and reports.

4) Enter the following text into the “Description” field: “6.1 - Customer Master Data - Process - description”.


5) Select the “Regulations” tab.

BUILDING BLOCKS:

Subprocesses are mapped to one or more Regulations so that underlying Controls may be subsequently mapped to the Regulation and underlying Regulation Requirements. Subprocesses may be mapped to multiple Regulations; Regulations may be mapped to multiple Subprocesses.

The “Regulations” tab is displayed.

6) Select “Add”, select “Sarbanes-Oxley (SOX)” from the list of Regulations, and select “OK”. NOTE: If “SOX” appears in the list twice, select the first instance.


The “Regulations” tab now lists the selected Regulation.

7) Select “Save”.

The display returns to the Process Structure screen with the message that “Data has been saved”.

This completes the creation of the “6.1 - Customer Master Data” Subprocess and the linking of the “Sarbanes-Oxley (SOX)” Regulation.


Section 2 Step 6: Create a new Control; Map a Regulation and Regulation Requirement to the Control

PURPOSE: To add a new Control within the Process Structure and subsequently map relevant Regulations and Regulation Requirements from the Regulation Hierarchy.

FROM PRIOR STEP: The Process Structure screen is displayed, or otherwise navigate via the “Master Data” tab, “Business Processes” task.

1) Confirm that the “Date” is set to “15.01.2015” (January 15, 2015) or other date provided by the workshop leader.

2) Select Subprocess “6.2 - Customer Credit Management” to highlight it.

3) Select “Create”, and then select “Control” from the drop-down.

The “Central Control” new entry screen is displayed, “General” tab.


KEY FEATURE: Note that the “Valid From” date defaults to the value of “Date” from the prior screen, and the “Valid To” date defaults to the value “31.12.9999” (December 31, 9999), or indefinite.


4) Enter the following text into the “Name” field: “CR-621 – Credit Limit Sales Order Block”. This field is restricted to 40 characters.

5) Enter the following text into the “Description” field: “SAP is configured with automatic credit checking to block production orders / planned orders when they exceed credit limits in SAP.”

6) For the remaining fields, select the indicated values from the dropdown lists.

BUILDING BLOCKS: Most of these fields are “information only”, that is, they document characteristics of the Control for documentation purposes, but do not drive or control action within the GRC tool. Asterisked fields require input before a new Control may be saved.


7) Select the “Regulations” tab.

BUILDING BLOCKS: Controls are mapped to one or more Regulations and underlying Regulation Requirements in order to support compliance tasks. Regulations and underlying Regulation Requirements may be mapped to multiple Controls.

The “Regulations” tab is displayed.


8) Select “Add”.

9) Select “Sarbanes-Oxley (SOX)” from the list of Regulations.

10) Select “OK”.

KEY FEATURE: Multiple Regulations may be selected (test Control once, satisfy many Regulations concept).

HEADS UP: Note that the Regulation must be mapped to the Control’s parent Subprocess before it can be linked to the Control.


The “Regulations” tab now lists the selected Regulation.

KEY FEATURE: Note that, by selecting “Maintain Regulation-Specific Attributes” = “Yes”, it is possible to change characteristics of the Control as it applies to the specific Regulation. No changes are required to complete this exercise.

11) Select the “Requirement” tab.

The “Regulation Requirement” tab is displayed.

12) Select “Add”, then select “SOX Section 404” from the list of Regulation Requirements, then select “OK”.

KEY FEATURE: Multiple Regulation Requirements may be selected.


The “Requirement” tab now lists the selected Regulation Requirement.

13) Select “Save”.

The display returns to the Process Structure screen with the message that “Data has been saved”.

The Process Structure screen remains open.

14) Exit the screen by selecting the “X” in the top right corner.

This completes the creation of the “CR-621 – Credit Limit Sales Order Block” Control and the linking of the “Sarbanes-Oxley (SOX)” Regulation and underlying “SOX Section 404” Regulation Requirement.
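The hierarchy and mapping rules from the BUILDING BLOCKS and HEADS UP notes in Steps 3 through 6, written as a pre-load integrity check over a master-data list. This is an added example, not part of the original lab or of SAP Process Control; the node keys, finding codes, the constructed “6.3” subprocess, the CR-622 and CR-631 controls, and the check that a mapped Requirement belongs to a mapped Regulation are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Allowed parent node types, taken from the lab's BUILDING BLOCKS notes.
# None means the node may sit at the top of its hierarchy.
ALLOWED_PARENTS = {
    "REG_GROUP": {None, "REG_GROUP"},
    "REGULATION": {"REG_GROUP"},
    "REQUIREMENT": {"REGULATION"},
    "PROCESS": {None, "PROCESS"},
    "SUBPROCESS": {"PROCESS"},
    "CONTROL": {"SUBPROCESS"},
}
NAME_LIMIT = 40  # the "Name" field is restricted to 40 characters


@dataclass
class Node:
    key: str                      # hypothetical key, not the system-generated ID
    kind: str
    name: str
    parent: Optional[str] = None
    regulations: set = field(default_factory=set)   # keys of mapped Regulations
    requirements: set = field(default_factory=set)  # keys of mapped Requirements


def validate(nodes):
    """Return sorted (node key, finding code) pairs for every rule violation."""
    by_key = {n.key: n for n in nodes}
    findings = []
    for n in nodes:
        parent = by_key.get(n.parent) if n.parent else None
        if n.parent and parent is None:
            findings.append((n.key, "UNKNOWN_PARENT"))
        elif (parent.kind if parent else None) not in ALLOWED_PARENTS[n.kind]:
            findings.append((n.key, "BAD_PARENT"))
        if len(n.name) > NAME_LIMIT:
            findings.append((n.key, "NAME_TOO_LONG"))
        for reg in n.regulations:
            target = by_key.get(reg)
            if target is None or target.kind != "REGULATION":
                findings.append((n.key, "NOT_A_REGULATION"))
            # HEADS UP rule: the Regulation must already be mapped to the
            # Control's parent Subprocess before it can be linked to the Control.
            elif (n.kind == "CONTROL" and parent is not None
                  and parent.kind == "SUBPROCESS"
                  and reg not in parent.regulations):
                findings.append((n.key, "REG_NOT_ON_SUBPROCESS"))
        for req in n.requirements:
            target = by_key.get(req)
            if target is None or target.kind != "REQUIREMENT":
                findings.append((n.key, "NOT_A_REQUIREMENT"))
            # Assumption (not stated in the lab): a mapped Requirement should
            # sit under a Regulation that is itself mapped to the same node.
            elif target.parent not in n.regulations:
                findings.append((n.key, "REQ_WITHOUT_REGULATION"))
    return sorted(findings)


# Constructed sample: names from the lab where they exist, invented otherwise.
SAMPLE = [
    Node("RG1", "REG_GROUP", "Financial Regulations"),
    Node("SOX", "REGULATION", "Sarbanes-Oxley (SOX)", parent="RG1"),
    Node("SOX404", "REQUIREMENT", "SOX Section 404", parent="SOX"),
    # Requirement hung directly under a Regulation Group: not allowed.
    Node("REQ-X", "REQUIREMENT", "Orphan requirement", parent="RG1"),
    Node("P6", "PROCESS", "6 - Sales Management"),
    Node("SP61", "SUBPROCESS", "6.1 - Customer Master Data",
         parent="P6", regulations={"SOX"}),
    Node("SP62", "SUBPROCESS", "6.2 - Customer Credit Management",
         parent="P6", regulations={"SOX"}),
    # Name longer than 40 characters, and no Regulation mapped.
    Node("SP63", "SUBPROCESS",
         "6.3 - Constructed subprocess without regulations", parent="P6"),
    Node("CR-621", "CONTROL", "CR-621 - Credit Limit Sales Order Block",
         parent="SP62", regulations={"SOX"}, requirements={"SOX404"}),
    # SOX is linked to the Control but not to its parent Subprocess.
    Node("CR-631", "CONTROL", "CR-631 - Constructed control",
         parent="SP63", regulations={"SOX"}, requirements={"SOX404"}),
    # Control hung under another Control: not allowed.
    Node("CR-622", "CONTROL", "CR-622 - Constructed control", parent="CR-621"),
]

if __name__ == "__main__":
    for key, code in validate(SAMPLE):
        print(f"{key}: {code}")
```
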


Section 2 Step 7: Review Organization Hierarchy (REVIEW ONLY, NO CHANGES)

PURPOSE: To understand navigation and key characteristics of the Organization Hierarchy.

FROM PRIOR STEP: The Master Data tab and underlying sub-menus remain open.

1) Select the “Organizations” task within the “Organizations” sub-menu.

The Organizations screen is displayed.

2) Confirm that the “Date” field displays “15.01.2015” (January 15, 2015).

3) Select “Actions” > “Expand All” to display all nodes in the hierarchy.


All of the Organization Hierarchy nodes are now displayed (see system screen print below).

BUILDING BLOCKS: Note that, unlike the Regulation Hierarchy and Process Structure, there are only two different types of Organization nodes:

- A single ROOT node is the highest level node type in the structure; all other nodes are directly or indirectly subordinate to the root node. The root node and one child node must be created via configuration; all other nodes are created in the front end. In this structure, “ABC Corporation” is the root node and “Accounting” is the child node that was created during configuration of the root node.
- Multiple nodes may be present under any single node. The hierarchy may be many levels deep.

4) Select the “Information Technology” node to highlight it and then select “Open”.


The Organization details screen is displayed.

BUILDING BLOCKS:

- “Name”: Restricted to 40 characters
- “Description”: To further describe the Organization if necessary beyond the 40 character limitation of the “Name”
- Asterisked fields require input before a new Organization may be saved.

BEST PRACTICE: It is recommended that the “Name” provided for each Master Data element be unique, although the system does not require it. Identical names can be confusing when master data is presented in list displays and reports.

5) After completing the review, exit the Organization details pane by selecting the “X” in the top right corner.


Section 2 Step 8: Create an Organization; Map a Subprocess and Underlying Controls

PURPOSE: To add a new Organization node within the Organization Hierarchy and subsequently map a relevant Subprocess and underlying Controls from the Process Structure. GRC requires Controls to be associated with an Organization before compliance activities can be performed.

FROM PRIOR STEP: The Organizations screen is displayed, or otherwise navigate via the “Master Data” tab, “Organizations” task.

1) Confirm that the “Date” is set to “15.01.2015” (January 15, 2015) or other date provided by the workshop leader.

2) Select Organization node “Americas” to highlight it.

3) Select “Add”.


The “Create Organization” new entry screen is displayed, “General” tab.

KEY FEATURE: Note that the “Valid From” date defaults to the value of “Date” from the prior screen, and the “Valid To” date defaults to the value “31.12.9999” (December 31, 9999), or indefinite.

KEY FEATURE: Note that there is a system-generated unique “ID” for every master data object created within GRC.


4) Enter the following text into the “Name” field: “Sales & Marketing (Americas)”. This field is restricted to 40 characters.

BEST PRACTICE: It is recommended that the “Name” provided for each master data element be unique, although the system does not require it. Identical names can be confusing when master data is presented in list displays and reports.

5) Enter the following text into the “Description” field: “Sales & Marketing (Americas) - Organization - description”.

For purposes of this exercise, it is not necessary to change the defaulted values for the remaining fields.


6) Select the “Subprocess” tab.

BUILDING BLOCKS: Organizations at any level may be mapped to one or more Subprocesses and underlying Controls in order to support compliance tasks. Subprocesses and underlying Controls may be mapped to multiple Organization nodes.


The “Subprocess Assignment” screen is displayed.

7) Select “Assign Subprocess”.

8) Select “6.2 - Customer Credit Management” from the list of Subprocesses.

9) Select “Next”.

The “Subprocess Assignment” screen now lists the selected Subprocess.

10) Accept the default response “No” for “Allow Local Changes” and select “Next”.

KEY FEATURE: Central Control (Allow Local Changes = “No”) vs. Local Control (Allow Local Changes = “Yes”)


Central Control – exists within the Process Structure:

- Maintained in the Process Structure
- Control attributes are maintained centrally and pushed out to all organizational assignments
- Can utilize shared services
- All controls within a subprocess are mapped to each linked organization
- Cannot be used as mitigating controls

Local Control – an instance of a control mapped from the Process Structure to an Organization:

- Maintained in the Process Structure or Organizational Hierarchy (based upon configuration)
- Attributes are maintained specifically for each organization (based upon configuration)
- Cannot utilize shared services
- Any or all controls within a subprocess may be mapped independently to each linked organization
- Can be used as mitigating controls (in conjunction with the GRC Access Control module)

The “Subprocess Assignment” screen now lists the Control(s) associated with the selected subprocess, as well as any risks that have been linked to the controls (risks are not in scope for this workshop).

11) Select “Submit”.

The screen displays “The assignments are made . . .”

12) Select “Finish”.


The added subprocess now displays as being linked on the “Subprocess” tab. The underlying control(s) may also be listed by selecting the expansion icon (triangle).

13) Select “Save”.

The display returns to the “Organizations” screen with the message “Organization created successfully”.

The Organizations screen remains open.


14) Exit the screen by selecting the “X” in the top right corner.

This completes the creation of the “Sales & Marketing (Americas)” Organization and the linking of the “6.2 - Customer Credit Management” Subprocess.


Section 2 Step 9: Review Front End Assignment (REVIEW ONLY, NO CHANGES)

PURPOSE: Review the front-end role assignments that identify workflow task owners for the Control that will be set up in Section 3 for automated monitoring. User IDs assigned as Control Owners receive issues in their work inboxes as a result of control deficiencies identified during automated control monitoring.

FROM PRIOR STEP: The Master Data tab and underlying sub-menus remain open.

1) Select the “Access Management” tab.

2) Select the “Business Processes” task within the “GRC Role Assignments” sub-menu.


The “Assign Process, Subprocess and Control Roles” screen appears.

3) Enable the “Control” checkbox in the “Select Role Levels to be assigned” section.

4) Select “No” under the “Show Cross-Regulation Roles?” section.

5) Select “Add” Regulations. The “Select Regulations to Filter” pop-up appears.

6) Select the first instance of the “Sarbanes-Oxley (SOX)” Regulation listed in the “Available” pane and select the arrow icon to move it to the “Selected” pane.

The “Sarbanes-Oxley (SOX)” Regulation is moved to the “Selected” pane.

7) Select “OK”.


8) Add a filter to narrow down the items presented on the subsequent screen by selecting “Add” under “Filters: Process”, moving the “2 - Information Technology” Process to the “Selected” pane, and selecting “OK”.

9) Once selections and filters have been completed, select “Next”.


The “Assignments” screen is displayed.

10) Note that the User named “GRC GRCTRAIN1” has been assigned as the Control Owner for Control “IT-232 – Monitor Client Setting Changes” as linked to the “Information Technology” Organization, and that the User named “GRC GRCTRAIN2” has been assigned as the Control Tester.

BUILDING BLOCKS: Each column on the assignment screen represents a role that has been configured to receive specific workflow tasks. Specific Users are entered at the intersection of a role with a specific entity, in this case, a Control.

The Control Tester is the default role to perform regulation-specific control testing (in this case, SOX). Users with such roles will receive the task to perform or confirm the results of a control test in their work inbox. The Control Owner is the default role to receive issues that result from regulation-specific control monitoring.

This completes the Review of Front End Assignments for the Control “IT-232 – Monitor Client Setting Changes”.

This completes SECTION 2 – SAP Process Control Master Data Creation.


SECTION 3 – SAP Process Control Automated Monitoring

Create Data Source

Create Business Rule

Assign Business Rule to Control

Schedule Automated Monitoring Job

Receive Exception Task in Work Inbox

Review Monitoring Exception Details

Take Required Action

Close Issue


Section 3 Step 1: Create Data Source

The automated monitoring process starts with the creation of a Data Source. To monitor any system in your IT landscape, GRC PC first has to be able to extract data from it. The data could be anything: configurations, master data, transactions, usage logs, or any structured information which the monitored system can provide on demand. Data Sources store the information about the actual sources of data in the remote systems which will be invoked when an automated monitoring rule runs. For the purpose of this exercise, we are building a Data Source to pull information from table: T000 from system GRDCLNT600 that contains information about “client maintenance settings”.

1) Navigation Path: Rule Setup >> Continuous Monitoring >> Data Sources.

2) If the date field is not visible, select “Show Quick Criteria Maintenance”; confirm that the date is set to 14.01.2015 (January 14, 2015) or use the date dropdown to select it; then select “Apply”.


3) Click on “Create”.

4) Enter details in “General Tab” –

a. Data Source – Enter name for the Data Source – “Client Maintenance Settings v2”
b. Description – Enter description – e.g., “Data Source for table T000 to monitor client maintenance settings”
c. Valid From – By default Today’s Date if the date has not been reset to “14.01.2015” as shown in task 2 for this exercise
d. Valid To – By default 31.12.9999 – retain for this exercise
e. Status – Select “In Review” from drop-down
f. Navigate to “Object Field” tab


5) Enter the following details in “Object Field” tab:

a. Sub-Scenario – Select “Configurable” from drop-down for purpose of this exercise.

KEY FEATURE: Note that, SAP delivers multiple sub-scenarios for selection at this step. These sub-scenarios are different types of Data Source options available in PC. Details for each of the available sub-scenarios are as follows:
   i. ABAP Report – use to leverage suitable ABAP reports already available
   ii. SOD Integration – use to invoke access control risk analysis in the context of PC controls
   iii. BW Query – use to invoke queries against SAP BW
   iv. Configurable – use to monitor values or change logs for tables in remote systems
   v. Event – use value check
   vi. External Partner – use to define simple deficiency conditions for monitor exceptions or values
   vii. Process Integration – use to define simple deficiency conditions for monitor exceptions or values
   viii. Programmed – use to invoke programs available
   ix. SAP Query – query to invoke data from single or multiple tables based on query built in the backend

b. Connection Type – Auto populates to “SAP System”.


6) Select “Main Connector” – GRDCLNT600.

BUILDING BLOCKS: Note that, multiple connectors can be defined for selection at this step. Typically ECC connectors are defined to monitor changes/values in the ECC systems. For the purpose of this exercise, we have pre-set a connector to the same GRC system.

7) Click on “Main Table Lookup”.


8) Enter Table Name “T000” and click “Apply” in the pop-up window.

9) Select table “T000” entry and click “OK”.


10) Scroll Down on the main screen and click “Select Additional Table Fields”.

11) Select all the fields using the Right Double Arrow button. Click “OK”.

NOTE: Specific fields can be selected using the Single Right Arrow button but typically all the fields are selected at this point to allow flexibility in building multiple Business Rules (if required) with the same Data Source. PC allows re-use of a Data Source for multiple Business Rules.


12) Validate that fields are pulled to the main screen window and click on the “Adhoc Query” tab.

13) Select “Target Connector” from the drop-down – GRDCLNT600 and click the “Execute Query” button to validate that data is pulled from the selected T000 source table for monitoring.


14) Click on “Connector” tab and validate your defined connector is displayed.

15) Click “Save” on the top.

16) Validate that the Data Source created is successfully SAVED.


17) Select the Data Source and click “Open”.

18) Select the “Status” drop-down and change value to “Active”. Click “Save”.

19) Saved Data Source is successfully ACTIVATED.


Section 3 Step 2: Create Business Rule

The next step in the process of setting up automated monitoring is the creation of a Business Rule. Business Rules filter the data stream coming from Data Sources, and apply user-configured conditions and calculations against that data to determine if there is a problem which requires attention. In PC this is called a deficiency. The nature of the Business Rule depends strongly on the Data Source type, which is why the process of creating a Business Rule begins with Data Source selection. For the purpose of this exercise, we are creating a Business Rule to monitor values for specific fields in table: T000 – client maintenance settings. Details of fields and values being monitored in this Business Rule are:

a. “Protection reg. client program and comparison tools” – There are 3 values that can be maintained for this field:
   i. Blank – Protection level 0: No Restriction
   ii. X – Protection level 1: No overwriting
   iii. L – No overwriting, no external availability
   Typically, the field is set to “L”, i.e., the client is not available externally and does not allow overwriting. In the Business Rule for this exercise, we will monitor if the value is not set to “L”.

b. “Changes and transports for client-specific objects” – There are 4 values that can be maintained for this field:
   i. Blank - No automatic recording of changes for transport
   ii. 1 - Changes are recorded in transport request
   iii. 2 - Customizing in this client cannot be changed
   iv. 3 - Customizing: Can be changed as req., but cannot be transp.
   Typically, the field is set to “2”, i.e., the changes and transports for this client cannot be changed. In the Business Rule for this exercise, we will monitor if the value is not set to “2”.

c. “Client Control: CATT und eCATT Authorization” – There are 5 values that can be maintained for this field:
   i. Blank - eCATT and CATT Not Allowed
   ii. X - eCATT and CATT Allowed
   iii. T - eCATT and CATT Only Allowed for 'Trusted RFC'
   iv. E - eCATT Allowed, but FUN/ABAP and CATT not Allowed
   v. F - eCATT allowed, but FUN/ABAP and CATT only for 'Trusted RFC'
   This field determines if you can run test cases, test scripts and test configurations in this client. Running such cases or scripts causes extensive database changes, which is typically not allowed. In this Business Rule, we will monitor if the value is set to “X”, i.e., running test scripts/cases/configuration is allowed in this client.


1) Navigation Path: Rule Setup >> Continuous Monitoring >> Business Rules

2) If the date field is not visible, select “Show Quick Criteria Maintenance”; confirm that the date is set to 14.01.2015 (January 14, 2015) or use the date dropdown to select it; then select “Apply”.

3) Click on “Create”.


4) Select “Search”.

5) Click on “Search” in the pop-up window.

6) Select the Data Source “Client Maintenance Settings” and click “OK”.


7) Click on “Continue” to start Business Rule creation for the Data Source.

8) On tab 1 “Basic Information”, enter the following details:

a. Name – Short name for the Business Rule – “Monitor Client Maintenance Settings v2”
b. Description – Business Rule description – “Monitor field values for client maintenance settings”
c. Select Category – Value Check
d. Status – select “In-Review” from drop-down
e. Valid From – By default today’s date if the date has not been reset to “14.01.2015” as shown in task 2 for this exercise
f. Valid To – By default 31.12.9999 – retain for this exercise
g. Click on “Next”


9) On tab 2 “Data for Analysis”, select all fields for analysis using arrows (Double Right Arrow will select all fields):

10) Once fields are selected, click on “Next”.


11) On tab 3 “Filter Criteria”, select “Select/Unselect Filters”, then check the box for “Client” and click “OK”.


12) Scroll down and click “Add” to add specific filters to “Client” to monitor deficiencies for the defined field filtered for a specific client. Add the following details:

a. Sign – Range Limit Included
b. Option – Equals
c. Low – Select dropdown, select Client “600”


13) Click on “Next” to go to tab 4 “Deficiency Criteria”. Click on “Select/Unselect Deficiency” to add fields to be monitored for deficiencies from table T000 that could generate an exception whenever the table is monitored. Select the field names displayed in the screen print below, i.e., “Protection reg . . .”, “Changes and transports . . .”, and “Client Control . . .”, then select “OK”.

BUILDING BLOCKS: Note that, for “Field Analysis Type” – values that may be selected are “Blank Check” (exception generated if the field is blank in the table T000) or “Value Check” – (exception generated whenever the field value is changed to something other than specified). For purposes of this exercise, you will be selecting “Value Check” for all three monitored fields in the next task.


Using the dropdowns in the “Field Analysis Type” column, select “Value Check” for each of the three selected fields.

BUILDING BLOCKS: Note that, a deficiency is a condition which requires human attention. This section of the Business Rule lets you define such conditions. There are two main ways to do this: you can treat everything pulled back by the Data Source as requiring human review, or pick a specific field and define a logical condition against it (for example, document amount exceeding a set limit). A variation on the latter would be to define a calculated field deficiency, which represents an arithmetic/logical operation on any of the available fields. Calculated fields are explained fully in the next section.

For all such deficiency criteria, you can choose a “value check” or a “blank check”. A blank check restricts you to monitoring whether a field should be populated with any value or should be blank. A value check assumes the field has a value, and allows you to define a wide range of conditions using the usual logical operators such as equal to, less than, between, and so on. You can define three conditions, corresponding to three levels of deficiency: low, medium and high. The “Deficiency Description” column allows you to optionally define what to call each deficiency level.

REVIEW: Details of fields and values being monitored in this Business Rule are:

a. “Protection reg. client program and comparison tools” – There are 3 values that can be maintained for this field:
   i. Blank – Protection level 0: No Restriction
   ii. X – Protection level 1: No overwriting
   iii. L – No overwriting, no external availability
   Typically, the field is set to “L”, i.e., the client is not available externally and does not allow overwriting. In the Business Rule for this exercise, we will monitor if the value is not set to “L”.

b. “Changes and transports for client-specific objects” – There are 4 values that can be maintained for this field:
   i. Blank - No automatic recording of changes for transport
   ii. 1 - Changes are recorded in transport request
   iii. 2 - Customizing in this client cannot be changed
   iv. 3 - Customizing: Can be changed as req., but cannot be transp.
   Typically, the field is set to “2”, i.e., the changes and transports for this client cannot be changed. In the Business Rule for this exercise, we will monitor if the value is not set to “2”.


c. “Client Control: CATT und eCATT Authorization” – There are 5 values that can be maintained for this field:
   i. Blank - eCATT and CATT Not Allowed
   ii. X - eCATT and CATT Allowed
   iii. T - eCATT and CATT Only Allowed for 'Trusted RFC'
   iv. E - eCATT Allowed, but FUN/ABAP and CATT not Allowed
   v. F - eCATT allowed, but FUN/ABAP and CATT only for 'Trusted RFC'
   This field determines if you can run test cases, test scripts and test configurations in this client. Running such cases or scripts causes extensive database changes, which is typically not allowed. In this Business Rule, we will monitor if the value is set to “X”, i.e., running test scripts/cases/configuration is allowed in this client.

14) Scroll down and add deficiency types and values.

Highlight each field description row in turn and select the following deficiency values:

“Protection reg . . .” – Deficiency Type = “High”, Sign = “Range limit included”, Option = “Not equal to”, Low = “L”
“Changes and . . .” – Deficiency Type = “High”, Sign = “Range limit included”, Option = “Not equal to”, Low = “2”
“Client Control . . .” – Deficiency Type = “High”, Sign = “Range limit included”, Option = “Equals”, Low = “X”


15) Click “Next” to go to tab 5 “Conditions and Calculations” to add any specific condition to monitor – OPTIONAL.

BUILDING BLOCKS: Note that, this tab is used to define the calculations necessary to compute the value of a “calculated field” deficiency. PC uses the standard NetWeaver rule engine, to allow users to define calculations. You can configure very powerful processing using this rule engine, and the goal was to make it easy to configure relatively simple rules (calculate an average of two fields, say, or compare two dates), and yet provide a path to configure more complex rules if needed. For purposes of this exercise, you will not be defining any conditions or calculations.

16) Click “Next” to go to tab 6 “Output Format” to select the output fields and sequence of columns in the exception notification. “Output Format” section is common to all Business Rule/Data Source types, and arranges the output of any detected deficiencies in the left-to-right column order specified. You can also hide unwanted columns here.


Output fields are defined for each Deficiency. Select each Deficiency from the drop-down and click on the “Select/Unselect Output Fields” button. A pop-up window opens for selection of output fields. For the purpose of this exercise, please select the following output fields for each Deficiency and click “OK”: Client, Client Name, Date of Last Change, Last Changed By.

17) Click on “Next” to go to tab 7 “Technical Settings”.


BUILDING BLOCKS: Note that, these primarily affect the execution and performance of monitoring. Most Data Sources (although not all) will allow users to cap the maximum amount of data they will process, as a performance management feature. Since performance can be difficult to predict and manage—too much depends on the size of tables, network issues, etc.—we strongly advise all customers to test the performance of any monitoring rules before putting them into production. Note that most monitoring rules can be run in synchronous or asynchronous mode. The impact of the two is stated below:

Synchronous – This is a one-way communication. The execution will make an RFC call to the selected connector to perform its task and wait for the RFC call to return, then it will continue on the PC server side. In most sub-scenarios, the RFC only collects data on the remote side; applying the Business Rule is carried out on the PC side.

Asynchronous – This is a two-way communication. The execution will make an RFC call to submit a background job on the selected connector to perform its task, and then execution on the PC side is done. Once the background job step on the destination side is done, it will make an RFC call back to the PC side to update the job step.

For example, by default, Sub Scenario Configurable is sync; SAP query and BI query BRs have to be sync and Programmed can only be async. Async uses two-way communication, which could have some performance overhead; but if the data volume is too high, you may consider async since the RFC could drop if the network goes down or there is a lot of traffic on the network.

Validate settings. Click on edit button (pencil icon) to make any changes. For the purpose of this exercise, please change the “Max. No. of Records to Analyze” to “10000”.


18) Click on “Next” to go to tab “Ad-hoc Query” to validate data is pulled by the Data Source from the required source system and that the Business Rule criteria is used to:

(1) collect data (select “Data Collection” and select “start” to view results).
(2) identify deficiencies (select “Apply Rule”, select “Deficiency” on which to filter, and select “start” to view results); this query setting may be used to view results for each of the three deficiencies in this exercise.

19) Click on “Save” and validate the Business Rule was successfully SAVED.


20) Select the saved Business Rule and click “Open”.

21) Change status to “Active” and click “Save”.


22) Once the Business Rule is set to “Active” status then the rule can be assigned to a control and an automated monitoring job can be scheduled. No further changes are allowed to the rule. To make any edits, the status has to be changed from “Active” to “In-Review” for fields to become editable for update.
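The filter, the three value checks and the output columns configured in this Business Rule can be re-created as a short offline check against a T000 extract, which is useful for confirming what the rule should flag before it is scheduled. This is an added example, not part of the lab or of SAP's code; the technical field names (MANDT, MTEXT, CCCOPYLOCK, CCCORACTIV, CCIMAILDIS, CHANGEUSER, CHANGEDATE) are assumed, since the lab shows only field descriptions, and all sample rows are constructed.

```python
"""Offline re-creation of the lab's T000 Business Rule (added example)."""

# Assumption: technical T000 field names; the lab shows only the descriptions.
FIELD_LABELS = {
    "CCCOPYLOCK": "Protection reg. client program and comparison tools",
    "CCCORACTIV": "Changes and transports for client-specific objects",
    "CCIMAILDIS": "Client Control: CATT und eCATT Authorization",
}

# Deficiency criteria from task 14 (Sign is "Range limit included" for all):
# (field, option, low value, deficiency type)
DEFICIENCY_CRITERIA = [
    ("CCCOPYLOCK", "Not equal to", "L", "High"),
    ("CCCORACTIV", "Not equal to", "2", "High"),
    ("CCIMAILDIS", "Equals", "X", "High"),
]

# Output format from task 16: column label -> assumed T000 field.
OUTPUT_FIELDS = {
    "Client": "MANDT",
    "Client Name": "MTEXT",
    "Date of Last Change": "CHANGEDATE",
    "Last Changed By": "CHANGEUSER",
}


def value_check(value, option, low):
    """Return True when the field value meets the deficiency condition."""
    value = (value or "").strip()  # blank is a real, comparable value here
    if option == "Equals":
        return value == low
    if option == "Not equal to":
        return value != low
    raise ValueError(f"unsupported option: {option!r}")


def run_business_rule(rows, client="600", max_records=10000):
    """Apply the filter criteria, then the deficiency criteria."""
    # Filter criteria (task 12): Client Equals "600". The cap mirrors
    # "Max. No. of Records to Analyze" from the Technical Settings tab.
    selected = [r for r in rows if r.get("MANDT") == client][:max_records]
    exceptions = []
    for row in selected:
        for field, option, low, level in DEFICIENCY_CRITERIA:
            if value_check(row.get(field), option, low):
                item = {label: row.get(src, "")
                        for label, src in OUTPUT_FIELDS.items()}
                item["Deficiency"] = FIELD_LABELS[field]
                item["Deficiency Type"] = level
                item["Value Found"] = (row.get(field) or "").strip()
                exceptions.append(item)
    return exceptions


def _row(client, name, copylock, coractiv, catt):
    # Constructed sample record; user and date are placeholders.
    return {"MANDT": client, "MTEXT": name, "CCCOPYLOCK": copylock,
            "CCCORACTIV": coractiv, "CCIMAILDIS": catt,
            "CHANGEUSER": "EXAMPLE_USER", "CHANGEDATE": "20150114"}


# Constructed T000 snapshots. Client 000 is left "open" in each one to show
# that the Client filter keeps it out of the results for client 600.
SNAPSHOT_LOCKED = [_row("000", "Reference", "", "1", "X"),
                   _row("600", "Training", "L", "2", "")]
SNAPSHOT_PARTIAL = [_row("000", "Reference", "", "1", "X"),
                    _row("600", "Training", "X", "2", "T")]
SNAPSHOT_OPENED = [_row("000", "Reference", "", "1", "X"),
                   _row("600", "Training", "", "1", "X")]

if __name__ == "__main__":
    for name, snapshot in [("locked", SNAPSHOT_LOCKED),
                           ("partial", SNAPSHOT_PARTIAL),
                           ("opened", SNAPSHOT_OPENED)]:
        found = run_business_rule(snapshot)
        print(f"{name}: {len(found)} exception(s)")
        for item in found:
            print("  ", item)
```

The partial snapshot shows that protection level “X” still raises a High deficiency, because the rule tests for “Not equal to” “L”, while the CATT value “T” passes, because only “X” is flagged.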


Section 3 Step 3: Assign Business Rule to Control

The next step in the Automated Monitoring process is assignment of defined Business Rules to the controls. This allows the automated monitoring jobs to be scheduled for the assigned control. This is a mandatory step before automated monitoring jobs can be scheduled.

1) Navigation Path: Rule Setup >> Continuous Monitoring >> Business Rule Assignment

The “Business Rule Assignment” link brings up the following page.

2) Select today’s date and click “Apply”.

BUILDING BLOCKS: Note that, the search widget at the top of this page lets you narrow the search for local Controls to which the Business Rule may be assigned — that is, Controls assigned to a particular Organization node, Process, Subprocess or even a specific Control. The next step is to select a specific local Control in the middle part of the screen, by clicking on its row. You then modify the Business Rules assigned to the Control by choosing the “Modify” pushbutton, and then choosing the “Add” pushbutton in the bottom portion of the screen. A screen displays then allows you to search through Business Rules in the “Active” state, which you can then assign to the local Control. You can also modify existing assignments and maintain frequencies of monitoring or compliance checks. Once this assignment step is complete, you will be able to schedule the monitoring rule in the Automated Monitoring scheduler.


3) Click “Search” to search for Controls (filtering is not required). Select Control “IT-232-Monitor Client Setting Changes”.

4) Scroll down and click on “Modify”.

5) Click on “Add”.


6) Click “Search” in the pop-up window, select the Business Rule created in the previous step, and click “OK”.

7) Select the new Business Rule and click on “Maintain Frequencies”. This allows the user to define the frequencies that express the usage limitation for a monitoring rule. This is typically done to avoid scheduling monitoring rules that scan high volume data tables and might impact system performance or to ensure the same rule is not scheduled more than the frequency defined for the assigned control. For the purpose of this exercise, please select “Any Frequency” for both the “Monitoring” and “Compliance” checkboxes to provide the flexibility to schedule the job as many times as required.


8) In the pop-up window select “Any Frequency” and click “OK”.

9) Click on “Save” and validate assignment of Business Rule to Control and that frequencies have been maintained.


Section 3 Step 4: Schedule Automated Monitoring Job

The next step in the process of setting up automated monitoring is to schedule the automated monitoring job. SAP Process Control automated monitoring capabilities enable customers to define their expectations of how controls should be configured, and how transactions should occur. Correct configuration settings ensure that business process steps controlled by those settings will always comply with the enterprise’s intentions; broader transaction monitoring can then be used to cover those situations where configuration-based controls are not enough, or to look for fraud at the margins. The monitoring methods available to PC customers fall into one of two broad classes: query-driven or event-driven. PC initiates query-driven monitoring, typically via the scheduler. This is why some practitioners also call it schedule-driven monitoring.

1) Navigation Path: Rule Setup >> Scheduling >> Automated Monitoring.

2) Click on “Create Job”

3) Click on “Continue”.


4) The top of the screen shows that scheduling is a 4-step process, and the wizard guides you through it. The most important thing to note about the scheduler is that you can run jobs as frequently as hourly, and as infrequently as annually. Enter the following details on tab 1 “Header” and click “Next”:

a. Job Name: Name for the job (e.g., MONITOR CLIENT MAINT- 1)
b. Execution Type: Immediate
c. Frequency: Daily
d. Test Period From: Today’s Date
e. Test Period To: Today’s/Tomorrow’s Date
f. Target Connector: GRDCLNT600

5) Select Regulation: “Sarbanes-Oxley (SOX)” in tab 2 “Share Regulation”, select radio button “Do not share”, and click “Next”.


6) Click on “Search” on tab 3 “Select Controls”.

7) Select the control and click on the Single Arrow Down button to move the selected control to the lower half of the screen. If there are multiple controls and all the controls need to be selected then click on the Double Arrow Down button. Single and Double Arrow Up buttons can be used to deselect the controls. Click “Next”.


8) Select and validate the Business Rule(s) on tab 4 “Control Details”. Click “Save”.

The screen displays “Your schedule has been saved successfully”; when this screen is closed the “Active Queries” screen remains opened.

9) Validate that the job is successfully scheduled (an entry for the newly scheduled job appears on the “Active Queries” screen). Monitor for the “Status” to be displayed as “Completed”. Click on “Refresh” on the lower right of the screen in case the job status is not updated.


Section 3 Step 5: Receive Exception Task in Work Inbox

The next step is to log in to your Work Inbox to review the automated monitoring exception notification.

REVIEW: All users previously assigned as a Control Owner for the control being monitored will receive the issue in their Work Inbox.

1) Navigation Path: My Home >> Work Inbox

2) Validate that exception task “Remediate Exception: Automated Monitoring” is received in the work inbox. The “Created On” date should match today’s date for the exception that was just generated in the previous Step 4.


Section 3 Step 6: Review Monitoring Exception Details

The purpose of this step is to review the details of the issue received in the Work Inbox.

1) Open the automated monitoring task received in the Work Inbox by selecting the link in the “Subject” column.

2) Review issue details and click on the “Evaluation” tab to review the exception details.


3) Click on “Fail” to open the exception details.

4) Select the drop-down on the top of the next screen to review the exception details for each of the fields selected for deficiency monitoring at the time of Business Rule set up. The lower half of the screen displays the results in the output format defined at the time of rule definition. Other links such as “Administrative Info”, “Business Rule Info”, etc., can be clicked to see additional details like when was the job scheduled, what are the conditions defined in the Business Rule, etc.


5) Select another parameter to validate exceptions. Close the window once validated.


Section 3 Step 7: Take Required Action (REVIEW ONLY, NO CHANGES)

1) Once exception details have been reviewed, navigate back to the “Issues” tab to take action on the issue. For the purpose of this exercise, please proceed to the next step (Step 8) after you have reviewed the possible actions in this step.

NOTE: For your reference, the following actions (a, b, c, d, e) are available:

a. Assign Remediation Plan: Click on this to select a remediator and assign a remediation plan


b. Close Without Plan: Close the issue without assigning a remediation plan


c. Reassign the issue: Click on this to select a user to reassign the issue received


d. Exception: Status of each of the exception items


e. Void: Close out the issue as it is not valid


Section 3 Step 8: Close Issue

In this step, you will select the action to close the issue without a plan.

1) Click on “Close Without Plan” in the “Issues” tab.

2) Enter comments in the pop-up box and click “OK”.


3) Validate comments entered are updated in the “Comments” field. Click “Submit”.

4) Validate that the action was submitted successfully. Close the Window.


5) Refresh the Work Inbox and validate that the task is no longer displayed.

This completes SECTION 3 – Automated Monitoring. END OF LAB – Good Job and Congratulations for Completing.


Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2016 Wellesley Information Services. All rights reserved.